CCNP Switch - Implementing Network Monitoring (Foundation Topic)

 - SNMPv1 and v2 can neither authenticate the source of a management message nor provide encryption.
 - syslog levels mnemonic:
(e)veryone (a)lways (c)omplains (e)ven (w)hen (n)othing (i)s (d)ifferent
0 emergencies
1 alerts
2 critical
3 errors
4 warnings
5 notifications
6 informational
7 debugging
 
When designing a campus network, when redundancy is created, managing redundancy can be achieved by monitoring the network, through SNMP and Syslog (System Logging), and testing connectivity with an IP SLA.

The following are some of the capabilities of well-configured network management:
 - Ability to verify the network is working well and behaving in the planned manner
 - Ability to characterize the performance of the network
 - Ability to understand how much traffic is flowing and where it is flowing in the network
 - Ability to troubleshoot the network.

The following tools are used extensively for typical enterprise network management:
■  Syslog
■  SNMP
■  IP SLA

Syslog
 - The Cisco IOS system message logging (syslog) process enables a device to report and save important error and notification messages locally or to a remote logging server.
 - Syslog messages can be sent to local console connections, the system buffer, or remote syslog servers.
 - Syslog enables text messages to be sent to a syslog server using UDP port 514.
 - Cisco devices produce syslog messages as a result of network events.
 - Every syslog message contains a severity level and a facility.
 - Many networking devices support syslog, including routers, switches, application servers, firewalls, and other network appliances.
 - Cisco IOS Software has more than 500 facilities. The most common syslog facilities are: IP, OSPF, SYS (operating system), IP Security (IPsec), Route Switch Processor (RSP), Interface (IF).
 - Other facilities include Cisco Discovery Protocol, STP, multicast, IPsec, TCP, BGP, RADIUS, Telnet, and those facilities related to QoS services.

Syslog levels

Syslog Severity  Severity Level
Emergency        Level 0, highest level
Alert            Level 1
Critical         Level 2
Error            Level 3
Warning          Level 4
Notice           Level 5
Informational    Level 6
Debugging        Level 7

ACL Logging
ACL log messages are generated at severity 6 (informational) by default.

Syslog Message format
 - The system messages begin with a percent sign (%).
 - System log messages can contain up to 80 characters.
 - A sequence number appears on the syslog message if the service sequence-numbers global configuration command is configured.
 - The timestamp shows the date and time of the message or event if the global configuration command is configured:
service timestamps [debug | log] [datetime | uptime] [localtime | msec | show-timezone | year]
The timestamp can have one of three formats:
■  mm/dd hh:mm:ss
■  hh:mm:ss (short uptime)
■  d h (long uptime)

Syslog message format
 - Facility:  A code consisting of two or more uppercase letters that indicates the hardware device, protocol, or a module of the system software.
 - Severity:  A single-digit code from 0 to 7 that reflects the severity of the condition. The lower the number, the more serious the situation.
 - Mnemonic: A code that uniquely identifies the error message.
 - Message-text: A text string describing the condition. This portion of the message sometimes contains detailed information about the event, including terminal port numbers, network addresses, or addresses that correspond to locations in the system memory address space.

Configuring Syslog
Configure a syslog server:
logging <ip address of the Syslog server>
To configure from which severity level messages have to be sent to the Syslog server, use the global configuration command
logging trap level
Messages can be kept on the local switch. Valid parameters are the maximum local log size and the severity level that has to be logged. Enabling a higher (more verbose) logging level with a small buffer size might mean that your log displays only a short duration of time before newer messages overwrite the older ones.
logging buffered ?
<0-7>  Logging severity level
<4096-2147483647> Logging buffer size
alerts  Immediate action needed   (severity=1)
...
Display the content of the local log files
show logging
Example:
000073: *Mar  1 00:56:14.854: %SYS-5-CONFIG_I: Configured from console by console
000074: *Mar  1 01:00:02.303: %OSPF-4-NORTRID: OSPF process 1 failed to allocate unique router-id and cannot start
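The message layout described above (optional sequence number, optional timestamp, then %FACILITY-SEVERITY-MNEMONIC: text) is easy to parse, and doing so shows how the logging trap level filter and the UDP/514 transport fit together. The following Python is an added example written for these notes, not code from the Cisco material: it parses the two show logging lines above plus one constructed line, applies the logging trap threshold (a message is forwarded when its severity number is less than or equal to the configured level), and builds the BSD-syslog datagram an IOS device would send, assuming the IOS default logging facility of local7 (code 23). The SEVERITY_NAMES list, the regular expression and the helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity names in IOS order: 0 = emergencies ... 7 = debugging.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# IOS default for "logging facility" is local7 (BSD syslog facility code 23).
LOCAL7 = 23

# Layout: [seq:] [timestamp:] %FACILITY-SEVERITY-MNEMONIC: message-text
# Sequence number and timestamp are optional; they appear only when
# "service sequence-numbers" / "service timestamps" are configured.
_MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"          # optional sequence number
    r"(?:(?P<ts>[^%]+?):\s+)?"         # optional timestamp (any of the three formats)
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    sequence: Optional[int] = None
    timestamp: Optional[str] = None

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_ios_message(line: str) -> SyslogMessage:
    """Split one IOS system message into facility, severity, mnemonic and text."""
    m = _MSG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an IOS system message: {line!r}")
    return SyslogMessage(
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
        sequence=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
    )


def forwarded_at_trap_level(lines: List[str], trap_level: int) -> List[SyslogMessage]:
    """Emulate "logging trap <level>": a message goes to the server when its
    severity number is <= the configured level (a lower number is more severe)."""
    return [msg for msg in map(parse_ios_message, lines) if msg.severity <= trap_level]


def encode_udp_datagram(msg: SyslogMessage, facility_code: int = LOCAL7) -> bytes:
    """Build the BSD-syslog datagram sent to UDP/514: "<PRI>" followed by the
    message, where PRI = facility * 8 + severity (RFC 3164)."""
    pri = facility_code * 8 + msg.severity
    body = ""
    if msg.sequence is not None:
        body += f"{msg.sequence:06d}: "
    if msg.timestamp:
        body += f"{msg.timestamp}: "
    body += f"%{msg.facility}-{msg.severity}-{msg.mnemonic}: {msg.text}"
    return f"<{pri}>{body}".encode()


# The two lines from the "show logging" example above, plus one constructed line
# without sequence number or timestamp (a device where neither service is enabled).
SAMPLE_LINES = [
    "000073: *Mar  1 00:56:14.854: %SYS-5-CONFIG_I: Configured from console by console",
    "000074: *Mar  1 01:00:02.303: %OSPF-4-NORTRID: OSPF process 1 failed to allocate unique router-id and cannot start",
    "%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",  # constructed
]

if __name__ == "__main__":
    for msg in map(parse_ios_message, SAMPLE_LINES):
        print(f"{msg.facility:<5} {msg.severity} ({msg.severity_name:<13}) {msg.mnemonic}")
    print("sent with 'logging trap 4':",
          [m.mnemonic for m in forwarded_at_trap_level(SAMPLE_LINES, 4)])
```

With logging trap 4 (warnings), the CONFIG_I notification is kept locally only, while the OSPF warning and the constructed link error are forwarded; the OSPF line leaves the device with PRI 188 (23 * 8 + 4). Note that the datagram carries no authentication, so a collector should treat the source address and the text as untrusted input.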
 
SNMP

SNMP is often the foundation of network management architecture.
SNMP contains three elements:
  ■  Network Management Application (SNMP Manager) - client
  ■  SNMP Agents (running inside a managed device) - devices with SNMP enabled
  ■  MIB Database object that describes the information in a predetermined format that the agent can use to populate the data.

SNMP Components
There are three different components that are defined by SNMP:
SNMP manager — The SNMP manager is a central system that is used to monitor traffic seen by the various SNMP agents as well as provide a mechanism for the control of these agents.

SNMP agent — The SNMP agent is a software component that exists within a network element;
 this component is used to maintain real-time information about the element's operations.
 The agent is also used to communicate this information back to the central SNMP manager as well as perform control actions dictated by the SNMP manager.

Management Information Base (MIB) — The MIB is a virtual information storage location where network management information is held.
Within the MIB are a number of different collections of objects that are related together (think database).
Each of these collections contains a number of variables that can be altered by the SNMP agent and/or SNMP manager.

SNMP Versions
Neither SNMPv1 nor SNMPv2 offers security features. Specifically, SNMPv1 and v2 can neither authenticate the source of a management message nor provide encryption.
Because of the lack of security features, many SNMPv1 and v2 implementations are limited to a read-only capability, reducing their utility to that of a network monitor.

SNMPv1
The initial version of the SNMP standard (SNMP version 1, or SNMPv1) is defined in RFC 1157.
Following are five basic SNMP messages:
 - Get Request: Used to request the value of a specific MIB variable from the agent.
 - Get Next Request:  Used after the initial Get Request to retrieve the next object instance from a table or a list.
 - Set Request: Used to set a MIB variable on an agent.
 - Get Response:  Used by an agent to respond to a Get Request or Get Next Request from a manager.
 - Trap: Used by an agent to transmit an unsolicited alarm to the manager. An agent sends a Trap message when a certain condition occurs.

SNMPv2
SNMPv2 was introduced with RFC 1441, but members of the Internet Engineering Task Force (IETF) subcommittee could not agree on the security and administrative sections of the SNMPv2 specification.
Community-based SNMPv2 (SNMPv2C), defined in RFC 1901, is the most common implementation.
SNMPv2C deploys the administrative framework defined in SNMPv1, which uses read/write community strings for administrative access.

SNMPv2 introduces two new message types:
■  Get Bulk Request:  Reduces repetitive requests and replies and improves performance when you are retrieving large amounts of data (for example, tables).
■  Inform Request: Alert an SNMP manager of specific conditions. Unlike SNMP Trap messages, which are unconfirmed, the NMS acknowledges an Inform Request by sending an Inform Response message back to the requesting device.
 - SNMPv2 adds new data types with 64-bit counters, because 32-bit counters were quickly outmoded by fast network interfaces.
 - On Cisco routers, SNMPv2 is implemented in Cisco IOS Software Release 11.3 and later.

SNMPv3
 - Described in RFCs 3410 through 3415.
 - Adds methods to ensure the secure transmission of critical data between managed devices.
 - On Cisco routers, SNMPv3 is implemented in Cisco IOS Software Release 12.0 and later.

SNMPv3 introduces three levels of security:
■  noAuthNoPriv: No authentication is required, and no privacy (encryption) is provided.
■  authNoPriv: Authentication is based on Hash-based Message Authentication Code with Message Digest 5 (HMAC-MD5) or Hash-based Message Authentication Code with Secure Hash Algorithm (HMAC-SHA). No encryption is provided.
■  authPriv: In addition to authentication, Cipher Block Chaining-Data Encryption Standard (CBC-DES) encryption is used as the privacy protocol.
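To make the authNoPriv/authPriv authentication concrete, here is an added Python example (written for these notes, not taken from Cisco documentation or any SNMP library) of what the user-based security model (USM, RFC 3414) does with an authentication password: the password is hashed into a key, the key is localized to one agent's snmpEngineID, and the message is tagged with the first 12 bytes of an HMAC-MD5 or HMAC-SHA over it. The password "maplesyrup" and the engine ID 00..02 are the published RFC 3414 test vectors; the message bytes are constructed stand-ins for a BER-encoded SNMPv3 message, and the function names are this example's own.

```python
import hashlib
import hmac

ONE_MEBIBYTE = 1_048_576   # RFC 3414 password-to-key hashes exactly this many bytes
AUTH_PARAM_LEN = 12        # USM sends only the first 96 bits of the HMAC

# Published RFC 3414 appendix A test vector inputs.
RFC3414_PASSWORD = "maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: str, hash_name: str) -> bytes:
    """Ku = H(password repeated/truncated to 1,048,576 bytes). hash_name is "md5" or "sha1"."""
    pw = password.encode()
    stream = (pw * (ONE_MEBIBYTE // len(pw) + 1))[:ONE_MEBIBYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). Each agent gets its own key, so a key
    recovered from one device cannot be replayed against another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters = first 12 bytes of HMAC-<hash>(Kul, wholeMsg)."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:AUTH_PARAM_LEN]


def protect(kul: bytes, before: bytes, after: bytes, hash_name: str) -> bytes:
    """Sender side: the HMAC is computed over the message with the 12-byte
    msgAuthenticationParameters field set to zeros, then written into that field."""
    zeroed = before + b"\x00" * AUTH_PARAM_LEN + after
    return before + auth_parameters(kul, zeroed, hash_name) + after


def check(kul: bytes, wire: bytes, field_offset: int, hash_name: str) -> bool:
    """Receiver side: extract the tag, zero the field, recompute, compare in constant time."""
    received = wire[field_offset:field_offset + AUTH_PARAM_LEN]
    zeroed = (wire[:field_offset] + b"\x00" * AUTH_PARAM_LEN
              + wire[field_offset + AUTH_PARAM_LEN:])
    return hmac.compare_digest(auth_parameters(kul, zeroed, hash_name), received)


def demo(hash_name: str = "sha1"):
    """Authenticate a constructed message and show that tampering is detected.
    Returns (genuine_message_verifies, tampered_message_verifies)."""
    ku = password_to_key(RFC3414_PASSWORD, hash_name)
    kul = localize_key(ku, RFC3414_ENGINE_ID, hash_name)
    before = b"CONSTRUCTED-HEADER:"      # stands in for msgGlobalData + USM header
    after = b":CONSTRUCTED-SCOPED-PDU"   # stands in for the scopedPDU (the actual request)
    wire = protect(kul, before, after, hash_name)
    genuine = check(kul, wire, len(before), hash_name)
    tampered = wire[:-3] + b"XYZ"        # PDU bytes altered in transit
    forged = check(kul, tampered, len(before), hash_name)
    return genuine, forged


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        ku = password_to_key(RFC3414_PASSWORD, name)
        print(name, "Ku =", ku.hex())
        print(name, "Kul =", localize_key(ku, RFC3414_ENGINE_ID, name).hex())
        print(name, "genuine/tampered verify:", demo(name))
```

The localized key is what an attacker would need to forge or alter SNMPv3 messages; it never leaves the manager and the agent, which is why authNoPriv already removes the plaintext-credential problem of SNMPv1/v2c community strings. authPriv additionally encrypts the scopedPDU (CBC-DES in the text above) so the OIDs and values are not readable on the wire.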

SNMP Recommendations
 - SNMPv1 and SNMPv2 use community strings in clear text.
 - Community strings should be carefully chosen to ensure they are not trivial.
 - Community strings should be changed at regular intervals and in accordance with network security policies.
 - If SNMP is used only to monitor devices, use read-only communities.
 - Ensure that SNMP messages do not spread beyond the management consoles.
 - You can use access-lists to prevent SNMP messages from going beyond the required devices, and on the monitored devices to limit access for management systems only.
 - SNMPv3 is recommended because it provides authentication and encryption.

Configuring SNMP
Community cisco grants read-only access to the local switch, while xyz123 grants read and write access to the local switch.
sw(config)# access-list 100 permit ip 10.1.1.0 0.0.0.255  any
sw(config)# snmp-server community cisco RO 100
sw(config)# snmp-server community xyz123 RW 100
sw(config)# snmp-server host 10.1.1.50 cisco
The snmp-server host command has two purposes: it configures the SNMP server (the trap receiver) and instructs the switch to send its traps to this server, tagged with the community string given on the command line (here the read-only community cisco).

snmp-server manager
The SNMP manager process sends SNMP requests to agents and receives SNMP responses and notifications from agents.
When the SNMP manager process is enabled, the router can query other SNMP agents and process incoming SNMP traps.
Most network security policies assume that routers will be accepting SNMP requests, sending SNMP responses, and sending SNMP notifications.
With the SNMP manager functionality enabled, the router may also be sending SNMP requests, receiving SNMP responses, and receiving SNMP notifications.
The security policy implementation may need to be updated prior to enabling this functionality.

SNMP requests are typically sent to UDP port 161.
SNMP responses are typically sent from UDP port 161.
SNMP notifications  (Traps and InformRequests) are typically sent from UDP port 162.

IP SLA - IP Service Level Agreement
 - An SLA is a contract between the network provider and its customers, or between a network department and internal corporate customers.
 - It provides a form of guarantee to customers about the level of user experience.
 - An SLA specifies connectivity and performance agreements for an end-user service from a service provider.
 - Administrators can ultimately reduce the mean time to repair (MTTR) by proactively isolating network issues.
 - Typically, the technical components of an SLA contain a guarantee level for network availability, network performance in terms of round-trip time (RTT), and network response in terms of latency, jitter, and packet loss. The specifics of an SLA vary depending on the applications an organization is supporting in the network.

IP SLA Measurements
 - The IP SLA measurement functionality in Cisco IOS Software enables configuration of a router to send synthetic traffic to a host computer or a router that has been configured to respond
 - One-way travel times and packet loss data are gathered.
 - Certain measurements also enable jitter data to be collected.

Following are several common functions for IP SLA measurements:
■  Edge-to-edge network availability monitoring
■  Network performance monitoring and network performance visibility
■  VoIP, video, and virtual private network (VPN) monitoring
■  IP service network health readiness or assessment
■  Multiprotocol Label Switching (MPLS) network monitoring
■  Troubleshooting of network operation

Reporting tools use SNMP to extract the data into a database and then report on it.

IP SLA Source and Responder
The IP SLA source is where all IP SLA measurement probe operations are configured either by the command-line interface (CLI) or through an SNMP tool that supports IP SLA operation.
 - The source is the Cisco IOS device that sends probe packets.
 - The destination of the probe might be another Cisco router or another network target, such as  a web server or IP host.
Although the destination of the probe can be any IP device, the measurement accuracy is improved with an IP SLA responder.
An IP SLA responder is a device that runs Cisco IOS Software and is configured as an IP SLA measurement responder with the ip sla monitor responder configuration command.

Configuring IP SLA
 - IP SLA test is done by sending an ipIcmpEcho message to the IP address 10.1.1.1, from the local interface f0/1. This message is sent every 10 seconds
 - The 10.1.1.1 device should be configured to answer  this message with  the  ip sla responder command.

SwitchB(config)# ip sla monitor 11
SwitchB(config-sla)# type echo protocol ipIcmpEcho 10.1.1.1 source-interface fa0/1
SwitchB(config-sla)# frequency 10
SwitchB(config-sla)# exit
SwitchB(config)# ip sla monitor schedule 11 life forever start-time now
SwitchB(config)# track 1 ip sla 11 reachability
Verify IP SLA operation
sw# show ip sla statistics
Round Trip Time (RTT) for Index 1
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 11:11:22.533 eastern Thu Jul 9 2010
Latest operation return code: Timeout
Over thresholds occurred: FALSE
Number of successes: 177
Number of failures: 6
Operation time to live: Forever
Operational state of entry: Active
Last time this entry was reset: Never
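The counters in the show ip sla statistics output above (latest return code, successes, failures, over-threshold flag) are what the track 1 ip sla 11 reachability object reads. The Python below is an added example for these notes, not Cisco code: it models one ICMP echo operation fed with a constructed series of probe results (None = no reply) and derives the two tracking interpretations IOS offers, reachability (up while the target answers at all, return code OK or OverThreshold) and state (up only for OK). The 5000 ms timeout and threshold defaults are IOS defaults; the threshold of 2000 ms used in the run, the class and function names, and the decision to count an OverThreshold reply as a completed (successful) operation are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IcmpEchoOperation:
    """Constructed model of one 'ip sla monitor' ICMP echo entry."""
    timeout_ms: int = 5000       # IOS default 'timeout' for an echo operation
    threshold_ms: int = 5000     # IOS default 'threshold'
    successes: int = 0
    failures: int = 0
    over_threshold_occurred: bool = False
    latest_rtt_ms: Optional[int] = None
    latest_return_code: str = "NotStarted"

    def record_probe(self, rtt_ms: Optional[int]) -> str:
        """Feed one probe result; None means no reply arrived. Returns the return code."""
        if rtt_ms is None or rtt_ms > self.timeout_ms:
            self.latest_return_code = "Timeout"
            self.latest_rtt_ms = None
            self.failures += 1
        elif rtt_ms > self.threshold_ms:
            # The reply arrived, but slower than the configured threshold.
            self.latest_return_code = "OverThreshold"
            self.latest_rtt_ms = rtt_ms
            self.over_threshold_occurred = True
            self.successes += 1  # assumption: counted as a completed operation
        else:
            self.latest_return_code = "OK"
            self.latest_rtt_ms = rtt_ms
            self.successes += 1
        return self.latest_return_code

    def track_reachability(self) -> str:
        """'track <n> ip sla <op> reachability': Up for return code OK or OverThreshold."""
        return "Up" if self.latest_return_code in ("OK", "OverThreshold") else "Down"

    def track_state(self) -> str:
        """'track <n> ip sla <op> state': Up only when the return code is OK."""
        return "Up" if self.latest_return_code == "OK" else "Down"

    def show_statistics(self, index: int) -> str:
        """Render the fields in the order of the 'show ip sla statistics' output above."""
        rtt = "NoConnection/Busy/Timeout" if self.latest_rtt_ms is None else f"{self.latest_rtt_ms} ms"
        return "\n".join([
            f"Round Trip Time (RTT) for Index {index}",
            f"Latest RTT: {rtt}",
            f"Latest operation return code: {self.latest_return_code}",
            f"Over thresholds occurred: {'TRUE' if self.over_threshold_occurred else 'FALSE'}",
            f"Number of successes: {self.successes}",
            f"Number of failures: {self.failures}",
        ])


# Constructed probe results in milliseconds; None = no echo reply within the timeout.
CONSTRUCTED_RTTS: List[Optional[int]] = [12, 15, None, 2100, 14, None]


def simulate(rtts: List[Optional[int]], threshold_ms: int = 2000
             ) -> Tuple[IcmpEchoOperation, List[Tuple[str, str, str]]]:
    """Run the probe series and return the operation plus, per probe,
    (return code, reachability track, state track)."""
    op = IcmpEchoOperation(threshold_ms=threshold_ms)
    trace = []
    for rtt in rtts:
        code = op.record_probe(rtt)
        trace.append((code, op.track_reachability(), op.track_state()))
    return op, trace


if __name__ == "__main__":
    op, trace = simulate(CONSTRUCTED_RTTS)
    for step in trace:
        print("code=%-13s reachability=%-4s state=%s" % step)
    print(op.show_statistics(index=11))
```

The fourth probe is the interesting one: a slow reply keeps the reachability track Up (so a policy that only asks "is the path alive?" holds) while a state track would already flap to Down. Which of the two a tracked static route or HSRP priority should follow depends on whether slow-but-reachable is acceptable for the application covered by the SLA.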