Network Monitoring

(NMS) SNMP Manager: Monitoring software installed on a server labelled the Network Management Station (NMS).
MIB: Management Information Base, a database on the agent that contains information regarding the agent.
OID: Object IDs, the variables contained in the MIB.
Polling: UDP port 161. Requires frequent polling for good response time, which costs BW and CPU cycles.
GET Request: NMS requests MIB OID value.
GET Response: MIB provides OID value.
Flow: Get Req -> Get Reply
SET: NMS requests the MIB set a specific OID value.
Inform: SNMPv2c feature, a trap that requires an ACK.
Server/Client: In SNMP the servers are those which hold MIBs and the client is the manager. 1:Many client:server relationship.

SNMP Versions

SNMP: Simple Network Management Protocol
SNMPv1: Users could be assigned a read and write community string. PW and auth level form the community string, which is sent in plaintext.
SNMPv2c: v2 did away with community strings, 2c brought them back. Community string is still plaintext, but it now has informs.
SNMPv3: v3 introduces authentication and encryption with a PW hash. Engine ID is used to uniquely ID SNMP agents.

SNMP Traps

(config)#snmp-server community <word> <ro/rw> <acl>: Enables SNMP server using community string, with read-only or read-write permissions, using an ACL.
(config)#snmp-server contact <line>: Contact information.
(config)#snmp-server traps: Create SNMP traps.
(config)#snmp-server hosts: Set address of hosts.
(config)#snmp-server group <word> <version> <auth>: Create server group.
(config)#snmp-server engineID remote <ip> udp-port <port> <engineID>: Serves as server ID, necessary for informs and cross-NAT SNMP; required in v3.
authNoPriv: Authentication, no privacy (encryption).
noAuthNoPriv: No authentication, no privacy (encryption).
authPriv: Authentication and privacy (encryption).
(config)#snmp-server user <username> <version> auth <md5/sha> <PW> priv <encryption>: User creation.

Service Level Agreement

CIR: Committed Information Rate, guaranteed provided BW. Allows for planning of WANs.
SLA: Based on minimum guarantees of service. Can be based on just about any measurable network metric. Based on source/responder pairs. Useless without solid NTP.
(config)#ip sla <#>: Enter SLA configuration mode.
Source: Sends control packets to responder on UDP 1967.
Responder: Client being requested to enter SLA. Will send accept or refuse message.
Controlling: Controlling exists until the Source starts to send test packets.
Probing: Time during which test packets are being sent.
sh ip sla application: Shows available SLAs to use.
(config)#ip sla responder: Enables switch/router to act as a responder.
sh ip sla stat: See SLA stats. Will show successful/failed executions of the SLA (not yes/no on an issue).
(config)#ip sla schedule <#> <life/starttime/recurring/ageout> <#> start-time now: Command to configure start and duration of an SLA.

SPAN SwitchPort ANalyzer

SPAN: Allows a switch to mirror traffic from one or more source ports to the dest. port connected to the network analyzer.
Local SPAN: Source and dest. ports are on the same switch. This is the default meaning when speaking of SPAN.
sh monitor: SPAN details (sh span is for STP). Will tell you if none is set up.
(config)#monitor session <#> source <int/vlan/remote> <port/int/Po> destination <int/remote>: Basic setup. Can configure tx/rx (both is default), use port ranges, just about whatever would be relevant to sniffing.
(config)#monitor session <#> filter <vlan range>: For a range of VLANs use the filter keyword.
VTP: Will treat RSPAN VLAN like a normal VLAN. Will prune RSPAN VLAN.
RSPAN: Remote SPAN. All intermediate switches between source and dest must be RSPAN capable. Uses dedicated RSPAN VLAN to move traffic across trunk links.
(config-vlan)#remote-span: Enables remote SPAN for the VLAN interface you're in.
(config)#monitor session # destination remote vlan #: Enables RSPAN for the listed VLAN in the listed monitor session.
(config)#monitor session # source remote vlan #: VLAN has to be created on both ports if VTP isn't running. RSPAN-only VLAN created before RSPAN config.

SPAN Troubleshoot

SPAN: SwitchPort ANalyzer
show int: Will show port as being monitored. Dest port will show up/down (monitoring).
Source ports: Can be monitored by multiple SPAN sessions. Can also be monitored while part of a port channel.
Source/Dest: A port cannot be both a source and destination.
VLAN: Membership doesn't matter.
VSPAN: Using a VLAN as the source.
Trunk: Can be source ports, but will also pull all VLANs.
Speed: Dest should be as fast or faster than source port.
Dest: Can only run one session, IOS won't let you. Can't be part of an EtherChannel and doesn't participate in STP/VTP/CDP/DTP/PAgP/LACP.
RSPAN: Make sure all switches are in the RSPAN VLAN.