12 IP Services Flashcards
Cisco Discovery Protocol (CDP)
Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help us collect
information about locally attached devices. Using CDP, we can gather hardware and protocol information about neighbor devices.
The show cdp command
The show cdp command is great for getting information about two CDP global parameters typically configured on Cisco devices:
■ CDP timer determines how often CDP packets are transmitted out all active interfaces.
■ CDP holdtime determines how long the device will hold packets received from neighbor devices.
SW-3#sh cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled
This output tells us that by default CDP packets are sent every 60 seconds and that packets from a neighbor are held in the CDP table for 180 seconds.
The show cdp neighbor command
The show cdp neighbor command delivers information about directly connected devices. It’s important to remember that CDP packets aren’t passed through a Cisco switch and that you only see what’s directly attached. This means that if your router is connected to a switch, you won’t see any of the Cisco devices connected to that switch!
CDP configuration
SW-3(config)#cdp ?
advertise-v2 - CDP sends version-2 advertisements
holdtime - Specify the holdtime (in sec) to be sent in packets
run - Enable CDP
timer - Specify the rate at which CDP packets are sent (in sec)
tlv - Enable exchange of specific tlv information
sh cdp neighbors detail
This command can be run on both routers and switches, and it displays detailed information about each device connected to the device you’re running the command on, including the IOS version and IP address of the neighbor devices.
Documenting a network topology using CDP
- First, find out the IP addresses of each interface using the show running-config command.
- Next, determine the type of device on the other end of each of these interfaces using the show cdp neighbors command.
- You can also use the show cdp neighbors detail command to view more information.
Link Layer Discovery Protocol (LLDP)
A nonproprietary discovery protocol that provides pretty much the same information as CDP but works in multi-vendor networks.
The IEEE created a new standardized discovery protocol called 802.1AB for Station and Media Access Control Connectivity Discovery, better known as Link Layer Discovery Protocol (LLDP).
LLDP defines basic discovery capabilities, but it was also enhanced to specifically address voice applications. This version is called LLDP-MED (Media Endpoint Discovery).
LLDP and LLDP-MED are not compatible!
LLDP has the following configuration guidelines and limitations:
■ LLDP must be enabled on the device before you can enable or disable it on any interface.
■ LLDP is supported only on physical interfaces.
■ LLDP can discover up to one device per port.
■ LLDP can discover Linux servers.
You can turn off LLDP completely with the no lldp run command from global configuration mode and enable it with the lldp run command. Doing this enables it on all interfaces:
SW-3(config)#no lldp run
SW-3(config)#lldp run
To turn LLDP off or on for an interface, use the lldp transmit and lldp receive commands:
SW-3(config-if)#no lldp transmit
SW-3(config-if)#no lldp receive
SW-3(config-if)#lldp transmit
SW-3(config-if)#lldp receive
Network Time Protocol (NTP)
Network Time Protocol provides time to all your network devices. NTP synchronizes the clocks of computer systems over packet-switched, variable-latency data networks.
Typically you’ll have an NTP server that connects through the Internet to an atomic clock. This time can then be synchronized throughout the network to keep all routers, switches, servers, etc., receiving the same time information and in sync.
Correct network time within the network is important because:
■ It allows the tracking of events in the network in the correct order.
■ Clock synchronization is critical for the correct interpretation of events within the syslog data.
■ Clock synchronization is critical for digital certificates.
Direct console messages to a syslog server
A syslog server saves copies of console messages and can time-stamp them so you can view them later.
SF(config)#service timestamps log datetime msec
SF(config)#ntp server 172.16.10.1 version 4
Configure devices to get accurate time information from a centralized server
SF(config)#ntp server 172.16.10.1 version 4
You can also make your router or switch an NTP server with the ntp master command.
To verify that our NTP client is receiving clocking information, use the following commands:
SF#sh ntp ?
associations - NTP associations
status - NTP status
SF#sh ntp status
S1#sh ntp associations
SNMP
SNMP is an Application layer protocol that provides a message format for agents on a variety of devices to communicate with network management stations (NMSs). A couple of examples are Cisco Prime and SolarWinds. Agents send messages to the NMS, which then either reads or writes information into a database stored on the NMS called a Management Information Base (MIB).
The NMS periodically queries or polls the SNMP agent on a device to gather and analyze statistics via GET messages. End devices running SNMP agents send an SNMP trap to the NMS if a problem occurs.
SNMP has three versions, with version 1 being rarely implemented today.
SNMPv1 - Supports plaintext authentication with community strings and uses only UDP.
SNMPv2c - Supports plaintext authentication with community strings with no encryption but provides GET BULK, which is a way to gather abundant information at once and minimize the number of GET requests. It offers a more detailed error message via a reporting method called INFORM, but it’s not really more secure than v1. It uses UDP even though it can be configured to use TCP.
SNMPv3 - Supports strong authentication with MD5 or SHA, providing confidentiality (encryption) and data integrity of messages via DES or DES-256 encryption between agents and managers. GET BULK is a supported feature of SNMPv3, and this version also uses TCP.
Management Information Base (MIB)
A management information base (MIB) is a collection of information that’s organized hierarchically that can be accessed by protocols like SNMP. RFCs define some common public variables, but most organizations define their own private branches along with basic SNMP standards.
Organizational IDs (OIDs) are laid out as a tree with different levels assigned by different organizations. Top-level MIB OIDs belong to various standards organizations. Vendors assign private branches in their own products.
To obtain information from the MIB on the SNMP agent, you can use several different operations:
■ GET: This operation is used to get information from the MIB to an SNMP manager.
■ SET: This operation is used to get information to the MIB from an SNMP agent.
■ WALK: This operation is used to list information from successive MIB objects within a specified MIB.
■ TRAP: This operation is used by the SNMP agent to send a triggered piece of information to the SNMP manager.
■ INFORM: This operation is the same as a trap, but it adds an acknowledgment, which traps don’t provide.
Configuring SNMP
Four steps to run through to configure a Cisco device for SNMP access:
- Enable SNMP read-write access to the router.
- Configure SNMP contact information.
- Configure SNMP location.
- Configure an ACL to restrict SNMP access to the NMS hosts.
Router(config)#snmp-server community Todd rw
Router(config)#snmp-server location Boulder
Router(config)#snmp-server contact Todd Lammle
Router(config)#ip access-list standard Protect_NMS_Station
Router(config-std-nacl)#permit host 192.168.10.254
Secure Shell (SSH)
Here are the steps for setting up SSH on your Cisco devices:
- Set your hostname:
Router(config)#hostname Todd
- Set the domain name (both the hostname and domain name are required for the encryption keys to be generated):
Todd(config)#ip domain-name Lammle.com
- Set the username to allow SSH client access:
Todd(config)#username Todd password Lammle
- Generate the encryption keys for securing the session:
Todd(config)#crypto key generate rsa
- Enable SSH version 2 on the device:
Todd(config)#ip ssh version 2
- Connect to the VTY lines of the switch or router:
Todd(config)#line vty 0 15
- Tell the lines to use the local database for the password:
Todd(config-line)#login local
- Configure your access protocols:
Todd(config-line)#transport input ?