The document discusses Network Time Protocol (NTP) and syslog logging. It provides an in-depth overview of NTP including key concepts like stratum levels, NTP modes, configuration, authentication, and troubleshooting. It also covers syslog logging, describing how Cisco devices use syslog to send system messages to monitoring locations for fault detection and security auditing. An example NTP lab is shown using GNS3 with configurations for an NTP server, clients, and authentication.
2. TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN
CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY
NETWORK TIME PROTOCOL [NTP]
KEY POINTS:
• NTP stands for Network Time Protocol.
• NTP allows network devices to synchronize their clocks with a central source clock.
• NTP makes sure logging information and timestamps carry the accurate time and date.
• Network Time Protocol (NTP) runs over User Datagram Protocol (UDP) port 123.
• Network Time Protocol (NTP) uses a hierarchical system of time sources.
• Network Time Protocol (NTP) uses client-server architecture to work.
• Currently there are two versions of NTP: version 3 and version 4.
• A Network Time Protocol (NTP) server is also referred to as an NTP Master.
• A router can be configured in three modes: Server, Client and Server/Client mode.
• By default, a router works in Network Time Protocol (NTP) Server/Client mode.
• Stratum defines the reliability and accuracy of a Network Time Protocol source.
• Network Time Protocol (NTP) uses stratum 0 to stratum 15 for NTP sources.
• Stratum 1 is the most reliable and stratum 15 is the worst Network Time Protocol source.
• Stratum 0 represents an atomic clock and is not used in a Cisco router or Cisco switch.
• Stratum 1 to 15 are valid levels and are used in Cisco routers and Cisco switches.
• Stratum 16 means Network Time Protocol (NTP) is not synchronized.
• The default stratum level of a Cisco router's or switch's internal clock is 8.
• Syslog messages are timestamped using the Network Time Protocol (NTP).
NTP Stratum:
• In NTP, stratum levels define the distance from the reference clock.
• A stratum-0 device is assumed to be the most accurate and to have no delay.
• Network Time Protocol Stratum-0 servers cannot be used on the network.
• For example, a device with Network Time Protocol stratum 1 is a very accurate device.
• A Network Time Protocol (NTP) stratum 1 device might have an atomic clock attached to it.
• Another NTP device that uses a stratum 1 server to synchronize its own time would be a stratum 2 device.
• This is because stratum 2 is one Network Time Protocol (NTP) hop further away from the source.
• When multiple NTP servers are configured, the client prefers the NTP server with the lowest stratum value.
NTP Architecture:
• NTP uses stratums 1 to 16 to define clock accuracy.
• A lower NTP stratum value represents higher accuracy.
• Clocks at NTP stratums 1 through 15 are in a synchronized state.
• Clocks at Network Time Protocol stratum 16 are not synchronized.
• The stratum is like a TTL number that decreases at every hop a packet passes.
NTP Modes:
• Cisco Routers and Cisco Switches can use four (4) different NTP modes.
• The modes are NTP Server, NTP Client, NTP Server/Client and NTP Peer (Symmetric Active) mode.
NTP Server Mode:
• NTP server is a network device, which is running NTP service.
• NTP server is configured to provide Time information to NTP clients.
• An NTP server provides only time information to NTP clients.
• An NTP server never accepts time synchronization information from other devices.
• A router in NTP server mode reads time from an NTP source or uses its own clock as the NTP source.
NTP Client Mode:
• In NTP Client mode, the router only receives NTP updates.
• NTP Client does not advertise received updates.
• NTP Client uses them to synchronize its own clock.
NTP Server/Client Mode:
• In NTP Server/Client mode, the router receives updates from an NTP server.
• It also advertises them from its own interfaces.
• In NTP Server/Client mode, a Cisco router or switch plays both roles.
• As NTP Client, it receives NTP updates, and as NTP Server, it advertises NTP updates.
• In NTP Server/Client mode, as an NTP Server, instead of using its own NTP source, the router uses NTP updates received from another NTP server.
• The NTP Server advertises the NTP updates to other NTP Clients.
• This feature allows using a single centralized NTP source at the NTP Server.
NTP Peer Mode:
• An NTP peer does not have authority over the other.
• In NTP peer mode, each device can provide time synchronization to the other.
• So, one can synchronize the other in case of failures.
NTP Master:
• To make a router an authoritative NTP server with which internal devices can synchronize, use the ntp master command.
• The ntp master command tells the router that it is an NTP server.
• An NTP server is also referred to as an NTP Master.
• With this command the router uses its hardware clock as a reference.
NTP Versions:
• Cisco IOS uses many versions, but versions 3 and 4 are the most commonly used.
• Version 4 supports IPv6 and is backwards compatible with NTP version 3.
• Network Time Protocol (NTP) Version 4 also adds DNS support for IPv6.
• Another difference is that NTPv3 uses broadcast messages and NTPv4 uses multicast.
• NTPv4 also allows for increased security using public key cryptography and certificates.
NTP Security & Authentication:
• NTP communications can be secured using an Access Control List.
• NTP can be secured by an authentication mechanism that uses the MD5 algorithm.
• All NTP packets that can update the clock have to be authenticated.
• The packets will be authenticated using HMAC MD5, which carries a key number.
• To use an ACL, write an ACL that allows certain IP addresses or a range, then apply it to NTP.
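The two controls described above (MD5 key authentication and an ACL applied to NTP) can be checked in a saved configuration. The following is an added example, not part of the original workbook: a small Python audit run over two constructed configurations for the lab client, one weak and one hardened. The key string is a placeholder and ACL number 10 is an assumption.

```python
import re

# Constructed sample: the lab client with no NTP protection at all.
WEAK_CONFIG = """\
hostname NTPCLIENT01
ntp server 192.168.1.98 version 3
"""

# Constructed sample: the same client with key authentication and an ACL.
HARDENED_CONFIG = """\
hostname NTPCLIENT01
access-list 10 permit 192.168.1.98
ntp authentication-key 1 md5 <placeholder-key>
ntp authenticate
ntp trusted-key 1
ntp access-group peer 10
ntp server 192.168.1.98 key 1
"""


def audit_ntp(config):
    """Return a list of findings for NTP authentication and ACL gaps."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []

    defined = set()   # key numbers that have an MD5 secret configured
    trusted = set()   # key numbers the device accepts for clock updates
    for line in lines:
        if m := re.match(r"ntp authentication-key (\d+) md5 \S+", line):
            defined.add(m.group(1))
        elif m := re.match(r"ntp trusted-key (\d+)$", line):
            trusted.add(m.group(1))

    if "ntp authenticate" not in lines:
        findings.append("ntp authenticate is missing")

    # Every configured time source must reference a key that is defined and trusted.
    for line in lines:
        m = re.match(r"ntp (server|peer) (\S+)(.*)", line)
        if not m:
            continue
        role, addr, rest = m.groups()
        key = re.search(r"\bkey (\d+)", rest)
        if not key:
            findings.append(f"ntp {role} {addr} has no key")
        elif key.group(1) not in defined & trusted:
            findings.append(f"ntp {role} {addr} uses undefined or untrusted key {key.group(1)}")

    if not any(line.startswith("ntp access-group ") for line in lines):
        findings.append("no ntp access-group is applied")
    return findings
```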
GNS3:
INITIAL CONFIG:
Router(config)#hostname NTPCORE01
NTPCORE01(config)#int e0/0
NTPCORE01(config-if)#ip add dhcp
NTPCORE01(config-if)#no shut
NTPCORE01(config-if)#int e0/3
NTPCORE01(config-if)#ip add 192.168.1.98 255.255.255.0
NTPCORE01(config-if)#no shut
Switch(config)#hostname NTPCLIENT01
NTPCLIENT01(config)#int gi0/0
NTPCLIENT01(config-if)#no switchport
NTPCLIENT01(config-if)#ip add 192.168.1.99 255.255.255.0
NTPCLIENT01(config-if)#no shut
Switch(config)#hostname NTPCLIENT02
NTPCLIENT02(config)#int gi2/0
NTPCLIENT02(config-if)#no switchport
NTPCLIENT02(config-if)#ip add 192.168.1.100 255.255.255.0
NTPCLIENT02(config-if)#no shut
NTP CONFIG STARTS HERE:
Adjust Router Clock
NTPCORE01# show calendar
NTPCORE01# show clock
NTPCORE01# show clock detail
NTPCORE01# clock set 1:20:11 Feb 20 2020
NTPCORE01# show clock
Configure NTP Server
NTPCORE01(config)# ntp master 3
NTPCORE01(config)# interface e0/3
NTPCORE01(config-if)# ntp broadcast
NTPCORE01# show clock
NTPCORE01# show clock detail
Configure NTP Server/Client
NTPCLIENT02(config)# interface gi0/0
NTPCLIENT02(config-if)# ntp broadcast
NTPCLIENT02(config-if)# ntp broadcast client
NTPCLIENT01(config)# ntp server 192.168.1.100 version 3
NTPCLIENT01# show clock
NTPCLIENT01# show clock detail
Configure NTP Client
NTPCLIENT02(config)#ntp server 192.168.1.1 version 3
NTPCLIENT02(config)# interface gi2/0
NTPCLIENT02(config-if)# ntp broadcast client
NTPCLIENT02# show clock
NTPCLIENT02# show clock detail
Configure NTP Peer
NTPCLIENT01(config)# ntp peer 192.168.1.100
NTPCLIENT02(config)# ntp peer 192.168.1.99
NTPCLIENT01(config)# ntp peer 192.168.1.100 version 3
NTPCLIENT02(config)# ntp peer 192.168.1.99 version 3
NTPCLIENT01#show ntp associations
Field: Description
Characters in display lines:
  * Synchronized to this peer
  # Almost synchronized to this peer
  + Peer selected for possible synchronization
  - Peer is a candidate for selection
  ~ Peer is statically configured
Address: Address of peer.
ref clock: Address of reference clock of peer.
St: Stratum of peer.
When: Time since last NTP packet was received from peer.
Poll: Polling interval (in seconds).
Reach: Peer reachability (bit string, in octal).
Delay: Round-trip delay to peer (in milliseconds).
Offset: Relative time of peer clock to local clock (in milliseconds).
Disp: Dispersion.
NTPCLIENT01(config)#do sh ntp packets
Ntp In packets : 19
Ntp Out packets : 20
Ntp bad version packets : 19
Ntp protocol error packets : 0
NTPCLIENT01(config)#
NTPCLIENT01(config)#do sh ntp status
Clock is synchronized, stratum 4, 192.168.1.98
nominal freq is 1000.0003 Hz, actual freq is 1000.0003 Hz, precision is 2**14
ntp uptime is 60000 (1/100 of seconds), resolution is 1000
reference time is E1B69D71.8023BE97 (04:24:17.500 UTC Wed Jan 1 2020)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.07 msec, peer dispersion is 0.00 msec
loopfilter state is 'FREQ' (Drift being measured), drift is 0.000000000 s/s
system poll interval is 64, last update was 72 sec ago.
NTPCLIENT01(config)#
Field: Description
Synchronized: System is synchronized to an NTP peer.
Unsynchronized: System is not synchronized to any NTP peer.
Stratum: NTP stratum of this system.
Reference: Address of peer the system is synchronized to.
nominal freq: Nominal frequency of system hardware clock.
actual freq: Measured frequency of system hardware clock.
Precision: Precision of the clock of this system (in Hertz).
reference time: Reference time stamp.
clock offset: Offset of the system clock to synchronized peer.
root delay: Total delay along path to root clock.
root dispersion: Dispersion of root path.
peer dispersion: Dispersion of synchronized peer.
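The `show ntp status` fields above can be verified by a script before a device's log timestamps are relied on. The following is an added example, not part of the original workbook: it parses the status text, decodes the hexadecimal reference time stamp (seconds since 1900 plus a 32-bit fraction) and reports why a clock should not be trusted. The unsynchronized sample and the 100 msec threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Lines copied from the NTPCLIENT01 "show ntp status" output on this page.
PAGE_STATUS = """\
Clock is synchronized, stratum 4, 192.168.1.98
reference time is E1B69D71.8023BE97 (04:24:17.500 UTC Wed Jan 1 2020)
clock offset is 0.0000 msec, root delay is 0.00 msec
"""

# Constructed sample of a device that has lost its time source.
UNSYNCED_STATUS = """\
Clock is unsynchronized, stratum 16, no reference clock
reference time is 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
"""


def decode_ntp_timestamp(hex_ts):
    """Convert 'SSSSSSSS.FFFFFFFF' (seconds since 1900 plus a 32-bit fraction) to UTC."""
    sec_hex, frac_hex = hex_ts.split(".")
    micros = int(frac_hex, 16) * 1_000_000 // 2**32
    return NTP_EPOCH + timedelta(seconds=int(sec_hex, 16), microseconds=micros)


def parse_ntp_status(text):
    """Extract the fields an audit cares about from 'show ntp status' text."""
    head = re.search(r"Clock is (synchronized|unsynchronized), stratum (\d+), (.+)", text)
    ref = re.search(r"reference time is ([0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})", text)
    off = re.search(r"clock offset is (-?[\d.]+) msec", text)
    if not (head and ref and off):
        raise ValueError("unrecognized 'show ntp status' output")
    return {
        "synchronized": head.group(1) == "synchronized",
        "stratum": int(head.group(2)),
        "reference": head.group(3).strip(),
        "reference_time": decode_ntp_timestamp(ref.group(1)),
        "offset_ms": float(off.group(1)),
    }


def health_problems(status, expected_source, max_offset_ms=100.0):
    """Return reasons why this device's timestamps should not be trusted."""
    problems = []
    if not status["synchronized"] or status["stratum"] >= 16:
        problems.append("clock is not synchronized")
    elif status["reference"] != expected_source:
        problems.append(f"synchronized to unexpected source {status['reference']}")
    if abs(status["offset_ms"]) > max_offset_ms:
        problems.append(f"offset {status['offset_ms']} msec exceeds {max_offset_ms}")
    return problems
```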
Troubleshoot and Verify NTP:
Many commands can be used to verify NTP; some of them are the following:
show ntp status
show ntp associations
show ntp associations detail
debug ntp packet
debug ntp events
debug ntp authentication
SYSLOG
• Syslog stands for System Logging, a standard protocol used to send system logs.
• Cisco network devices (routers and switches) use Syslog to send system messages.
• Cisco network devices send debug output to a local logging process inside the device.
• Syslog is used on a variety of devices to give system information to the system admin.
• Most Cisco devices use the syslog protocol to manage system logs and system alerts.
• Logging can be used for fault notification, network forensics, and security auditing.
• Syslog messages can be output to the console, local buffer or a remote syslog server.
• Logs can include content flow, configuration changes and new software installs etc.
• Logging helps to detect unusual network traffic, network device failures, issues etc.
• Syslog uses UDP port 514.
The syslog logging service provides three primary capabilities:
1. Gathering logging information for monitoring and troubleshooting
2. Selecting the type of logging information that is captured
3. Specifying the destinations of captured syslog messages
Syslog message format
seq no: timestamp: %facility-severity-MNEMONIC: description
Example: 00:00:46: *Feb 20 01:45:15.706: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
The service sequence-numbers command was not configured, but the service
timestamps command was configured. The facility is LINK, the severity is 3, and the
MNEMONIC is UPDOWN.
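The message format above, parsed in an added example that is not part of the original workbook. It splits facility, severity and mnemonic, decides whether a given `logging trap` level would forward the message, and flags messages whose timestamp starts with `*` or `.`, which IOS prints when the device clock is not authoritative or has lost NTP synchronization. The first two sample lines come from this page; the third is constructed.

```python
import re

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

MESSAGE = re.compile(
    r"(?:(?<![\d:])(?P<seq>\d+): )?"              # optional sequence number
    r"(?P<flag>[*.])?"                            # '*' not authoritative, '.' NTP sync lost
    r"(?P<timestamp>[A-Z][a-z]{2} +\d+ [\d:.]+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<description>.*)"
)

SAMPLES = [
    # From the page: the format example and the line received by the syslog server.
    "00:00:46: *Feb 20 01:45:15.706: %LINK-3-UPDOWN: Interface Port-channel1, "
    "changed state to up",
    "Jun 25 15:45:17 192.168.1.100 105: *Feb 20 01:45:15.706: %CDP-4-DUPLEX_MISMATCH: "
    "duplex mismatch discovered on GigabitEthernet2/0 (not half duplex), "
    "with AGGRSW01 Ethernet2/0 (half duplex).",
    # Constructed: a device with a synchronized clock logging a severity 5 event.
    "Feb 20 01:50:02.114: %SYS-5-CONFIG_I: Configured from console by console",
]


def parse_cisco_syslog(line):
    """Return the message fields as a dict, or None if the line is not IOS syslog."""
    m = MESSAGE.search(line)
    if m is None:
        return None
    severity = int(m["severity"])
    return {
        "seq": int(m["seq"]) if m["seq"] else None,
        "timestamp": m["timestamp"],
        "clock_authoritative": m["flag"] is None,
        "facility": m["facility"],
        "severity": severity,
        "severity_name": SEVERITY[severity],
        "mnemonic": m["mnemonic"],
        "description": m["description"],
    }


def forwarded_at(trap_level, msg):
    """True when 'logging trap <trap_level>' sends this message to the server."""
    return msg["severity"] <= trap_level


def untrusted_timestamps(lines):
    """Parsed messages whose timestamp cannot be relied on for event correlation."""
    parsed = (parse_cisco_syslog(line) for line in lines)
    return [msg for msg in parsed if msg and not msg["clock_authoritative"]]
```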
CONFIGURE SYSLOG IN 3-STEPS:
To configure the router to send system messages to a syslog server, complete the following
three steps:
Step 1. Configure the IP address of the syslog server in global configuration mode:
R1(config)# logging 192.168.1.3
Step 2.
R1(config)# logging trap 4
or
R1(config)# logging trap warning
Step 3. Optionally, configure the source interface with the logging source-interface
interface-type interface-number global configuration mode command. This specifies that
syslog packets contain the address of a specific interface, regardless of which interface the
packet uses to exit the router. For example, to set the source interface to g0/0, use the
following command:
R1(config)# logging source-interface g0/0
COMMAND TO SEE “LOGGING” OUTPUT IN CISCO DEVICES:
#Show logging
GNS3
TASK #1 FOLLOW THE LAB FROM PREVIOUS “NTP” SECTION
TASK #2 CONFIGURE “192.168.1.151/24” on SYSLOG SERVER AS SHOWN ABOVE TOPOLOGY
TASK #3 CONFIGURE THE REQUIRED CLI COMMAND ON “NTPCLIENT02”
NTPCLIENT02(config)#logging host 192.168.1.151
NTPCLIENT02(config)#logging trap 4
TASK #4 GOTO SYSLOG SERVER AND ANALYSE PACKETS
root@SYSLOG:~# cat /var/log/syslog
Jun 25 15:45:17 192.168.1.100 105: *Feb 20 01:45:15.706: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet2/0 (not half duplex), with AGGRSW01 Ethernet2/0 (half duplex).
WIRESHARK CAPTURE SCREENSHOT:
OPTIONAL SYSLOG CLI COMMANDS:
Router#config t
Router(config)#logging host <syslog-server-ip>
Router(config)#service timestamps log datetime [msec] [localtime] [show-timezone]
Router(config)#service sequence-numbers
Router(config)#logging buffered 16483
Router(config)#logging <ip.of.syslog.server>
Router(config)#logging console <level>
Router(config)#logging monitor <level>
Router(config)#logging trap <level>
Router(config)#logging history <level>
Router(config)#logging history size <1 to 500>
Router(config)#logging rate-limit all <messages-per-second> except <level>
Router(config)#end
Router#terminal monitor
Router#show running-config
Router#show logging
Router#show logging history
DHCP [DYNAMIC HOST CONFIGURATION PROTOCOL]
• DHCP is an abbreviation for Dynamic Host Configuration Protocol.
• Cisco IOS includes a feature known as Easy IP Lease, which is a full-featured DHCP server.
• DHCP is a client-server protocol that automatically provides an IP address to hosts.
• DHCP also provides the IP address, subnet mask, default gateway, DNS server and other configuration.
• DHCP allows a network device to dynamically receive IP address parameters.
• The DHCP process follows the DORA sequence: Discover, Offer, Request and Acknowledgement.
• DHCP is an application layer protocol used by hosts for obtaining network setup information.
• A DHCP server dynamically configures a host or network device in a network.
• DHCP is a client-server protocol that uses User Datagram Protocol services.
• The DHCP port number for the server is UDP port 67 and for the client is UDP port 68.
• DHCP assigns an Internet Protocol (IP) address from a pool (range) of addresses.
• Dynamic Host Configuration Protocol (DHCP) is an application layer protocol.
Dynamic: Automatically
Host: Any computer that is connected to the network
Configuration: To configure a host means to provide network information
Protocol: Set of rules and regulations
Advantages of DHCP:
• Primary advantage of DHCP is easier management of IP addresses.
• Centralized network client configuration.
• DHCP greatly reduces the time required to configure and reconfigure computers.
• A DHCP server assigning IP addresses automatically avoids configuration errors.
• Ease of adding new clients to a network.
• Reuse of IP addresses reducing the total number of IP addresses.
• No need to reconfigure each client separately.
• Configure the network from a centralized area.
• Easy handling of new users and reuse of IP address can be achieved.
IOS DHCP Server:
• Cisco devices running Cisco software include a DHCP server.
• Cisco router can be used as a DHCP server and the various options available.
• Cisco IOS routers and layer 3 switches can be configured as DHCP server.
• The Cisco IOS DHCP server is a full DHCP server implementation.
• Cisco IOS DHCP assigns and manages IP addresses from specified address pools.
• Cisco IOS DHCP server can be configured to assign additional parameters as well.
• DHCP server is the one responsible for handing out IPs to the clients.
DHCP Client:
• DHCP client is a host using DHCP to obtain configuration parameters.
• The endpoint that receives configuration information from a DHCP server.
• A DHCP client is anything needing an IP address that is not configured statically.
• Cisco routers can be configured as both DHCP servers and DHCP clients.
• DHCP clients use UDP broadcasts to send their initial DHCPDISCOVER messages.
• DHCP Client uses UDP port 67 to send messages to the server.
DHCP OPERATIONS:
STEP 1:
The DHCP client sends out a DHCP Discover message to find the DHCP server. The DHCP Discover message is a layer 2 broadcast as well as a layer 3 broadcast.
Fields in DHCP Discover Message:
Src IP: 0.0.0.0
Dst IP: 255.255.255.255
Src MAC: DHCP client's MAC address
Dst MAC: FF:FF:FF:FF:FF:FF
From the above fields it is clear that the DHCP Discover message is a Network Layer and Data Link Layer broadcast.
STEP 2:
The DHCP server receives the DHCP Discover message from the client and sends back the DHCP Offer message with the field information below:
Src IP: DHCP server IP address
Dst IP: 255.255.255.255 #Still broadcast, as the client still has no IP address#
Src MAC: MAC address of DHCP server
Dst MAC: DHCP client's MAC address
From the above fields it is clear that the DHCP Offer message is a layer 2 unicast but still a layer 3 broadcast.
STEP 3:
The DHCP client receives the DHCP Offer from the DHCP server and sends back a DHCP Request message with the following fields:
Src IP: 0.0.0.0 #The IP address still has not been assigned to the client#
Dst IP: 255.255.255.255 #Still broadcast, as the client must have received an Offer from more than one DHCP server in its domain; the DHCP client accepts the Offer that it receives earliest, and by broadcasting it tells the other DHCP servers to release the offered IP address to their available pool again#
Src MAC: MAC address of DHCP server
Dst MAC: DHCP client's MAC address
The above fields show that the DHCP Request message is also a layer 2 unicast and a layer 3 broadcast.
STEP 4:
Once the DHCP client sends the request to get the offered IP address, the DHCP server responds with an Acknowledge message towards the DHCP client with the fields below:
Src IP: DHCP server IP address
Dst IP: 255.255.255.255
Src MAC: MAC address of DHCP server
Dst MAC: DHCP client's MAC address
The above fields show that the DHCP Acknowledge is a layer 2 unicast but still a layer 3 broadcast.
For more detail you must get familiar with the DHCP header fields.
A few important fields from the DHCP header are listed below for reference:
Ciaddr: Client IP address.
Yiaddr: 'Your' (client) IP address; the server's response to the client.
Siaddr: Server IP address; the address of the sending server or of the next server to use in the next bootstrap process step.
Giaddr: Relay agent IP address, used in booting via a relay agent.
Chaddr: Client hardware address.
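The header fields listed above, decoded from raw bytes in an added example that is not part of the original workbook. It builds a Discover and an Offer, then parses ciaddr, yiaddr, siaddr, giaddr, chaddr and the message type (option 53), rejecting short or malformed packets. The MAC address, transaction ID and IP addresses are constructed sample values.

```python
import socket
import struct

# Fixed BOOTP/DHCP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file (236 bytes in total).
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = bytes.fromhex("63825363")
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def build_message(msg_type, mac, xid, yiaddr="0.0.0.0", siaddr="0.0.0.0"):
    """Build a minimal DHCP message with the broadcast flag set (test input)."""
    op = 1 if msg_type in (1, 3) else 2          # 1 = from client, 2 = reply from server
    header = HEADER.pack(
        op, 1, 6, 0, xid, 0, 0x8000,
        socket.inet_aton("0.0.0.0"), socket.inet_aton(yiaddr),
        socket.inet_aton(siaddr), socket.inet_aton("0.0.0.0"),
        bytes.fromhex(mac.replace(":", "")), b"", b"",
    )
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])   # type option, end option


def parse_message(data):
    """Decode the header fields listed above plus the DHCP message type."""
    start = HEADER.size
    if len(data) < start + 4 or data[start:start + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: short packet or missing magic cookie")
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr, _sname, _file) = HEADER.unpack_from(data)
    msg_type, opts, i = None, data[start + 4:], 0
    while i < len(opts) and opts[i] != 255:      # 255 = end of options
        if opts[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or i + 2 + opts[i + 1] > len(opts):
            raise ValueError("truncated DHCP option")
        code, length = opts[i], opts[i + 1]
        if code == 53 and length == 1:
            msg_type = MESSAGE_TYPES.get(opts[i + 2], str(opts[i + 2]))
        i += 2 + length
    return {
        "type": msg_type,
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "ciaddr": socket.inet_ntoa(ciaddr),
        "yiaddr": socket.inet_ntoa(yiaddr),
        "siaddr": socket.inet_ntoa(siaddr),
        "giaddr": socket.inet_ntoa(giaddr),
        "chaddr": chaddr[:hlen].hex(":"),
    }


# Constructed sample exchange: client Discover, then the server's Offer.
DISCOVER = build_message(1, "aa:bb:cc:00:01:00", 0x1234ABCD)
OFFER = build_message(2, "aa:bb:cc:00:01:00", 0x1234ABCD,
                      yiaddr="192.168.1.50", siaddr="192.168.1.98")
```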
DHCP DISCOVER WIRESHARK PACKETS: