Chapter 18 of 27

Monitoring and Control: SNMP, syslog, QoS, FTP, TFTP, and SSH

Gain visibility and control over your network using logging, monitoring, secure remote access, and simple file transfer services.

Big Picture: Monitoring and Control in Cisco Networks

Why This Module Matters

You now move from just making packets flow to seeing and controlling how the network behaves: monitoring, logging, secure access, and file transfer.

Key Tool Categories

You will use: SNMP and syslog for visibility, SSH for secure CLI access, FTP/TFTP for configs and images, and QoS to protect important traffic.

Exam Focus

CCNA questions expect you to recognize each tool’s role, read basic configs and outputs, and spot obvious misconfigurations or missing security.

SNMP Fundamentals: How Devices Expose Metrics

SNMP Roles

SNMP uses a manager–agent model. The NMS is the manager; each router and switch runs an agent exposing counters and status.

MIBs and Operations

Information is stored as objects in a MIB. The manager does GET/SET on OIDs; devices send TRAP/INFORM messages for important events.

SNMP Versions

SNMPv1/v2c use cleartext community strings; SNMPv3 adds authentication and encryption and is the secure, recommended option.

SNMP on Cisco IOS: Basic Config and Verification

SNMPv2c Read-Only Setup

Create a read-only community: `snmp-server community NETMON-RO ro`. This lets tools poll stats but not change configs.

Restrict Access with ACL

Use a standard ACL so only the NMS can query: `ip access-list standard NMS-SNMP` then `permit 10.10.10.50` and bind it to the community.

SNMPv3 Secure Example

For secure monitoring, define a v3 group and user with auth+priv, then point the host to use that user with `version 3 priv`.
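
The three steps above assembled into one IOS configuration, as an added example that is not part of the original chapter. The group name `NETMON-GRP`, the user name `netmon`, and the `<...>` passphrases are placeholders; the community string, ACL name, and NMS address are the ones used in the text.

```cisco
! Added example. NETMON-GRP, netmon and the <...> passphrases are placeholders.
!
! Only the NMS at 10.10.10.50 may query this device over SNMP
ip access-list standard NMS-SNMP
 permit 10.10.10.50
!
! SNMPv2c: read-only community bound to the ACL (the trailing ACL name does the binding).
! The community string still crosses the wire in cleartext.
snmp-server community NETMON-RO ro NMS-SNMP
!
! SNMPv3: the group requires auth+priv, and the same ACL limits who may query
snmp-server group NETMON-GRP v3 priv access NMS-SNMP
snmp-server user netmon NETMON-GRP v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>
!
! Send notifications to the NMS as that user, authenticated and encrypted
snmp-server host 10.10.10.50 version 3 priv netmon
!
! Once SNMPv3 polling works, the v2c community can be removed:
!   no snmp-server community NETMON-RO
!
! Verification (privileged EXEC):
!   show snmp community
!   show snmp group
!   show snmp user
```

On IOS the `snmp-server user` line is not displayed in the running configuration, so confirm the user with `show snmp user` rather than by reading the config.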

Syslog: Centralized Logging for Cisco Devices

What Syslog Does

Syslog collects messages about events like interface flaps, link errors, and config changes and can send them to a central server.

Severity Levels

Severities range from 0 (emergencies) to 7 (debugging). Lower number = more important; thresholds control what actually gets logged.

Why Centralize Logs

A remote syslog server keeps logs after reboots, lets you search across devices, and aligns with NTP time for accurate timelines.

Configuring Syslog on Cisco IOS

Add Timestamps

Use `service timestamps log datetime msec localtime show-timezone` so each log line has clear, precise timing info.

Send Logs to Server

Point to the syslog server with `logging host 10.20.20.5`, then choose the threshold with `logging trap warnings` (severities 0–4).

Verify with show logging

Use `show logging` to see buffer settings, server details, and recent messages to confirm logs are flowing as expected.

QoS Basics: Why Classification, Marking, and Queuing Matter

QoS Goal

QoS ensures important traffic like voice and video still works well when links are congested by deciding who gets priority.

Classification & Marking

Classification groups flows into classes; marking writes DSCP/CoS values into packets so every hop knows each packet’s class.

Queuing Under Congestion

When an interface is busy, packets sit in different queues; schedulers like priority queuing decide which queues are served first.

Simple QoS Scenario: Protecting Voice Traffic

The Problem Without QoS

On a small WAN link, big file transfers can crowd out voice packets, causing choppy or delayed calls.

Classify and Prioritize Voice

Match DSCP EF traffic in a class-map, then give it a priority queue with `priority percent 20` in a policy-map.

Apply and Verify

Attach the policy to the WAN interface with `service-policy output` and verify with `show policy-map interface`.
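
The voice-protection scenario above as a complete policy, as an added example that is not part of the original chapter. The class-map name `VOICE`, the policy-map name `WAN-OUT`, and the interface `GigabitEthernet0/0` are assumptions chosen for illustration.

```cisco
! Added example. VOICE, WAN-OUT and GigabitEthernet0/0 are assumed names.
!
! Classification: match packets already marked DSCP EF (voice)
class-map match-all VOICE
 match dscp ef
!
! Queuing: voice goes to the priority queue, capped at 20% of the link
! so that it is served first without starving the other classes
policy-map WAN-OUT
 class VOICE
  priority percent 20
 ! Everything else stays best-effort and shares the remaining bandwidth
 class class-default
  fair-queue
!
! Apply outbound on the congested WAN interface
interface GigabitEthernet0/0
 service-policy output WAN-OUT
!
! Verification (privileged EXEC): per-class match and drop counters
!   show policy-map interface GigabitEthernet0/0
```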

SSH vs Telnet, FTP, and TFTP: Secure Access and File Transfer

SSH vs Telnet

SSH encrypts remote CLI traffic on TCP 22 and is preferred. Telnet on TCP 23 is cleartext and appears mainly as a legacy protocol or an exam distractor.

TFTP Basics

TFTP uses UDP 69, has no login or encryption, and is often used for quick config or IOS transfers in controlled environments.

FTP Basics

FTP uses TCP 20/21, supports usernames and directories, but classic FTP is still cleartext unless secured by FTPS or SFTP.

Hands-On: Configure SSH and Use TFTP/FTP on a Cisco Device

This step walks you through a practical, CCNA‑level configuration of SSH, then shows how to back up configs using TFTP or FTP.
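
An SSH-only configuration and config backup of the kind this step describes, as an added example that is not part of the original chapter. The hostname `R1`, the domain `example.local`, the user `admin`, and every `<...>` value are placeholders.

```cisco
! Added example. R1, example.local, admin and all <...> values are placeholders.
!
! A hostname and domain name must be set before the RSA key pair can be generated
hostname R1
ip domain-name example.local
crypto key generate rsa modulus 2048
!
! Accept SSH version 2 only
ip ssh version 2
!
! Local account; "secret" stores a hash instead of a reversible password
username admin privilege 15 secret <STRONG-SECRET>
!
! VTY lines: authenticate against the local user database and refuse Telnet
! (many switches have lines 0 15 rather than 0 4)
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! Credentials the router uses when it acts as an FTP client
ip ftp username <FTP-USER>
ip ftp password <FTP-PASSWORD>
!
! Verification (privileged EXEC):
!   show ip ssh
!   show ssh
!
! Backups (privileged EXEC); each command prompts for the server address
! and destination filename:
!   copy running-config tftp:
!   copy running-config ftp:
```

Both TFTP and classic FTP send the configuration in cleartext, so run these copies only toward a server on the management network.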

Thought Exercise: Designing a Small Monitoring and Control Setup

Imagine you are the network admin for a small office with:

  • 1 edge router (doing NAT to the internet)
  • 2 access switches with VLANs for users and servers
  • 1 Windows/Linux server that can run NMS + syslog + TFTP/FTP services

Your goals:

  • Monitor device health and interface usage
  • Collect logs centrally
  • Securely manage devices remotely
  • Back up configs and IOS images

Mentally design your setup by answering these prompts (you can jot notes on paper or in your editor):

  1. SNMP design
     • Which device will act as the SNMP manager?
     • Which SNMP version will you use and why?
     • How will you restrict SNMP access (hint: ACL)?
  2. Syslog design
     • Which device will be the central syslog server?
     • What severity level will you send to the server (e.g., warnings and above)?
     • Why is time synchronization (NTP) important here?
  3. Remote access
     • How will you ensure all devices use SSH instead of Telnet?
     • Where will you store local admin accounts and passwords?
  4. File transfer
     • Will you use TFTP, FTP, or both for config and IOS backups? Why?
     • How often will you schedule backups (e.g., after each change, nightly)?

After you sketch your design, compare it mentally against these checks:

  • SNMPv3 preferred, with ACLs
  • Central syslog server receiving at least warnings (severity 4) and more severe messages
  • SSH only on VTY lines
  • TFTP/FTP only reachable from a management VLAN, not the open internet.

Quiz 1: Monitoring and Logging

Check your understanding of SNMP and syslog.

You are configuring monitoring on a Cisco router. The security team requires encrypted management traffic and centralized logs that include interface up/down events and critical errors. Which combination best meets these requirements?

  A) Enable SNMPv2c with a read-write community, use Telnet for CLI, and log only to the console.
  B) Enable SNMPv3 with auth+priv, use SSH for CLI, and send syslog messages of severity warnings and higher to a remote server.
  C) Enable SNMPv1, use SSH for CLI, and send only debugging messages to a remote syslog server.
  D) Disable SNMP entirely, use Telnet for CLI, and rely on the local logging buffer for all logs.

Answer: B) Enable SNMPv3 with auth+priv, use SSH for CLI, and send syslog messages of severity warnings and higher to a remote server.

The secure choice is SNMPv3 with authentication and encryption (auth+priv) plus SSH for encrypted CLI. Sending syslog messages of severity warnings (4) and higher to a remote server captures critical events like interface up/down and errors. The other options either use insecure protocols (Telnet, SNMPv1/v2c without protection) or poor logging practices.

Quiz 2: QoS and File Transfer

Test yourself on QoS concepts and FTP/TFTP usage.

A branch office has voice, video, and data traffic sharing a low-bandwidth WAN link. The network engineer wants to ensure voice gets low latency while still allowing other traffic. Which design best matches basic QoS principles and common Cisco practice?

  A) Classify all traffic as best-effort and rely on FIFO queuing.
  B) Classify voice traffic, mark it with DSCP EF, place it in a priority queue with a bandwidth limit, and treat remaining traffic as best-effort.
  C) Mark all traffic with the same DSCP value to simplify configuration.
  D) Use TFTP to transfer voice packets faster than other packets.

Answer: B) Classify voice traffic, mark it with DSCP EF, place it in a priority queue with a bandwidth limit, and treat remaining traffic as best-effort.

QoS should classify voice, mark it with DSCP EF, and place it in a controlled priority queue so it has low latency without starving other traffic. The remaining traffic can be best-effort. FIFO alone cannot protect voice; marking everything the same removes differentiation; TFTP is unrelated to per-packet QoS.

Key Term Review: Monitoring, QoS, and Secure Access

Flip through these cards to reinforce core terms from this module.

SNMP Manager
The network management system (NMS) that polls SNMP agents, reads/writes MIB objects, and receives traps or informs from devices.
SNMP Agent
Software running on a network device (router, switch, firewall) that exposes management information via SNMP to an external manager.
SNMPv3 auth+priv
The secure SNMPv3 mode that provides both authentication and encryption of SNMP messages, recommended for production networks.
Syslog Severity 0–7
Numeric levels where 0 is emergencies, 1 alerts, 2 critical, 3 errors, 4 warnings, 5 notifications, 6 informational, and 7 debugging.
Classification (QoS)
The process of identifying and grouping traffic into classes based on attributes such as IP, ports, protocol, VLAN, or existing DSCP/CoS markings.
Marking (QoS)
Writing QoS values (such as DSCP in the IP header or CoS in the 802.1Q VLAN tag) into packets so that downstream devices know how to treat them.
Queuing (QoS)
Storing packets in different queues when an interface is congested and scheduling them according to policies like priority or fair queuing.
SSH
Secure Shell, a protocol that provides encrypted remote CLI access (TCP port 22) and replaces Telnet on modern Cisco networks.
TFTP
Trivial File Transfer Protocol, a simple UDP-based protocol (port 69) used for basic, unauthenticated file transfers like IOS and config backups in trusted environments.
FTP
File Transfer Protocol, a TCP-based protocol (ports 20/21) that supports usernames and directories but is unencrypted in its classic form.

Key Terms

CoS
Class of Service, a 3-bit field in the 802.1Q VLAN tag used to indicate Layer 2 QoS priority.
FTP
File Transfer Protocol, a connection-oriented file transfer protocol using TCP ports 20 and 21, supporting user authentication but typically unencrypted.
MIB
Management Information Base, a hierarchical database of managed objects that an SNMP agent exposes to an SNMP manager.
NMS
Network Management System, a central platform that monitors and sometimes controls network devices, often using SNMP and syslog.
QoS
Quality of Service, a set of mechanisms that manage congestion and prioritize certain types of network traffic over others.
SSH
Secure Shell, an encrypted protocol for remote command-line access to network devices, typically using TCP port 22.
DSCP
Differentiated Services Code Point, a 6-bit field in the IP header used to mark packets for QoS treatment.
SNMP
Simple Network Management Protocol, a standard protocol that lets a central manager monitor and sometimes control network devices via agents and MIB objects.
TFTP
Trivial File Transfer Protocol, a simple, connectionless file transfer protocol using UDP port 69, with no authentication or encryption.
SNMPv3
The secure version of SNMP that supports authentication and encryption, preferred for production monitoring and management traffic.
Syslog
A standard logging protocol used by Cisco devices to send event messages with severity levels to local and remote destinations.
Telnet
A legacy protocol for remote CLI access that transmits data in cleartext over TCP port 23 and is considered insecure.
Logging buffer
Memory on a Cisco device used to store log messages locally, viewable with the show logging command.
Priority queue
A special QoS queue that is serviced before others to ensure low latency for delay-sensitive traffic like voice.
Syslog severity
A numeric level from 0 (emergencies) to 7 (debugging) that indicates the importance or urgency of a syslog message.
