Network Services Flashcards

1
Q

NTP

A

NTP is used to synchronize timekeeping among a set of distributed time servers and clients. NTP uses UDP port 123 as both the source and destination port, and UDP in turn runs over IP.
An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. An NTP client makes one transaction with its server per polling interval (from 64 to 1024 seconds). The polling interval changes dynamically over time depending on the network conditions between the NTP server and the client. No more than one NTP transaction per minute is needed to synchronize two machines.
The communications between machines running NTP (associations) are usually statically configured: each machine is given the IP addresses of all machines with which it should form associations. In a LAN, however, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each machine only needs to be configured to send or to receive broadcast messages. The accuracy of timekeeping is marginally reduced, though, because the information flow is one-way only.

2
Q

NTP Versions

A

NTPv4 is an extension of NTPv3 and provides the following capabilities:

NTPv4 supports IPv6, making NTP time synchronization possible over IPv6.

Security is improved over NTPv3. NTPv4 provides a whole security framework that is based on public key cryptography and standard X.509 certificates.

Using specific multicast groups, NTPv4 can automatically calculate its time-distribution hierarchy through an entire network. NTPv4 automatically configures the hierarchy of the servers to achieve the best time accuracy for the lowest bandwidth cost.

In NTPv4 for IPv6, IPv6 multicast messages instead of IPv4 broadcast messages are used to send and receive clock updates.
3
Q

Stratum

A

NTP uses the concept of a stratum to describe how many NTP hops away a machine is from an authoritative time source. For example, a Stratum 1 time server has a radio or atomic clock directly attached to it. It then sends its time to a Stratum 2 time server through NTP, and so on. A machine running NTP automatically chooses, as its time source, the machine with the lowest stratum number among those it is configured to communicate with via NTP. This strategy effectively builds a self-organizing tree of NTP speakers.

4
Q

NTP Synchronization

A

NTP avoids synchronizing to a machine whose time may not be accurate in two ways:

NTP never synchronizes to a machine that is not synchronized itself.

NTP compares the time that several machines report. NTP will not synchronize to a machine whose time is significantly different from the others, even if its stratum is lower.
5
Q

NTP Modes

A

NTP can operate in four different modes, which give you flexibility in configuring time synchronization in your network:

Server

Client

Peer

Broadcast/multicast
6
Q

NTP Mode - Client

A

It synchronizes its time to the server.

A device that is an NTP client can act as an NTP server to another device.

7
Q

NTP Mode - Server

A

It provides accurate time information to clients.

A device that is an NTP client can act as an NTP server to another device.

8
Q

NTP Mode - Peer

A

Peers exchange time synchronization information. The peer mode is also commonly known as symmetric mode. It is intended for configurations where a group of low stratum peers operate as mutual backups for each other.

Symmetric modes are most often used between two or more servers operating as a mutually redundant group and are configured with the ntp peer command. In these modes, the group members arrange the synchronization paths among themselves for maximum performance, depending on network jitter and propagation delay. If one or more of the group members fail, the remaining members automatically reconfigure as required.

9
Q

NTP Mode - Broadcast/Multicast

A

The broadcast mode requires a broadcast server on the same subnet. Because routers do not propagate broadcast messages, only broadcast servers on the same subnet are used. Broadcast mode is intended for configurations that involve one or a few servers and a potentially large client population. On a Cisco device, a broadcast server is configured by using the ntp broadcast command with a local subnet address. A Cisco device acting as a broadcast client is configured by using the ntp broadcast client command, which allows the device to accept broadcast messages received on any interface.

10
Q

NTP Authentication Configuration

A

Cisco devices support only MD5 authentication for NTP. To configure NTP authentication, follow these steps:

1. Define the NTP authentication key or keys with the ntp authentication-key command. Each key number identifies a unique NTP key.

2. Enable NTP authentication by using the ntp authenticate command.

3. Tell the device which keys are valid for NTP authentication by using the ntp trusted-key command. The only argument to this command is the key number that you defined in the first step.

4. Specify the NTP server that requires authentication by using the ntp server ip_address key key_number command. You can similarly authenticate NTP peers by using the ntp peer ip_address key key_number command.

Not all clients need to be configured with NTP authentication. NTP does not authenticate clients; it authenticates the time source. Therefore, the device will still respond to unauthenticated requests. Be sure to use access lists to limit NTP access.

11
Q

NTP ACL Restrictions

A

For NTP, the following four restrictions can be configured through access lists:

peer: Time synchronization requests and control queries are allowed. A device is allowed to synchronize itself to remote systems that pass the access list.

serve: Time synchronization requests and control queries are allowed. A device is not allowed to synchronize itself to remote systems that pass the access list.

serve-only: It allows synchronization requests only.

query-only: It allows control queries only.
12
Q

PTP

A

PTP is defined in IEEE 1588 as the Precision Clock Synchronization Protocol for Networked Measurement and Control Systems. PTP was developed to synchronize clocks in packet-based networks that include distributed device clocks of varying precision and stability. PTP is designed specifically for industrial, networked measurement and control systems, and is well suited to distributed systems because it requires minimal bandwidth and little processing overhead.

13
Q

PTP Characteristics

A

The following are PTP characteristics:

Smart grid power automation applications, such as peak-hour billing, virtual power generators, and outage monitoring and management, require extremely precise time accuracy and stability.

Timing precision improves network monitoring accuracy and troubleshooting ability.

The PTP message-based protocol can be implemented on packet-based networks, such as Ethernet networks.

The benefits of using PTP in an Ethernet network include:

    Low cost and easy setup in existing Ethernet networks.

    Limited bandwidth is required for PTP data packets.
14
Q

Best Master Clock Algorithm (BMCA)

A

The BMCA specifies how each clock on the network determines the best primary clock in its subdomain among all the clocks it can see, including itself. The BMCA runs locally and continuously on each port in the network, once per announce interval, and quickly adjusts to changes in network configuration. BMCA based on IEEE 1588-2008 uses announce messages to advertise clock properties.

15
Q

BMCA Criteria

A

The BMCA uses the following criteria to determine the best primary clock in the subdomain:

Clock quality, where GPS is considered the highest quality.

Clock accuracy of the clock’s time base.

Stability of the local oscillator.

Closest clock to the grandmaster.
16
Q

BMCA Attributes to Determine Best Clock

A

BMCA based on IEEE 1588-2008 compares the clock's own data set with the received data set to determine the best clock, using the following attributes in the indicated order:

Priority1: User-assigned priority to each clock. The range is from 0 to 255. The default value is 128.

Class: The class to which the clock belongs; each class has its own priority.

Accuracy: Precision between clock and UTC, in nanoseconds.

Variance: Variability of the clock.

Priority2: Final-defined priority. The range is from 0 to 255. The default value is 128.

Unique Identifier: 64-bit Extended Unique Identifier (EUI).
17
Q

PTP Clock Types

A

A PTP network is made up of PTP-enabled devices and devices that are not using PTP.

The PTP-enabled devices typically consist of the following clock types:

The Grandmaster Clock is the primary source of time for clock synchronization using PTP.

An Ordinary Clock is a PTP clock with a single PTP port.

A Boundary Clock in a PTP network operates in place of a standard network switch or router.

A Transparent Clock in a PTP network updates the time-interval field that is part of the PTP event message. This update compensates for switch delay and has an accuracy of within one picosecond.
18
Q

Transparent Clock Types

A

There are two types of transparent clocks:

End-to-end (E2E) transparent clocks measure the PTP event message transit time for SYNC and DELAY_REQUEST messages. The secondary uses this information when determining the offset between the secondary’s and the primary’s time. End-to-end transparent clocks do not provide correction for the propagation delay of the link itself.

Peer-to-peer (P2P) transparent clocks measure PTP event message transit time in the same way end-to-end transparent clocks do. In addition, peer-to-peer transparent clocks measure the upstream link delay. The upstream link delay is the estimated packet propagation delay between the upstream neighbor peer-to-peer transparent clock and the peer-to-peer transparent clock under consideration. These two times (message transit time and upstream link delay time) are both added to the correction field of the PTP event message, and the correction field of the message received by the secondary contains the sum of all link delays. In theory, this is the total end-to-end delay (from primary to secondary) of the SYNC packet.
19
Q

PTP Domain Characteristics

A

These are PTP domain characteristics:

A PTP domain is an interacting set of clocks that synchronize to one another using PTP.

Domains allow multiple clock distribution systems to share the same communications medium.

The default domain is 0.

Cisco Industrial Ethernet (IE) switches work with a single domain.

The Power Profile standard requires the domain to be configurable.

A boundary clock drops packets that carry the wrong domain.
20
Q

Logging mechanisms

A

Cisco device syslog messages, which include OS notifications about unusual network activity and administrator-enabled debug messages.

SNMP trap notifications about network device status or configured thresholds being reached.

Exporting of network traffic flows using NetFlow.
21
Q

Syslog Destinations

A

Console: By default, logging is enabled on the console port. Hence, the console port always processes syslog output even if you are using some other port or method (such as aux, vty, or buffer) to capture the output.

AUX and VTY Ports: To receive syslog messages when connected to the AUX port or remotely logged into the device via Telnet or SSH through the vty lines, type the terminal monitor command.

Memory Buffer: Logging to memory logs messages to an internal buffer. The buffer is circular in nature, so newer messages overwrite older messages after the buffer is filled. The buffer size can be changed, but to prevent the router from running out of memory, do not make the buffer size too large. To enable system message logging to a local buffer, use the logging buffered command in global configuration mode. To display messages that are logged in the buffer, use the show logging command. The first message displayed is the oldest message in the buffer.

Syslog Server: To log system messages and debug output to a remote host, use the logging host command in the global configuration mode. This command identifies a remote host (usually a device serving as a syslog server) to receive logging messages. By issuing this command more than once, you can build a list of hosts that receive logging messages.

Flash Memory: Logging to the buffer poses a problem when trying to capture debugs for an intermittent issue or during high traffic: when the buffer is full, older messages are overwritten, and when the device reboots, all messages are lost. Persistent logging allows you to write logged messages to files on a router's flash disk. To log messages to flash, use the logging persistent command.
22
Q

Syslog Format

A

seq no:time stamp: %facility-severity-MNEMONIC:description

seq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured.

time stamp: Date and time of the message or event, which appears only if the service timestamps log [datetime | uptime] global configuration command is configured.

facility: The facility to which the message refers (for example, SNMP, system, and so on).

severity: Single-digit code from 0 to 7 that is the severity of the message.

MNEMONIC: The text string that uniquely describes the message.

description: The text string containing detailed information about the event that the message is reporting.

23
Q

Logging Severity

A

There are eight levels of severity of logging messages. Levels are numbered from 0 to 7, from most severe (emergency messages) to least severe (debug messages).

By default, system logging is “on,” and the default severity level is debugging, which means that all messages are logged.

Emergency (Severity 0): System is unusable

Alert (Severity 1): Immediate action needed

Critical (Severity 2): Critical condition

Error (Severity 3): Error condition

Warning (Severity 4): Warning condition

Notification (Severity 5): Normal but significant condition

Informational (Severity 6): Informational message

Debugging (Severity 7): Debugging message

24
Q

SNMP Components

A

SNMP Manager, or network management system (NMS): Collects management data from managed devices via polling or trap messages.

SNMP Agent: Found on a managed network device, it locally organizes data and sends it to the manager.

25
Q

Management Information Base (MIB)

A

MIBs are collections of definitions of the managed objects. SNMP agents keep the database of values for definitions written in the MIB.

26
Q

SNMP Trap

A

SNMP traps are unsolicited notifications sent from an agent to a manager. SNMP traps are event-based and provide near-real-time event notifications.

27
Q

SNMP Message Types

A

SNMPv1 introduced five message types: GET request, GET NEXT request, SET request, GET response, and Trap.

SNMPv2 introduced two new message types: GET BULK request, which polls large amounts of data, and Inform Request, a type of trap message with expected acknowledgment on receipt. Version 2 also added 64-bit counters to accommodate faster network interfaces.

28
Q

SNMPv3 Security Levels

A

noAuthNoPriv: No authentication is required, and no privacy (encryption) is provided.

authNoPriv: Authentication is based on Message Digest Algorithm 5 (MD5) or Secure Hash Algorithm (SHA). No encryption is provided.

authPriv: In addition to authentication, Cipher Block Chaining (CBC) mode Data Encryption Standard (DES) encryption is used.

29
Q

SNMP Basic Guidelines

A

Restrict access to read-only: NMS systems rarely need SNMP write access. Separate community credentials should be configured for systems that require write access.

Restrict manager SNMP views to only the needed set of MIBs: By default, there is no SNMP view entry. A view works like an access list: once any SNMP view permits certain MIB trees, every other tree is implicitly denied.

Configure access control lists (ACLs) to restrict SNMP access to only known managers: Access lists should be used to limit SNMP access to only known SNMP managers.

Implement security mechanisms: SNMPv3 is recommended whenever possible. It provides authentication, encryption, and integrity. Be aware that the SNMPv1 or SNMPv2c community string was not designed as a security mechanism and is transmitted in cleartext. Nevertheless, community strings should not be trivial and should be changed at regular intervals.

30
Q

NetFlow Components

A

Flow Exporter: The router or network device in charge of collecting flow information and exporting it to a flow collector.

Flow Collector: A server that receives the exported flow information.

Flow Analyzer: An application that analyzes the flow information collected by the flow collector.

31
Q

Netflow Use Cases

A

Analysis of new applications and their impact on the network: Identify new application network loads such as VoIP or remote-site additions and analyze the impact on your network.

Reduction in peak WAN traffic: Use NetFlow statistics to measure WAN traffic improvement from application-policy changes and understand who is using the network.

Troubleshooting and understanding network challenges: Quickly diagnose slow network performance, bandwidth hogs, and bandwidth utilization with CLI or reporting tools.

Detection of unauthorized WAN traffic: Avoid costly upgrades by identifying the applications causing congestion.

Detection of security issues and anomalies: Use NetFlow for anomaly detection and worm diagnosis along with applications such as Cisco Stealthwatch.

Validation of QoS parameters: Confirm that appropriate bandwidth has been allocated to each class of service (CoS) and that no CoS is over or undersubscribed.

32
Q

IP Flow Attributes

A

Traditionally, an IP flow is based on a set of five to seven IP packet attributes:

IP source address

IP destination address

Source port

Destination port

Layer 3 protocol type

CoS

Router or switch interface

33
Q

Additional Info added to a flow

A

Additional information added to a flow includes the following:

Flow time stamps to understand the life of a flow; time stamps are useful for calculating packets and bytes per second.

Next-hop IP addresses, including BGP routing autonomous system numbers.

Subnet mask for the source and destination addresses to calculate prefixes.

TCP flags to examine TCP handshakes.

34
Q

Steps to implement NetFlow data reporting

A

The following steps are used to implement NetFlow data reporting:

NetFlow is configured to capture flows to the NetFlow cache; it is referred to as the “NetFlow record.”

The NetFlow export is configured to send flows to the collector.

The NetFlow cache is searched for flows that have terminated, which are exported to the NetFlow collector server.

Approximately 30 to 50 flows are bundled together and transported in UDP format to the NetFlow collector server; it is referred to as the “NetFlow Monitor.”

The NetFlow collector software creates real-time or historical reports from the data.

35
Q

Netflow Versions

A

The export versions, including versions 5, 7, and 9, are well-documented formats. In the past, the most common format that was used is NetFlow export version 5, but version 9 is the latest format. NetFlow export version 9 has some advantages for important technologies, such as security, traffic analysis, and multicast.

The main feature of the NetFlow version 9 export format is that it is template-based. A template describes a NetFlow record format and attributes of fields (such as type and length) within the record. The router assigns each template an ID, which is communicated to the NetFlow Collection Engine along with the template description. The template ID is used for all further communication from the router to the NetFlow Collection Engine.

These templates allow NetFlow data export format version 9 to accommodate NetFlow-supported technologies such as Multicast, Multiprotocol Label Switching (MPLS), and Border Gateway Protocol (BGP) next hop. The version 9 export format enables you to use the same version for main and aggregation caches, and the format is extendable, so you can use the same export format with future features.

There is also version 10, but this version number identifies IP Flow Information Export (IPFIX). Although IPFIX is heavily based on NetFlow version 9, version 10 is not a NetFlow format as such, and IPFIX has replaced the NetFlow protocol itself. Based on the NetFlow version 9 implementation, IPFIX is on the IETF standards track with RFC 5101 (obsoleted by RFC 7011), RFC 5102 (obsoleted by RFC 7012), and so on, which were published in 2008.

36
Q

Cisco IOS Embedded Event Manager (EEM)

A

EEM is a powerful and flexible tool for automating tasks and customizing the behavior of Cisco IOS Software and the operation of a device.

EEM is a primarily product-independent software feature consisting of a series of event detectors, an EEM server, and interfaces that allow action routines, called policies, to be invoked.

The scripts are referred to as EEM policies and can be programmed using a simple CLI-based interface or using a scripting language called Tool Command Language (Tcl).