Skip to main content

System Management - Key concepts

 Device Management

Console and VTY

  • Console and VTY provide access to the device CLI for configuration and troubleshooting.
    • Console is used for local access.
    • VTY allows remote access via Telnet or SSH.
    • TCP Keepalives: Use service tcp-keepalives-in to avoid dead Telnet or SSH sessions occupying VTY lines.

Router1(config)#service tcp-keepalives-in

Technical Tip: To prevent being locked out of a router due to exhausted VTY lines, configure an access list restricting VTY access.

access-list 9 permit 172.25.1.1

line vty 0 4

 access-class 9 in

  • Source Interface for Telnet: Set the router to use a specific IP for outgoing Telnet connections using:

ip telnet source-interface loopback0

SSH and SCP

  • SSH: Use Secure Shell (SSH) to securely access the device. Configure SSH with RSA keys.

ip domain-name example.com

crypto key generate rsa modulus 1024

  • SCP (Secure Copy Protocol): SCP can be used to securely transfer files between network devices.

Technical Tip: Ensure SSH and SCP are properly configured on the device with password-based or key-based authentication for security.

RESTCONF and NETCONF

  • RESTCONF and NETCONF are modern APIs for managing network devices.
    • NETCONF uses XML for communication.
    • RESTCONF uses HTTP-based methods for managing network configurations.

Technical Tip: Use NETCONF for configuration and state monitoring when automating with tools like Ansible or Python scripts. RESTCONF is more HTTP-friendly and can integrate with web applications.

Using Telnet

  • Telnet: Insecure and should be replaced with SSH. However, for legacy systems, manage sessions by adjusting the inactivity timer.

service tcp-keepalives-in

exec-timeout 180

Technical Tip: Disable the default hostname resolution to avoid unnecessary Telnet connections on typos.

Router1(config)#line vty 0 4

Router1(config-line)#transport preferred none

Using ARP

  • ARP: Use Address Resolution Protocol to map IP addresses to MAC addresses. Commands like show ip arp help troubleshoot address mappings.

Technical Tip: Clear ARP cache when troubleshooting inconsistent IP-to-MAC mappings:

clear arp-cache

Using CDP

  • CDP (Cisco Discovery Protocol): Use show cdp neighbors detail for topology discovery and neighbor information.

Technical Tip: Reduce CDP timer settings for quicker updates in dynamic environments:

cdp timer 30

cdp holdtime 120

Using IP Host

  • IP Host: Configure static DNS-like mappings between hostnames and IP addresses using the ip host command.

Technical Tip: Use ip host for quick telnet or SSH access to devices:

ip host Router1 192.168.1.1

Reload Commands

  • Schedule router reloads for maintenance or upgrades:

reload in 20

reload at 14:00 Feb 15

Technical Tip: Always use the show reload command to verify scheduled reloads and use reload cancel if needed.

SNMP

SNMP Overview

  • SNMP (Simple Network Management Protocol) is used for monitoring and managing network devices.
    • SNMP Manager: The network management system (NMS) that collects data from network devices.
    • SNMP Agent: The software on the device that responds to SNMP queries.

SNMP Versions

  • SNMPv1/v2c: Uses community strings for authentication (less secure).
  • SNMPv3: Adds security with authentication and encryption, providing:
    • Message Integrity: Ensures the message was not tampered with.
    • Authentication: Verifies the source of the message.
    • Encryption: Secures the contents of the message.

Technical Tip: Always prefer SNMPv3 for better security, using authentication and encryption:

snmp-server user user1 group1 v3 auth md5 password123 priv des password123

SNMP Configuration

  • Basic SNMP configuration example:

snmp-server community public ro 33

snmp-server location DataCenter

snmp-server enable traps bgp hsrp

snmp-server host 192.168.1.100 public

Technical Tip: Use access-lists to restrict SNMP queries to specific IP ranges:

access-list 33 permit 192.168.1.0 0.0.0.255

Traps and Informs

  • Traps: Unreliable notifications sent to the SNMP manager.
  • Informs: Reliable notifications requiring an acknowledgment from the SNMP manager.

Technical Tip: Use traps for routine monitoring, but consider informs for critical events where confirmation is essential.

Logging

Logging (Local Logging, Syslog, Debugs)

  • Local Logging: Logs messages to the internal buffer.

logging buffered 8192

Technical Tip: Limit log buffer size to avoid memory exhaustion on the device.

  • Syslog: Sends log messages to an external Syslog server.

logging host 192.168.1.100

logging trap debugging

  • Debugging: Use debug commands for real-time troubleshooting, but be cautious as they may affect performance.

debug ip packet

undebug all  # Turn off debugging

Technical Tip: Always use conditional debugging to limit the scope of debug output to specific interfaces or protocols:

debug interface Loopback0

Timestamps

  • Timestamps: Use timestamps to add time information to log messages, aiding in event correlation.

service timestamps log datetime msec localtime show-timezone

Technical Troubleshooting Tips

  • Always use show commands to verify configurations:

show running-config

show snmp community

show log

  • When logging messages, ensure correct severity levels are configured for better visibility:

logging trap errors

  • For SNMP issues, verify the SNMP community strings and ACLs blocking SNMP traffic using:

show snmp community

show access-lists

Labels:

Comments

Post a Comment

Popular posts from this blog

How to import Putty Saved Connections to mRemoteNG

Just started using mRemoteNG and its being very cool to connect to different remote connection with different protocols e.g Window Remote Desktop, VNC to Linux, SSH, HTTP connection etc. from a single application. As new user I configured some remote desktop connection which was quite easy to figure out. But when I wanted to add SSH connections, it came in my mind to import all of the saved connections in the putty. But I couldn't figure it out how can it be done, though it was quite easy and here are the steps. Open your mRemoteNG Create a folder if you want segregation of multiple networks Create a new connection Enter the IP address of remote server under connection in Config pane Under the config pane, select protocol " SSH version 2 ".  Once you select protocol to SSH version 2 you are given option to import putty sessions, as shown in the snap below. In the above snap, I have imported CSR-AWS session from my saved sessions in Putty.
1 comment
Read more

Authoritative DNS Servers Delegation and Internal DNS Explained

DNS (Domain Name System) plays a critical role in how users and systems find resources on the internet or within internal networks. Whether it's managing an internal domain in an enterprise or delegating parts of a domain for traffic distribution, DNS setups vary widely depending on needs. In this blog post, we’ll break down the different types of DNS setups, including authoritative DNS servers, DNS delegation, and how internal DNS functions within organizations. 1. Authoritative DNS Server An Authoritative DNS server is the final source of truth for a specific domain. When someone queries a domain (e.g., example.com ), the authoritative DNS server for that domain holds the DNS records (A records, CNAME, MX, etc.) and responds with the corresponding IP address. Key Points: Who can host it? Authoritative DNS servers are often hosted by domain registrars (e.g., GoDaddy, Namecheap) or cloud DNS providers (e.g., AWS Route 53, Cloudflare). However, organizations can also host their ...
Post a Comment
Read more

BGP MED: Managing Inbound Traffic with Multi-Exit Discriminator

The Multi-Exit Discriminator (MED) is used in BGP to control inbound traffic into your AS. It tells a neighboring AS which entry point into your network it should prefer when there are multiple links between your AS and the neighboring AS. The lower the MED value , the more preferred the path. MED is only honored between the same neighboring AS . Example Scenario : You are connected to ISP1 via two routers, CE1 and CE2 , and want to control which router ISP1 uses to send traffic into your AS. Network Topology : CE1 (connected to ISP1): 10.0.1.1/30 CE2 (connected to ISP1): 10.0.2.1/30 iBGP Router (Internal) connected to both CE1 (10.0.1.2/30) and CE2 (10.0.2.2/30). Configuration on CE1 (Lower MED, More Preferred) : Create a route map to set the MED to 50 for CE1: route-map SET_MED permit 10 set metric 50 Apply this route map to the neighbor in the BGP configuration for CE1: router bgp 65001 neighbor 10.0.1.1 remote-as 65000 neighbor 10.0.1.1 route-map SET_MED out Configuratio...
Post a Comment
Read more