Monitoring Campus -

Monitoring Campus



Severity Levels

Emergencies(0) Alerts(1) Critical(2) Errors(3)


stopped processes

paltform errors

hardware issues

port security


ACl issues

TCAM issues

PAgP problems

ethernet controller

interface Up/Down

Warnings(4) Notofications(5) Informational(6) Debugging(7)

DHCP snooping




inline power


interface line protocol

stack events

port security

pynamic ARP inspection




hardware diagmostics

debug output

Message format

00:30:39 %SYS  5 CONFIG_I:  Configured from Console by Console
Timestamp Facility Severity Mnemonic Message Text
  • Timestamp - the date and time from the internal switch clock. Up time by default.
  • Facility Code - a system identifier that categorizes the switch function or module that has generated the message; the facility code always begins with a percent sign.
  • Severity - a number from 0 to 7 that indicates how important or severe the event is; a lower severity means the event is more critical.
  • Mnemonic - a short text string that categorizes the event within the facility code
  • Message Text - a description of the event or condition that triggered the system message.

Logging to the Console

Switch(config)# logging console severity

Redirect the console messages to remote access session

Switch(config)# terminal monitor

Logging to the Internal Buffer

    By default, the internal logging buffer is disabled

Switch(config)# logging buffered severity

    By default, the logging buffer is 4096 bytes or characters long, which is enough space to collect 50 lines of full-length text.

Switch(config)# logging buffered size

Remote Syslog Server

    Messages are sent from a switch to a syslog server over the network using UDP port 514.

Switch(config)# logging host ip-address
Switch(config)# logging trap severity
Switch(config-if)# no logging event link-status

Internal System Clock

Switch(config)# clock timezone name offset-hours [ offset-minutes ]
Switch(config)# clock summer-time name date start-month date year hh:mm end-month day year hh:mm [ offset-minutes ]


Switch(config)# clock summer-time name recurring [ start-week day month hh:mm end-week day month hh:mm [ offset-minutes ]
Switch(config)# exit
Switch# clock set hh:mm:ss


NTP Mode Description
Server The device synchronizes with a source in a lower stratum and
provides time synchronization with servers or clients in a higher
Client The device synchronizes its clock with an NTP server.
Peer The device exchanges time information with another peer device.
Broadcast/multicast The device operates as an NTP server, but pushes time information
out to any listening device. Because the “push” is in only one
direction, the time accuracy can suffer somewhat.

    By default, NTP Version 3 is used; NTP Version 4 adds IPv6 capability.

Switch(config)# ntp server ip-address [ prefer ] [ version { 3 | 4 }]

Securing NTP

    The authentication process does not encrypt the NTP data; it is used to authenticate an NTP server so that the NTP client knows it is a trusted source.

Switch(config)# ntp authentication-key key-number md5 key-string
Switch(config)# ntp authenticate
Switch(config)# ntp trusted-key key-number
Switch(config)# ntp server ip-address key key-number

    Define an access list and to apply it to NTP operation.

Switch(config)# access-list acl-num permit ip-address mask
Switch(config)# ntp access-group {serve-only | serve | peer | query-only } acl-num

    For the ntp access-group command, you should use one of the following keywords to specify which type of NTP activity should be permitted.

  • serve-only - only synchronization requests are permitted
  • serve - synchronization and control requests are permitted; the device is not permitted to synchronize its own time clock
  • peer - synchronization and control requests are permitted; the device can synchronize its own time clock
  • query-only - permit only control queries.

SNTP (Simplified Network Time Protocol) Time Synchronization

    When a switch is configured for SNTP, it operates as an NTP client only.

Switch(config)# sntp authentication-key key-number md5 key-string
Switch(config)# sntp authenticate
Switch(config)# sntp trusted-key key-number
Switch(config)# sntp server ip-address key key-number

Adding Time Stamps to Logging Messages

Switch(config)# service timestamps log datetime [ localtime ] [ show-timezone ] [ msec ] [ year ]


  • manager - A network management system that uses SNMP to poll and receive data from any number of network devices. The SNMP manager usually is an application that runs in a central location
  • agent - A process that runs on the network device being monitored. All types of data are gathered by the device itself and stored in a local database. The agent can then respond to SNMP polls and queries with information from the database, and it can send unsolicited alerts or “traps” to an SNMP manager.

    A data about itself is stored in a Management Information Base (MIB) database in memory and is updated in real time.

    An SNMP manager communicate with an SNMP agent over UDP port 161.

  • get request - the value of one specific MIB variable is needed
  • get next request - the next or subsequent value following an initial get request is needed
  • get bulk request - whole tables or lists of values in a MIB variable are needed
  • set request - a specific MIB variable needs to be set to a value

    In case of traps or inform UDP port 162 is  used.

  • SNMP trap - news of an event (interface state change, device failure, and so on) is sent without any acknowledgment that the trap has been received
  • inform request - news of an event is sent to an SNMP manager, and the manager is required to acknowledge receipt by echoing the request back to the agent

    Each SNMPv3 group is defined with a security level that describes the extent to which the SNMP data will be protected. The following security levels area vailable.

  • noAuthNoPriv - SNMP packets are neither authenticated nor encrypted
  • authNoPriv - SNMP packets are authenticated but not encrypted
  • authPriv - SNMP packets are authenticated and encrypted
Version Authentication Data Protection Unique Features
SNMPv1 Community string None 32-bit counters
SNMPv2c Community string None Adds bulk request and inform request message types, 64-bit counters
SNMPv3 Username Hash-based MAC (SHA or MD5) DES, 3DES, AES (128- 192-, 256-bit) encryption Adds user authentication, data integrity, and encryption Adds restricted views

Configuring SNMP


Switch(config)# access-list access-list-number permit ip-addr
Switch(config)# snmp-server community community- string [ ro | rw ] [ access-list-number ]
Switch(config)# snmp-server host host-address community-string [ trap-type ]


Switch(config)# access-list access-list-number permit ip-addr
Switch(config)# snmp-server community string [ ro | rw ] [ access-list-number ]
Switch(config)# snmp-server host host-address [ informs ] version 2c community-string


Switch(config)# access-list access-list-number permit ip-addr
Switch(config)# snmp-server view view-name oid-tree

    If no view is configured, all MIB variables are visible to the users.

Switch(config)# snmp-server group group-name v3 { noauth | auth | priv } [ read read- view ] [ write write-view ] [ notify notify-view ] [ access access-list ]

    The SNMPv3 priv keyword and packet encryption can be used only if the switch is running a cryptographic version of its Cisco IOS Software image

Switch(config)# snmp-server user user-name group-name v3 auth {md5 | sha } auth- password priv { des | 3des | aes { 128 | 192 | 256 } priv-password [ access-list-number ]
Switch(config)# snmp-server host host-address [ informs ] version 3 { noauth | auth | priv } username [ trap-type ]


Type Description Third-party management platform
icmp-echo ICMP echo response time Yes
path-echo Hop-by-hop and end-to-end response times over path
discovered from ICMP echo
path-jitter Hop-by-hop jitter over ICMP echo path No
dns DNS query response time Yes
dhcp DHCP IP address request response time Yes
ftp FTP file-retrieval response time Yes
http Web page-retrieval response time Yes
udp-echo End-to-end response time of UDP echo Yes
udp-jitter Round-trip delay, one-way delay, one-way jitter, one-way
packet loss, and connectivity using UDP packets
tcp-connect Response time to build a TCP connection with a host Yes

    IP SLA responder must also add time stamps to the packets it sends, to flag the time a test packet arrived and the time it left the responder. For this to work accurately, both the source and responder must synchronize their clocks through NTP.

    To set up an IP SLA operation, the Cisco IP SLA source device begins by opening a control connection to the IP SLA responder over UDP port 1967. The source uses the control connection to inform the responder to begin listening on an additional port where the actual IP SLA test operation will take place.

Configuring IP SLA

Switch(config)# ip sla responder

    IP SLA MD5

Switch(config)# key chain chain-name
Switch(config-keychain)# key key-number
Switch(config-keychain-key)# key-string string
Switch(config-keychain-key)# exit
Switch(config-keychain)# exit
Switch(config)# ip sla key-chain chain-name

    On the source switch

Switch(config)# ip sla operation-number
Switch(config-ip-sla)# test-type parameters...
Switch(config-ip-sla)# icmp-echo destination-ip-addr [ source-ip-addr ]
Switch(config-ip-sla)# udp-jitter destination-ip-addr dest-udp-port [ source-ip source-ip-addr ] [ source-port source-udp-port ] [ num-packets number-of-packets ] [ interval packet-interval ]

    As an alternative, you can configure the udp-jitter operation to test Voice over IP (VoIP) call quality. To do this, the udp-jitter command must include the codec keyword and a codec definition. The IP SLA operation will then
simulate a real-time stream of voice traffic using a specific codec.

Switch(config-ip-sla)# udp-jitter destination-ip-addr dest-udp-port codec { g711alaw | g711ulaw | g729a }

    By default, IP SLA operations are run at regular 60-second intervals for the lifetime of the test.

Switch(config-ip-sla)# frequency seconds

    Schedule the test operation

Switch(config)# ip sla schedule operation-number [ life { forever | sec-onds }] [ start-time { hh: mm [: ss ] [ month day | day month ] | pending | now | after hh:mm:ss }] [ ageout seconds ] [ recurring ]

    HSRP can track the status of an IP SLA operation to automatically decrement the priority value when the target device stops answering ICMP echo packets.

Switch(config)# track object-number ip sla operation-number { state | reachability }
Switch(config-if)# standby group track object-number decrement decrement-value

Port Mirroring

Switched Port Analyzer (SPAN)

Switch(config)# monitor session session-number source { interface type member/mod/num | vlan vlan-id }[ rx | tx | both ]
Switch(config)# monitor session session-number destination interface type member/mod/num [ encapsulation replicate ]

    The destination port does not participate in STP. Only one session available per destination port, but source port can be monitored in multiply sessions. 

    SPAN does not normally copy Layer 2 protocols that are sent by the switch itself. Examples include Spanning Tree Protocol (STP) bridge protocol data units (BPDUs), Cisco Discovery Protocol (CDP), Virtual Trunking Protocol (VTP), Dynamic Trunking Protocol (DTP), and Page Aggregation Protocol (PAgP). If you want to capture any VLAN tagging information or the Layer 2 protocol packets, you can add the encapsulate replicate keywords.

    SPAN destination interface can only transmit mirrored traffic by default. Any frames that are sent into the destination interface are simply dropped. To override the default SPAN behavior. Add the following command syntax to the monitor session destination command to allow ingress traffic:

ingress { dot1q vlan vlan-id | isl | untagged vlan vlan-id }

    If the SPAN source is a trunk port, you might want to mirror only traffic from specific VLANs on the trunk.

Switch(config)# monitor session session-number filter vlan vlan-range

Remote SPAN

    An RSPAN-capable switch also floods the RSPAN packets out all its ports belonging to the RSPAN VLAN, in an effort to send them toward the RSPAN destination.

Switch(config)# vlan
Switch(config-vlan)# vlan-id remote-span
Switch(config)# monitor session session-number mod/num | vlan vlan-id }[ rx | tx | both ]
Switch(config)# rspan-vlan-id destination monitor session session-number remote vlan

 On destination switch

Switch(config)# rspan-vlan-id monitor session session-number source remote vlan rspan-vlan-id
Switch(config)# monitor session session-number destination interface type member/mod/num [ encapsulation replicate]

    RSPAN must allow the STP to run on the RSPAN VLAN to prevent bridging loops from forming. As a result, STP BPDUs normally are sent and received on the VLAN. You cannot monitor BPDUs with RSPAN.

Managing SPAN Sessions

Switch# show running-config | include monitor
Switch# show monitor [session { session-number | all | local | range range-list | remote}] [detail]
Switch(config)# no monitor session { session | range session-range } | local | all }


Leave a Comment: