Network Management - CompTIA Network+ N10-006 Cert Guide (2015)

Chapter 11. Network Management

After completion of this chapter, you will be able to answer the following questions:

- What are some of the more common tools used to physically maintain a network?

- What components are involved in configuration management?

- What sorts of network monitoring tools are available to network administrators, and what types of information are included in various logs?

Even with a network’s increasing dependence on wireless technologies, physical cabling still serves as the critical backbone of a network. Therefore, network management, monitoring, and troubleshooting require a familiarity with a variety of cable maintenance tools. These tools might be used, for example, to physically terminate cabling and troubleshoot cabling issues. This chapter addresses these and other maintenance tools, providing an overview of each.

Another key network management element is documentation, which encompasses, for example, managing device configuration information. Such configuration repositories are continually evolving entities requiring ongoing attention. This chapter discusses several of the most important configuration element components.

This chapter concludes by addressing network monitoring resources and the reports that can be generated from them. For example, the primary network management protocol used by network management systems (NMSs) is Simple Network Management Protocol (SNMP), and this chapter discusses the various versions of SNMP. In addition, syslog servers and a variety of reports are considered.

Foundation Topics

Maintenance Tools

The number of troubleshooting issues occurring in a network can be reduced by proper installation and configuration. For example, improper wiring might function immediately following an installation; however, over time, the wiring might start to experience intermittent issues that cause network disruptions. In such a situation, you, as a network administrator, need to be familiar with a collection of maintenance tools to help diagnose, isolate, and resolve the wiring issue.

Therefore, this chapter presents you with a collection of popular network tools. Having this understanding can help you better perform initial installations and resolve issues with existing installations.

Bit-Error Rate Tester

Interference on a transmission medium, or faulty cabling, can cause errors in the transmission of binary data (or bits). A common measurement for bit errors is called bit error rate (BER), which is calculated as follows:

BER = Bit errors / Bits transmitted

For example, imagine that a network device transmitted the binary pattern of 10101010; however, the pattern received by the destination device was 10101111. Comparing these two bit patterns reveals that the sixth and eighth bits were incorrectly received. Therefore, the BER could be calculated by dividing the number of bit errors (two) by the number of transmitted bits (eight), resulting in a BER of 25 percent (BER = 2 / 8 = .25).

When troubleshooting a link where you suspect a high BER, you can use a piece of test equipment called a bit-error rate tester (BERT), as shown in Figure 11-1. A BERT contains both a pattern generator (which can generate a variety of bit patterns) and an error detector (which is synchronized with the pattern generator and can determine the number of bit errors), and it can calculate a BER for the tested transmission link.


Figure 11-1 Bit-Error Rate Tester (BERT) (Photo Courtesy of BBN International [http://www.bbnint.co.uk])
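As an added example (not from the cert guide), the following Python script models a BERT in software: a PRBS-7 pattern generator, a constructed noisy channel standing in for a faulty link, and a synchronized error detector that computes BER = bit errors / bits transmitted. The LFSR polynomial, the channel model and the seeds are assumptions of the example.

```python
import random


def prbs7(n_bits, seed=0x7F):
    """Generate n_bits of the PRBS-7 test pattern (x^7 + x^6 + 1) from a
    7-bit Fibonacci LFSR. Any non-zero seed produces the same 127-bit cycle."""
    if not 0 < seed < 0x80:
        raise ValueError("seed must be a non-zero 7-bit value")
    state = seed
    out = []
    for _ in range(n_bits):
        new_bit = ((state >> 6) ^ (state >> 5)) & 1
        state = ((state << 1) | new_bit) & 0x7F
        out.append(new_bit)
    return out


def noisy_channel(bits_in, flip_probability, rng):
    """Constructed channel model: every bit is flipped independently with
    probability flip_probability, standing in for interference or a bad cable."""
    return [b ^ 1 if rng.random() < flip_probability else b for b in bits_in]


def bit_error_rate(sent, received):
    """Return (bit_errors, BER) where BER = bit errors / bits transmitted."""
    if len(sent) != len(received):
        raise ValueError("sent and received streams must be the same length")
    errors = sum(1 for s, r in zip(sent, received) if s != r)
    return errors, errors / len(sent)


def bert_run(n_bits, flip_probability, channel_seed=1):
    """Model one BERT measurement: the pattern generator emits PRBS-7, the
    link corrupts it, and the error detector regenerates the same PRBS-7
    locally (it is synchronized with the generator) to count mismatches."""
    rng = random.Random(channel_seed)
    transmitted = prbs7(n_bits)
    received = noisy_channel(transmitted, flip_probability, rng)
    reference = prbs7(n_bits)            # the detector's synchronized copy
    return bit_error_rate(reference, received)


def bits(pattern):
    """Turn a string such as '10101010' into a list of ints."""
    return [int(c) for c in pattern]


if __name__ == "__main__":
    # The chapter's hand-worked case: 10101010 sent, 10101111 received.
    print(bit_error_rate(bits("10101010"), bits("10101111")))   # (2, 0.25)
    # A longer link test at a 1-in-1000 flip rate.
    errors, ber = bert_run(100_000, 0.001)
    print(f"{errors} errors in 100000 bits, BER = {ber:.2e}")
```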

Butt Set

A butt set is a piece of test equipment typically used by telephone technicians. The clips on the butt set can connect to a punch-down block (for example, a 66 block or a 110 block) that connects to a telephone. This allows the technician to check a line (for example, to determine whether a dial tone is present on the line or whether a call can be placed from the line).

The name butt set (which is sometimes called a butt in) comes from the device’s capability to butt into (or interrupt) a conversation in progress. For example, a telephone technician might be at the top of a telephone pole and connect to the wires of a phone currently in a call. The technician would then butt into the call, identifying himself and stating that he was testing the line.

Although a butt set is an extremely common piece of test equipment for telephone technicians, it is less useful to you as a network administrator. One exception, however, is when you are working on a digital subscriber line (DSL) connection. You could use a butt set while working on DSL wiring to confirm that a dial tone is present on the line.

Cable Certifier

Chapter 3, “Network Components,” introduced you to a variety of unshielded twisted-pair (UTP) wiring categories (for example, Category 3, Category 5, and Category 5e). Different UTP categories support different data rates over specific distances. If you are working with existing cable and want to determine its category, or if you simply want to test the supported frequency range (and therefore data throughput) of a cable, you can use a cable certifier.

Cable Tester

A cable tester can test the conductors in an Ethernet cable. A cable tester is made up of two parts. By connecting these parts to each end of a cable under test, you can check the wires in the cable for continuity (that is, make sure there are no opens, or breaks, in a conductor). In addition, you can verify an RJ-45 connector’s pinouts (that the wires are connected to the appropriate pins on an RJ-45 connector).

Connectivity Software

When you are physically separate from the network you are maintaining or troubleshooting, you might be able to access the network through remote connectivity software that enables you to take control of a PC that is located on a remote network. In addition, Microsoft has its own proprietary protocol called Remote Desktop Protocol (RDP), which supports remotely connecting to a Microsoft Windows computer. Figure 11-2 shows Microsoft’s Remote Desktop Connection application (which comes with most professional versions of Microsoft Windows). In the figure, you see a dialog box prompting a user for the IP address of the remote computer to which they want to connect.


Figure 11-2 Microsoft’s Remote Desktop Connection

Crimper

A crimper, as pictured in Figure 11-3, can be used to attach a connector (for example, an RJ-45 connector) to the end of a UTP cable. To accompany a crimper, you might want to purchase a spool of cable (for example, Category 6 UTP cable) and a box of RJ-45 connectors. You will then be equipped to make your own Ethernet patch cables, which might be less expensive than buying preterminated UTP cables, and convenient when you need a patch cable of a nonstandard length or when you need a nonstandard pinout on the RJ-45 connectors (for example, when you need a T1 crossover cable). Many crimpers have a built-in wire stripper and wire snip function as well.


Figure 11-3 Crimper

Electrostatic Discharge Wrist Strap

Do you remember a time when you touched a metallic object and received a shock because of the static electricity you built up (for example, by walking on a carpeted floor)? That static discharge was probably a few thousand volts. Although the shock might have caused you to recoil your hand, you survived this event because the amperage of the shock was low (probably just a few milliamps). Although no damage was done to your hand or the object you touched, if the static discharge occurred when you touched a component on a circuit board, you could destroy that component.

Viewed under a microscope, the damage done to electrical components subjected to static shock is very evident, with visible craters in the components. Therefore, you must take care when handling circuit boards (for example, blades used in modular switches or routers) to avoid destroying potentially expensive equipment.

As a precaution, you can wear an electrostatic discharge (ESD) wrist strap. The strap is equipped with a clip that you attach to something with a ground potential (for example, a large metal desk). While wearing the wrist strap, if you have any static buildup in your body, the static flows to the object with a ground potential, to which your strap is clipped, thus avoiding damage to any electrical components you might touch.


Note

Some ESD wrist straps contain a resistor to prevent you from being harmed if you come in contact with a voltage source capable of producing a significant current. Specifically, the formula for voltage is V = R * I, where V is voltage, R is resistance, and I is current. By rewriting the formula as I = V / R, you can see that if electricity has to flow through a greater resistance, the resulting current will be lower and, therefore, safer.


Environmental Monitor

Components (for example, routers, switches, and servers) making up a computer network are designed to operate within certain environmental limits. If the temperature rises too high in a server farm, for example, possibly because of an air-conditioner outage, components could begin to fail. To prevent such an occurrence, you can use environmental monitors to send an alert if the temperature in a room rises above or drops below administratively configured thresholds. By alerting appropriate personnel about a suspicious temperature variation before it becomes an issue, action can hopefully be taken to, for example, repair an air-conditioning unit or provide extra ventilation, thus preventing a system failure. In addition to monitoring a room’s temperature, some environmental monitors monitor a room’s humidity.

Environmental monitors, including power and temperature monitors, can alert appropriate personnel in a variety of ways. For example, some environmental monitors can send an alert to an SNMP server. This alert is known as an SNMP trap. Another common notification option allows an environmental monitor to send an e-mail or SMS text message to alert appropriate personnel about the suspect environmental condition.

Having fault-tolerant power options, such as uninterruptible power supplies (UPS), fault-tolerant power circuits into the building, generators, and appropriate converters or inverters for the critical network devices can assist in preventing downtime in the event of a single power failure. Having monitoring systems in place allows you to react and restore redundancy.

Device placement in racks should be done in such a way as to allow proper airflow through the systems in the racks. Racks may be two- or four-post racks organized into rows. Free-standing racks may also be used to hold the network systems and devices. A rack-mounted server has rails on the side that allow it to be inserted into a rack. Environmental monitors can trigger an alert about potential damage if the humidity or temperature goes outside of the proper values for network devices and servers.

Loopback Plug

When troubleshooting a network device, you might want to confirm that a network interface is functional (for example, that it can transmit and receive traffic). One way to perform such a test is to attach a loopback plug to a network interface and run diagnostic software designed to use the loopback plug. A loopback plug takes the transmit pins on an Ethernet connector and connects them to the receive pins, such that everything that is transmitted is received back on the interface. Similarly, a fiber-optic loopback plug, as shown in Figure 11-4, interconnects a fiber-connector’s transmit fiber with a connector’s receive fiber. The diagnostic software can then transmit traffic out of a network interface and confirm its successful reception on that same interface.


Figure 11-4 Fiber-Optic Loopback Plug (Photo Courtesy of Digi-Key Corporation [http://www.digikey.com])

Multimeter

When working with copper cabling (as opposed to fiber-optic cabling), a multimeter can check a variety of a cable’s electrical characteristics. These characteristics include resistance (in ohms), current (in amps), and voltage (in volts). Figure 11-5 shows an example of a multimeter.


Figure 11-5 Multimeter

As one example, you could use the ohmmeter function of a multimeter (the resistance feature) to check continuity of an Ethernet cable. If you connect the two leads of a multimeter to two pins of a cable, the resulting resistance is approximately 0 ohms if those two pins are connected, and the resulting resistance approaches an infinite number of ohms if the pins do not connect with one another.

Another common use of a multimeter is to use the voltmeter function (the voltage feature). As an example, you could check leads of an Ethernet cable to see whether DC voltage is being applied to a device needing to receive Power over Ethernet (PoE).

Protocol Analyzer

If you understand the characteristics of the protocols running on your network (for example, understanding the fields in a protocol’s header), a protocol analyzer (also known as a network sniffer) can be a tremendous troubleshooting asset. A protocol analyzer can be a standalone device or software running on a laptop computer. You can use a protocol analyzer to capture traffic flowing through a network switch, using the port mirroring feature of a switch, as described in Chapter 4, “Ethernet Technology.” By examining the captured packets, you can discern the details of communication flows (sessions) as they are being set up, maintained, and torn down. The examination of these captured packets is referred to as traffic analysis, which provides an administrator with valuable insights about the nature of traffic flowing through the veins of the network.

Protocol analyzers come in a wide range of features and costs. Wireshark is a free software program that can make your laptop act like a protocol analyzer. Protocol analyzers can assist in identifying details such as top talkers, top destinations, top protocols in use, and quantity of traffic on the network. You can download your free copy of Wireshark from http://www.wireshark.org. Figure 11-6 shows the Wireshark application.


Figure 11-6 Wireshark Protocol Analyzer Software

WiFi Analyzer

Software running on a general-purpose computer or on a specialized device can perform wireless analysis of WiFi signals. This type of tool would be used as part of a wireless site survey after WiFi has been implemented to create a heat map of the wireless airspace.

Looking-Glass Sites

A looking glass server on the Internet allows users to connect to view the routing information from that server’s perspective. These are normally related to Border Gateway Protocol (BGP) routes. There are hundreds of thousands of routes in BGP. Using a looking-glass site could assist an engineer in verifying that changes he made to his local BGP router configuration are having the desired effect on the BGP routes on the Internet. To find a BGP looking-glass site, use Google to search for “BGP looking glass.”

Speed Test Sites

There are many speed test services that can assist in verifying throughput from a local computer to an Internet site. One example is speedtest.net. Using sites such as this can assist when determining whether the overall connection to the Internet is slow or if it is just a specific site or server that is slow to respond.

Punch-Down Tool

When terminating wires on a punch-down block (for example, a 110 block), an insulated wire is inserted between two contact blades. These blades cut through the insulation and make electrical contact with the inner wire. As a result, you do not have to strip off the insulation.

However, if you attempt to insert the wire between the two contact blades using a screwdriver, for example, the blades might be damaged to the point where they will not make a good connection. Therefore, you should use a punch-down tool, which is designed to properly insert an insulated wire between the two contact blades without damaging the blades.

Throughput Tester

Networks often perform differently when they are under a heavy load, as opposed to little or no load, which might be the case if you are mocking up a design in a test-bed environment (which is a test network isolated from a production network). Also, you might simply want to verify a network’s maximum throughput. Either scenario could benefit from a throughput tester.

A throughput tester is a network appliance that typically has multiple network interfaces and can generate high volumes of pseudo-random data. You could, for example, connect a throughput tester to a proposed network that has been mocked up in a test bed to observe how the network performs under a heavy load. Also, you can attach a throughput tester to a production network to determine the actual throughput of that existing network. Figure 11-7 shows an example of a throughput tester appliance.


Figure 11-7 Throughput Tester (Photo Courtesy of NSS Labs [http://www.nsslabs.com])

Time Domain Reflectometer/Optical Time Domain Reflectometer

Suppose that you have been troubleshooting a network cable (either copper or fiber optic), and you determine that there is a break in (or physical damage to) the cable. However, identifying exactly where the break exists in a long length of cable can be problematic. Fortunately, you can use a time domain reflectometer (TDR) for copper cabling or an optical time domain reflectometer (OTDR) for fiber-optic cabling to locate the cable fault.

Both light and electricity travel at speeds approaching 3 × 10^8 meters per second (approximately 186,000 miles per second), although the speeds are a bit slower and vary depending on the medium. A TDR sends an electrical signal down a copper cable (and an OTDR sends a pulse of light down a fiber-optic cable), and when the signal encounters a cable fault, a portion of it reflects back to the source. Based on the speed of electricity, or light, in the medium and on the amount of time required for the reflected signal to return to the source, a TDR or an OTDR can mathematically determine where the cable fault lies. Figure 11-8 shows an example of an OTDR.


Figure 11-8 Optical Time Domain Reflectometer (Photo Courtesy of Coral-i Solutions [http://www.coral-i.com])

Toner Probe

If you are working on a punch-down block and attempting to identify which pair of wires connect back to an end-user’s location (for example, someone’s office), you can use a toner probe. A toner probe allows you to place a tone generator at one end of a connection (for example, someone’s office), and use a probe on a punch-down block to audibly detect to which pair of wires the tone generator is connected.

A toner probe, therefore, comes in two pieces: the tone generator and the probe. Another common name for a toner probe is a fox and hound, where the tone generator is the fox, and the probe (which searches for the tone) is the hound. Some network devices have built-in troubleshooting tools, such as a voice-enabled Cisco router that can produce test tones.

Configuration Management

Configuration management (CM) focuses on maintaining up-to-date documentation of a network’s configuration. As a result, CM helps ensure consistent configuration practices across network devices. CM encompasses a variety of procedures, including the following:


- Asset management: Asset management, as related to networks, is a formalized system of tracking network components and managing the lifecycle of those components. As an example, Cisco defines the Cisco Lifecycle Services maintenance model, which defines distinct phases in the lifecycle of a network asset using the acronym PPDIOO, which stands for the following:

  - Prepare
  - Plan
  - Design
  - Implement
  - Operate
  - Optimize

- Baselining: When troubleshooting a network issue, one of the first things you should do, after clearly defining the problem, is to gather information. This information might come from diagnostic commands you issue on network routers or switches, as a couple of examples. Information contained in the output of those diagnostic commands might include a link’s bandwidth utilization, a router’s CPU utilization, or a switch’s memory utilization. For those numbers to be meaningful, however, you need to have previously collected similar data when the network was operating properly. The collection of such data under normal operating conditions is known as baselining. With comprehensive baseline data in your possession (which might include data collected at different times of the day and different days of the week), you can better notice any deviations from the norm when analyzing the data you collect when a problem exists on a network.

- Cable management: Designing and troubleshooting large networks requires documentation about a network’s existing cable (that is, copper and fiber-optic cable) infrastructure. This documentation might include a diagram of a network’s conduit system (if nearby buildings are interconnected), locations of punch-down blocks, and a listing of the sources and destinations of a network’s cable runs that includes a consistent numbering system to clearly identify different cable pairs. Documentation including labels should be considered for ports, systems, circuits, and patch panels. A standardized naming convention can assist in identifying where a connection is, based on its name.

- Change management: When you make a change in a network, such as upgrading the operating system on a router requiring a network outage of 15 minutes, realize that your actions could impact a business’s operation. Therefore, many large companies institute a change management system, which is commonly in the form of software used by network administrators to alert other network administrators about an upcoming network change (for example, an Internet access outage required to swap out a router). Then, when other network administrators receive that notification, if they know of a conflict, where the planned network outage would impact a critical network function at a critical time (for example, a planned Internet outage might be scheduled for a time when a company is conducting a webcast for its customers), they can give feedback to the originator of the change notification. The two network administrators might then choose a different time to implement the planned change. Other changes that may need to occur include updates to firmware, drivers, vulnerability patches, or reverting to a previous version of software in the event of a problem or incompatibility with the current system. All of these changes should be managed through a well-documented change control process. Change requests should be well documented, including the configuration procedures that will be used, what devices will be worked on, what the rollback process is if there is a problem, and the potential impact of the change. Changes should be formally approved by management and communicated to all parties involved before being implemented.

- Network documentation: Although having an up-to-date collection of network documentation is vital for effective network troubleshooting, be aware that having outdated network documentation can be worse than having no documentation at all. For example, if you attempt to troubleshoot an issue by relying on outdated (and therefore inaccurate) network documentation, you could make incorrect assumptions about which switch ports were connected to which end-user stations. As a result, you could draw erroneous conclusions.

Therefore, take care to ensure the ongoing upkeep of a complete set of network documentation. Although the elements that make up this set of documentation can vary from network to network, the following are some of the more common elements:

- Contact information: In larger networks, where different devices fall under different administrative authorities, you need to be able to quickly reach a responsible party to respond to an event. In addition, you should have ready access to contact information for a network’s service provider, which might also include the circuit ID of a service provider’s incoming WAN link.

- Policies: When debate arises concerning activity on a network and the way the network is configured to handle various traffic types, a network administrator can benefit from having a set of written internal operating procedures, policies, and standards in place. These policies, such as an acceptable use policy, a security policy, or a quality of service policy, should have received approval by an authority within an organization (for example, the chief information officer [CIO]), rather than coming directly from the enforcing party (such as a network administrator). Policies regarding backups and restores for critical systems and the configurations of network devices such as routers should also be part of the written policies and procedures.

- Network maps and diagrams: A collection of network maps should include both a map of a network’s physical topology and a map of a network’s logical topology. For example, a physical topology map shows such information as circuit IDs, port numbers, fiber pairs, and locations of network devices. Conversely, a logical topology map might show a network’s VLANs. A port scanner can be used to identify devices on the network with listening ports, such as a web server on TCP port 80, or an FTP server on port 21. IP network address space used and specific subnets in use should also be documented.

- Documentation: Documentation about vendors, including contact information, should be readily available. Warranty information about network assets should also be maintained and updated on a periodic basis as new assets are added and old assets are retired.

- Wiring schemes: Network documentation should include information about the wiring within and between buildings. For example, what conduit systems exist, and how many copper pairs are in the riser cable interconnecting the first and second floors? How are pairs of fiber-optic cables numbered? Wiring scheme documentation should, therefore, complement a network’s physical topology map.

Although this section addressed some of the more common elements of configuration management, realize that configuration management entails any network activity (from documentation to using best practices) that helps ensure consistent configuration practices, helps document a network’s configuration, or helps preserve device configurations in the event of a device failure.

Monitoring Resources and Reports

Network administrators routinely monitor network resources and review reports to be proactive in their administration. For example, a potential network issue might be averted by spotting a trend (for example, increasing router CPU utilization or increasing bandwidth demand on a WAN link). Monitoring resources and reports come from various sources, such as a syslog server, a Simple Network Management Protocol (SNMP) server, Event Viewer logs found on a Microsoft Windows server, or packet captures from a network sniffer. This section introduces you to these resources for monitoring network information.

SNMP

The first Request For Comments (RFC) for SNMP came out in 1988. Since then, SNMP has become the de facto standard of network management protocols. The original intent for SNMP was to manage network nodes, such as network servers, routers, and switches. SNMP Version 1 (SNMPv1) and SNMP Version 2c (SNMPv2c) specify three major components of an SNMP solution, as detailed in Table 11-1.


Table 11-1 Components of an SNMPv1 and SNMPv2c Network-Management Solution

As depicted in Figure 11-9, an SNMP manager (an NMS) can send information to a managed device (a managed router, in this example), request and receive information from it, or receive unsolicited information from it. The managed device runs an SNMP agent and contains the MIB.


Figure 11-9 SNMPv1 and SNMPv2c Network-Management Components and Messages

Even though multiple SNMP messages might be sent between an SNMP manager and a managed device, consider the three broad categories of SNMP message types:

- Get: An SNMP get message retrieves information from a managed device.

- Set: An SNMP set message sets a variable in a managed device or triggers an action on a managed device.

- Trap: An SNMP trap message is an unsolicited message sent from a managed device to an SNMP manager, which can notify the SNMP manager about a significant event that occurred on the managed device.

SNMP management software can make requests for each of the MIB objects from an SNMP agent. This can be referred to as an SNMP walk because the management software is logically “walking” the entire MIB (also often called the tree) to gather information from the agent. SNMP offers security against malicious users attempting to collect information from a managed device, change the configuration of a managed device, or intercept information being sent to an NMS. However, the security integrated with SNMPv1 and SNMPv2c is considered weak. Specifically, SNMPv1 and SNMPv2c use community strings to gain read-only access or read-write access to a managed device. You can think of a community string like a password. Also, be aware that multiple SNMP-compliant devices on the market today have a default read-only community string of public and a default read-write community string of private. As a result, such devices, left at their default SNMP settings, could be compromised.


Note

Notice that this section refers to SNMPv2c as opposed to SNMPv2. SNMPv2 contained security enhancements, in addition to other performance enhancements. However, few network administrators adopted SNMPv2 because of the complexity of the newly proposed security system. Instead, Community-Based Simple Network Management Protocol (SNMPv2c) gained widespread acceptance because SNMPv2c included the performance enhancements of SNMPv2 without using SNMPv2’s complex security solution. Instead, SNMPv2c kept the SNMPv1 concept of community strings.


Fortunately, the security weaknesses of SNMPv1 and SNMPv2c are addressed in SNMPv3. To better understand these security enhancements, consider the concept of a security model and a security level:

- Security model: Defines an approach for user and group authentications (for example, SNMPv1, SNMPv2c, and SNMPv3).

- Security level: Defines the type of security algorithm performed on SNMP packets. The three security levels discussed here are the following:

  - noAuthNoPriv: The noAuthNoPriv (no authorization, no privacy) security level uses community strings for authorization and does not use encryption to provide privacy.

  - authNoPriv: The authNoPriv (authorization, no privacy) security level provides authorization using hashed message authentication code (HMAC) with message digest 5 (MD5) or Secure Hash Algorithm (SHA). However, no encryption is used.

  - authPriv: The authPriv (authorization, privacy) security level offers HMAC MD5 or SHA authentication and provides privacy through encryption. Specifically, the encryption uses the Cipher Block Chaining (CBC) Data Encryption Standard (DES) (DES-56) algorithm.

As summarized in Table 11-2, SNMPv3 supports all three security levels. Notice that SNMPv1 and SNMPv2 only support the noAuthNoPriv security level.


Table 11-2 Security Models and Security Levels Supported by Cisco IOS

Through the use of security algorithms, as shown in Table 11-2, SNMPv3 dramatically increases the security of network-management traffic, as compared to SNMPv1 and SNMPv2c. Specifically, SNMPv3 offers three primary security enhancements:

• Integrity: Using hashing algorithms, SNMPv3 ensures that an SNMP message was not modified in transit.

• Authentication: Hashing allows SNMPv3 to validate the source of an SNMP message.

• Encryption: Using the CBC-DES (DES-56) encryption algorithm, SNMPv3 provides privacy for SNMP messages, making them unreadable by an attacker who might capture an SNMP packet.
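The integrity and authentication properties described above come from SNMPv3's User-based Security Model (RFC 3414), which derives a per-agent key from the user's password and protects each message with a truncated HMAC. The following is an added example, not code from the book: it implements that key derivation and the HMAC check, using the password and snmpEngineID from the RFC's own test vectors, and shows a modified message failing verification. The authPriv encryption step (CBC-DES) is not shown.

```python
import hashlib
import hmac

# Added example, not from the book: SNMPv3 USM (RFC 3414) password-to-key
# derivation, key localization, and HMAC-MD5-96 / HMAC-SHA-96 authentication.

HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}

def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: hash of the password repeated to fill 1,048,576 bytes (RFC 3414 A.2)."""
    reps = 1_048_576 // len(password) + 1
    return HASHES[algo]((password * reps)[:1_048_576]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): a key recovered from one agent does
    not open the same user's account on any other agent."""
    return HASHES[algo](ku + engine_id + ku).digest()

def authenticate(kul: bytes, message: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters: the first 12 bytes of the HMAC."""
    return hmac.new(kul, message, HASHES[algo]).digest()[:12]

def verify(kul: bytes, message: bytes, auth_param: bytes, algo: str) -> bool:
    """Receiver recomputes the HMAC; a mismatch means tampering or a wrong key."""
    return hmac.compare_digest(authenticate(kul, message, algo), auth_param)

# snmpEngineID and password taken from the RFC 3414 appendix A.3 test vectors.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
PASSWORD = b"maplesyrup"

def demo(algo: str = "sha") -> tuple:
    """Constructed authNoPriv exchange. Real USM runs the HMAC over the whole
    wire message with the authentication field zeroed; a fixed byte string
    stands in for the encoded PDU here."""
    kul = localize_key(password_to_key(PASSWORD, algo), ENGINE_ID, algo)
    pdu = b"constructed SNMPv3 message: get sysUpTime.0"
    tag = authenticate(kul, pdu, algo)
    tampered = pdu[:-1] + bytes([pdu[-1] ^ 0x01])   # one bit flipped in transit
    return verify(kul, pdu, tag, algo), verify(kul, tampered, tag, algo)

if __name__ == "__main__":
    for algo in HASHES:
        print(algo, demo(algo))          # (True, False) for both algorithms
```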


Note

Many of the security concepts mentioned in this discussion are covered in more detail in Chapter 12, “Network Security.”


In addition to its security enhancements, SNMPv3 differs architecturally from SNMPv1 and SNMPv2c. SNMPv3 defines SNMP entities, which are groupings of individual SNMP components. As shown in Figure 11-10, SNMP applications and an SNMP manager combine into an NMS SNMP entity, while an SNMP agent and a MIB combine into a managed node SNMP entity.

Figure 11-10 SNMPv3 Entities

Syslog

A variety of network components (for example, routers, switches, and servers) can send their log information to a common syslog server. By having information for multiple devices in a common log and examining time stamps, network administrators can better correlate events occurring on one network device with events occurring on a different network device. Syslog messages and SNMP traps can be used to trigger notification messages that may be sent via email and SMS. A syslog logging solution consists of two primary components:

• Syslog servers: A syslog server receives and stores log messages sent from syslog clients.

• Syslog clients: As shown in Figure 11-11, various types of network devices can act as syslog clients and send logging information to a syslog server.

Figure 11-11 Sample Syslog Clients

Messages sent from a syslog client to a syslog server vary in their severity levels. Table 11-3 lists the eight severity levels of syslog messages. The higher the syslog level, the more detailed the logs. Keep in mind that more detailed logs require additional storage space on a syslog server.

Table 11-3 Syslog Severity Levels

Consider the format of a syslog message, as illustrated in Figure 11-12. The syslog log entries contain time stamps, which help you understand how one log message relates to another. The log entries also include severity level information, in addition to the text of the syslog messages.

Figure 11-12 Structure of a Syslog Message
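The severity levels of Table 11-3 and the message structure of Figure 11-12 are what a syslog server works with when it stores, filters and correlates messages. As an added example that is not part of the book, the code below parses constructed lines of the form "<PRI>timestamp host %FACILITY-SEVERITY-MNEMONIC: text" (a Cisco IOS message body in a BSD-syslog envelope), names the severity, keeps only messages at or above a chosen level, and pairs up events from different devices that occur within a few seconds of each other.

```python
import re
from datetime import datetime
# Added example, not from the book: parse constructed syslog lines, name their
# severity, filter by it, and correlate events across devices by timestamp.

# The eight severities, 0 (most urgent) to 7 (most detailed), per RFC 5424.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
LINE_RE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)")

def parse(line: str, year: int = 2015) -> dict:
    """Split one line into its fields; PRI encodes facility*8 + severity."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    pri = int(m["pri"])
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITIES[pri % 8],
        # BSD-syslog timestamps carry no year; the server supplies it.
        "timestamp": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "mnemonic": f"{m['fac']}-{m['sev']}-{m['mnem']}",
        "text": m["text"],
    }

def at_or_above(entries, threshold: int) -> list:
    """Keep messages at least as urgent as `threshold` (e.g. 3 = Error)."""
    return [e for e in entries if e["severity"] <= threshold]

def correlate(entries, window: int = 5) -> list:
    """Pair events on different devices that fall within `window` seconds."""
    ordered = sorted(entries, key=lambda e: e["timestamp"])
    pairs = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if (b["timestamp"] - a["timestamp"]).total_seconds() > window:
                break
            if a["host"] != b["host"]:
                pairs.append((a["mnemonic"], b["mnemonic"]))
    return pairs

SAMPLE = [  # constructed lines, not captured from a real network
    "<189>Mar 15 10:04:01 sw1 %LINK-5-CHANGED: Interface Gi0/1, changed state to administratively down",
    "<187>Mar 15 10:04:02 sw1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "<187>Mar 15 10:04:03 rtr1 %LINEPROTO-3-UPDOWN: Line protocol on Interface Gi0/0, changed state to down",
    "<190>Mar 15 10:15:30 rtr1 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.5 started",
]
```

With the sample lines, `correlate` pairs the switch port going down with the router's line-protocol change two seconds later, the kind of cross-device view a single syslog server makes possible.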


Note

A variety of systems can act as syslog servers. You can download a free syslog utility from http://solarwinds.com/downloads.


Logs

In addition to logs generated by routers, switches, and other infrastructure gear, the operating systems powering network clients and servers generally have the capability to produce log output. Rather than keeping a single general log covering all of a system’s tracked components, Microsoft Windows incorporates an Event Viewer application that allows you to view various log types, including application, security, and system logs. These logs can be archived for later review. Such historical logs can be used to spot network trends and serve as data for creating baselines.

Application Logs

Microsoft Windows application logs contain information about software applications running on the underlying operating system. Notice, in Figure 11-13, the three levels of severity associated with the events in the log: Information, Warning, and Error. The events provide a collection of information about the event, such as the source (for example, the application) that caused the event, the severity level of the event, and a date/time stamp of the event.

Figure 11-13 Application Log

Security Logs

Figure 11-14 shows an example of a Microsoft Windows security log. In this example, successful and failed login attempts are shown.

Figure 11-14 Security Log

System Logs

A Microsoft Windows system log, an example of which is shown in Figure 11-15, lists events generated by the underlying operating system.

Figure 11-15 System Log

Real-World Case Study

Acme Inc. realizes the importance of a solid network infrastructure. That’s why it hired a cabling company that used testing tools to certify and print the results for each of the cable runs from the offices and cubes to the IDF in the wiring closets on each floor. The cabling between the IDFs and the data center (near the MDF in the basement) was also certified and guaranteed by the cable installation company. Prefabricated, certified Category 6 patch cables will be used between the computers and the RJ-45 jacks that are located in each office and cube on each floor.

To understand the traffic patterns and the most used protocols on its network, Acme is using a protocol analyzer to periodically collect information about the traffic flows on its network. This information can be used as a baseline and compared against future traffic patterns if there is a problem.

Network documentation has been created about the physical and logical topology, including the IP addressing used for the subnets. On the switches, routers, and other network devices, labeling has been implemented to clearly identify each connector, port, and interface. The cross-connects on the patch panels have also been labeled for easy identification.

Administrative controls have been put in place on the network devices, and physical locks have been placed on the doors to the wiring closets. Environmental controls such as air conditioning have also been set up in the IDFs. Access to network devices in the IDF or in the MDF is being audited. Any changes made are logged to a syslog server. SNMP is also in place to report system events to a secure SNMP manager.

Change control procedures have been documented and communicated so that no changes will occur without the proper documented details about the changes that are proposed, their potential impact, the change control window, and the rollback procedure if needed. Changes must be approved by management before being implemented. Unauthorized changes are not acceptable and may be reason for the termination of an administrator. This policy has been agreed to in writing by the administrators.

Fault tolerance for power and for critical systems and network devices has been put in place, along with monitoring controls to alert an administrator in the event of a failure or degradation in performance.

Summary

The main topics covered in this chapter are as follows:

• The purpose of various tools that could be used to physically maintain a network was identified. Examples include BERT, butt set, cable certifier, cable tester, connectivity software, crimper, ESD wrist strap, environmental monitor, loopback plug, multimeter, protocol analyzer, WiFi analyzer, looking-glass site, speed test site, punch-down tool, throughput tester, TDR, OTDR, and toner probe.

• The operation of SNMP was discussed, as were the security enhancements available in SNMPv3.

• The operation of syslog was reviewed, as were the syslog message severity levels.

• Examples of logs collected by the Microsoft Windows Event Viewer application were provided. Specifically, examples of Microsoft Windows application, security, and system logs were presented.

Exam Preparation Tasks

Review All the Key Topics

Review the most important topics from inside the chapter, noted with the Key Topic icon in the outer margin of the page. Table 11-4 lists these key topics and the page numbers where each is found.

Table 11-4 Key Topics for Chapter 11

Complete Tables and Lists from Memory

Print a copy of Appendix D, “Memory Tables” (found on the DVD), or at least the section for this chapter, and complete the tables and lists from memory. Appendix E, “Memory Table Answer Key,” also on the DVD, includes the completed tables and lists so you can check your work.

Define Key Terms

Define the following key terms from this chapter, and check your answers in the Glossary:

bit-error rate tester (BERT)

butt set

cable certifier

cable tester

crimper

electrostatic discharge (ESD) wrist strap

punch-down tool

time domain reflectometer (TDR)

optical time domain reflectometer (OTDR)

toner probe

asset management

baseline

Simple Network Management Protocol (SNMP)

syslog

Review Questions

The answers to these review questions are in Appendix A, “Answers to Review Questions.”

1. One error occurred during the transmission of 8 bits. What is the BER?

a. .0125

b. .025

c. .125

d. .25

2. What device, traditionally used by telephone technicians, enables you to tap into a phone line to, for example, check a line for dial tone?

a. Tester

b. Butt set

c. TDR

d. Fox and hound

3. Which piece of test equipment can you use to test the throughput of a Cat 5 cable?

a. OTDR

b. Multimeter

c. BERT

d. Cable certifier

4. What is a best practice to prevent you from damaging a circuit board with static from your body?

a. Wear an ESD wrist strap.

b. Apply antistatic spray to the circuit board.

c. Ground the circuit board.

d. Stand on a carpeted floor (or a rug) when working on a circuit board to provide insulation between your body and an electric ground potential.

5. A toner probe is also known as what?

a. TDR

b. Fox and hound

c. Tip and ring

d. OTDR

6. What piece of test equipment enables you to locate a break in a fiber-optic cable?

a. TDR

b. Cable certifier

c. Crimper

d. OTDR

7. SNMP uses a series of objects to collect information about a managed device. The structure, similar to a database, containing these objects is referred to as what?

a. RIB

b. MIB

c. DUAL

d. LSA

8. A notification that a specific operation failed to complete successfully is classified as what syslog severity level?

a. Informational (1)

b. Critical (2)

c. Errors (5)

d. Warnings (4)

9. Identify the broad categories of SNMP message types. (Choose three.)

a. Get

b. Put

c. Set

d. Trap

10. What Microsoft Windows application enables you to view a variety of log types, including application, security, and system logs?

a. Event Viewer

b. Performance Monitor

c. Microsoft Management Console

d. Control Panel