4.3 NTP, SNMP, and Syslog

Key Takeaways

  • NTP synchronizes clocks across network devices — critical for log correlation, certificates, and troubleshooting.
  • SNMP monitors and manages network devices using GET, SET, and TRAP operations.
  • Syslog centralizes log messages from network devices with severity levels 0 (Emergency) to 7 (Debugging).
  • SNMPv3 adds authentication and encryption — always use v3 for security.
  • NTP uses UDP port 123; SNMP uses UDP 161/162; Syslog uses UDP 514.
Last updated: March 2026

NTP, SNMP, and Syslog

These three services are essential for network operations, monitoring, and troubleshooting.

NTP (Network Time Protocol)

NTP synchronizes the system clocks of network devices. Accurate time is critical for:

  • Log correlation — matching events across devices during troubleshooting
  • Certificate validation — TLS/SSL certificates have validity periods
  • Authentication protocols — Kerberos, TACACS+, RADIUS depend on synchronized time
  • Legal compliance — accurate timestamps for audit trails

NTP Concepts

| Term | Description |
|---|---|
| Stratum | Distance from the authoritative time source (stratum 0 = atomic clock) |
| Stratum 0 | Atomic clocks, GPS receivers |
| Stratum 1 | Servers directly connected to stratum 0 |
| Stratum 2 | Servers synchronized with stratum 1 |
| Stratum 15 | Maximum (stratum 16 = unsynchronized) |

Lower stratum = more accurate time source. NTP always synchronizes with the lowest available stratum.

NTP Configuration

Router(config)# ntp server 10.0.0.1                     ! Point to NTP server
Router(config)# ntp server 10.0.0.2                     ! Backup NTP server
Router(config)# ntp master 3                             ! Configure this router as stratum 3 NTP server

Router# show ntp status                                  ! Verify NTP synchronization
Router# show ntp associations                            ! Show NTP server relationships
Router# show clock                                       ! Show current time

NTP uses UDP port 123.
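An added example (not from the original page) showing where stratum appears on the wire: it decodes the fixed 48-byte NTP header laid out in RFC 5905 and reports the stratum, the reference source, and whether the sender is usable as a time source. The packets are constructed in the code, and `parse_ntp_header` and `build_sample` are names chosen for this illustration.

```python
import socket
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def parse_ntp_header(packet):
    """Decode the fixed 48-byte NTP header (RFC 5905 field layout)."""
    if len(packet) < 48:
        raise ValueError("NTP header is 48 bytes")
    flags, stratum = packet[0], packet[1]
    leap, version, mode = flags >> 6, (flags >> 3) & 0x7, flags & 0x7
    ref_id = packet[12:16]
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])  # transmit timestamp
    if stratum == 1:
        # Stratum 1: reference ID is an ASCII tag naming the stratum 0 source
        source = ref_id.rstrip(b"\x00").decode("ascii", "replace")
    elif 2 <= stratum <= 15:
        # Stratum 2-15 over IPv4: reference ID is the upstream server address
        source = socket.inet_ntoa(ref_id)
    else:
        source = None  # 0 (unspecified on the wire) or 16 (unsynchronized)
    return {
        "leap": leap, "version": version, "mode": mode,
        "stratum": stratum, "source": source,
        # Leap indicator 3 means "clock not synchronized"
        "synchronized": leap != 3 and 1 <= stratum <= 15,
        "unix_time": tx_sec - NTP_UNIX_DELTA + tx_frac / 2**32,
    }

def build_sample(leap, stratum, ref_id, unix_time):
    """Constructed server reply (version 4, mode 4 = server) for offline use."""
    pkt = bytearray(48)
    pkt[0] = (leap << 6) | (4 << 3) | 4
    pkt[1] = stratum
    pkt[12:16] = ref_id
    pkt[40:48] = struct.pack("!II", unix_time + NTP_UNIX_DELTA, 0)
    return bytes(pkt)

# Constructed samples: a GPS-fed stratum 1 server, a stratum 2 server that
# syncs from 10.0.0.1, and a server that has lost synchronization.
GOOD = build_sample(0, 1, b"GPS\x00", 1767225600)
UPSTREAM = build_sample(0, 2, socket.inet_aton("10.0.0.1"), 1767225600)
UNSYNC = build_sample(3, 16, b"\x00" * 4, 0)

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("UPSTREAM", UPSTREAM), ("UNSYNC", UNSYNC)):
        print(name, parse_ntp_header(pkt))
```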

SNMP (Simple Network Management Protocol)

SNMP enables centralized monitoring and management of network devices.

SNMP Components

| Component | Role |
|---|---|
| SNMP Manager | Central server that collects data (e.g., SolarWinds, PRTG, Nagios) |
| SNMP Agent | Software on each managed device that responds to queries |
| MIB | Management Information Base — database of manageable objects on the device |
| OID | Object Identifier — unique identifier for each managed variable |

SNMP Operations

| Operation | Direction | Description |
|---|---|---|
| GET | Manager → Agent | Read a specific MIB variable |
| GET-NEXT | Manager → Agent | Read the next variable in the MIB tree |
| GET-BULK | Manager → Agent | Read many variables at once (v2c/v3) |
| SET | Manager → Agent | Change a variable on the device |
| TRAP | Agent → Manager | Unsolicited alert from device (e.g., link down) |
| INFORM | Agent → Manager | Like TRAP but with acknowledgment (v2c/v3) |

SNMP Versions

| Feature | SNMPv1 | SNMPv2c | SNMPv3 |
|---|---|---|---|
| Authentication | Community string (plain text) | Community string (plain text) | Username/password (encrypted) |
| Encryption | None | None | DES, 3DES, AES |
| GET-BULK | No | Yes | Yes |
| INFORM | No | Yes | Yes |
| Security | Weak | Weak | Strong — always use v3 |

! SNMPv2c configuration
Router(config)# snmp-server community PUBLIC ro        ! Read-only community string
Router(config)# snmp-server community PRIVATE rw       ! Read-write community string
Router(config)# snmp-server host 10.0.0.100 PUBLIC     ! Send traps to NMS

! SNMPv3 configuration
Router(config)# snmp-server group MYGROUP v3 priv
Router(config)# snmp-server user ADMIN MYGROUP v3 auth sha MyPass priv aes 128 MyKey

SNMP uses UDP port 161 (queries) and UDP port 162 (traps).
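The following audit script is an added example, not Cisco tooling or part of the original page: it scans IOS-style `snmp-server` lines such as those above and flags plain-text community strings, read-write access, and SNMPv3 entries that do not require encryption. The severity labels, the `WEAK_V3` sample and the function name `audit_snmp` are assumptions made for the illustration.

```python
import re

WELL_KNOWN = {"public", "private"}           # guessable values, compared case-insensitively
PROMPT = re.compile(r"^\S+\(config\)#\s*")   # CLI prompt left in pasted configuration

def audit_snmp(config):
    """Return (severity, command, reason) tuples for IOS-style snmp-server lines."""
    findings = []
    for raw in config.splitlines():
        cmd = PROMPT.sub("", raw.split(" !", 1)[0].strip())  # drop trailing comment
        w = cmd.split()
        if len(w) < 3 or w[0] != "snmp-server":
            continue
        if w[1] == "community":
            rw = len(w) > 3 and w[3].lower() == "rw"
            reason = "v1/v2c community string crosses the network in plain text"
            if w[2].lower() in WELL_KNOWN:
                reason += "; well-known value"
            if rw:
                reason += "; read-write allows SET"
            findings.append(("high" if rw else "medium", cmd, reason))
        elif w[1] == "host" and not ("version" in w and "3" in w):
            findings.append(("medium", cmd, "notifications use a community string, not SNMPv3"))
        elif w[1] == "group" and "v3" in w and "priv" not in w:
            findings.append(("medium", cmd, "SNMPv3 group does not require encryption"))
        elif w[1] == "user" and "v3" in w:
            cipher = w[w.index("priv") + 1:][:1] if "priv" in w else []
            if "auth" not in w:
                findings.append(("high", cmd, "SNMPv3 user has no authentication"))
            elif "priv" not in w:
                findings.append(("medium", cmd, "SNMPv3 user is authenticated but not encrypted"))
            elif cipher in (["des"], ["3des"]):
                findings.append(("low", cmd, "legacy cipher; prefer AES"))
    return findings

# The configuration shown on this page, prompts and comments included.
PAGE_CONFIG = """\
! SNMPv2c configuration
Router(config)# snmp-server community PUBLIC ro        ! Read-only community string
Router(config)# snmp-server community PRIVATE rw       ! Read-write community string
Router(config)# snmp-server host 10.0.0.100 PUBLIC     ! Send traps to NMS
! SNMPv3 configuration
Router(config)# snmp-server group MYGROUP v3 priv
Router(config)# snmp-server user ADMIN MYGROUP v3 auth sha MyPass priv aes 128 MyKey
"""
# Constructed sample: SNMPv3 configured with authentication but no encryption.
WEAK_V3 = "snmp-server group OPS v3 auth\nsnmp-server user MON OPS v3 auth sha ExamplePass\n"

if __name__ == "__main__":
    for finding in audit_snmp(PAGE_CONFIG) + audit_snmp(WEAK_V3):
        print(finding)
```

Only the three SNMPv2c lines from the page are flagged; the `priv` group and the `auth sha ... priv aes 128` user pass.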

Syslog

Syslog is a standard protocol for sending log messages from network devices to a centralized log server.

Syslog Severity Levels

| Level | Name | Description | Keyword |
|---|---|---|---|
| 0 | Emergency | System is unusable | emergencies |
| 1 | Alert | Immediate action needed | alerts |
| 2 | Critical | Critical conditions | critical |
| 3 | Error | Error conditions | errors |
| 4 | Warning | Warning conditions | warnings |
| 5 | Notification | Normal but significant | notifications |
| 6 | Informational | Informational messages | informational |
| 7 | Debugging | Debug-level messages | debugging |

Memory trick: "Every Awesome Cisco Engineer Will Need Ice-cream Daily" → Emergency, Alert, Critical, Error, Warning, Notification, Informational, Debugging (0-7).

Syslog Configuration

Router(config)# logging host 10.0.0.200                  ! Send logs to syslog server
Router(config)# logging trap informational                ! Send levels 0-6 to server
Router(config)# logging console warnings                  ! Show levels 0-4 on console
Router(config)# logging buffered 16384 debugging          ! Buffer levels 0-7 locally
Router(config)# service timestamps log datetime msec      ! Add timestamps to logs

Syslog uses UDP port 514.

On the Exam: Memorize the syslog severity levels (0-7). A common question: "Which logging level should you set to see errors and all more critical messages?" Answer: Level 3 (error) — this captures levels 0 through 3.
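An added example, not part of the original page, that applies the threshold rule (a destination set to level N receives severities 0 through N) to the logging configuration above. It reads the severity digit from the IOS message header `%FACILITY-SEVERITY-MNEMONIC:`; the log lines are constructed samples and the function names are chosen for the illustration.

```python
import re

# Keyword position gives the numeric severity: index 0 = emergencies ... 7 = debugging
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]
IOS_HEADER = re.compile(r"%[A-Z0-9_]+-([0-7])-[A-Z0-9_]+:")  # %FACILITY-SEVERITY-MNEMONIC:

def parse_thresholds(config):
    """Map each logging destination (trap, console, buffered) to its numeric threshold."""
    thresholds = {}
    for line in config.splitlines():
        # Drop a pasted CLI prompt and any trailing "!" comment
        words = line.split("#", 1)[-1].split("!", 1)[0].split()
        if len(words) < 3 or words[0] != "logging":
            continue
        dest, level = words[1], words[-1].lower()
        if dest not in ("trap", "console", "buffered"):
            continue
        if level in LEVELS:
            thresholds[dest] = LEVELS.index(level)
        elif level.isdigit() and int(level) <= 7:   # a bare buffer size is not a level
            thresholds[dest] = int(level)
    return thresholds

def destinations(message, thresholds):
    """Return (severity, destinations that receive it), or None without an IOS header."""
    match = IOS_HEADER.search(message)
    if match is None:
        return None
    severity = int(match.group(1))
    return severity, sorted(d for d, t in thresholds.items() if severity <= t)

# The logging configuration shown on this page.
PAGE_CONFIG = """\
Router(config)# logging host 10.0.0.200                  ! Send logs to syslog server
Router(config)# logging trap informational                ! Send levels 0-6 to server
Router(config)# logging console warnings                  ! Show levels 0-4 on console
Router(config)# logging buffered 16384 debugging          ! Buffer levels 0-7 locally
"""
# Constructed log lines, one each at severity 3, 5 and 7.
LINK = "*Mar  1 00:00:05.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"
CONF = "*Mar  1 00:01:10.456: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)"
DEBUG = "*Mar  1 00:02:00.789: %DEMO-7-TRACE: constructed debug-level message"

if __name__ == "__main__":
    limits = parse_thresholds(PAGE_CONFIG)
    for msg in (LINK, CONF, DEBUG):
        print(destinations(msg, limits), msg)
```

The level-7 sample lands only in the local buffer, so it is lost on reload and never reaches the central server; the configuration-change message at level 5 reaches the server but is not shown on the console.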

Test Your Knowledge

What is the syslog severity level for "Warning" messages?

Which SNMP version provides authentication and encryption?

Which UDP port does NTP use?

An SNMP TRAP message is sent in which direction?

What NTP stratum level indicates the device is directly connected to an authoritative time source like an atomic clock?
