What is the syslog severity level number for Warning messages?

Level 4. Warning is severity level 4. The scale is Emergency 0, Alert 1, Critical 2, Error 3, Warning 4, Notification 5, Informational 6, Debugging 7, so lower numbers are more severe.

Which SNMP version provides both authentication and encryption?

SNMPv3. SNMPv3 is the only version that authenticates with a username and password and encrypts the payload with DES, 3DES, or AES. SNMPv1 and v2c rely on community strings sent in clear text, which provides no real protection.

An SNMP TRAP message travels in which direction?

Agent to manager as an unsolicited notification. A TRAP is pushed from the agent on the managed device to the manager without being polled, alerting it to an event such as an interface going down. GET and SET, by contrast, are initiated by the manager toward the agent.

Which UDP port does NTP use?

UDP 123. NTP uses UDP 123. For comparison, DNS uses 53, SNMP polls use 161 with traps on 162, and Syslog uses 514 — a port set CCNA expects you to recall on sight.

NTP, SNMP, and Syslog — Free Study Guide 2026

These three management services keep a network observable and time-consistent, and each carries a specific port number the exam will ask for.

NTP — Network Time Protocol

NTP synchronizes the system clocks of network devices over UDP 123. Accurate, common time matters for:

Log correlation — matching an event across routers, switches, and firewalls.
Certificate validation — TLS certificates have not-before/not-after windows; a wrong clock breaks them.
Time-based authentication — Kerberos, RADIUS, and TACACS+ tolerate only small clock skew.
Audit/compliance — timestamps must be trustworthy for forensics.

Stratum

Stratum	Meaning
0	The reference clock itself (atomic clock, GPS) — not a network device
1	A server directly attached to a stratum 0 source
2	Synchronizes to a stratum 1 server
15	Maximum usable distance
16	Unsynchronized / invalid

Lower stratum = closer to the true source = more authoritative. A device picks the lowest reachable stratum.

R1(config)# ntp server 10.0.0.1          ! use this upstream source
R1(config)# ntp master 3                  ! act as a stratum-3 source if isolated
R1# show ntp status                       ! is the clock synchronized?
R1# show ntp associations                 ! peers and their stratum/offset

SNMP — Simple Network Management Protocol

SNMP lets a central station poll and manage devices. Components: the manager (e.g., SolarWinds, PRTG), the agent running on each device, the Management Information Base (MIB) — a tree of manageable objects, and the Object Identifier (OID) that names each object.

Operations and direction

Operation	Direction	Purpose
GET / GET-NEXT	Manager -> Agent	Read one / next variable
GET-BULK	Manager -> Agent	Read many at once (v2c/v3)
SET	Manager -> Agent	Change a variable
TRAP	Agent -> Manager	Unsolicited alert, no ACK
INFORM	Agent -> Manager	Like TRAP, but acknowledged (v2c/v3)

Polls and SETs travel on UDP 161; traps and informs arrive on UDP 162. The key direction fact: GET/SET start at the manager, while TRAP/INFORM are pushed by the agent.

Version security

Feature	v1	v2c	v3
Auth	community string (clear)	community string (clear)	username + password (hashed)
Encryption	none	none	DES/3DES/AES
GET-BULK / INFORM	no	yes	yes
Verdict	legacy	common but insecure	use this

! v2c (insecure, still common in labs)
R1(config)# snmp-server community READONLY ro
R1(config)# snmp-server host 10.0.0.100 version 2c READONLY
! v3 (authenticated + encrypted)
R1(config)# snmp-server group GRP v3 priv
R1(config)# snmp-server user ADMIN GRP v3 auth sha MyAuthPass priv aes 128 MyPrivKey

The v3 keyword priv means authPriv (both authenticate and encrypt); auth means authNoPriv; noauth means neither.

Syslog

Syslog ships log messages to a central collector over UDP 514. The severity scale runs 0 (worst) to 7 (most verbose).

Level	Name	Meaning	Keyword
0	Emergency	System unusable	emergencies
1	Alert	Act immediately	alerts
2	Critical	Critical condition	critical
3	Error	Error condition	errors
4	Warning	Warning condition	warnings
5	Notification	Normal but notable	notifications
6	Informational	Informational	informational
7	Debugging	Debug output	debugging

Mnemonic: "Every Awesome Cisco Engineer Will Need Ice-cream Daily" -> Emergency, Alert, Critical, Error, Warning, Notification, Informational, Debugging.

R1(config)# logging host 10.0.0.200
R1(config)# logging trap informational     ! send levels 0-6 to the server
R1(config)# logging console warnings       ! show 0-4 on the console
R1(config)# logging buffered 16384 debugging
R1(config)# service timestamps log datetime msec   ! pair with NTP for usable times

The crucial rule: setting a level captures that level and everything more severe (lower-numbered). logging trap informational (6) therefore forwards levels 0 through 6 but not debugging.

Reading a syslog message

A Cisco log line has a fixed shape: *Jun 14 10:32:01.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down. Decode it as timestamp, then %FACILITY-SEVERITY-MNEMONIC plus a description. The number in the middle (here 3) is the severity, so this is an Error-level event. Being able to extract severity from the %FACILITY-3-MNEMONIC format is a common exam micro-skill, and it is why service timestamps log datetime msec paired with NTP matters — without synchronized time the leading timestamp is useless for correlating across devices.

How These Three Work Together

These services reinforce one another in operations. NTP supplies the accurate clock; syslog stamps each event with that clock and ships it to a collector; SNMP polls health metrics and fires a trap the instant something crosses a threshold. During an outage you correlate the SNMP trap ("interface down at 10:32:01") with the matching syslog %LINK-3-UPDOWN on the neighbor, and because both clocks came from the same NTP source the timestamps line up to the millisecond. Break NTP and that whole workflow degrades into guesswork, which is exactly why the exam frames NTP as foundational rather than optional.

Security Notes

Management traffic is a juicy target, so the secure defaults matter. SNMPv2c community strings are the equivalent of a clear-text password that also doubles as the only access control, so a captured "public" or "private" string grants read or write to the device — always prefer SNMPv3 authPriv. NTP supports authentication keys (ntp authenticate plus ntp trusted-key) so a device only accepts time from a trusted source, preventing an attacker from skewing clocks to break certificates.

Syslog over plain UDP 514 is unauthenticated and can be spoofed, so high-security environments tunnel it or use TCP/TLS variants, though CCNA tests the classic UDP 514 fact.

On the exam: memorize the 0-7 scale, that v3 alone is secure, the GET/TRAP directions, the %FACILITY-SEVERITY-MNEMONIC log format, and the trio of ports — NTP 123, SNMP 161/162, Syslog 514.

Cisco Certified Network Associate

CCNA

4.3 NTP, SNMP, and Syslog

Key Takeaways

NTP — Network Time Protocol

Stratum

SNMP — Simple Network Management Protocol

Operations and direction

Version security

Syslog

Reading a syslog message

How These Three Work Together

Security Notes

Cisco Certified Network Associate

1Introduction

2Chapter 1: Network Fundamentals (20%)

3Chapter 2: Network Access (20%)

4Chapter 3: IP Connectivity (25%)

5Chapter 4: IP Services (10%)

6Chapter 5: Security Fundamentals (15%)

7Chapter 6: Automation and Programmability (10%)

CCNA

4.3 NTP, SNMP, and Syslog

Key Takeaways

NTP — Network Time Protocol

Stratum

SNMP — Simple Network Management Protocol

Operations and direction

Version security

Syslog

Reading a syslog message

How These Three Work Together

Security Notes