Lesson 5 of 5

Monitoring Challenge

Lab Objectives

  • Configure NTP on the gateway router (R1) to synchronize time from the network NTP server.
  • Forward system logs from R1 to a centralized syslog server and verify log forwarding.
  • Verify Layer 2 neighbor discovery using CDP and LLDP and enable LLDP if not running.

Lab Tasks (Try It Yourself First!)

Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.

Task 1: Configure NTP on R1

Point R1 to the network NTP server at 10.10.101.230 so R1’s clock is synchronized. Do not change any other interfaces. After configuration, verify R1 is synchronized to that NTP server.

Parameters: NTP server = 10.10.101.230. Verify with a show command that reports synchronization and the reference server IP.

Task 2: Configure Syslog Forwarding

Send system logs from R1 to the central syslog server at 10.10.101.230. Enable local logging so messages are generated and confirm log destination is set.

Parameters: Syslog server = 10.10.101.230. Ensure R1 is configured to forward logs to that destination and verify with a show command.

Task 3: Verify CDP/LLDP Neighbor Discovery

Verify CDP neighbors from R1 and check LLDP neighbors. If LLDP is not enabled, enable it and verify neighbors again.

Parameters: Use show commands to inspect CDP and LLDP neighbor information on R1.

Think About It: Why is correct time synchronization important for logging and security events in production? (Hint: consider log timestamps and correlation across devices.)


Lab Solution

Topology (BASE LAB TOPOLOGY — exact IPs)

                [Internet]
               203.0.113.1
                    |
               R1 (Gateway)
              Gi0/0: 10.10.10.1
              Gi0/1: 10.10.20.1
              Gi0/2: 10.10.30.1
              /     |     \
           R2      R3      R4

Gi0/0: 10.10.10.2 | Gi0/0: 10.10.30.2 Gi0/1: 10.10.40.1 | / \ | S1 S2 S3 / \ | /
PC1 PC2 PC3 PC4 PC5

Task 1 Solution: Configure NTP on R1

What we are doing:

  • Point R1 at the authoritative NTP server (10.10.101.230) so R1’s clock is accurate. Accurate device clocks are critical for correct log timestamps, certificate validation, and troubleshooting across multiple devices (think of NTP like setting all clocks in an office to the same time zone).

Commands:

R1# configure terminal
R1(config)# ntp server 10.10.101.230
R1(config)# end
R1# write memory

What just happened:

  • configure terminal — enters global configuration mode to change device settings.
  • ntp server 10.10.101.230 — configures R1 to synchronize time from the NTP server at 10.10.101.230 (NTP uses UDP/123). This creates an NTP peer/association that the router will poll.
  • end — exits configuration mode.
  • write memory — persists the configuration so it survives reloads.

Why this matters:

  • With consistent time (NTP), logs from R1 can be correlated to logs from other devices and servers. In production, inconsistent clocks cause confusing timelines during incident investigations.
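The correlation problem described above, as an added example that is not part of the original lesson. The log lines are constructed; the parser assumes the `datetime msec` timestamp format and relies on the IOS convention of prefixing a timestamp with `*` when the clock is not authoritative and `.` when NTP synchronization has been lost.

```python
import re
from datetime import datetime

# [marker]Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: text
LINE = re.compile(r"^([*.]?)(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): (%\S+): (.*)$")

# Constructed sample logs. R2 never synchronized: its clock runs about four
# minutes behind, so the same link-down event carries two different times.
LOGS = {
    "R1": "Apr  2 03:12:02.101: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down\n"
          "Apr  2 03:12:09.417: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.10.2)",
    "R2": "*Apr  2 03:08:03.220: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down",
}

def parse(device, text, year=2026):
    """Return (time, device, clock_trusted, mnemonic) tuples for one device."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            marker, stamp, mnemonic, _ = m.groups()
            # The timestamp carries no year, so one is supplied (assumption).
            when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")
            events.append((when, device, marker == "", mnemonic))
    return events

def timeline(logs):
    """Merge all devices into one list ordered by the device-reported time."""
    return sorted(e for dev, text in logs.items() for e in parse(dev, text))

def untrusted(logs):
    """Devices that logged at least one event with a '*' or '.' marker."""
    return sorted({dev for _, dev, ok, _ in timeline(logs) if not ok})

def skew_seconds(logs, a, b, mnemonic="%LINK-3-UPDOWN"):
    """Estimate clock difference a-b from an event both ends of a link log."""
    first = {dev: when for when, dev, _, m in reversed(timeline(logs)) if m == mnemonic}
    return (first[a] - first[b]).total_seconds()
```

In the merged timeline R2's link-down sorts almost four minutes before R1's, although both routers logged the same physical event; the marker check identifies R2 as the device whose timestamps cannot be trusted for ordering.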

Verify:

R1# show ntp status
Clock is synchronized, stratum 2, reference is 10.10.101.230
nominal freq is 250.0000 Hz, actual freq is 249.9998 Hz, precision is 2**10
reference time is DA3C.9F28.1A52 (03:12:02.101 UTC Tue Apr  2 2026)
clock offset is 0.0012 msec, root delay is 0.12 msec, root dispersion is 1.23 msec
peer mode: client, stratum: 3, reach: 377

Tip: If show ntp status indicates “unsynchronized,” ensure the NTP server IP is reachable (ping) and that UDP/123 traffic is not blocked.


Task 2 Solution: Configure Syslog Forwarding

What we are doing:

  • Configure R1 to forward system logs to the centralized syslog server at 10.10.101.230. Centralized logging is used in production to retain, analyze, and correlate logs from multiple devices.

Commands:

R1# configure terminal
R1(config)# logging host 10.10.101.230
R1(config)# logging trap informational
R1(config)# service timestamps log datetime msec
R1(config)# end
R1# write memory

What just happened:

  • logging host 10.10.101.230 — tells R1 to send syslog messages to 10.10.101.230 (default UDP/514). This is the address of the centralized syslog collector.
  • logging trap informational — sets the least severe level that is forwarded: informational (severity 6) and everything more severe (severities 0 through 5). Adjust this in production depending on verbosity and storage.
  • service timestamps log datetime msec — adds readable timestamps including milliseconds to local log messages so they are precise.
  • write memory — saves the configuration.
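What the trap level means for the collector's visibility, as an added example that is not part of the original lesson. The messages are constructed samples in the IOS `%FACILITY-SEVERITY-MNEMONIC` form, and the function names are illustrative.

```python
import re

# Severity keywords accepted by "logging trap", in numeric order 0 (most severe) to 7.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

MNEMONIC = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+)")

# Constructed sample messages as R1 might generate them.
SAMPLE = [
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.10.20.2] [localport: 22]",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.20.2)",
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.10.20.2] [localport: 22]",
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.10.101.230 port 514 started - CLI initiated",
]

def severity(line):
    """Extract the numeric severity from the message tag."""
    m = MNEMONIC.search(line)
    if m is None:
        raise ValueError(f"no %FACILITY-SEVERITY-MNEMONIC tag in: {line!r}")
    return int(m.group(2))

def is_forwarded(line, trap):
    """A message is sent when its severity number is <= the trap level's number."""
    return severity(line) <= LEVELS.index(trap)

def coverage(lines, trap):
    """Split message tags into (forwarded, suppressed) for a given trap level."""
    sent, dropped = [], []
    for line in lines:
        tag = MNEMONIC.search(line).group(0)
        (sent if is_forwarded(line, trap) else dropped).append(tag)
    return sent, dropped

if __name__ == "__main__":
    for trap in ("informational", "warnings"):
        sent, dropped = coverage(SAMPLE, trap)
        print(f"{trap}: forwarded={sent} suppressed={dropped}")
```

At `informational` all five messages reach the collector; at `warnings` the configuration-change and successful-login records (severity 5) never leave the router, which matters when the central log is the audit trail.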

Why this matters:

  • Forwarding logs to a central collector avoids relying on a single device for long-term storage and enables centralized analysis and alerting. Timestamps (from Task 1) make these logs meaningful.

Verify:

R1# show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 512 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 0 messages logged
    Exception size (4096 bytes)
    Logging to 10.10.101.230 (udp port 514, traffic-class 0)
    Logging trap severity: informational (6)
    Timestamp logging: msec and uptime disabled

Expected lines to confirm:

  • A line showing Logging to 10.10.101.230 and the trap level confirms syslog forwarding is configured.

Real-world insight: In a production environment, ensure the syslog server has adequate retention and that network ACLs allow UDP/514 from network devices. Also consider TCP syslog or TLS-wrapped syslog for reliability and security where supported.


Task 3 Solution: Verify CDP/LLDP Neighbor Discovery

What we are doing:

  • Inspect Layer 2 neighbor discovery protocols so you can identify directly connected devices. CDP is Cisco-proprietary and often enabled by default. LLDP is the IEEE alternative; enable it if you rely on multi-vendor discovery.

Commands — show current state:

R1# show cdp neighbors detail
R1# show lldp neighbors

What just happened:

  • show cdp neighbors detail — shows detailed CDP information for neighbors discovered by CDP (device ID, IP, platform, local interface). CDP runs by default on Cisco devices.
  • show lldp neighbors — lists LLDP neighbors if LLDP is enabled. If LLDP is not enabled, this may show no entries.

If LLDP is not enabled and you want LLDP running:

R1# configure terminal
R1(config)# lldp run
R1(config)# end
R1# write memory

Why this matters:

  • Discovery protocols help you map topology and verify cabling and neighbor identities. In multi-vendor networks, LLDP is preferred because it’s vendor-neutral. Think of CDP/LLDP as a device “handshake” telling neighbors “who I am and how to reach me.”

Verify after enabling LLDP:

R1# show lldp neighbors
Capability codes:
  R - Router, B - Bridge, T - Telephone, C - DOCSIS Cable Device
  W - WLAN Access Point, P - Repeater, S - Station

Local Intf    Neighbor Dev ID       Neighbor Intf
Gi0/0         R2.example            Gi0/0
Gi0/1         R3.example            Gi0/0
Gi0/2         R4.example            Gi0/0

Example CDP output (detail):

R1# show cdp neighbors detail
Device ID: R2
Entry address(es):
  IP address: 10.10.10.2
Platform: cisco ISR, Capabilities: Router
Interface: GigabitEthernet0/0, Port ID (outgoing port): GigabitEthernet0/0

Protocol behavior: CDP sends advertisements every 60 seconds on most interfaces; LLDP default is every 30 seconds. These intervals determine how quickly neighbors appear/disappear in discovery tables.


Troubleshooting Scenario

Scenario: NTP not synchronizing

Symptom: show ntp status reports "unsynchronized" even though you configured an NTP server.

Your task: Find and fix the issue.

Hint: Check the configured server IP and reachability.

Solution:

  • Verify the configured server:

R1# show running-config | include ntp
ntp server 10.10.101.239

  • If you see .239 but the correct NTP server is .230, correct it:

R1# configure terminal
R1(config)# no ntp server 10.10.101.239
R1(config)# ntp server 10.10.101.230
R1(config)# end
R1# write memory

  • Re-check:

R1# show ntp status
Clock is synchronized, stratum 2, reference is 10.10.101.230

Explanation: A single-digit typo in the NTP server IP causes the router to poll the wrong host (or nothing), leaving the clock unsynchronized.


Verification Checklist

  • R1 shows NTP synchronized to 10.10.101.230 (show ntp status).
  • R1 forwards logs to 10.10.101.230 (show logging shows the host).
  • CDP neighbors are visible (show cdp neighbors detail) and LLDP is enabled and shows neighbors (show lldp neighbors).
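The checklist above turned into an automated check over captured show output, as an added example that is not part of the original lesson. It matches the output format printed in this lesson (real IOS releases word some lines differently), the failing capture is constructed, and the function names are illustrative.

```python
import re

SERVER = "10.10.101.230"  # NTP and syslog server used throughout this lab
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

def check_ntp(text, server=SERVER):
    """Pass only if the clock is synchronized AND the reference is the intended server."""
    if not re.search(r"Clock is synchronized\b", text):
        return "NTP: clock is not synchronized"
    ref = re.search(r"reference is " + IPV4, text)
    if not ref or ref.group(1) != server:
        return f"NTP: reference is {ref.group(1) if ref else 'unknown'}, expected {server}"
    return None

def check_syslog(text, host=SERVER):
    """Pass if the expected collector appears as a 'Logging to' destination."""
    hosts = re.findall(r"Logging to " + IPV4, text)
    return None if host in hosts else f"syslog: {host} missing from destinations {hosts}"

def check_lldp(text, interfaces):
    """Pass if every listed local interface has an entry in the neighbor table."""
    seen = {m.group(1) for m in re.finditer(r"^(Gi\d+/\d+)\s+\S+", text, re.M)}
    missing = sorted(set(interfaces) - seen)
    return f"LLDP: no neighbor on {', '.join(missing)}" if missing else None

def audit(ntp, syslog, lldp, interfaces=("Gi0/0", "Gi0/1", "Gi0/2")):
    """Return the list of failed checklist items (empty list means all passed)."""
    results = (check_ntp(ntp), check_syslog(syslog), check_lldp(lldp, interfaces))
    return [r for r in results if r]

# Output lines as shown in this lesson (trimmed), plus a constructed failing set.
GOOD = ("Clock is synchronized, stratum 2, reference is 10.10.101.230",
        "    Logging to 10.10.101.230 (udp port 514, traffic-class 0)",
        "Gi0/0         R2.example            Gi0/0\n"
        "Gi0/1         R3.example            Gi0/0\n"
        "Gi0/2         R4.example            Gi0/0")
BAD = ("Clock is synchronized, stratum 3, reference is 10.10.101.239",
       "Syslog logging: enabled (0 messages dropped)",
       "Gi0/0         R2.example            Gi0/0")

if __name__ == "__main__":
    for name, capture in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(*capture) or "all checks passed")
```

Checking the reference address, not only the word "synchronized", catches a router that has locked onto a host other than the intended time source.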

Common Mistakes

Symptom | Cause | Fix
NTP shows unsynchronized | Wrong NTP IP or server unreachable (UDP/123 blocked) | Verify ntp server IP, ping server, open UDP/123 through firewalls
show logging does not list destination | logging host not configured or overwritten | Configure logging host 10.10.101.230 and write memory
No LLDP neighbors | LLDP not enabled (or neighbor devices not running LLDP) | Enable with lldp run and verify peers support LLDP
CDP shows no neighbor detail | CDP disabled on interface or device | Ensure CDP is enabled (default on Cisco). Check interface level CDP settings

Challenge Task

Without step-by-step guidance: Configure R1 so that logs are only forwarded for severity warnings and above, ensure NTP is used for timestamps on all logging, and verify that both CDP and LLDP show neighbor IP addresses and management names. Use your knowledge from this lesson to complete and verify the configuration.