NTP and SNMP
Network Time Protocol (NTP) synchronizes clocks across network devices. Accurate time matters more than it sounds: when you correlate log files from a router, a switch, and a firewall to trace an attack, events that are off by even a few seconds become impossible to sequence correctly. NTP also affects certificate validation, authentication protocols, and scheduled tasks.
NTP uses a stratum hierarchy. Stratum 0 devices are atomic clocks and GPS receivers that do not participate directly in the network. Stratum 1 servers are directly connected to stratum 0 sources and are the most accurate network-accessible time sources. Stratum 2 servers synchronize from stratum 1. Each hop adds a stratum number and introduces a tiny amount of timing error. Stratum 16 means unsynchronized. Lower stratum number means a more accurate source.
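As an added example (this code is not from the page), the header decoder below shows where the stratum, leap indicator and reference ID sit in an NTPv4 packet, and how a monitoring script would decide whether a reply is usable as a time source. It follows RFC 5905, including the convention that a wire stratum of 0 is treated as 16 (unsynchronized, also used for kiss-o'-death replies). The two sample replies are constructed in-line, so nothing is sent over UDP 123; the function and field names are this example's own.

```python
import struct

NTP_UNIX_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix epoch)
MAXSTRAT = 16                  # RFC 5905: wire stratum 0 is treated as 16, "unsynchronized"
HEADER = "!BBbbII4sIIIIIIII"   # LI/VN/mode, stratum, poll, precision, root delay,
                               # root dispersion, reference ID, four 64-bit timestamps


def parse_ntp_packet(data: bytes) -> dict:
    """Decode the fixed 48-byte NTPv4 header (RFC 5905, section 7.3).
    Extension fields and MAC trailers, if present, are ignored."""
    if len(data) < 48:
        raise ValueError("NTP header is 48 bytes, got %d" % len(data))
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     _ref_s, _ref_f, _orig_s, _orig_f, _recv_s, _recv_f, tx_s, tx_f) = struct.unpack(HEADER, data[:48])
    leap, version, mode = flags >> 6, (flags >> 3) & 0x7, flags & 0x7
    # On the wire, stratum 0 means "unspecified/invalid" (also used for kiss-o'-death
    # replies); RFC 5905 maps it to MAXSTRAT so it can never be selected as a source.
    eff_stratum = MAXSTRAT if stratum == 0 or stratum >= MAXSTRAT else stratum
    if stratum <= 1:
        # stratum-1 servers and KoD replies carry a 4-character ASCII code (GPS, PPS, RATE, ...)
        ref = ref_id.rstrip(b"\0").decode("ascii", "replace")
    else:
        ref = ".".join(str(b) for b in ref_id)   # IPv4 address of the upstream server
    return {
        "leap": leap, "version": version, "mode": mode, "stratum": eff_stratum,
        "poll_seconds": 2 ** poll, "precision_seconds": 2.0 ** precision,
        "root_delay": root_delay / 65536.0, "root_dispersion": root_disp / 65536.0,
        "ref_id": ref,
        # NTP seconds since 1900 -> Unix seconds since 1970, plus the 32-bit fraction
        "transmit_unix": tx_s - NTP_UNIX_OFFSET + tx_f / 2.0 ** 32,
    }


def assess_time_source(pkt: dict) -> tuple:
    """Decide whether a decoded reply is usable as a time source: (ok, reason)."""
    if pkt["mode"] != 4:
        return False, "not a server reply (mode %d)" % pkt["mode"]
    if pkt["leap"] == 3:
        return False, "leap indicator 3: server clock is not synchronized"
    if pkt["stratum"] >= MAXSTRAT:
        return False, "stratum 16 (wire 0): unsynchronized or kiss-o'-death code %r" % pkt["ref_id"]
    return True, "stratum %d source, reference %s" % (pkt["stratum"], pkt["ref_id"])


def build_client_request() -> bytes:
    """48-byte client request: LI 0, version 4, mode 3, everything else zero.
    This is what a client sends to UDP port 123 before reading the reply."""
    return struct.pack(HEADER, 0x23, 0, 0, 0, 0, 0, b"\0\0\0\0", *([0] * 8))


def build_sample_reply(flags: int, stratum: int, ref_id: bytes, tx_s: int) -> bytes:
    """Constructed server reply used as offline sample input (not a real capture)."""
    return struct.pack(HEADER, flags, stratum, 6, -23, 0x0800, 0x0400, ref_id, *([tx_s, 0] * 4))


# Constructed samples: a healthy stratum-2 reply transmitted at 2024-01-01T00:00:00Z,
# and a reply from a server that has never synchronized (LI=3, wire stratum 0, KoD "INIT").
GOOD_REPLY = build_sample_reply(0x24, 2, bytes([10, 0, 0, 1]), 1704067200 + NTP_UNIX_OFFSET)
UNSYNC_REPLY = build_sample_reply(0xE4, 0, b"INIT", 0)

if __name__ == "__main__":
    for name, raw in (("good", GOOD_REPLY), ("unsync", UNSYNC_REPLY)):
        pkt = parse_ntp_packet(raw)
        print(name, pkt["stratum"], pkt["ref_id"], assess_time_source(pkt))
```

A monitoring check built on this would poll each configured server and alert when `assess_time_source` returns false, or when the stratum suddenly rises, since a device that drifts to stratum 16 silently breaks the log correlation described above.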
SNMP (Simple Network Management Protocol) has three components: a Manager (the NMS that collects data), Agents (running on each monitored device), and a MIB (Management Information Base, the database of variables the agent can report). SNMPv1 and v2c use cleartext community strings, public for read access and private for write access. SNMPv3 adds authentication (MD5 or SHA) and encryption (AES), making it the only version appropriate for production use.
SNMP Traps are unsolicited messages from agents to the manager when something noteworthy happens, like an interface going down. Traps are not acknowledged. SNMP Informs are like Traps but require acknowledgment from the manager. If no acknowledgment arrives, the agent resends.
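As an added example (not code from the page), the inspector below classifies captured SNMP datagrams the way a passive monitoring tool would: it reads the BER-encoded message header, reports the version, pulls out the cleartext community string for v1/v2c and flags the vendor defaults named above, and for v3 reads msgFlags to tell authPriv from the weaker levels. The sample messages are constructed with a tiny BER encoder; the v3 samples carry placeholder security parameters and an empty msgData, which is enough for header inspection. All function names are this example's own.

```python
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {b"public", b"private"}


def _read_tlv(buf: bytes, pos: int):
    """Read one BER TLV at pos; return (tag, value, next_pos). SNMP only uses
    definite lengths, so the short form and the long form are both handled."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def inspect_snmp_message(datagram: bytes) -> dict:
    """Classify one SNMP UDP payload: version, community (v1/v2c) or security
    level (v3), plus a finding when the configuration is weak."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, raw_version, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(raw_version, "big")
    rec = {"version": SNMP_VERSIONS.get(version, "unknown(%d)" % version),
           "community": None, "default_community": False,
           "security_level": None, "finding": None}
    if version in (0, 1):
        tag, community, pos = _read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING community")
        rec["community"] = community.decode("latin-1")
        rec["default_community"] = community in DEFAULT_COMMUNITIES
        rec["finding"] = "cleartext community string" + (
            " (vendor default)" if rec["default_community"] else "")
    elif version == 3:
        # msgGlobalData ::= SEQUENCE { msgID, msgMaxSize, msgFlags OCTET STRING, msgSecurityModel }
        tag, global_data, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("expected msgGlobalData SEQUENCE")
        _, _msg_id, p = _read_tlv(global_data, 0)
        _, _max_size, p = _read_tlv(global_data, p)
        _, flags, p = _read_tlv(global_data, p)
        auth, priv = bool(flags[0] & 0x01), bool(flags[0] & 0x02)   # RFC 3412 msgFlags bits
        rec["security_level"] = "authPriv" if auth and priv else ("authNoPriv" if auth else "noAuthNoPriv")
        if not (auth and priv):
            rec["finding"] = "SNMPv3 below authPriv (%s)" % rec["security_level"]
    return rec


# --- constructed sample datagrams (short-form BER, not real captures) ---
def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "short-form length only"
    return bytes([tag, len(value)]) + value


def _int(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")   # +8 keeps the sign bit clear
    return _tlv(0x02, body)


SYSDESCR_0 = bytes.fromhex("2b06010201010100")                    # OID 1.3.6.1.2.1.1.1.0
V2C_GET = _tlv(0x30, _int(1) + _tlv(0x04, b"public") + _tlv(0xA0,   # GetRequest-PDU
    _int(1) + _int(0) + _int(0) + _tlv(0x30, _tlv(0x30, _tlv(0x06, SYSDESCR_0) + _tlv(0x05, b"")))))
V3_AUTHPRIV = _tlv(0x30, _int(3) + _tlv(0x30, _int(1) + _int(1500) + _tlv(0x04, b"\x07") + _int(3))
                   + _tlv(0x04, b"") + _tlv(0x04, b""))          # flags: auth|priv|reportable
V3_NOAUTH = _tlv(0x30, _int(3) + _tlv(0x30, _int(2) + _int(1500) + _tlv(0x04, b"\x04") + _int(3))
                 + _tlv(0x04, b"") + _tlv(0x30, b""))            # flags: reportable only

if __name__ == "__main__":
    for raw in (V2C_GET, V3_AUTHPRIV, V3_NOAUTH):
        print(inspect_snmp_message(raw))
```

Running this over the UDP/161 and UDP/162 payloads from a capture gives an inventory of which devices still answer v1/v2c or accept `public`/`private`, which is the list to work through before the migration to SNMPv3 authPriv.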
Syslog, CDP/LLDP, and QoS basics
Syslog sends log messages from network devices to a central syslog server over UDP port 514. The severity level attached to each message tells you how serious it is. Level 0 (Emergency) means the device is unusable. Level 1 (Alert) requires immediate action. Level 2 (Critical) indicates a hardware failure. Level 3 (Error) covers interface errors. Level 4 (Warning) covers configuration warnings. Level 5 (Notice) is significant but normal events. Level 6 (Informational) includes link state changes. Level 7 (Debug) is verbose output for troubleshooting. Remember the mnemonic: Every Awful Crisis Eventually Wears Nobody Down.
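As an added example (not code from the page), the parser below applies the severity table above to Cisco IOS syslog lines: it decodes the `<PRI>` header into facility and severity, picks the severity digit out of the `%FACILITY-SEVERITY-MNEMONIC` field, checks that the two agree, and reproduces the `logging trap <level>` forwarding rule used in the review section (at `warnings`, only levels 0 through 4 are sent). The sample lines are constructed, and the function names are this example's own.

```python
import re

# Severity codes 0..7, most severe first (the table above)
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]
# Keywords IOS accepts for "logging trap <level>"; that level and every lower number is forwarded
TRAP_KEYWORDS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                 "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

PRI_RE = re.compile(r"^<(\d{1,3})>")
IOS_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)$")


def parse_syslog_line(line: str) -> dict:
    """Decode one RFC 3164-style line as sent by an IOS device."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)          # PRI = facility * 8 + severity
    rec = {"facility": facility, "severity": severity,
           "severity_name": SEVERITY_NAMES[severity],
           "ios_facility": None, "mnemonic": None, "text": line, "consistent": True}
    ios = IOS_RE.search(line)
    if ios:
        rec.update(ios_facility=ios.group(1), mnemonic=ios.group(3), text=ios.group(4))
        # The %FAC-SEV-MNEMONIC field carries its own severity digit. A mismatch with the
        # PRI value means a relay rewrote the header or the line was mangled or forged.
        rec["consistent"] = int(ios.group(2)) == severity
    return rec


def forward_at_trap_level(lines, level="warnings"):
    """Return the lines an IOS device would send to the syslog server at this trap level."""
    threshold = TRAP_KEYWORDS[level]
    return [l for l in lines if parse_syslog_line(l)["severity"] <= threshold]


# Constructed sample lines (facility 23 = local7, the IOS default)
SAMPLE_LINES = [
    "<189>40: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<187>41: *Mar  1 00:13:01.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<188>42: *Mar  1 00:13:09.250: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22]",
    "<186>43: *Mar  1 00:14:00.000: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed",
    "<191>44: *Mar  1 00:14:02.110: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): testing",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = parse_syslog_line(line)
        print(r["severity"], r["severity_name"], r["mnemonic"], r["consistent"])
    print(len(forward_at_trap_level(SAMPLE_LINES, "warnings")), "lines forwarded at warnings")
```

The `consistent` flag is the useful extra: on a collector, lines whose PRI severity disagrees with the IOS mnemonic severity are worth a look, because a legitimate device never produces them on its own.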
CDP (Cisco Discovery Protocol) is a Cisco-proprietary Layer 2 protocol that is on by default on all Cisco interfaces. It lets switches and routers learn directly connected neighbors' hostname, IP address, platform, IOS version, and native VLAN. It is very useful for troubleshooting but a security risk on externally facing interfaces, because it reveals those device details to anyone on the link. Disable it per interface with no cdp enable or globally with no cdp run.
LLDP (Link Layer Discovery Protocol, IEEE 802.1AB) is the open-standard equivalent of CDP and works across multi-vendor environments. It is disabled by default on some Cisco devices; enable it globally with lldp run.
QoS (Quality of Service) prioritizes delay-sensitive traffic like voice and video. Classification identifies traffic types. Marking stamps them with priority values; voice is marked DSCP EF (Expedited Forwarding, value 46). Queuing serves high-priority traffic first. LLQ (Low Latency Queuing) creates a strict priority queue for voice so it is always dequeued first.
How to choose the correct answer
NTP stratum: lower number = more accurate. Stratum 1 is the most accurate network source. Stratum 16 = unsynchronized. NTP uses UDP port 123.
SNMP version for production: SNMPv3 authPriv. This is the only version with both authentication and encryption. SNMPv2c community strings are plaintext.
Syslog severity: lower number = more severe. Emergency (0) = worst. Debug (7) = least severe. Setting logging trap warnings sends levels 0 through 4 to the syslog server.
CDP vs LLDP: CDP = Cisco-only, on by default. LLDP = open standard, may need enabling. Both discover directly connected Layer 2 neighbors only; their advertisements are not forwarded across routers.
SNMP Trap = no acknowledgment. SNMP Inform = acknowledged, resent until confirmed.