In this lecture you'll see the configuration for SNMP version 3.
You saw earlier that with SNMP version 1 and version 2c the SNMP manager (that's our NMS server) and the SNMP agent (the router or switch) recognise each other through simple, unencrypted community strings, so it's not very secure.
That's improved upon with SNMP version 3, which does support authentication and encryption. With SNMP version 3 the security model uses users and groups: we configure a user on the router or switch and a matching user on the NMS server, and that's how they recognise each other. There is also a group. Most of the settings are configured at the group level, and those settings are applied to a user depending on which group it's in.

There are three different security levels available, and these are configured at the group level. Normally you're going to use just one security level, but it is possible to have one NMS server in one group with one security level and a different NMS server in a different group with a different security level. That would be a pretty weird thing to do, but it is possible.

The first security level is noAuthNoPriv, which means no authentication and no privacy. With noAuthNoPriv no authentication password is exchanged and the communications between the agent and the server are not encrypted. It still doesn't use a community string, because this is SNMP version 3; it uses a username instead. But that username works basically the same way as the community string in SNMP version 1 and version 2c (it travels in plaintext and anyone who knows it can poll the device), so there's not much point in doing that. It doesn't really give you any advantage over the old SNMP versions.

The next security level is authNoPriv. With authNoPriv password authentication is used, so the NMS server and the network device authenticate each other. The password itself is never sent over the network: each SNMPv3 message carries a keyed hash (HMAC) computed from a key derived from the authentication password, which is what proves the message is genuine and unmodified. But the message contents are not encrypted, so when the server polls information from the device it goes over the network in the clear.

The last one is the one that we're most likely going to want to use, which is authPriv. With authPriv password authentication is used, the same as with authNoPriv, but communications between the agent and the server are also encrypted. So with authPriv the NMS server and the device securely authenticate each other, nothing goes in plaintext, and whatever information they share is encrypted as well. This is the most secure way of doing it. If we're using SNMP version 3, most likely we're going to be using authPriv.
OK, so let's look at the configuration. As you saw earlier in this lecture, we're going to have the group and we're going to have the user as well. Let's configure the group first. In global configuration I say snmp-server group, and in this example I've called the group blackbox-group, then v3 to say that we're using SNMP version 3. In the example I've used the context-sensitive help, hitting the question mark to see what the next keyword is, and this is where we set the security level: auth, noauth or priv. In the example I've set priv because I want the most secure level. Then I've put the question mark in again to see what the next keywords are, and we've got access, context, match, notify, read and write. With access you can set an access list, which I'll talk about a bit more on the next slide; context and match both apply to contexts; and notify, read and write are about views. So let's see what that means.

The first keyword available there was access. What you can do is configure a normal access list on the router or switch where you specify the IP address of the NMS server, and then when you configure your SNMP settings you reference that access list. That means you're locking it down: the router or switch will only talk SNMP with that particular IP address, the IP address of your NMS server.

The next keywords we had in there were for contexts. Contexts are used on switches to specify which VLANs are accessible via SNMP, so if you're configuring a switch you might need to set that up so that your NMS system can access other VLANs, not just the default VLAN 1.

The last thing we could set there were our views. Views can be used to limit what information is accessible to the NMS server, and we had a read view, a write view and a notify view available. If you don't specify a read view then all MIB objects are accessible to read, so by default the NMS server can get all the SNMP information from that particular device. If you want to lock it down so it can only gather a particular set of information, you use a read view for that. Next was the write view. If you don't specify a write view then no MIB objects are accessible to write, so this works the other way round: by default the NMS can read everything but write nothing. If you want to limit what it can read, configure a read view; if you want it to be able to write anything, you have to explicitly configure a write view, because without one it doesn't get any write access. So by default the NMS server gets read-only access to all MIBs. The last one was the notify view, which controls which notifications (traps) can be sent to members of the group; if you don't specify a notify view, notifications are disabled by default.

OK, so those were our views. When I configure the group in this example, the full command that I use is snmp-server group blackbox-group v3 priv. I haven't configured any access lists or any views here; they are all optional, and because I'm using the defaults, the NMS server that is in this group will have full read-only access to the device.
OK, so I've configured my group. The next thing I want to do is configure my user. The first word I use again is snmp-server, but now I'm doing the user, so that's snmp-server user, and for my example user I've called it blackbox-user. Next I specify the group that this user is in, and I'm putting it in blackbox-group, which I just configured a minute ago. I say v3 for SNMP version 3, and then auth is where I specify the authentication algorithm that I'm going to use. I can use either md5 or sha (SHA-1). SHA is more secure, though a little slower, and MD5 is the legacy option you should avoid for new deployments. So I've set snmp-server user blackbox-user blackbox-group v3 auth sha, and I'm using an authentication password of authpassword for this example. When we talked about the three security levels we specified authentication and privacy separately, and we configure the authentication and the privacy separately as well. Right now I've configured the authentication; next up I'm going to configure the privacy. I say priv and I've used the question mark again to see what options I've got: I can use DES, 3DES or AES encryption. AES is the most modern and the most secure of those; DES and 3DES are legacy ciphers and shouldn't be chosen for new deployments.
After I configure that (and I won't type out the whole command again), I've got up to the point where I'm using AES encryption. Next I specify whether it's 128, 192 or 256 bit. Obviously the higher the number the more secure it's going to be, but it takes more CPU cycles, so it's a little slower.

So, looking at the complete command: snmp-server user blackbox-user blackbox-group v3 auth sha authpassword priv aes 128 privpassword. That's the user blackbox-user in the group blackbox-group using SNMP version 3; for authentication I'm using SHA as my algorithm with a password of authpassword, and for privacy I'm using AES 128-bit encryption with a password of privpassword. So that is my user and my group set up on my router or switch.

What I would do next is go on to my NMS server and configure a user there with matching settings: the same username, blackbox-user, the same security level, and the same auth password and priv password. That's me done; my NMS server is now able to access my device and pull information from it.
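As an added worked example (not the lecture's own configuration), here is the complete router-side setup described above assembled in one place, with the optional pieces the lecture mentions but leaves at their defaults (the access list and a read view) filled in. The names blackbox-group and blackbox-user come from the lecture; the NMS address 10.0.0.50, the ACL and view names, and the two passwords are assumptions.

```cisco
! Added example, not the lecture's own config. The NMS address 10.0.0.50,
! the names NMS-ONLY and NMS-READ, and both passwords are assumptions.

! 1. Standard ACL naming the only host allowed to talk SNMP to this device.
ip access-list standard NMS-ONLY
 permit host 10.0.0.50
 deny any log

! 2. A read view exposing only the system and interfaces subtrees instead of
!    the whole MIB tree that the default (no read view) allows.
snmp-server view NMS-READ system included
snmp-server view NMS-READ interfaces included

! 3. The group at the authPriv security level, tied to the view and the ACL.
!    No write view is given, so members of this group stay read-only.
!    (On a switch, the context/match keywords would go here to expose
!    per-VLAN data; syntax varies by platform, so it is omitted.)
snmp-server group blackbox-group v3 priv read NMS-READ access NMS-ONLY

! 4. The user in that group: SHA for authentication, AES-128 for privacy.
!    IOS requires SNMPv3 passwords of at least eight characters.
snmp-server user blackbox-user blackbox-group v3 auth sha AuthPass1234 priv aes 128 PrivPass1234

! 5. For contrast, the two weaker levels from the lecture (not recommended):
!    snmp-server group legacy-noauth v3 noauth   ! username behaves like a community string
!    snmp-server group legacy-auth v3 auth       ! authenticated, but polled data is sent in the clear

! 6. Verify. The user line is deliberately not shown in the running config
!    on IOS, so use the show commands rather than grepping the config.
! show snmp group
! show snmp user
```

Two caveats a practitioner will hit: first, `snmp-server user` is stored separately from the running configuration and will not appear in `show running-config`; `show snmp user` is the place to confirm it exists. Second, the user's passwords are localised with the device's SNMP engine ID when the user is created, so if you change the local engine ID (`snmp-server engineID local ...`) afterwards, the existing users stop working and have to be re-entered. On the NMS side, a net-snmp client would use the matching settings, for example `snmpwalk -v3 -l authPriv -u blackbox-user -a SHA -A AuthPass1234 -x AES -X PrivPass1234 <device-ip> system`; if the access list is correct, the same command from any other host should get no reply at all.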
Thanks for watching. If you want to get hands-on practice with Cisco networks for free, you can download my 400-page CCNA lab guide. Also check out the video about my CCNA course, the highest-rated course online. Thanks.