In this lecture you'll see the configuration for SNMP version 3.

So you saw earlier that in SNMP version 1 and 2 the SNMP manager, that's our NMS server, and the SNMP agent, that's our router or switch, recognize each other through simple unencrypted community strings, so it's not very secure. But that's improved upon with SNMP version 3, which does support authentication and encryption. With SNMP version 3 the security model uses users and groups, so we're going to configure a user on the router or switch and we configure a matching user on the NMS server; that's how they recognize each other. There is also a group as well, so most of the settings are configured at the group level, and those settings are going to be applied to the user depending on which group it's actually in.

There's three different security levels available, and these are configured at the group level. So normally you're going to just use one particular security level, but it is possible that you could have one NMS server in one group that's got one security level, and a different NMS server in a different group that's got a different security level. That would be a pretty weird thing to do, but it is possible to do that.

These three different security levels: the first one is noAuthNoPriv, which means no authentication and no privacy. With noAuthNoPriv no authentication password is exchanged and the communications between the agent and the server are not encrypted. So with noAuthNoPriv it still doesn't use a community string, it still uses a username, because this is SNMP version 3, but that username basically works the same as the community string in SNMP version 1 and version 2. So there's not much point in doing that; it doesn't really give you any advantage over the old SNMP versions.

The next security level we've got is authNoPriv. With authNoPriv password authentication is used, so the NMS server and the network device authenticate each other. When we do that authentication, the authentication is encrypted, so the username and password is encrypted, it's not going in plaintext, but after that initial authentication no encryption is used for communications between the devices. So if the server pulls some information from the device, that's going to go over the network unencrypted.

So the last one is the one that we're most likely going to want to use, which is authPriv. With authPriv password authentication is used again, the same as it was in authNoPriv, but communications between the agent and the server are also encrypted. So with authPriv the NMS server and the device are going to securely authenticate each other, that does not go in plaintext, and also whenever they're sharing information that is also encrypted as well. So this is the most secure way of doing it. If we're using SNMP version 3, most likely we're going to be using authPriv.

OK, so let's look at the configuration. So you saw earlier in this lecture we're gonna have the group and we're gonna have the user as well. Let's configure the group first. So at global config I say snmp-server group; in this example I've called the group black-box-group, then actually v3 to say that we're using SNMP version 3, and then in the example I've used the context-sensitive help, I've hit the question mark to see what the next keyword is, and this is where we set the security level of either auth, noauth or priv. Then the next thing that we do, so in the example I've set priv because I want the most secure level, then I've put the question mark in again to see what the next keyword is. Next keywords we've got: access, context, match, notify, read and write. With access you can set an access list; I'll talk about that a bit more in the next slide. context and match both apply to contexts, and notify, read and write are about views. So let's see what that means.

So the first keyword available there was access. What you can do is you can configure a normal access list on the router or the switch where you specify the IP address of the NMS server, and then when you configure your SNMP settings here you can reference that access list, which means you're locking it down so that the router or switch will only communicate with SNMP with that particular IP address. So you're locking it down to the IP address of your NMS server. The next keywords we had in there were about contexts. Contexts are used on switches to specify which VLANs are accessible via SNMP, so if you're configuring a switch you might need to set that up so that your NMS system can access other VLANs, not just the default VLAN 1. And then the last thing we could set there were our views. Views can be used to limit what information is accessible to the NMS server, and we had a read view, a write view and a notify view all available. If you don't specify a read view then all MIB objects are accessible to read, so by default the NMS server can get all the different SNMP information from that particular device. So if you want to lock it down to only be able to gather, or maybe poll, a particular set of information, then you would use a read view for that. The next one was the write view. If you don't specify a write view, then no MIB objects are accessible to write. So this works the other way: by default it can read everything but it can write nothing. So if you want to lock down, limit what it can read, configure a read view. If you want it to be able to write anything then you have to configure a write view; before explicitly configuring a write view it doesn't get any write access. So by default the NMS server gets read-only access to all MIBs. The last one was the notify view. The notify view is used to send notifications to members of the group; a notification is a trap. If you don't specify anything it will be disabled by default. OK, so those were our views.

So when I configure the group here in this example, the full command that I use is snmp-server group black-box-group v3 priv. So I haven't configured any access lists or any views or anything here, they are all optional, and because I'm using the defaults here the NMS server that is in this group will have full read-only access to the device.

OK, so I've configured my group. The next thing I'm gonna want to do is configure my user. So the first word I use again is snmp-server, but I'm doing the user this time, so that's snmp-server user, and then for my example user I've called it black-box-user. Next I specify the group that this user is in, and I'm putting it in the black-box-group that I just configured a minute ago. I say v3 for SNMP version 3, and then auth is where I'm gonna specify the authentication algorithm that I'm gonna use. I can either use MD5 or SHA-1; SHA is more secure but it's a little bit slower. OK, next up, so I've set snmp-server user black-box-user in the black-box-group, SNMP version 3, auth, I'm using sha, and I'm using an authentication password of authpassword for this example. So you know we talked about the three different security levels, and there you specify authentication and privacy separately, but we configure the authentication and the privacy separately as well. So right now I've already configured the authentication; next up I'm gonna configure the privacy. So I say priv and I've used a question mark again to see what options I've got here, and I can either use DES, Triple DES or AES encryption. AES is the most modern of those, it's the most secure, but it's a little bit slower. OK, after I configure that, so here, and I won't go through the whole command again, I've got up to I'm using AES encryption, next up I specify whether it's 128, 192 or 256 bit. Obviously the higher the number the more secure it's going to be, but it's going to take more CPU cycles and be a little slower.

So looking at the complete command, I've got snmp-server user black-box-user in the black-box-group, it's using SNMP version 3, for authentication I'm using sha as my algorithm, my password is authpassword, and for priv I'm using AES 128-bit encryption with a password of privpassword. So that is my user and my group set up on my router or switch. Now what I would do next is I would go on to my NMS server and I would configure a user there with matching settings. So I would set it with the same username of black-box-user, I would specify the auth password and the priv password, and that's me done. My NMS server is now going to be able to access my device and pull information from it.

Thanks for watching. If you want to get hands-on practice with Cisco networks for free then you can download my 400 page CCNA lab guide, which you can see above my head right now. Also check out the video about my CCNA course; it's the highest rated course online. Thanks.
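As an added example, not part of the lecture, here is the group and user configuration from the lecture assembled into one block, together with the optional access list and read view the lecture describes. The NMS address 10.0.0.50, the ACL number 10 and the view name SYSTEM-ONLY are assumed values chosen for this example; the usernames, group name and passwords are the lecture's own placeholders.

```cisco
! Added example (not from the lecture): group + user at the authPriv level,
! with the optional "access" and "read" keywords the lecture mentions filled in.
! Assumed values: NMS address 10.0.0.50, ACL number 10, view name SYSTEM-ONLY.
!
! 1. Lock SNMP down to the NMS server's address (the "access" keyword).
access-list 10 permit host 10.0.0.50
!
! 2. Optional read view: only the system subtree (1.3.6.1.2.1.1) is readable.
!    Without a read view the group can read every MIB object.
snmp-server view SYSTEM-ONLY 1.3.6.1.2.1.1 included
!
! 3. The group at the authPriv level, with the view and the ACL applied.
!    A "v3 noauth" group would only be the equivalent of a community string,
!    so it is left out here.
snmp-server group black-box-group v3 priv read SYSTEM-ONLY access 10
!
! 4. The user in that group: SHA for authentication, AES 128 for privacy.
!    No write view is configured, so the user stays read-only.
snmp-server user black-box-user black-box-group v3 auth sha authpassword priv aes 128 privpassword
!
! Verification. SNMPv3 users are not listed in "show running-config";
! check them with these commands instead (neither shows the passwords):
!   show snmp group
!   show snmp user
```

On the NMS side the matching user has to carry the same five settings (username, auth algorithm, auth password, privacy algorithm, privacy password). With the net-snmp tools that is `snmpwalk -v3 -l authPriv -u black-box-user -a SHA -A authpassword -x AES -X privpassword <device-ip> system`; if any one of those settings differs from the device, the poll simply gets no usable reply, which is the usual symptom of an SNMPv3 mismatch rather than a message saying which field is wrong.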