In this lecture you'll see the configuration for SNMP version 3.

So you saw earlier that in SNMP version 1 and 2, the SNMP manager (that's our NMS server) and the SNMP agent (that's our router or switch) recognize each other through simple unencrypted community strings, so it's not very secure. That's improved upon with SNMP version 3, which does support authentication and encryption. With SNMP version 3 the security model uses users and groups, so we're going to configure a user on the router or switch and we configure a matching user on the NMS server; that's how they recognize each other. There is also a group as well. Most of the settings are configured at the group level, and those settings are going to be applied to the user depending on which group it's actually in.

There's three different security levels available and these are configured at the group level. Normally you're going to just use one particular security level, but it is possible that you could have one NMS server in one group that's got one security level and a different NMS server in a different group that's got a different security level. That would be a pretty weird thing to do, but it is possible.

These are the three different security levels. The first one is noAuthNoPriv, which means no authentication and no privacy. With noAuthNoPriv no authentication password is exchanged and the communications between the agent and the server are not encrypted. So with noAuthNoPriv it still doesn't use a community string, it still uses a username because this is SNMP version 3, but that username basically works the same as the community string in SNMP version 1 and version 2, so there's not much point in doing that; it doesn't really give you any advantage over the old SNMP versions.

The next security level we've got is authNoPriv. With authNoPriv password authentication is used, so the NMS server and the network device, as we'll see shortly, authenticate each other. When we do that authentication, the authentication is encrypted, so the username and password is encrypted; it's not going in plaintext. But after that initial authentication no encryption is used for communications between the devices, so if the server pulls some information from the device, that's going to go over the network unencrypted.

So the last one is the one that we're most likely going to want to use, which is authPriv. With authPriv password authentication is used again, the same as it was in authNoPriv, but communications between the agent and the server are also encrypted. So with authPriv the NMS server and the device are going to securely authenticate each other (that does not go in plaintext), and also whenever they're sharing information, that is also encrypted as well. So this is the most secure way of doing it. If we're using SNMP version 3, most likely we're going to be using authPriv.

Okay, so let's look at the configuration. You saw earlier in this lecture we're going to have the group and we're going to have the user as well. Let's configure the group first. So at global config I say snmp-server group; in this example I've called the group Flackbox-Group, then v3 to say that we're using SNMP version 3. In the example I've used the context-sensitive help, I've hit the question mark to see what the next keyword is, and this is where we set the security level of either auth, noauth or priv.

Then the next thing that we do: in the example I've set priv because I want the most secure level, then I've put the question mark in again to see what the next keyword is. The next keywords we've got are access, context, match, notify, read and write. With access you can set an access list; I'll talk about that a bit more in the next slide. context and match both apply to contexts, and notify, read and write are about views. So let's see what that means.

So the first keyword available there was access. What you can do is you can configure a normal access list on the router or switch where you specify the IP address of the NMS server, and then when you configure your SNMP settings here you can reference that access list, which means you're locking it down so that the router or switch will only communicate with SNMP with that particular IP address. So you're locking it down to the IP address of your NMS server.

The next keywords we had in there were about contexts. Contexts are used on switches to specify which VLANs are accessible via SNMP, so if you're configuring a switch you might need to set that up so that your NMS system can see other VLANs, not just the default VLAN 1.

And then the last thing we could set there were our views. Views can be used to limit what information is accessible to the NMS server, and we had a read view, a write view and a notify view all available. If you don't specify a read view then all MIB objects are accessible to read, so by default the NMS server can get all the different SNMP information from that particular device. So if you want to lock it down to only be able to gather, or maybe poll, a particular set of information, then you would use a read view for that.

The next one was the write view. If you don't specify a write view then no MIB objects are accessible to write, so this works the other way. So by default it can read everything but it can write nothing. So if you want to lock down, limit what it can read, configure a read view; if you want it to be able to write anything then you have to configure a write view. Without explicitly configuring a write view it doesn't get any write access. So by default the NMS server gets read-only access to all MIBs.

The last one was the notify view. The notify view is used to send notifications to members of the group; a notification is a trap. If you don't specify anything it will be disabled by default. Okay, so those were our views.

So when I configure the group here in this example, the full command that I use is snmp-server group Flackbox-Group v3 priv. So I haven't configured any access lists or any views or anything here; they are all optional, and because I'm using the defaults here, the NMS server that is in this group will have full read-only access to the device.

Okay, so I've configured my group. The next thing I'm going to want to do is configure my user. So the first word I use again is snmp-server, but I'm doing the user this time, so that's snmp-server user, and then for my example user I've called it Flackbox-User. Next I specify the group that this user is in, and I'm putting it in the Flackbox-Group that I just configured a minute ago. I say v3 for SNMP version 3, and then auth is where I'm going to specify the authentication algorithm that I'm going to use. I can either use MD5 or SHA-1. SHA is more secure but it's a little bit slower.

Okay, next up. So I've set snmp-server user Flackbox-User in the Flackbox-Group, SNMP version 3, auth, I'm using sha, and I'm using an authentication password of AuthPassword for this example. So you know we talked about the three different security levels, and there you specify authentication and privacy separately; well, we configure the authentication and the privacy separately as well. So right now I've already configured the authentication; next up I'm going to configure the privacy. So I say priv and I've used a question mark again to see what options I've got here, and I can either use DES, Triple DES or AES encryption. AES is the most modern of those; it's the most secure but it's a little bit slower.

Okay, after I configure that, so here, and I won't go through the whole command again, I've got up to: I'm using AES encryption. Next up I specify whether it's 128, 192 or 256 bit. Obviously the higher the number the more secure it's going to be, but it's going to take more CPU cycles and be a little slower.

So looking at the complete command, I've got snmp-server user Flackbox-User in the Flackbox-Group, it's using SNMP version 3, for authentication I'm using SHA as my algorithm, my password is AuthPassword, and for priv I'm using AES 128 bit encryption with a password of PrivPassword. So that is my user and my group set up on my router or switch. Now what I would do next is I would go on to my NMS server and I would configure a user there with matching settings. So I would set it with the same username of Flackbox-User, I would specify the auth password and the priv password, and that's me done. My NMS server is now going to be able to access my device and pull information from it.

Thanks for watching. If you want to get hands-on practice with Cisco networks for free then you can download my 400 page CCNA lab guide, which you can see above my head right now. Also check out the video about my CCNA course; it's the highest rated course online. Thanks.
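The group and user from the lecture, written out as an added IOS configuration example (not the lecture's own slide), with the optional access list and read view the lecture describes filled in so the NMS gets authPriv, read-only, restricted to one address. The NMS address 10.1.1.50, the device address 10.1.1.1, and the ACL and view names are constructed placeholders; the group, user and password names are the lecture's own.

```cisco
! Added example, not from the lecture. Constructed values: 10.1.1.50 (NMS),
! 10.1.1.1 (device), SNMP-NMS-ONLY (ACL name), NMS-READ-VIEW (view name).

! Standard ACL listing only the NMS server; referenced by the group's
! 'access' keyword so the device only talks SNMP to this one address.
ip access-list standard SNMP-NMS-ONLY
 permit host 10.1.1.50
 deny   any

! Read view: expose only the system and interfaces MIB subtrees, instead
! of the default where every MIB object is readable.
snmp-server view NMS-READ-VIEW system included
snmp-server view NMS-READ-VIEW interfaces included

! Group at the authPriv level. No 'write' view is configured, so the
! group keeps the default of no write access at all.
snmp-server group Flackbox-Group v3 priv read NMS-READ-VIEW access SNMP-NMS-ONLY

! User in that group: SHA authentication, AES-128 privacy.
! AuthPassword and PrivPassword are the lecture's example passwords.
snmp-server user Flackbox-User Flackbox-Group v3 auth sha AuthPassword priv aes 128 PrivPassword

! Verify what got applied on the device:
!   show snmp group
!   show snmp user
!
! Matching settings on the NMS side, using the net-snmp tools as one
! example of an NMS (the security level must match the group's 'priv'):
!   snmpwalk -v 3 -l authPriv -u Flackbox-User -a SHA -A AuthPassword \
!            -x AES -X PrivPassword 10.1.1.1 system
```

Because the lecture's default-only group (`snmp-server group Flackbox-Group v3 priv`) leaves every MIB readable from any source address, the ACL and read view above are the two optional settings that narrow that exposure.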