In this lecture you'll see the configuration for SNMP version 3.

So you saw earlier that in SNMP version 1 and 2, the SNMP manager, that's our NMS server, and the SNMP agent, that's our router or switch, recognize each other through simple unencrypted community strings, so it's not very secure. But that's improved upon with SNMP version 3, which does support authentication and encryption.

With SNMP version 3 the security model uses users and groups, so we're going to configure a user on the router or switch and we configure a matching user on the NMS server. That's how they recognize each other. There is also a group as well, so most of the settings are configured at the group level, and those settings are going to be applied to the user depending on which group it's actually in.

There's three different security levels available, and these are configured at the group level. So normally you're going to just use one particular security level, but it is possible that you could have one NMS server in one group that's got one security level and a different NMS server in a different group that's got a different security level. That would be a pretty weird thing to do, but it is possible to do that.

These three different security levels: the first one is noAuthNoPriv, which means no authentication and no privacy. With noAuthNoPriv, no authentication password is exchanged and the communications between the agent and the server are not encrypted. So with noAuthNoPriv it still doesn't use a community string, it still uses a username because it's SNMP version 3, but that username basically works the same as the community string in SNMP version 1 and version 2. So there's not much point in doing that; it doesn't really give you any advantage over the old SNMP versions.

The next security level we've got is authNoPriv. With authNoPriv, password authentication is used, so the NMS server and the network device will securely authenticate each other. When we do that initial authentication, the authentication is encrypted, so the username and password is encrypted, it's not sent in plaintext. But after that initial authentication, no encryption is used for communications between the devices. So if the server pulls some information from the device, that's going to go over the network unencrypted.

So the last one is the one that we're most likely going to want to use, which is authPriv. With authPriv, password authentication is used again, the same as it was in authNoPriv, but communications between the agent and the server are also encrypted. So with authPriv, the NMS server and the device are going to securely authenticate each other, that does not go in plaintext, and also whenever they're sharing information, that is encrypted as well. So this is the most secure way of doing it. If we're using SNMP version 3, most likely we're going to be using authPriv.

OK, so let's look at the configuration. So you saw earlier in this lecture we're going to have the group and we're going to have the user as well. Let's configure the group first. So at global config I say snmp-server group. In this example I've called the group blackbox-group, then I put v3 to say that we're using SNMP version 3, and then in the example I've used the context-sensitive help, I've hit the question mark to see what the next keyword is, and this is where we set the security level of either auth, noauth or priv.

Then the next thing that we do, so in the example I've set priv because I want the most secure level, then I've put the question mark in again to see what the next keyword is. The next keywords we've got are access, context, match, notify, read and write. With access you can set an access list, I'll talk about that a bit more in the next slide. Context and match both apply to contexts, and notify, read and write are about views. So let's see what that means.

So the first keyword available there was access. What you can do is you can configure a normal access list on the router or switch where you
specify the IP address of the NMS server, and then when you configure your SNMP settings here you can reference that access list, which means you're locking it down: the router or switch will only communicate with SNMP with that particular IP address. So you're locking it down to the IP address of your NMS server.

The next keywords we had in there were for contexts. Contexts are used on switches to specify which VLANs are accessible via SNMP. So if you're configuring a switch you might need to set that up so that your NMS system can access other VLANs, not just the default VLAN 1.

And then the last thing we could set there were our views. Views can be used to limit what information is accessible to the NMS server, and we had a read view, a write view and a notify view all available. If you don't specify a read view then all MIB objects are accessible to read, so by default the NMS server can get all the different SNMP information from that particular device. So if you want to lock it down to only be able to gather, or maybe pull, a particular set of information, then you would use a read view for that.

The next one was the write view. If you don't specify a write view then no MIB objects are accessible to write. So this works the other way: by default it can read everything but it can write nothing. So if you want to lock down, limit what it can read, configure a read view. If you want it to be able to write anything, then you have to configure a write view before it can. Without explicitly configuring a write view it doesn't get any write access. So by default the NMS server gets read-only access to all MIBs.

The last one was the notify view. The notify view is used to send notifications to members of the group. A notification is a trap. If you don't specify anything it will be disabled by default.

OK, so those were our views. So when I configure the group here in this example, the full command that I use is snmp-server group blackbox-group v3 priv. So I haven't configured any access
lists or any views or anything here. They are all optional, and because I'm using the defaults here, the NMS server that is in this group will have full read-only access to the device.

OK, so I've configured my group. The next thing I'm going to want to do is configure my user. So the first word I use again is snmp-server, but I'm doing the user this time, so that's snmp-server user, and then for my example user I've called it blackbox-user. Next I specify the group that this user is in, and I'm putting it in the blackbox-group that I just configured a minute ago. I say v3 for SNMP version 3, and then auth is where I'm going to specify the authentication algorithm that I'm going to use. I can either use MD5 or SHA-1. SHA is more secure but it's a little bit slower.

OK, next up. So I've set snmp-server user blackbox-user in the blackbox-group, SNMP version 3, auth, I'm using SHA, and I'm using an authentication password of authpassword for this example.

So you know we talked about the three different security levels, and there you specify authentication and privacy separately. Well, we configure the authentication and the privacy separately as well. So right now I've already configured the authentication; next up I'm going to configure the privacy. So I say priv, and I've used the question mark again to see what options I've got here, and I can either use DES, Triple DES or AES encryption. AES is the most modern of those, it's the most secure, but it's a little bit slower.

OK, after I configure that, so here, and I won't read out the whole command again, I've got up to where I'm using AES encryption. Next up I specify whether it's 128, 192 or 256 bit. Obviously the higher the number, the more secure it's going to be, but it's going to take more CPU cycles, be a little slower.

So looking at the complete command, I've got snmp-server user blackbox-user in the blackbox-group, it's using SNMP version 3, for authentication I'm using SHA as my algorithm, my password is authpassword, and for priv I'm using AES 128-bit encryption with a password of privpassword.

So that is my user and my group set up on my router or switch. Now what I would do next is I would go on to my NMS server and I would configure a user there with matching settings. So I would set it with the same username of blackbox-user, I would specify the auth password and the priv password, and that's me done. My NMS server is now going to be able to access my device and pull information from it.

Thanks for watching. If you want to get hands-on practice with Cisco networks for free, then you can download my 400 page CCNA lab guide, which you can see above my head right now. Also check out the video about my CCNA course; it's the highest rated course online. Thanks.
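
An added example, not part of the lecture: a short Python check that reads the snmp-server group lines from a device configuration and reports each group's effective settings as the lecture describes them (security level, whether an access list restricts the NMS address, and the read and write view defaults). The sample configuration is constructed; legacy-group, locked-group, the SNMP-NMS access list, the LIMITED view and the 192.0.2.10 address are assumptions made up for contrast.

```python
import re

# Constructed sample: the lecture's group/user plus two hypothetical groups, ACL and view.
SAMPLE_CONFIG = """\
ip access-list standard SNMP-NMS
 permit host 192.0.2.10
snmp-server view LIMITED system included
snmp-server group blackbox-group v3 priv
snmp-server user blackbox-user blackbox-group v3 auth sha authpassword priv aes 128 privpassword
snmp-server group legacy-group v3 noauth write LIMITED
snmp-server group locked-group v3 priv read LIMITED access SNMP-NMS
"""

LEVELS = {"noauth": "noAuthNoPriv", "auth": "authNoPriv", "priv": "authPriv"}
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)$")


def parse_groups(config):
    """Return {group: settings}, filling in the defaults the lecture describes."""
    groups = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            name, level, rest = m.groups()
            opts = dict(re.findall(r"\b(read|write|notify|access)\s+(\S+)", rest))
            groups[name] = {
                "level": LEVELS[level],
                "read": opts.get("read", "ALL"),     # no read view: all MIB objects readable
                "write": opts.get("write", "NONE"),  # no write view: nothing writable
                "acl": opts.get("access"),           # None: no source-address restriction
            }
    return groups


def audit(config):
    """Return sorted (group, finding) pairs a reviewer should question."""
    findings = []
    for name, g in parse_groups(config).items():
        if g["level"] != "authPriv":
            findings.append((name, "security level is %s, not authPriv" % g["level"]))
        if g["acl"] is None:
            findings.append((name, "no access list restricts the NMS address"))
        if g["write"] != "NONE":
            findings.append((name, "write view %s grants write access" % g["write"]))
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join("%s: %s" % f for f in audit(SAMPLE_CONFIG)))
```

The lecture's own group passes the security-level check but is reported for having no access list, which matches the point that the access keyword is optional and was left out.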