In this lecture you'll see the configuration for SNMP version 3.

So you saw earlier that in SNMP version 1 and 2, the SNMP manager (that's our NMS server) and the SNMP agent (that's our router or switch) recognize each other through simple unencrypted community strings, so it's not very secure. But it's improved upon with SNMP version 3, which does support authentication and encryption. With SNMP version 3 the security model uses users and groups, so we're going to configure a user on the router or switch and we configure a matching user on the NMS server. That's how they recognize each other. There is also a group as well. Most of the settings are configured at the group level, and those settings are going to be applied to the user depending on which group it's actually in.

There are three different security levels available, and these are configured at the group level. Normally you're going to just use one particular security level, but it is possible that you could have one NMS server in one group that's got one security level and a different NMS server in a different group that's got a different security level. That would be a pretty weird thing to do, but it is possible to do that.

These are the three different security levels. The first one is noAuthNoPriv, which means no authentication and no privacy. With noAuthNoPriv, no authentication password is exchanged and the communications between the agent and the server are not encrypted. So with noAuthNoPriv it still doesn't use a community string, it still uses a username because it's SNMP version 3, but that username basically works the same way as the community string in SNMP version 1 and version 2. So there's not much point in doing that; it doesn't really give you any advantage over the old SNMP versions.

The next security level we've got is authNoPriv. With authNoPriv, password authentication is used, so the NMS server and the network device will securely authenticate each other. When we do that authentication, the authentication is encrypted, so the username and password are encrypted and do not go in plaintext. But after that initial authentication, no encryption is used for communications between the devices. So if the server pulls some information from the device, that's going to go over the network unencrypted.

So the last one is the one that we're most likely going to want to use, which is authPriv. With authPriv, password authentication is used again, the same as it was in authNoPriv, but communications between the agent and the server are also encrypted. So with authPriv the NMS server and the device are going to securely authenticate each other, that does not go in plaintext, and also whenever they're sharing information that is also encrypted as well. So this is the most secure way of doing it. If we're using SNMP version 3, most likely we're going to be using authPriv.

OK, so let's look at the configuration. You saw earlier in this lecture we're going to have the group and we're going to have the user as well. Let's configure the group first. At global config I say snmp-server group; in this example I've called the group blackbox-group, then v3 to say that we're using SNMP version 3. And then in the example I've used the context-sensitive help: I've hit the question mark to see what the next keyword is, and this is where we set the security level of either auth, noauth or priv. Then the next thing that we do: in the example I've set priv because I want the most secure level, then I've put the question mark in again to see what the next keyword is. The next keywords we've got are access, context, match, notify, read and write. With access you can set an access list; I'll talk about that a bit more in the next slide. context and match both apply to contexts, and notify, read and write are about views. So let's see what that means.

The first keyword available there was access. What you can do is configure a normal access list on the router or switch where you specify the IP address of the NMS server, and then when you configure your SNMP settings here you can reference that access list, which means you're locking it down: the router or switch will only communicate with SNMP with that particular IP address. So you're locking it down to the IP address of your NMS server.

The next keywords we had in there were about contexts. Contexts are used on switches to specify which VLANs are accessible via SNMP. So if you're configuring a switch you might need to set that up so that your NMS system can access other VLANs, not just the default VLAN 1.

And then the last thing we could set there were our views. Views can be used to limit what information is accessible to the NMS server, and we had a read view, a write view and a notify view all available. If you don't specify a read view then all MIB objects are accessible to read, so by default the NMS server can get all the different SNMP information from that particular device. So if you want to lock it down to only be able to gather a portion, or maybe pull a particular set of information, then you would use a read view for that. The next one was the write view. If you don't specify a write view, then no MIB objects are accessible to write. So this works the other way: by default it can read everything but it can write nothing. So if you want to lock down and limit what it can read, configure a read view; if you want it to be able to write anything, then you have to configure a write view. Before explicitly configuring a write view it doesn't get any write access, so by default the NMS server gets read-only access to all MIBs. The last one was the notify view. The notify view is used to send notifications to members of the group; a notification is a trap. If you don't specify anything it will be disabled by default. OK, so those were our views.

So when I configure the group here in this example, the full command that I use is snmp-server group blackbox-group v3 priv. So I haven't configured any access lists or any views or anything here; they are all optional, and because I'm using the defaults here, the NMS server that is in this group will have full read-only access to the device.

OK, so I've configured my group. The next thing I'm going to want to do is configure my user. So the first word I use again is snmp-server, but I'm doing the user this time, so that's snmp-server user, and then for my example user I've called it blackbox-user. Next I specify the group that this user is in, and I'm putting it in the blackbox-group that I just configured a minute ago. I say v3 for SNMP version 3, and then auth is where I'm going to specify the authentication algorithm that I'm going to use. I can either use MD5 or SHA-1; SHA is more secure but it's a little bit slower.

OK, next up. So I've set snmp-server user blackbox-user in the blackbox-group, SNMP version 3, auth, I'm using SHA, and I'm using an authentication password of AuthPassword for this example. So you know we talked about the three different security levels, and there you specify authentication and privacy separately, but we configure the authentication and the privacy separately as well. So right now I've already configured the authentication; next up I'm going to configure the privacy. So I say priv, and I've used a question mark again to see what options I've got here, and I can either use DES, Triple DES or AES encryption. AES is the most modern of those; it's the most secure but it's a little bit slower.

OK, after I configure that, so here (I won't type the whole command again) I've got up to I'm using AES encryption. Next up I specify whether it's 128, 192 or 256 bit. Obviously the higher the number the more secure it's going to be, but it's going to take more CPU cycles and be a little slower.

So looking at the complete command, I've got snmp-server user blackbox-user in the blackbox-group, it's using SNMP version 3, for authentication I'm using SHA as my algorithm, my password is AuthPassword, and for priv I'm using AES 128-bit encryption with a password of PrivPassword. So that is my user and my group set up on my router or switch. Now what I would do next is go on to my NMS server and configure a user there with matching settings. So I would set it with the same username of blackbox-user, I would specify the auth password and the priv password, and that's me done. My NMS server is now going to be able to access my device and pull information from it.

Thanks for watching. If you want to get hands-on practice with Cisco networks for free then you can download my 400 page CCNA lab guide, which you can see above my head right now. Also check out the video about my CCNA course; it's the highest rated course online. Thanks.