In this lecture, you'll see the configuration for SNMP version 3.
So you saw earlier that in SNMP version 1 and 2, the SNMP manager, that's our NMS server, and the SNMP agent, that's our router or switch, recognize each other through simple unencrypted community strings. So it's not very secure.
This was improved upon with SNMP version 3, which does support authentication and encryption. With SNMP version 3, the security model uses users and groups. So we're going to configure a user on the router or switch, and we configure a matching user on the NMS server. That's how they recognize each other. There is also a group. Most of the settings are configured at the group level, and those settings are applied to the user depending on which group it's in.

There are three different security levels available, and these are configured at the group level. Normally you're going to use just one particular security level, but it is possible to have one NMS server in one group with one security level, and a different NMS server in a different group with a different security level. That would be a pretty weird thing to do, but it is possible.

The first security level is noAuthNoPriv, which means no authentication and no privacy. With noAuthNoPriv, no authentication password is exchanged, and the communications between the agent and the server are not encrypted. noAuthNoPriv still doesn't use a community string, it still uses a username because that's SNMP version 3, but that username basically replaces, and works the same as, the community string in SNMP version 1 and version 2. So there's not much point in doing that; it doesn't really give you any advantage over the old SNMP versions.

The next security level is authNoPriv. With authNoPriv, password authentication is used, so the NMS server and the network device securely authenticate each other. When we do that authentication, the authentication is encrypted, so the username and password do not go in plaintext. But after that initial authentication, no encryption is used for communications between the devices. So if the server pulls some information from the device, that's going to go over the network unencrypted.
The last one is the one that we're most likely going to want to use, which is authPriv. With authPriv, password authentication is used, the same as in authNoPriv, but communications between the agent and the server are also encrypted. So with authPriv, the NMS server and the device securely authenticate each other, that does not go in plaintext, and whenever they're sharing information, that is encrypted as well. This is the most secure way of doing it. If we're using SNMP version 3, most likely we're going to be using authPriv.

Okay, so let's look at the configuration. As you saw earlier in this lecture, we're going to have the group and we're going to have the user as well. Let's configure the group first. At global config, I say 'snmp-server group'; in this example, I've called the group 'Flackbox-group', then 'v3' to say that we're using SNMP version 3. In the example, I've used the context-sensitive help, I've hit the question mark to see what the next keyword is, and this is where we set the security level of either auth, noauth, or priv. In the example, I've set priv because I want the most secure level. Then I've put the question mark in again to see what the next keyword is. The next keywords we've got are access, context, match, notify, read, and write. With access, you can set an access list; I'll talk about that a bit more in the next slide. Context and match both apply to contexts. And notify, read, and write are about views. So let's see what that means.

The first keyword available there was access. What you can do is configure a normal access list on the router or switch where you specify the IP address of the NMS server. Then when you configure your SNMP settings here, you can reference that access list, which means you're locking it down: the router or switch will only communicate SNMP with that particular IP address. So you're locking it down to the IP address of your NMS server.

The next keywords we had in there were about contexts. Contexts are used on switches to specify which VLANs are accessible via SNMP. So if you're configuring a switch, you might need to set that up so that your NMS system can access other VLANs, not just the default VLAN.

The last thing we could set there were our views. Views can be used to limit what information is accessible to the NMS server, and a read view, a write view, and a notify view are all available. If you don't specify a read view, then all MIB objects are accessible to read. So by default, the NMS server can get all the different SNMP information from that particular device. If you want to lock it down to only be able to pull a particular set of information, then you would use a read view for that. The next one was the write view. If you don't specify a write view, then no MIB objects are accessible to write. So this works the other way: by default, it can read everything, but it can write nothing. If you want to limit what it can read, configure a read view. If you want it to be able to write anything, then you have to configure a write view. Without explicitly configuring a write view, it doesn't get any write access. So by default, the NMS server gets read-only access to all MIBs. The last one was the notify view. The notify view is used to send notifications to members of the group; a notification is a trap. If you don't specify anything, it will be disabled by default.

Okay, so those were our views. So when I configure the group here, in this example, the full command that I use is 'snmp-server group Flackbox-group v3 priv'. I haven't configured any access lists or any views here; they are all optional. And because I'm using the defaults, the NMS server that is in this group will have full read-only access to the device.
Okay, so I've configured my group. The next thing I'm going to want to do is configure my user. So the first word I use again is 'snmp-server', but I'm doing the user this time, so 'snmp-server user'. For my example user, I've called it 'Flackbox-user'. Next I specify the group that this user is in, and I'm putting it in the Flackbox-group that I just configured a minute ago.
I say v3 for SNMP version 3, and then auth is where I specify the authentication algorithm that I'm going to use. I can use either MD5 or SHA authentication. SHA is more secure, but it's a little bit slower. Okay, next up, so I've said 'snmp-server user Flackbox-user' in the Flackbox-group, SNMP version 3, auth, I'm using SHA, and I'm using an authentication password of 'AUTHPASSWORD' for this example. We talked about the three different security levels, and there you specify authentication and privacy separately; we configure the authentication and the privacy separately here as well. So right now I've already configured the authentication; next up, I'm going to configure the privacy. So I say priv, and I've used a question mark again to see what options I've got here. I can use either DES, triple DES, or AES encryption. AES is the most modern of those and the most secure, but it's a little bit slower. After I configure that, and I won't read out the whole command to you again, I've got up to 'I'm using AES encryption'. Next up, I specify whether it's 128, 192, or 256 bit. Obviously, the higher the number, the more secure it's going to be, but it's going to take more CPU cycles and be a little slower.
So looking at the complete command, 'snmp-server user Flackbox-user Flackbox-group v3 auth sha AUTHPASSWORD priv aes 128 PRIVPASSWORD': I've got 'snmp-server user Flackbox-user' in the Flackbox-group, it's using SNMP version 3; for authentication, I'm using SHA as my algorithm and my password is AUTHPASSWORD; and for priv, I'm using AES 128-bit encryption with a password of PRIVPASSWORD.
So that is my user and my group set up on my router or switch. What I would do next is go on to my NMS server and configure a user there with matching settings. I would set it with the same username of Flackbox-user, I would specify the auth password and the priv password, and that's me done. My NMS server is now going to be able to access my device and pull information from it. Thanks for watching.
If you want to get hands-on practice with Cisco networks for free, then you can download my 400-page CCNA lab guide, which you can see above my head right now. Also, check out the video about my CCNA course, it's the highest rated course online. Thanks.
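The complete router-side configuration walked through in this lecture, with the optional access list and read view that the lecture describes but leaves at their defaults, as an added example that is not the lecture's own configuration. The NMS address 10.1.1.50, the ACL name SNMP-NMS and the view name NMS-READ are assumptions.

```cisco
! Constructed example; 10.1.1.50, SNMP-NMS and NMS-READ are assumed names/values.
!
! 1. Standard ACL naming the NMS server. Everything else is dropped by the
!    implicit deny at the end of the list.
ip access-list standard SNMP-NMS
 permit host 10.1.1.50
!
! 2. Read view. With no read view the group can read every MIB object;
!    this one exposes only the MIB-II system and interfaces subtrees.
snmp-server view NMS-READ system included
snmp-server view NMS-READ interfaces included
!
! 3. Group at the priv (authPriv) security level, tied to the read view and
!    the ACL. No write view is configured, so members stay read-only.
snmp-server group Flackbox-group v3 priv read NMS-READ access SNMP-NMS
!
! 4. User in that group: SHA authentication, AES 128-bit privacy. The NMS
!    must be configured with the same username, algorithms and passwords.
snmp-server user Flackbox-user Flackbox-group v3 auth sha AUTHPASSWORD priv aes 128 PRIVPASSWORD
!
! Verification. IOS stores the user as localized keys and does not list
! snmp-server user lines in the running-config, so check with:
!   show snmp user
!   show snmp group
```

Only AES-128 is standardized for SNMPv3 (RFC 3826); the 192- and 256-bit options come from an expired draft and vendors differ in how they extend the key, so 128 bit is the length most likely to interoperate with a given NMS.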