In this lecture, you'll see the configuration for SNMP version 3. [Music] So you saw earlier that in SNMP version 1 and 2, the SNMP manager, that's our NMS server, and the SNMP agent, that's our router or switch, they recognize each other through simple unencrypted community strings. So it's not very secure. [inaudible] improved upon with SNMP version 3, which does support authentication and encryption. With SNMP version 3, the security model uses users and groups. So we're going to configure a user on the router or switch, and we configure a matching user on the NMS server. That's how they recognize each other. There is also a group as well. So most of the settings are configured at the group level, and those settings are going to be applied to the user depending on which group it's actually in. There are three different security levels available, and these are configured at the group level. So normally, you're going to just use one particular security level. But it is possible that you could have one NMS server in one group, it's got one security level, and a different NMS server in a different group, but it's got a different security level.
That would be a pretty weird thing to do, but it is possible to do that. There are three different security levels. The first one is noAuthNoPriv, which means no authentication and no privacy. With noAuthNoPriv, no authentication password is exchanged, and the communications between the agent and the server are not encrypted. So with noAuthNoPriv, it still doesn't use a community string, it still uses a username because that's SNMP version 3, but that username basically replaces, works the same as the community string in SNMP version 1 and version 2. So there's not much point in doing that, it doesn't really give you any advantage over the old SNMP versions. The next security level we've got is AuthNoPriv. With AuthNoPriv, password authentication is used. So the NMS server and the network device will securely authenticate each other. When we do that authentication, the authentication is encrypted, so the username and password are encrypted, they do not go in plaintext. But after that initial authentication, no encryption is used for communications between the devices. So if the server pulls some information from the device, that's going to go over the network unencrypted.
So the last one is the one that we're most likely gonna want to use, which is AuthPriv. With AuthPriv, password authentication is used, again, the same as it was in AuthNoPriv, but communications between the agent and the server are also encrypted. So with AuthPriv, the NMS server and the device are going to securely authenticate each other, that does not go in plaintext. And also whenever they're sharing information, that is also encrypted as well. So this is the most secure way of doing it. If we're using SNMP version 3, most likely we're going to be using AuthPriv. Okay, so let's look at the configuration. So you saw earlier in this lecture, we're gonna have the group and we're gonna have the user as well. Let's configure the group first. So at global config, I say 'snmp-server group', in this example, I've called the group 'Flackbox-group', then actually 'v3' to say that we're using SNMP version 3. And in the example, I've used the context-sensitive help, I've hit the question mark to see what the next keyword is. And this is where we set the security level of either auth, noauth, or priv. Then the next thing that we do- so in the example, I've set priv because I want the most secure level.
Then I've put the question mark in again to see what the next keyword is. The next keywords we've got are access, context, match, notify, read, and write. With access, you can set an access list. I'll talk about that a bit more in the next slide. Context and match both apply to contexts. And notify, read, and write are about views. So let's see what that means. So the first keyword available there was access. What you can do is you can configure a normal access list on a router or a switch where you specify the IP address of the NMS server. And then when you configure your SNMP settings here, you can reference that access list, which means you're locking it down, the [inaudible] router or switch will only communicate with SNMP with that particular IP address. So you're locking it down to the IP address of your NMS server. The next keywords we had in there were about contexts. Contexts are used on switches to specify which VLANs are accessible via SNMP. So if you're configuring a switch, you might need to set that up so that your NMS system can access other VLANs, not just the default VLAN. And then the last thing we could set there were our views.
Views can be used to limit what information is accessible to the NMS server. And we had a read view, a write view, and a notify view all available. If you don't specify a read view, then all MIB objects are accessible to read. So by default, the NMS server can get all the different SNMP information from that particular device. So if you want to lock it down to only be able to gather a particular- or maybe poll a particular set of information, then you would use a read view for that. The next one was the write view. If you don't specify a write view, then no MIB objects are accessible to write. So this works the other way. So by default, it can read everything, but it can write nothing. So if you want to lock down, limit what it can read, configure a read view. If you want it to be able to write anything, then you have to configure a write view. Without explicitly configuring a write view, it doesn't get any write access. So by default, the NMS server gets read-only access to all MIBs. The last one was the notify view. The notify view is used to send notifications to members of the group. A notification is a trap. If you don't specify anything, it will be disabled by default. Okay, so those were our views.
So when I configure the group here, in this example, the full command that I use is 'snmp-server group Flackbox-group v3 priv'. So I haven't configured any access lists or any views or anything here, they are all optional. And because I'm using the defaults here, the NMS server that is in this group will have full read-only access to the device. Okay, so I've configured my group. The next thing I'm gonna want to do is configure my user. So the first word I use again is 'snmp-server', but I'm doing the user this time, so 'snmp-server user'. And then for my example user, I've called it 'Flackbox-user'. Next I specify the group that this user is in, and I'm putting it in the Flackbox group that I just configured a minute ago. I say v3 for SNMP version 3, and then auth is where I'm gonna specify the authentication algorithm that I'm gonna use. I can either use MD5 or SHA authentication. SHA is more secure, but it's a little bit slower. Okay, next up, so I've said 'snmp-server user Flackbox-user', in the Flackbox group, SNMP version 3, auth, I'm using SHA, and I'm using an authentication password of 'AUTHPASSWORD' for this example.
So you know, we talked about the three different security levels, and there you specify authentication and privacy separately, but we configure the authentication and the privacy separately as well. So right now I've already configured the authentication, next up, I'm gonna configure the privacy. So I say priv, and I've used a question mark again to see what options I've got here. And I can either use DES, triple DES or AES encryption. AES is the most modern of those, it's the most secure, but it's a little bit slower. Okay, after I configure that- so here, and I won't read out the whole command to you again, I've got up to I'm using AES encryption. Next up, I specify whether it's 128, 192, or 256 bit. Obviously, the higher the number, the more secure it's going to be, but it's going to take more CPU cycles, be a little slower. So looking at the complete command, I've got 'snmp-server user Flackbox-user' in the Flackbox group, it's using SNMP version 3, for authentication, I'm using SHA as my algorithm, my password is AUTHPASSWORD, and for priv, I'm using AES 128 bit encryption with a password of PRIVPASSWORD. So that is my user and my group setup on my router or switch.
Now what I would do next is I would go on to my NMS server and I would configure a user there with matching settings. So I would set it with the same username of Flackbox-user. I would specify the auth password and the priv password and that's me done. My NMS server is now going to be able to access my device and pull information from it. Thanks for watching. If you want to get hands-on practice with Cisco networks for free, then you can download my 400 page CCNA lab guide, which you can see above my head right now. Also, check out the video about my CCNA course, it's the highest rated course online. Thanks.
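As an added example that is not part of the lecture, the following Cisco IOS configuration puts the whole lecture together in one place: the group and user exactly as the lecture configures them, plus the optional pieces the lecture describes but leaves at their defaults (an access list that restricts SNMP to the NMS server's address and a read view that limits what can be polled). The group name, user name, and the two passwords are the lecture's own example values; the NMS address 10.0.0.50, the ACL name SNMP-NMS, the view name READ-VIEW and the choice of the system and interfaces subtrees are assumptions made for this example.

```cisco
! Added example, not the lecture's own configuration.
! Assumed values: NMS server at 10.0.0.50, ACL SNMP-NMS, view READ-VIEW.
! Group, user and passwords are the lecture's example values.

! 1. Access list: only the NMS server may talk SNMP to this device.
!    The 'log' on the deny gives you a record of anyone else trying.
ip access-list standard SNMP-NMS
 permit host 10.0.0.50
 deny any log

! 2. Read view: the NMS may poll only the system and interfaces
!    subtrees of MIB-2 instead of every MIB on the device.
snmp-server view READ-VIEW system included
snmp-server view READ-VIEW interfaces included

! 3. Group: AuthPriv security level, read view and ACL applied.
!    No write view is given, so the group keeps the default of no write access.
snmp-server group Flackbox-group v3 priv read READ-VIEW access SNMP-NMS

! 4. User: SHA authentication, AES-128 privacy, member of the group above.
!    SNMPv3 requires each password to be at least 8 characters.
snmp-server user Flackbox-user Flackbox-group v3 auth sha AUTHPASSWORD priv aes 128 PRIVPASSWORD
end

! 5. Verify. The snmp-server user line (and its passwords) is not shown in
!    the running config, so 'show snmp user' is how you confirm the user
!    exists and which group it belongs to.
show snmp group
show snmp user
```

From the NMS side, a net-snmp client with the matching settings, `snmpwalk -v3 -l authPriv -u Flackbox-user -a SHA -A AUTHPASSWORD -x AES -X PRIVPASSWORD <device-ip> system`, should return the system subtree, while the same walk against a subtree that is not in READ-VIEW (for example `ip`) returns no objects, and a walk from any address other than 10.0.0.50 gets no answer at all, which is the behaviour the access list and the read view are there to enforce.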