0:00:00.030,0:00:02.310
In this lecture, you'll see the

0:00:02.310,0:00:06.249
configuration for SNMP version 3.

0:00:06.249,0:00:12.170
[Music]

0:00:12.990,0:00:17.630
So you saw earlier that in SNMP version

0:00:17.630,0:00:21.610
1 and 2, the SNMP manager,

0:00:21.610,0:00:24.759
that's our NMS server, and the SNMP agent,

0:00:24.759,0:00:27.970
that's our router or switch, they recognize

0:00:27.970,0:00:30.489
each other through simple unencrypted

0:00:30.489,0:00:32.980
community strings. So it's not very

0:00:32.980,0:00:33.730
secure.

0:00:33.730,0:00:36.550
[inaudible] improved upon with SNMP

0:00:36.550,0:00:39.210
version 3 which does support

0:00:39.210,0:00:43.300
authentication and encryption. With SNMP

0:00:43.300,0:00:46.750
version 3, the security model uses users

0:00:46.750,0:00:49.329
and groups. So we're going to configure a

0:00:49.329,0:00:52.030
user on the router or switch, and we

0:00:52.030,0:00:55.750
configure a matching user on the NMS

0:00:55.750,0:00:57.940
server. That's how they recognize each

0:00:57.940,0:01:00.999
other. There is also a group as well. So

0:01:00.999,0:01:03.100
most of the settings are configured at

0:01:03.100,0:01:05.379
the group level, and those settings are

0:01:05.379,0:01:06.940
going to be applied to the user

0:01:06.940,0:01:09.100
depending on which group it's actually

0:01:09.100,0:01:13.330
in. There's three different security

0:01:13.330,0:01:15.670
levels available, and these are

0:01:15.670,0:01:17.590
configured at the group level. So

0:01:17.590,0:01:19.119
normally, you're going to just use one

0:01:19.119,0:01:21.520
particular security level. But it is

0:01:21.520,0:01:23.920
possible that you could have one NMS

0:01:23.920,0:01:26.259
server in one group, it's got one

0:01:26.259,0:01:28.390
security level, and a different NMS

0:01:28.390,0:01:30.189
server in a different group, but it's

0:01:30.189,0:01:31.990
got a different security level. That

0:01:31.990,0:01:33.670
would be a pretty weird thing to do, but

0:01:33.670,0:01:36.430
it is possible to do that. There's three

0:01:36.430,0:01:38.409
different security levels. The first one

0:01:38.409,0:01:41.920
is noAuthnoPriv which means no

0:01:41.920,0:01:44.500
authentication and no privacy. With

0:01:44.500,0:01:47.170
noAuthnoPriv, no authentication password

0:01:47.170,0:01:49.479
is exchanged, and the communications

0:01:49.479,0:01:51.820
between the agent and the server are not

0:01:51.820,0:01:54.909
encrypted. So with noAuthnoPriv, it

0:01:54.909,0:01:56.500
still doesn't use a community string, it

0:01:56.500,0:01:58.570
still uses a username because that's

0:01:58.570,0:02:00.130
SNMP version 3,

0:02:00.130,0:02:02.920
but that username basically replaces,

0:02:02.920,0:02:04.810
works the same as the community

0:02:04.810,0:02:08.619
string in SNMP version 1 and version 2.

0:02:08.619,0:02:10.869
So there's not much point in doing that,

0:02:10.869,0:02:12.220
doesn't really give you any advantage

0:02:12.220,0:02:15.490
over the old SNMP versions. The next

0:02:15.490,0:02:16.845
security level we've got is

0:02:16.845,0:02:20.290
AuthNoPriv. With AuthNoPriv, password

0:02:20.290,0:02:23.380
authentication is used. So the NMS server

0:02:23.380,0:02:25.020
and the network device will

0:02:25.020,0:02:27.760
securely authenticate each other. When we do

0:02:27.760,0:02:28.980
that authentication, the

0:02:28.980,0:02:31.239
authentication is encrypted, so the user

0:02:31.239,0:02:33.610
and- user name and password is encrypted,

0:02:33.610,0:02:36.610
does not go in plaintext. But after that

0:02:36.610,0:02:39.520
initial authentication, no encryption is

0:02:39.520,0:02:41.440
used for communications between the

0:02:41.440,0:02:44.170
devices. So if the server pulls some

0:02:44.170,0:02:46.030
information from the device, that's

0:02:46.030,0:02:47.980
going to go over the network unencrypted.

0:02:47.980,0:02:50.500
So the last one is the one that we're

0:02:50.500,0:02:52.959
most likely gonna want to use which is

0:02:52.959,0:02:55.750
AuthPriv. With AuthPriv, password

0:02:55.750,0:02:57.940
authentication is used, again, the same as

0:02:57.940,0:03:00.000
it was in AuthNoPriv, but

0:03:00.000,0:03:02.380
communications between the agent and the

0:03:02.380,0:03:05.080
server are also encrypted. So with AuthPriv,

0:03:05.080,0:03:07.750
the NMS server and the device are

0:03:07.750,0:03:09.730
going to securely authenticate each

0:03:09.730,0:03:11.890
other, that does not go in plaintext. And

0:03:11.890,0:03:14.170
also whenever they're sharing information,

0:03:14.170,0:03:16.900
that is also encrypted as well. So this

0:03:16.900,0:03:18.700
is the most secure way of doing it. If

0:03:18.700,0:03:21.640
we're using SNMP version 3, most likely

0:03:21.640,0:03:24.970
were going to be using AuthPriv. Okay, so

0:03:24.970,0:03:27.670
let's look at the configuration. So you

0:03:27.670,0:03:29.380
saw earlier in this lecture, we're gonna

0:03:29.380,0:03:31.060
have the group and we're gonna have the

0:03:31.060,0:03:33.760
user as well. Let's configure the group

0:03:33.760,0:03:37.690
first. So a global config, I say 'snmp-

0:03:37.690,0:03:40.930
server group', in this example, I've called

0:03:40.930,0:03:43.329
the group 'Flackbox-group', then

0:03:43.329,0:03:45.730
actually 'v3' to say that we're using SNMP

0:03:45.730,0:03:48.130
version 3. And in the example, I've used

0:03:48.130,0:03:49.959
the context-sensitive help, I've hit the

0:03:49.959,0:03:51.790
question mark to see what the next key

0:03:51.790,0:03:53.799
word is. And this is where we set the

0:03:53.799,0:03:57.130
security level of either auth, noAuth, or

0:03:57.130,0:04:04.630
priv. Then next thing that we do- so in

0:04:04.630,0:04:06.579
the example, I've set priv because I want

0:04:06.579,0:04:08.799
the most secure level. Then I've put the

0:04:08.799,0:04:10.569
question mark in again to see what the

0:04:10.569,0:04:12.730
next key word is. Next key word we've

0:04:12.730,0:04:16.030
got access, context, match, notify, read,

0:04:16.030,0:04:19.720
and write. With access, you can set an

0:04:19.720,0:04:21.700
access list. I'll talk about that a bit

0:04:21.700,0:04:24.610
more in the next slide. Context and match

0:04:24.610,0:04:28.300
both apply to contexts. And notify,

0:04:28.300,0:04:31.840
read, and write are about views. So let's

0:04:31.840,0:04:33.880
see what that means. So the first key

0:04:33.880,0:04:35.950
word available there was access. What you

0:04:35.950,0:04:38.020
can do is you can configure a normal

0:04:38.020,0:04:39.270
access-

0:04:39.270,0:04:41.220
access list on a router or of a switch

0:04:41.220,0:04:44.159
where you specify the IP address of the

0:04:44.159,0:04:46.620
NMS server. And then when you configure

0:04:46.620,0:04:49.620
your SNMP settings here, you can

0:04:49.620,0:04:51.479
reference that access list which means

0:04:51.479,0:04:53.939
you're locking it down, the [inaudible] router

0:04:53.939,0:04:55.800
or switch will only communicate with

0:04:55.800,0:04:59.669
SNMP with that particular IP address. So

0:04:59.669,0:05:01.409
you're locking it down to the IP address

0:05:01.409,0:05:04.800
of your NMS server. The next key words we

0:05:04.800,0:05:06.599
had in there were about contexts.

0:05:06.599,0:05:09.900
Contexts are used on switches to specify

0:05:09.900,0:05:13.530
which VLANs are accessible via SNMP. So

0:05:13.530,0:05:15.180
if you're configuring a switch, you might

0:05:15.180,0:05:17.190
need to set that up so that your NMS

0:05:17.190,0:05:19.289
system can access other VLANs, not

0:05:19.289,0:05:22.590
just the default VLAN. And then the last

0:05:22.590,0:05:24.930
thing we could set there were our views.

0:05:24.930,0:05:27.360
Views can be used to limit what

0:05:27.360,0:05:30.180
information is accessible to the NMS

0:05:30.180,0:05:33.719
server. And we had a read view, a write view,

0:05:33.719,0:05:36.449
and a notify view are all available. If

0:05:36.449,0:05:39.840
you don't specify a read view, then all

0:05:39.840,0:05:43.080
MIB objects are accessible to read. So by

0:05:43.080,0:05:45.810
default, the NMS server can get all the

0:05:45.810,0:05:48.509
different SNMP information from that

0:05:48.509,0:05:50.729
particular device. So if you want to lock

0:05:50.729,0:05:52.710
it down to only be able to gather a

0:05:52.710,0:05:55.440
particular- or maybe a pool, a particular set

0:05:55.440,0:05:57.000
of information, then you would use a

0:05:57.000,0:05:59.610
read view for that. Next one was write

0:05:59.610,0:06:01.979
view. If you don't specify a write view,

0:06:01.979,0:06:04.830
then no MIB objects are accessible to

0:06:04.830,0:06:06.779
write. So this works the other way. So by

0:06:06.779,0:06:09.270
default, it can read everything, but it

0:06:09.270,0:06:12.210
can write nothing. So if you want to lock

0:06:12.210,0:06:14.370
down, limit what it can read, configure a

0:06:14.370,0:06:16.529
read view. If you want it to be able to

0:06:16.529,0:06:18.930
write anything, then you have to

0:06:18.930,0:06:21.330
configure a write view. Without

0:06:21.330,0:06:23.490
explicitly configuring a write view, it

0:06:23.490,0:06:25.710
doesn't get any write access. So by

0:06:25.710,0:06:27.930
default, the NMS server gets read-only

0:06:27.930,0:06:31.349
access to all MIBs. The last one was

0:06:31.349,0:06:33.750
the notify view. Notify view is used

0:06:33.750,0:06:36.120
to send notifications to members of the

0:06:36.120,0:06:38.759
group. Notification is a trap. If you

0:06:38.759,0:06:40.440
don't specify anything, it will be

0:06:40.440,0:06:43.529
disabled by default. Okay, so those were

0:06:43.529,0:06:47.789
our views. So when I configure the group

0:06:47.789,0:06:49.979
here, in this example, the full command

0:06:49.979,0:06:52.540
that I use is 'snmp-server group

0:06:52.540,0:06:56.140
Flackbox-group v3 priv'. So I haven't

0:06:56.140,0:06:58.420
configured any access lists or any views

0:06:58.420,0:07:00.850
or anything here,1 they are all optional.

0:07:00.850,0:07:03.250
And because I'm using the defaults here,

0:07:03.250,0:07:06.250
the NMS server that is in this group

0:07:06.250,0:07:09.430
will have full read-only access to the

0:07:09.430,0:07:11.400
device.

0:07:11.400,0:07:14.800
Okay, so I've configured my group. The

0:07:14.800,0:07:16.570
next thing I'm gonna want to do is

0:07:16.570,0:07:21.310
configure my user. So the first word I

0:07:21.310,0:07:24.490
use again is 'snmp-server', but I'm doing

0:07:24.490,0:07:26.360
the user this time so 'snmp-server

0:07:26.360,0:07:29.920
user'. And then for my example user,

0:07:29.920,0:07:33.190
I've called it 'Flackbox-user'. Next I

0:07:33.190,0:07:35.770
specify the group that this user is

0:07:35.770,0:07:37.930
in, and I'm putting it in the Flackbox

0:07:37.930,0:07:40.420
group that I just configured a minute ago.

0:07:40.420,0:07:45.010
I say v3 for SNMP version 3, and then auth

0:07:45.010,0:07:47.520
is where I'm gonna specify the

0:07:47.520,0:07:49.660
authentication algorithm that I'm gonna

0:07:49.660,0:07:54.320
use. I can either use MD5 or SHA authentication.

0:07:54.320,0:07:56.590
SHA is more secure, but it's a little bit

0:07:56.590,0:08:00.730
slower. Okay, next up, so I've said 'snmp-

0:08:00.730,0:08:03.040
server user flackbox-user', in the flat

0:08:03.040,0:08:06.190
box group, SNMP version 3, auth, I'm using

0:08:06.190,0:08:08.530
SHA, and I'm using an authentication

0:08:08.530,0:08:11.200
password of 'AUTHPASSWORD' for this

0:08:11.200,0:08:13.510
example. So you know, we talked about the

0:08:13.510,0:08:15.280
three different security levels, and

0:08:15.280,0:08:17.410
there you specify authentication and

0:08:17.410,0:08:20.380
privacy separately, but we configure the

0:08:20.380,0:08:22.030
authentication and the privacy

0:08:22.030,0:08:24.070
separately as well. So right now I've

0:08:24.070,0:08:26.560
already configured the authentication,

0:08:26.560,0:08:30.010
next up, I'm gonna configure the privacy.

0:08:30.010,0:08:32.620
So I say priv, and I've used a question

0:08:32.620,0:08:34.750
mark again to see what options I've got

0:08:34.750,0:08:37.810
here. And I can either use DES, triple

0:08:37.810,0:08:41.229
DES or AES encryption. AES is the most

0:08:41.229,0:08:43.720
modern of those, it's the most secure, but

0:08:43.720,0:08:47.020
it's a little bit slower. Okay,

0:08:47.020,0:08:51.220
after I configure that- so here, and I

0:08:51.220,0:08:52.300
won't read out the whole

0:08:52.300,0:08:54.970
command to you again, I've got up to I'm using

0:08:54.970,0:08:58.630
AES encryption. Next up, I specify whether

0:08:58.630,0:09:03.670
it's 128, 192, or 256 bit. Obviously, the

0:09:03.670,0:09:05.290
higher of a number the more secure it's

0:09:05.290,0:09:06.400
going to be, but it's

0:09:06.400,0:09:09.750
take more CPU cycles, be a little slower.

0:09:09.750,0:09:12.940
So looking at the complete command,

0:09:12.940,0:09:15.820
I've got 'snmp-server user Flackbox-user'

0:09:15.820,0:09:18.280
in the Flackbox group, it's using SNMP

0:09:18.280,0:09:21.280
version 3, for authentication, I'm using

0:09:21.280,0:09:24.730
SHA as my algorithm, my password is AUTH

0:09:24.730,0:09:28.090
PASSWORD, and for priv, I'm using AES 128

0:09:28.090,0:09:30.880
bit encryption with a password of PRIVPASSWORD.

0:09:30.880,0:09:34.120
So that is my user and my group

0:09:34.120,0:09:36.730
setup on my router or switch. Now what I

0:09:36.730,0:09:38.890
would do next is I would go on to my NMS

0:09:38.890,0:09:41.320
server and I would configure a user

0:09:41.320,0:09:44.170
there with matching settings here. So I

0:09:44.170,0:09:46.510
would set it with the same username of

0:09:46.510,0:09:49.510
Flackbox-user. I would specify the auth

0:09:49.510,0:09:52.180
password and the priv password and that's

0:09:52.180,0:09:54.880
me done. My NMS server is now going to

0:09:54.880,0:09:57.130
be able to access my device and pull

0:09:57.130,0:09:59.500
information from it. Thanks for watching.

0:09:59.500,0:10:01.690
If you want to get hands-on practice

0:10:01.690,0:10:05.170
with Cisco networks for free, then you

0:10:05.170,0:10:09.310
can download my 400 page CCNA lab guide,

0:10:09.310,0:10:11.320
which you can see above my head right

0:10:11.320,0:10:14.650
now. Also, check out the video about my

0:10:14.650,0:10:17.320
CCNA course, it's highest rated course

0:10:17.320,0:10:20.640
online thanks.