1
00:00:00,030 --> 00:00:02,310
In this lecture, you'll see the

2
00:00:02,310 --> 00:00:06,249
configuration for SNMP version 3.

3
00:00:06,249 --> 00:00:12,170
[Music]

4
00:00:12,990 --> 00:00:17,630
So you saw earlier that in SNMP version

5
00:00:17,630 --> 00:00:21,610
1 and 2, the SNMP manager,

6
00:00:21,610 --> 00:00:24,759
that's our NMS server, and the SNMP agent,

7
00:00:24,759 --> 00:00:27,970
that's our router or switch, they recognize

8
00:00:27,970 --> 00:00:30,489
each other through simple unencrypted

9
00:00:30,489 --> 00:00:32,980
community strings. So it's not very

10
00:00:32,980 --> 00:00:33,730
secure.

11
00:00:33,730 --> 00:00:36,550
[inaudible] improved upon with SNMP

12
00:00:36,550 --> 00:00:39,210
version 3 which does support

13
00:00:39,210 --> 00:00:43,300
authentication and encryption. With SNMP

14
00:00:43,300 --> 00:00:46,750
version 3, the security model uses users

15
00:00:46,750 --> 00:00:49,329
and groups. So we're going to configure a

16
00:00:49,329 --> 00:00:52,030
user on the router or switch, and we

17
00:00:52,030 --> 00:00:55,750
configure a matching user on the NMS

18
00:00:55,750 --> 00:00:57,940
server. That's how they recognize each

19
00:00:57,940 --> 00:01:00,999
other. There is also a group as well. So

20
00:01:00,999 --> 00:01:03,100
most of the settings are configured at

21
00:01:03,100 --> 00:01:05,379
the group level, and those settings are

22
00:01:05,379 --> 00:01:06,940
going to be applied to the user

23
00:01:06,940 --> 00:01:09,100
depending on which group it's actually

24
00:01:09,100 --> 00:01:13,330
in. There's three different security

25
00:01:13,330 --> 00:01:15,670
levels available, and these are

26
00:01:15,670 --> 00:01:17,590
configured at the group level. So

27
00:01:17,590 --> 00:01:19,119
normally, you're going to just use one

28
00:01:19,119 --> 00:01:21,520
particular security level. But it is

29
00:01:21,520 --> 00:01:23,920
possible that you could have one NMS

30
00:01:23,920 --> 00:01:26,259
server in one group, it's got one

31
00:01:26,259 --> 00:01:28,390
security level, and a different NMS

32
00:01:28,390 --> 00:01:30,189
server in a different group, but it's

33
00:01:30,189 --> 00:01:31,990
got a different security level. That

34
00:01:31,990 --> 00:01:33,670
would be a pretty weird thing to do, but

35
00:01:33,670 --> 00:01:36,430
it is possible to do that. There's three

36
00:01:36,430 --> 00:01:38,409
different security levels. The first one

37
00:01:38,409 --> 00:01:41,920
is noAuthnoPriv which means no

38
00:01:41,920 --> 00:01:44,500
authentication and no privacy. With

39
00:01:44,500 --> 00:01:47,170
noAuthnoPriv, no authentication password

40
00:01:47,170 --> 00:01:49,479
is exchanged, and the communications

41
00:01:49,479 --> 00:01:51,820
between the agent and the server are not

42
00:01:51,820 --> 00:01:54,909
encrypted. So with noAuthnoPriv, it

43
00:01:54,909 --> 00:01:56,500
still doesn't use a community string, it

44
00:01:56,500 --> 00:01:58,570
still uses a username because that's

45
00:01:58,570 --> 00:02:00,130
SNMP version 3,

46
00:02:00,130 --> 00:02:02,920
but that username basically replaces,

47
00:02:02,920 --> 00:02:04,810
works the same as the community

48
00:02:04,810 --> 00:02:08,619
string in SNMP version 1 and version 2.

49
00:02:08,619 --> 00:02:10,869
So there's not much point in doing that,

50
00:02:10,869 --> 00:02:12,220
doesn't really give you any advantage

51
00:02:12,220 --> 00:02:15,490
over the old SNMP versions. The next

52
00:02:15,490 --> 00:02:16,845
security level we've got is

53
00:02:16,845 --> 00:02:20,290
AuthNoPriv. With AuthNoPriv, password

54
00:02:20,290 --> 00:02:23,380
authentication is used. So the NMS server

55
00:02:23,380 --> 00:02:25,020
and the network device will

56
00:02:25,020 --> 00:02:27,760
securely authenticate each other. When we do

57
00:02:27,760 --> 00:02:28,980
that authentication, the

58
00:02:28,980 --> 00:02:31,239
authentication is encrypted, so the user

59
00:02:31,239 --> 00:02:33,610
and- user name and password is encrypted,

60
00:02:33,610 --> 00:02:36,610
does not go in plaintext. But after that

61
00:02:36,610 --> 00:02:39,520
initial authentication, no encryption is

62
00:02:39,520 --> 00:02:41,440
used for communications between the

63
00:02:41,440 --> 00:02:44,170
devices. So if the server pulls some

64
00:02:44,170 --> 00:02:46,030
information from the device, that's

65
00:02:46,030 --> 00:02:47,980
going to go over the network unencrypted.

66
00:02:47,980 --> 00:02:50,500
So the last one is the one that we're

67
00:02:50,500 --> 00:02:52,959
most likely gonna want to use which is

68
00:02:52,959 --> 00:02:55,750
AuthPriv. With AuthPriv, password

69
00:02:55,750 --> 00:02:57,940
authentication is used, again, the same as

70
00:02:57,940 --> 00:03:00,000
it was in AuthNoPriv, but

71
00:03:00,000 --> 00:03:02,380
communications between the agent and the

72
00:03:02,380 --> 00:03:05,080
server are also encrypted. So with AuthPriv,

73
00:03:05,080 --> 00:03:07,750
the NMS server and the device are

74
00:03:07,750 --> 00:03:09,730
going to securely authenticate each

75
00:03:09,730 --> 00:03:11,890
other, that does not go in plaintext. And

76
00:03:11,890 --> 00:03:14,170
also whenever they're sharing information,

77
00:03:14,170 --> 00:03:16,900
that is also encrypted as well. So this

78
00:03:16,900 --> 00:03:18,700
is the most secure way of doing it. If

79
00:03:18,700 --> 00:03:21,640
we're using SNMP version 3, most likely

80
00:03:21,640 --> 00:03:24,970
were going to be using AuthPriv. Okay, so

81
00:03:24,970 --> 00:03:27,670
let's look at the configuration. So you

82
00:03:27,670 --> 00:03:29,380
saw earlier in this lecture, we're gonna

83
00:03:29,380 --> 00:03:31,060
have the group and we're gonna have the

84
00:03:31,060 --> 00:03:33,760
user as well. Let's configure the group

85
00:03:33,760 --> 00:03:37,690
first. So a global config, I say 'snmp-

86
00:03:37,690 --> 00:03:40,930
server group', in this example, I've called

87
00:03:40,930 --> 00:03:43,329
the group 'Flackbox-group', then

88
00:03:43,329 --> 00:03:45,730
actually 'v3' to say that we're using SNMP

89
00:03:45,730 --> 00:03:48,130
version 3. And in the example, I've used

90
00:03:48,130 --> 00:03:49,959
the context-sensitive help, I've hit the

91
00:03:49,959 --> 00:03:51,790
question mark to see what the next key

92
00:03:51,790 --> 00:03:53,799
word is. And this is where we set the

93
00:03:53,799 --> 00:03:57,130
security level of either auth, noAuth, or

94
00:03:57,130 --> 00:04:04,630
priv. Then next thing that we do- so in

95
00:04:04,630 --> 00:04:06,579
the example, I've set priv because I want

96
00:04:06,579 --> 00:04:08,799
the most secure level. Then I've put the

97
00:04:08,799 --> 00:04:10,569
question mark in again to see what the

98
00:04:10,569 --> 00:04:12,730
next key word is. Next key word we've

99
00:04:12,730 --> 00:04:16,030
got access, context, match, notify, read,

100
00:04:16,030 --> 00:04:19,720
and write. With access, you can set an

101
00:04:19,720 --> 00:04:21,700
access list. I'll talk about that a bit

102
00:04:21,700 --> 00:04:24,610
more in the next slide. Context and match

103
00:04:24,610 --> 00:04:28,300
both apply to contexts. And notify,

104
00:04:28,300 --> 00:04:31,840
read, and write are about views. So let's

105
00:04:31,840 --> 00:04:33,880
see what that means. So the first key

106
00:04:33,880 --> 00:04:35,950
word available there was access. What you

107
00:04:35,950 --> 00:04:38,020
can do is you can configure a normal

108
00:04:38,020 --> 00:04:39,270
access-

109
00:04:39,270 --> 00:04:41,220
access list on a router or of a switch

110
00:04:41,220 --> 00:04:44,159
where you specify the IP address of the

111
00:04:44,159 --> 00:04:46,620
NMS server. And then when you configure

112
00:04:46,620 --> 00:04:49,620
your SNMP settings here, you can

113
00:04:49,620 --> 00:04:51,479
reference that access list which means

114
00:04:51,479 --> 00:04:53,939
you're locking it down, the [inaudible] router

115
00:04:53,939 --> 00:04:55,800
or switch will only communicate with

116
00:04:55,800 --> 00:04:59,669
SNMP with that particular IP address. So

117
00:04:59,669 --> 00:05:01,409
you're locking it down to the IP address

118
00:05:01,409 --> 00:05:04,800
of your NMS server. The next key words we

119
00:05:04,800 --> 00:05:06,599
had in there were about contexts.

120
00:05:06,599 --> 00:05:09,900
Contexts are used on switches to specify

121
00:05:09,900 --> 00:05:13,530
which VLANs are accessible via SNMP. So

122
00:05:13,530 --> 00:05:15,180
if you're configuring a switch, you might

123
00:05:15,180 --> 00:05:17,190
need to set that up so that your NMS

124
00:05:17,190 --> 00:05:19,289
system can access other VLANs, not

125
00:05:19,289 --> 00:05:22,590
just the default VLAN. And then the last

126
00:05:22,590 --> 00:05:24,930
thing we could set there were our views.

127
00:05:24,930 --> 00:05:27,360
Views can be used to limit what

128
00:05:27,360 --> 00:05:30,180
information is accessible to the NMS

129
00:05:30,180 --> 00:05:33,719
server. And we had a read view, a write view,

130
00:05:33,719 --> 00:05:36,449
and a notify view are all available. If

131
00:05:36,449 --> 00:05:39,840
you don't specify a read view, then all

132
00:05:39,840 --> 00:05:43,080
MIB objects are accessible to read. So by

133
00:05:43,080 --> 00:05:45,810
default, the NMS server can get all the

134
00:05:45,810 --> 00:05:48,509
different SNMP information from that

135
00:05:48,509 --> 00:05:50,729
particular device. So if you want to lock

136
00:05:50,729 --> 00:05:52,710
it down to only be able to gather a

137
00:05:52,710 --> 00:05:55,440
particular- or maybe a pool, a particular set

138
00:05:55,440 --> 00:05:57,000
of information, then you would use a

139
00:05:57,000 --> 00:05:59,610
read view for that. Next one was write

140
00:05:59,610 --> 00:06:01,979
view. If you don't specify a write view,

141
00:06:01,979 --> 00:06:04,830
then no MIB objects are accessible to

142
00:06:04,830 --> 00:06:06,779
write. So this works the other way. So by

143
00:06:06,779 --> 00:06:09,270
default, it can read everything, but it

144
00:06:09,270 --> 00:06:12,210
can write nothing. So if you want to lock

145
00:06:12,210 --> 00:06:14,370
down, limit what it can read, configure a

146
00:06:14,370 --> 00:06:16,529
read view. If you want it to be able to

147
00:06:16,529 --> 00:06:18,930
write anything, then you have to

148
00:06:18,930 --> 00:06:21,330
configure a write view. Without

149
00:06:21,330 --> 00:06:23,490
explicitly configuring a write view, it

150
00:06:23,490 --> 00:06:25,710
doesn't get any write access. So by

151
00:06:25,710 --> 00:06:27,930
default, the NMS server gets read-only

152
00:06:27,930 --> 00:06:31,349
access to all MIBs. The last one was

153
00:06:31,349 --> 00:06:33,750
the notify view. Notify view is used

154
00:06:33,750 --> 00:06:36,120
to send notifications to members of the

155
00:06:36,120 --> 00:06:38,759
group. Notification is a trap. If you

156
00:06:38,759 --> 00:06:40,440
don't specify anything, it will be

157
00:06:40,440 --> 00:06:43,529
disabled by default. Okay, so those were

158
00:06:43,529 --> 00:06:47,789
our views. So when I configure the group

159
00:06:47,789 --> 00:06:49,979
here, in this example, the full command

160
00:06:49,979 --> 00:06:52,540
that I use is 'snmp-server group

161
00:06:52,540 --> 00:06:56,140
Flackbox-group v3 priv'. So I haven't

162
00:06:56,140 --> 00:06:58,420
configured any access lists or any views

163
00:06:58,420 --> 00:07:00,850
or anything here,1 they are all optional.

164
00:07:00,850 --> 00:07:03,250
And because I'm using the defaults here,

165
00:07:03,250 --> 00:07:06,250
the NMS server that is in this group

166
00:07:06,250 --> 00:07:09,430
will have full read-only access to the

167
00:07:09,430 --> 00:07:11,400
device.

168
00:07:11,400 --> 00:07:14,800
Okay, so I've configured my group. The

169
00:07:14,800 --> 00:07:16,570
next thing I'm gonna want to do is

170
00:07:16,570 --> 00:07:21,310
configure my user. So the first word I

171
00:07:21,310 --> 00:07:24,490
use again is 'snmp-server', but I'm doing

172
00:07:24,490 --> 00:07:26,360
the user this time so 'snmp-server

173
00:07:26,360 --> 00:07:29,920
user'. And then for my example user,

174
00:07:29,920 --> 00:07:33,190
I've called it 'Flackbox-user'. Next I

175
00:07:33,190 --> 00:07:35,770
specify the group that this user is

176
00:07:35,770 --> 00:07:37,930
in, and I'm putting it in the Flackbox

177
00:07:37,930 --> 00:07:40,420
group that I just configured a minute ago.

178
00:07:40,420 --> 00:07:45,010
I say v3 for SNMP version 3, and then auth

179
00:07:45,010 --> 00:07:47,520
is where I'm gonna specify the

180
00:07:47,520 --> 00:07:49,660
authentication algorithm that I'm gonna

181
00:07:49,660 --> 00:07:54,320
use. I can either use MD5 or SHA authentication.

182
00:07:54,320 --> 00:07:56,590
SHA is more secure, but it's a little bit

183
00:07:56,590 --> 00:08:00,730
slower. Okay, next up, so I've said 'snmp-

184
00:08:00,730 --> 00:08:03,040
server user flackbox-user', in the flat

185
00:08:03,040 --> 00:08:06,190
box group, SNMP version 3, auth, I'm using

186
00:08:06,190 --> 00:08:08,530
SHA, and I'm using an authentication

187
00:08:08,530 --> 00:08:11,200
password of 'AUTHPASSWORD' for this

188
00:08:11,200 --> 00:08:13,510
example. So you know, we talked about the

189
00:08:13,510 --> 00:08:15,280
three different security levels, and

190
00:08:15,280 --> 00:08:17,410
there you specify authentication and

191
00:08:17,410 --> 00:08:20,380
privacy separately, but we configure the

192
00:08:20,380 --> 00:08:22,030
authentication and the privacy

193
00:08:22,030 --> 00:08:24,070
separately as well. So right now I've

194
00:08:24,070 --> 00:08:26,560
already configured the authentication,

195
00:08:26,560 --> 00:08:30,010
next up, I'm gonna configure the privacy.

196
00:08:30,010 --> 00:08:32,620
So I say priv, and I've used a question

197
00:08:32,620 --> 00:08:34,750
mark again to see what options I've got

198
00:08:34,750 --> 00:08:37,810
here. And I can either use DES, triple

199
00:08:37,810 --> 00:08:41,229
DES or AES encryption. AES is the most

200
00:08:41,229 --> 00:08:43,720
modern of those, it's the most secure, but

201
00:08:43,720 --> 00:08:47,020
it's a little bit slower. Okay,

202
00:08:47,020 --> 00:08:51,220
after I configure that- so here, and I

203
00:08:51,220 --> 00:08:52,300
won't read out the whole

204
00:08:52,300 --> 00:08:54,970
command to you again, I've got up to I'm using

205
00:08:54,970 --> 00:08:58,630
AES encryption. Next up, I specify whether

206
00:08:58,630 --> 00:09:03,670
it's 128, 192, or 256 bit. Obviously, the

207
00:09:03,670 --> 00:09:05,290
higher of a number the more secure it's

208
00:09:05,290 --> 00:09:06,400
going to be, but it's

209
00:09:06,400 --> 00:09:09,750
take more CPU cycles, be a little slower.

210
00:09:09,750 --> 00:09:12,940
So looking at the complete command,

211
00:09:12,940 --> 00:09:15,820
I've got 'snmp-server user Flackbox-user'

212
00:09:15,820 --> 00:09:18,280
in the Flackbox group, it's using SNMP

213
00:09:18,280 --> 00:09:21,280
version 3, for authentication, I'm using

214
00:09:21,280 --> 00:09:24,730
SHA as my algorithm, my password is AUTH

215
00:09:24,730 --> 00:09:28,090
PASSWORD, and for priv, I'm using AES 128

216
00:09:28,090 --> 00:09:30,880
bit encryption with a password of PRIVPASSWORD.

217
00:09:30,880 --> 00:09:34,120
So that is my user and my group

218
00:09:34,120 --> 00:09:36,730
setup on my router or switch. Now what I

219
00:09:36,730 --> 00:09:38,890
would do next is I would go on to my NMS

220
00:09:38,890 --> 00:09:41,320
server and I would configure a user

221
00:09:41,320 --> 00:09:44,170
there with matching settings here. So I

222
00:09:44,170 --> 00:09:46,510
would set it with the same username of

223
00:09:46,510 --> 00:09:49,510
Flackbox-user. I would specify the auth

224
00:09:49,510 --> 00:09:52,180
password and the priv password and that's

225
00:09:52,180 --> 00:09:54,880
me done. My NMS server is now going to

226
00:09:54,880 --> 00:09:57,130
be able to access my device and pull

227
00:09:57,130 --> 00:09:59,500
information from it. Thanks for watching.

228
00:09:59,500 --> 00:10:01,690
If you want to get hands-on practice

229
00:10:01,690 --> 00:10:05,170
with Cisco networks for free, then you

230
00:10:05,170 --> 00:10:09,310
can download my 400 page CCNA lab guide,

231
00:10:09,310 --> 00:10:11,320
which you can see above my head right

232
00:10:11,320 --> 00:10:14,650
now. Also, check out the video about my

233
00:10:14,650 --> 00:10:17,320
CCNA course, it's highest rated course

234
00:10:17,320 --> 00:10:20,640
online thanks.