In this lecture, you'll see the configuration for SNMP version 3.

[Music]

So you saw earlier that in SNMP version 1 and 2, the SNMP manager, that's our NMS server, and the SNMP agent, that's our router or switch, recognize each other through simple unencrypted community strings. So it's not very secure. [inaudible] improved upon with SNMP version 3, which does support authentication and encryption. With SNMP version 3, the security model uses users and groups. So we're going to configure a user on the router or switch, and we configure a matching user on the NMS server. That's how they recognize each other. There is also a group as well. So most of the settings are configured at the group level, and those settings are going to be applied to the user depending on which group it's actually in.

There are three different security levels available, and these are configured at the group level. So normally, you're going to just use one particular security level. But it is possible that you could have one NMS server in one group, and it's got one security level, and a different NMS server in a different group, and it's got a different security level. That would be a pretty weird thing to do, but it is possible to do that.

There are three different security levels. The first one is noAuthNoPriv, which means no authentication and no privacy. With noAuthNoPriv, no authentication password is exchanged, and the communications between the agent and the server are not encrypted. So with noAuthNoPriv, it still doesn't use a community string, it still uses a username because that's SNMP version 3, but that username basically replaces, works the same as, the community string in SNMP version 1 and version 2. So there's not much point in doing that; it doesn't really give you any advantage over the old SNMP versions.

The next security level we've got is authNoPriv. With authNoPriv, password authentication is used. So the NMS server and the network device will securely authenticate each other. When we do that authentication, the authentication is encrypted, so the username and password are encrypted, they do not go in plaintext. But after that initial authentication, no encryption is used for communications between the devices. So if the server pulls some information from the device, that's going to go over the network unencrypted.

So the last one is the one that we're most likely going to want to use, which is authPriv. With authPriv, password authentication is used, again, the same as it was in authNoPriv, but communications between the agent and the server are also encrypted. So with authPriv, the NMS server and the device are going to securely authenticate each other, and that does not go in plaintext. And also whenever they're sharing information, that is also encrypted as well. So this is the most secure way of doing it. If we're using SNMP version 3, most likely we're going to be using authPriv.

Okay, so let's look at the configuration. So you saw earlier in this lecture, we're going to have the group and we're going to have the user as well. Let's configure the group first. So at global config, I say 'snmp-server group', in this example, I've called the group 'Flackbox-group', then 'v3' to say that we're using SNMP version 3. And in the example, I've used the context-sensitive help, I've hit the question mark to see what the next keyword is. And this is where we set the security level of either auth, noauth, or priv. Then the next thing that we do, so in the example, I've set priv because I want the most secure level. Then I've put the question mark in again to see what the next keyword is. The next keywords we've got are access, context, match, notify, read, and write. With access, you can set an access list. I'll talk about that a bit more in the next slide. Context and match both apply to contexts. And notify, read, and write are about views. So let's see what that means.

So the first keyword available there was access. What you can do is you can configure a normal access list on a router or a switch where you specify the IP address of the NMS server. And then when you configure your SNMP settings here, you can reference that access list, which means you're locking it down: the [inaudible] router or switch will only communicate with SNMP with that particular IP address. So you're locking it down to the IP address of your NMS server.

The next keywords we had in there were about contexts. Contexts are used on switches to specify which VLANs are accessible via SNMP. So if you're configuring a switch, you might need to set that up so that your NMS system can access other VLANs, not just the default VLAN.

And then the last thing we could set there were our views. Views can be used to limit what information is accessible to the NMS server. And we had a read view, a write view, and a notify view all available. If you don't specify a read view, then all MIB objects are accessible to read. So by default, the NMS server can get all the different SNMP information from that particular device. So if you want to lock it down to only be able to gather a particular, or maybe poll a particular set of information, then you would use a read view for that. The next one was the write view. If you don't specify a write view, then no MIB objects are accessible to write. So this works the other way. So by default, it can read everything, but it can write nothing. So if you want to lock down, limit what it can read, configure a read view. If you want it to be able to write anything, then you have to configure a write view. Without explicitly configuring a write view, it doesn't get any write access. So by default, the NMS server gets read-only access to all MIBs. The last one was the notify view. The notify view is used to send notifications to members of the group. A notification is a trap. If you don't specify anything, it will be disabled by default. Okay, so those were our views.

So when I configure the group here, in this example, the full command that I use is 'snmp-server group Flackbox-group v3 priv'. So I haven't configured any access lists or any views or anything here; they are all optional. And because I'm using the defaults here, the NMS server that is in this group will have full read-only access to the device.

Okay, so I've configured my group. The next thing I'm going to want to do is configure my user. So the first word I use again is 'snmp-server', but I'm doing the user this time, so 'snmp-server user'. And then for my example user, I've called it 'Flackbox-user'. Next I specify the group that this user is in, and I'm putting it in the Flackbox-group that I just configured a minute ago. I say v3 for SNMP version 3, and then auth is where I'm going to specify the authentication algorithm that I'm going to use. I can either use MD5 or SHA authentication. SHA is more secure, but it's a little bit slower. Okay, next up, so I've said 'snmp-server user Flackbox-user', in the Flackbox-group, SNMP version 3, auth, I'm using SHA, and I'm using an authentication password of 'AUTHPASSWORD' for this example.

So you know, we talked about the three different security levels, and there you specify authentication and privacy separately, but we configure the authentication and the privacy separately as well. So right now I've already configured the authentication; next up, I'm going to configure the privacy. So I say priv, and I've used a question mark again to see what options I've got here. And I can either use DES, triple DES, or AES encryption. AES is the most modern of those, it's the most secure, but it's a little bit slower. Okay, after I configure that, so here, and I won't read out the whole command to you again, I've got up to I'm using AES encryption. Next up, I specify whether it's 128, 192, or 256 bit. Obviously, the higher the number, the more secure it's going to be, but it'll take more CPU cycles and be a little slower.

So looking at the complete command, I've got 'snmp-server user Flackbox-user' in the Flackbox-group, it's using SNMP version 3, for authentication I'm using SHA as my algorithm, my password is AUTHPASSWORD, and for priv I'm using AES 128-bit encryption with a password of PRIVPASSWORD. So that is my user and my group set up on my router or switch. Now what I would do next is I would go on to my NMS server and I would configure a user there with matching settings. So I would set it with the same username of Flackbox-user. I would specify the auth password and the priv password and that's me done. My NMS server is now going to be able to access my device and pull information from it.

Thanks for watching. If you want to get hands-on practice with Cisco networks for free, then you can download my 400 page CCNA lab guide, which you can see above my head right now. Also, check out the video about my CCNA course, it's the highest rated course online. Thanks.
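Added example, not part of the lecture and not Cisco's code: the Python below implements the RFC 3414 User-based Security Model steps that both the agent and the NMS run on the 'auth' and 'priv' passwords from the 'snmp-server user ... v3 auth sha ... priv aes 128 ...' command. It shows why the same passwords must be configured on both sides without ever being sent: each side stretches the password to 1 MiB and hashes it (Ku), binds that key to the device's snmpEngineID (Kul), and then proves possession with a 96-bit HMAC over each message. The engine ID is the RFC 3414 Appendix A test value rather than a real device's, the 'maplesyrup' vectors come from that appendix, the wholeMsg bytes are constructed, and the function names are this example's own.

```python
"""SNMPv3 USM key derivation and message authentication (RFC 3414, RFC 3826).

Added example; not from the lecture or from Cisco. Engine ID and 'maplesyrup'
vectors are the RFC 3414 Appendix A test values, message bytes are constructed.
"""
import hashlib
import hmac

ONE_MEBIBYTE = 1_048_576      # RFC 3414 A.2: password is repeated to fill 1 MiB
HMAC96_LEN = 12               # msgAuthenticationParameters is 96 bits
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")  # test value, not a real device


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """Ku = H(password repeated cyclically until exactly 1,048,576 bytes)."""
    if not password:
        raise ValueError("SNMPv3 passwords must not be empty")
    reps, tail = divmod(ONE_MEBIBYTE, len(password))
    stretched = password * reps + password[:tail]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): ties the key to one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """The full RFC 3414 section 2.6 path: password -> Ku -> Kul."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def aes128_priv_key(priv_kul: bytes) -> bytes:
    """RFC 3826: AES-128 uses the first 128 bits of the localized priv key.
    (DES in RFC 3414 uses bytes 0-7 as the key and 8-15 as the pre-IV. The
    AES-192/256 options the IOS CLI offers need a longer key than SHA-1's
    20 bytes; that extension comes from an Internet-Draft, not these RFCs,
    and is not implemented here.)"""
    return priv_kul[:16]


def auth_params(auth_kul: bytes, whole_msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC-96 over wholeMsg, where msgAuthenticationParameters has been
    pre-filled with 12 zero bytes (RFC 3414 6.3.1 / 7.3.1)."""
    return hmac.new(auth_kul, whole_msg, hash_name).digest()[:HMAC96_LEN]


def verify_auth_params(auth_kul: bytes, whole_msg: bytes, received: bytes,
                       hash_name: str = "sha1") -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(auth_params(auth_kul, whole_msg, hash_name), received)


if __name__ == "__main__":
    # Same passwords as the lecture's example user; engine IDs are constructed.
    engine_a = RFC3414_ENGINE_ID
    engine_b = bytes.fromhex("000000000000000000000003")
    for eid in (engine_a, engine_b):
        auth_kul = usm_localized_key(b"AUTHPASSWORD", eid)
        priv_kul = usm_localized_key(b"PRIVPASSWORD", eid)
        print(f"engine {eid.hex()}  auth Kul={auth_kul.hex()}  aes128 key={aes128_priv_key(priv_kul).hex()}")
    msg = b"constructed wholeMsg with authParams field zeroed"
    tag = auth_params(usm_localized_key(b"AUTHPASSWORD", engine_a), msg)
    print("HMAC-96:", tag.hex())
```

Two things the lecture's "matching user on the NMS" step relies on are visible here. Neither password crosses the wire: the NMS learns the agent's engine ID during discovery, derives the same Kul locally, and the HMAC-96 on every message is what proves both sides hold the same key. And because Kul is bound to the engine ID, a localized key lifted from one device (for example from a config backup) does not authenticate to another device that uses the same password; the shared password itself, though, still unlocks every device it was configured on, so it deserves the same handling as any other shared credential.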