In this lecture, you'll see the configuration for SNMP version 3. You saw earlier that in SNMP version 1 and 2, the SNMP manager (that's our NMS server) and the SNMP agent (that's our router or switch) recognize each other through simple unencrypted community strings, so it's not very secure. That was improved upon with SNMP version 3, which does support authentication and encryption.

With SNMP version 3, the security model uses users and groups. We're going to configure a user on the router or switch, and we configure a matching user on the NMS server. That's how they recognize each other. There is a group as well. Most of the settings are configured at the group level, and those settings are applied to the user depending on which group it's in. There are three different security levels available, and these are configured at the group level. Normally you're going to use just one particular security level, but it is possible to have one NMS server in one group with one security level, and a different NMS server in a different group with a different security level. That would be a pretty weird thing to do, but it is possible.

The first security level is noAuthNoPriv, which means no authentication and no privacy. With noAuthNoPriv, no authentication password is exchanged, and the communications between the agent and the server are not encrypted. noAuthNoPriv doesn't use a community string, it still uses a username because that's SNMP version 3, but that username basically works the same as the community string in SNMP version 1 and version 2. So there's not much point in using it; it doesn't really give you any advantage over the old SNMP versions. The next security level is authNoPriv. With authNoPriv, password authentication is used, so the NMS server and the network device securely authenticate each other.
When we do that authentication, the authentication is encrypted, so the username and password are encrypted; they do not go over in plaintext. But after that initial authentication, no encryption is used for communications between the devices. So if the server polls some information from the device, that's going to go over the network unencrypted. The last one is the one we're most likely going to want to use, which is authPriv. With authPriv, password authentication is used, the same as in authNoPriv, but communications between the agent and the server are also encrypted. So with authPriv, the NMS server and the device securely authenticate each other, and that does not go in plaintext. And whenever they're sharing information, that is encrypted as well. This is the most secure way of doing it. If we're using SNMP version 3, most likely we're going to be using authPriv.

Okay, so let's look at the configuration. As you saw earlier in this lecture, we're going to have the group and we're going to have the user as well. Let's configure the group first. At global config, I say 'snmp-server group'. In this example I've called the group 'Flackbox-group', then 'v3' to say that we're using SNMP version 3. In the example I've used the context-sensitive help: I've hit the question mark to see what the next keyword is, and this is where we set the security level of either auth, noauth, or priv. In the example I've set priv because I want the most secure level. Then I've put the question mark in again to see what the next keyword is. The next keywords we've got are access, context, match, notify, read, and write. With access, you can set an access list; I'll talk about that a bit more on the next slide. Context and match both apply to contexts. And notify, read, and write are about views. So let's see what that means. The first keyword available there was access.
What you can do is configure a normal access list on the router or switch where you specify the IP address of the NMS server. Then when you configure your SNMP settings here, you can reference that access list, which means you're locking it down: the router or switch will only communicate over SNMP with that particular IP address. So you're locking it down to the IP address of your NMS server.

The next keywords we had in there were about contexts. Contexts are used on switches to specify which VLANs are accessible via SNMP. So if you're configuring a switch, you might need to set that up so that your NMS system can access other VLANs, not just the default VLAN.

The last thing we could set there were our views. Views can be used to limit what information is accessible to the NMS server. A read view, a write view, and a notify view are all available. If you don't specify a read view, then all MIB objects are accessible to read. So by default, the NMS server can get all the different SNMP information from that particular device. If you want to lock it down so it can only gather, or poll, a particular set of information, then you would use a read view for that. Next was the write view. If you don't specify a write view, then no MIB objects are accessible to write. So this works the other way: by default, it can read everything, but it can write nothing. If you want to limit what it can read, configure a read view. If you want it to be able to write anything, then you have to configure a write view. Without explicitly configuring a write view, it doesn't get any write access. So by default, the NMS server gets read-only access to all MIBs. The last one was the notify view. The notify view is used to send notifications to members of the group; a notification is a trap. If you don't specify anything, it will be disabled by default. Okay, so those were our views.
So when I configure the group here, in this example, the full command that I use is 'snmp-server group Flackbox-group v3 priv'. I haven't configured any access lists or any views here; they are all optional. And because I'm using the defaults here, the NMS server that is in this group will have full read-only access to the device.

Okay, so I've configured my group. The next thing I'm going to want to do is configure my user. The first word I use again is 'snmp-server', but I'm doing the user this time, so 'snmp-server user'. For my example user, I've called it 'Flackbox-user'. Next I specify the group that this user is in, and I'm putting it in the Flackbox-group that I just configured a minute ago. I say v3 for SNMP version 3, and then auth is where I specify the authentication algorithm that I'm going to use. I can use either MD5 or SHA authentication. SHA is more secure, but it's a little bit slower. So I've said 'snmp-server user Flackbox-user', in the Flackbox-group, SNMP version 3, auth, I'm using SHA, and I'm using an authentication password of 'AUTHPASSWORD' for this example. We talked about the three different security levels, and there authentication and privacy are specified separately; we configure the authentication and the privacy separately as well. Right now I've already configured the authentication, so next I'm going to configure the privacy. I say priv, and I've used a question mark again to see what options I've got here. I can use either DES, triple DES, or AES encryption. AES is the most modern of those and the most secure, but it's a little bit slower. So here, and I won't read out the whole command to you again, I've got up to the point where I'm using AES encryption. Next I specify whether it's 128, 192, or 256 bit. Obviously, the higher the number the more secure it's going to be, but it takes more CPU cycles and will be a little slower.
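Pulling the group and user commands from this lecture together, the following is an added audit helper (written for this page, not part of the lecture or of Cisco IOS) that parses 'snmp-server' configuration lines in the syntax described above and reports anything short of SNMPv3 authPriv with SHA and AES, plus groups with no access-list and any v1/v2c community strings. The sample configuration lines inside it are constructed for the example: Flackbox-group and Flackbox-user follow the lecture, while Legacy-group, Legacy-user, Old-user, RO-VIEW, access-list 10 and the 10.1.1.100 NMS address are made up here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of commands as typed at global config (not from the lecture,
# apart from the Flackbox-group / Flackbox-user lines).
SAMPLE_CONFIG = """\
access-list 10 permit host 10.1.1.100
snmp-server community public RO
snmp-server view RO-VIEW iso included
snmp-server group Legacy-group v3 noauth
snmp-server group Flackbox-group v3 priv read RO-VIEW access 10
snmp-server user Legacy-user Legacy-group v3
snmp-server user Flackbox-user Flackbox-group v3 auth sha AUTHPASSWORD priv aes 128 PRIVPASSWORD
snmp-server user Old-user Flackbox-group v3 auth md5 AUTHPASSWORD priv des PRIVPASSWORD
"""


@dataclass
class SnmpGroup:
    name: str
    version: str                      # v1 | v2c | v3
    level: str = "noauth"             # v3 security level: noauth | auth | priv
    read_view: Optional[str] = None
    write_view: Optional[str] = None
    acl: Optional[str] = None         # access-list that restricts the NMS source address


@dataclass
class SnmpUser:
    name: str
    group: str
    auth_algo: Optional[str] = None   # md5 | sha
    priv_algo: Optional[str] = None   # des | 3des | aes
    priv_bits: Optional[int] = None   # AES key size

    @property
    def level(self) -> str:
        """Security level implied by what the user actually has configured."""
        return "priv" if self.priv_algo else ("auth" if self.auth_algo else "noauth")


def parse_group(tokens: List[str]) -> SnmpGroup:
    """tokens = words after 'snmp-server group': NAME VERSION [LEVEL] [keyword arg ...]."""
    group = SnmpGroup(name=tokens[0], version=tokens[1])
    rest = tokens[2:]
    if group.version == "v3" and rest and rest[0] in ("noauth", "auth", "priv"):
        group.level = rest.pop(0)
    i = 0
    while i < len(rest):
        if rest[i] == "read":
            group.read_view = rest[i + 1]
        elif rest[i] == "write":
            group.write_view = rest[i + 1]
        elif rest[i] == "access":
            group.acl = rest[-1]          # 'access [ipv6 NACL] ACL': the ACL is the last word
            break
        i += 2                            # context/match/notify/read/write each take one argument
    return group


def parse_user(tokens: List[str]) -> SnmpUser:
    """tokens = words after 'snmp-server user': NAME GROUP v3 [auth ALGO PW [priv ALGO [BITS] PW]]."""
    user = SnmpUser(name=tokens[0], group=tokens[1])
    rest = tokens[3:]                     # tokens[2] is the version keyword
    if rest[:1] == ["auth"]:
        user.auth_algo = rest[1]
        rest = rest[3:]                   # skip 'auth', algorithm, password
    if rest[:1] == ["priv"]:
        user.priv_algo = rest[1]
        rest = rest[2:]
        if user.priv_algo == "aes":
            user.priv_bits = int(rest[0])
    return user


def audit(config_text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means every check passed."""
    groups: Dict[str, SnmpGroup] = {}
    findings: List[str] = []
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:1] != ["snmp-server"]:
            continue
        if tok[1] == "community":
            mode = "RW" if "RW" in tok[3:] else "RO"
            findings.append(f"community '{tok[2]}' ({mode}): SNMPv1/v2c community string sent in plaintext")
        elif tok[1] == "group":
            g = parse_group(tok[2:])
            groups[g.name] = g
            if g.version != "v3":
                findings.append(f"group '{g.name}': {g.version} group, no authentication or encryption")
            elif g.level != "priv":
                findings.append(f"group '{g.name}': level {g.level}, polled data crosses the network unencrypted")
            if g.acl is None:
                findings.append(f"group '{g.name}': no access-list, SNMP not restricted to the NMS address")
            if g.write_view:
                findings.append(f"group '{g.name}': write view '{g.write_view}' grants SET access")
        elif tok[1] == "user":
            u = parse_user(tok[2:])
            if u.auth_algo == "md5":
                findings.append(f"user '{u.name}': MD5 authentication, prefer SHA")
            if u.priv_algo in ("des", "3des"):
                findings.append(f"user '{u.name}': {u.priv_algo.upper()} privacy, prefer AES")
            g = groups.get(u.group)
            if g is not None and g.version == "v3" and u.level != g.level:
                findings.append(f"user '{u.name}': configured {u.level} but group '{g.name}' is {g.level}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample above the Flackbox lines produce no findings; the five findings all concern the constructed community string, Legacy-group and Old-user. Note that IOS does not echo 'snmp-server user' lines in 'show running-config' (use 'show snmp user' to see them), so feed this the commands as entered or from your configuration management system rather than a running-config dump.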
Looking at the complete command, I've got 'snmp-server user Flackbox-user' in the Flackbox-group, it's using SNMP version 3, for authentication I'm using SHA as my algorithm, my password is AUTHPASSWORD, and for priv I'm using AES 128-bit encryption with a password of PRIVPASSWORD. So that is my user and my group set up on my router or switch. What I would do next is go on to my NMS server and configure a user there with matching settings. I would set it with the same username of Flackbox-user, and I would specify the auth password and the priv password, and that's me done. My NMS server is now going to be able to access my device and pull information from it.

Thanks for watching. If you want to get hands-on practice with Cisco networks for free, then you can download my 400-page CCNA lab guide, which you can see above my head right now. Also, check out the video about my CCNA course; it's the highest rated course online. Thanks.