WEBVTT

00:00:00.030 --> 00:00:06.249
In this lecture, you'll see the configuration for SNMP version 3.

00:00:06.249 --> 00:00:12.170
[Music]

00:00:12.990 --> 00:00:33.730
So you saw earlier that in SNMP version 1 and 2, the SNMP manager, that's our NMS server, and the SNMP agent, that's our router or switch, they recognize each other through simple unencrypted community strings. So it's not very secure.

00:00:33.730 --> 00:01:13.330
[inaudible] improved upon with SNMP version 3, which does support authentication and encryption. With SNMP version 3, the security model uses users and groups. So we're going to configure a user on the router or switch, and we configure a matching user on the NMS server. That's how they recognize each other. There is also a group as well. So most of the settings are configured at the group level, and those settings are going to be applied to the user depending on which group it's actually in.

00:01:13.330 --> 00:02:15.490
There's three different security levels available, and these are configured at the group level. So normally, you're going to just use one particular security level. But it is possible that you could have one NMS server in one group, it's got one security level, and a different NMS server in a different group, but it's got a different security level. That would be a pretty weird thing to do, but it is possible to do that. There's three different security levels. The first one is noAuthNoPriv, which means no authentication and no privacy. With noAuthNoPriv, no authentication password is exchanged, and the communications between the agent and the server are not encrypted. So with noAuthNoPriv, it still doesn't use a community string, it still uses a username because that's SNMP version 3, but that username basically replaces, works the same as the community string in SNMP version 1 and version 2. So there's not much point in doing that, doesn't really give you any advantage over the old SNMP versions.

00:02:15.490 --> 00:02:50.500
The next security level we've got is AuthNoPriv. With AuthNoPriv, password authentication is used. So the NMS server and the network device will securely authenticate each other. When we do that authentication, the authentication is encrypted, so the username and password is encrypted, does not go in plaintext. But after that initial authentication, no encryption is used for communications between the devices. So if the server pulls some information from the device, that's going to go over the network unencrypted.

00:02:50.500 --> 00:03:24.970
So the last one is the one that we're most likely gonna want to use, which is AuthPriv. With AuthPriv, password authentication is used, again, the same as it was in AuthNoPriv, but communications between the agent and the server are also encrypted. So with AuthPriv, the NMS server and the device are going to securely authenticate each other, that does not go in plaintext. And also whenever they're sharing information, that is also encrypted as well. So this is the most secure way of doing it. If we're using SNMP version 3, most likely we're going to be using AuthPriv.

00:03:24.970 --> 00:04:04.630
Okay, so let's look at the configuration. So you saw earlier in this lecture, we're gonna have the group and we're gonna have the user as well. Let's configure the group first. So at global config, I say 'snmp-server group', in this example, I've called the group 'Flackbox-group', then actually 'v3' to say that we're using SNMP version 3. And in the example, I've used the context-sensitive help, I've hit the question mark to see what the next keyword is. And this is where we set the security level of either auth, noauth, or priv.

00:04:04.630 --> 00:05:04.800
Then the next thing that we do- so in the example, I've set priv because I want the most secure level. Then I've put the question mark in again to see what the next keyword is. The next keywords we've got are access, context, match, notify, read, and write. With access, you can set an access list. I'll talk about that a bit more in the next slide. Context and match both apply to contexts. And notify, read, and write are about views. So let's see what that means. So the first keyword available there was access. What you can do is you can configure a normal access list on a router or a switch where you specify the IP address of the NMS server. And then when you configure your SNMP settings here, you can reference that access list, which means you're locking it down, the [inaudible] router or switch will only communicate with SNMP with that particular IP address. So you're locking it down to the IP address of your NMS server.

00:05:04.800 --> 00:05:22.590
The next keywords we had in there were about contexts. Contexts are used on switches to specify which VLANs are accessible via SNMP. So if you're configuring a switch, you might need to set that up so that your NMS system can access other VLANs, not just the default VLAN.

00:05:22.590 --> 00:06:43.529
And then the last thing we could set there were our views. Views can be used to limit what information is accessible to the NMS server. And we had a read view, a write view, and a notify view all available. If you don't specify a read view, then all MIB objects are accessible to read. So by default, the NMS server can get all the different SNMP information from that particular device. So if you want to lock it down to only be able to gather a particular- or maybe poll a particular set of information, then you would use a read view for that. Next one was write view. If you don't specify a write view, then no MIB objects are accessible to write. So this works the other way. So by default, it can read everything, but it can write nothing. So if you want to lock down, limit what it can read, configure a read view. If you want it to be able to write anything, then you have to configure a write view. Without explicitly configuring a write view, it doesn't get any write access. So by default, the NMS server gets read-only access to all MIBs. The last one was the notify view. Notify view is used to send notifications to members of the group. Notification is a trap. If you don't specify anything, it will be disabled by default. Okay, so those were our views.

00:06:43.529 --> 00:07:14.800
So when I configure the group here, in this example, the full command that I use is 'snmp-server group Flackbox-group v3 priv'. So I haven't configured any access lists or any views or anything here, they are all optional. And because I'm using the defaults here, the NMS server that is in this group will have full read-only access to the device. Okay, so I've configured my group.

00:07:14.800 --> 00:08:30.010
The next thing I'm gonna want to do is configure my user. So the first word I use again is 'snmp-server', but I'm doing the user this time, so 'snmp-server user'. And then for my example user, I've called it 'Flackbox-user'. Next I specify the group that this user is in, and I'm putting it in the Flackbox group that I just configured a minute ago. I say v3 for SNMP version 3, and then auth is where I'm gonna specify the authentication algorithm that I'm gonna use. I can either use MD5 or SHA authentication. SHA is more secure, but it's a little bit slower. Okay, next up, so I've said 'snmp-server user Flackbox-user', in the Flackbox group, SNMP version 3, auth, I'm using SHA, and I'm using an authentication password of 'AUTHPASSWORD' for this example. So you know, we talked about the three different security levels, and there you specify authentication and privacy separately, but we configure the authentication and the privacy separately as well. So right now I've already configured the authentication, next up, I'm gonna configure the privacy.

00:08:30.010 --> 00:09:30.880
So I say priv, and I've used a question mark again to see what options I've got here. And I can either use DES, triple DES, or AES encryption. AES is the most modern of those, it's the most secure, but it's a little bit slower. Okay, after I configure that- so here, and I won't read out the whole command to you again, I've got up to I'm using AES encryption. Next up, I specify whether it's 128, 192, or 256 bit. Obviously, the higher the number, the more secure it's going to be, but it'll take more CPU cycles, be a little slower. So looking at the complete command, I've got 'snmp-server user Flackbox-user' in the Flackbox group, it's using SNMP version 3, for authentication, I'm using SHA as my algorithm, my password is AUTHPASSWORD, and for priv, I'm using AES 128-bit encryption with a password of PRIVPASSWORD.

00:09:30.880 --> 00:09:59.500
So that is my user and my group set up on my router or switch. Now what I would do next is I would go on to my NMS server and I would configure a user there with matching settings. So I would set it with the same username of Flackbox-user. I would specify the auth password and the priv password, and that's me done. My NMS server is now going to be able to access my device and pull information from it.

00:09:59.500 --> 00:10:20.640
Thanks for watching. If you want to get hands-on practice with Cisco networks for free, then you can download my 400-page CCNA lab guide, which you can see above my head right now. Also, check out the video about my CCNA course, it's the highest rated course online. Thanks.
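As an added example that is not part of the lecture or its slides, here is a small Python audit that parses the two IOS commands the lecture builds, 'snmp-server group' and 'snmp-server user', and flags the weaker choices the lecture describes: a group level other than priv, MD5 instead of SHA, DES or 3DES instead of AES, a missing access-list, and a write view. The sample config is constructed; Legacy-group and Legacy-user are hypothetical names added for contrast.

```python
import re

# Constructed sample: the two lines from the lecture (Flackbox-group /
# Flackbox-user) plus a hypothetical weaker pair for contrast.
SAMPLE_CONFIG = """\
snmp-server group Flackbox-group v3 priv
snmp-server user Flackbox-user Flackbox-group v3 auth sha AUTHPASSWORD priv aes 128 PRIVPASSWORD
snmp-server group Legacy-group v3 noauth
snmp-server user Legacy-user Legacy-group v3 auth md5 OLDPASS priv des OLDPRIV
"""

# snmp-server group <name> v3 {noauth|auth|priv} [read V] [write V] [notify V] [access ACL]
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(.*)$")
# snmp-server user <name> <group> v3 [auth {md5|sha} PW] [priv {des|3des|aes {128|192|256}} PW]
USER_RE = re.compile(
    r"^snmp-server user (\S+) (\S+) v3"
    r"(?: auth (md5|sha) \S+)?"
    r"(?: priv (des|3des|aes)(?: (\d+))? \S+)?"
)

def audit_snmpv3(config: str) -> list[str]:
    """Return one finding per weak or missing SNMPv3 setting, in config order."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        g = GROUP_RE.match(line)
        if g:
            # Pad the trailing options so keyword checks match on whole words.
            name, level, rest = g.group(1), g.group(2), g.group(3) + " "
            if level != "priv":
                findings.append(f"group {name}: level {level}, polled data is not encrypted")
            if " access " not in rest:
                findings.append(f"group {name}: no access-list, any source IP may try SNMP")
            if " write " in rest:
                findings.append(f"group {name}: write view grants SET access")
            continue
        u = USER_RE.match(line)
        if u:
            name, auth, priv = u.group(1), u.group(3), u.group(4)
            if auth is None:
                findings.append(f"user {name}: no authentication (noAuthNoPriv)")
            elif auth == "md5":
                findings.append(f"user {name}: MD5 authentication, prefer SHA")
            if priv is None:
                findings.append(f"user {name}: no privacy, traffic is cleartext")
            elif priv != "aes":
                findings.append(f"user {name}: {priv.upper()} encryption, prefer AES")
    return findings

if __name__ == "__main__":
    for finding in audit_snmpv3(SAMPLE_CONFIG):
        print(finding)
```

IOS does not list 'snmp-server user' lines in the running config, so collect them with 'show snmp user' before running the audit over a real device.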