In this lecture, you'll see the configuration for SNMP version 3.

So you saw earlier that in SNMP version 1 and 2, the SNMP manager, that's our NMS server, and the SNMP agent, that's our router or switch, recognize each other through simple unencrypted community strings. So it's not very secure.
-
This is improved upon with SNMP version 3, which does support authentication and encryption. With SNMP version 3, the security model uses users and groups. So we're going to configure a user on the router or switch, and we configure a matching user on the NMS server. That's how they recognize each other. There is also a group as well. Most of the settings are configured at the group level, and those settings are applied to the user depending on which group it's in. There are three different security levels available, and these are configured at the group level. Normally, you're going to use just one particular security level. But it is possible to have one NMS server in one group with one security level, and a different NMS server in a different group with a different security level. That would be a pretty weird thing to do, but it is possible.

There are three different security levels. The first one is noAuthNoPriv, which means no authentication and no privacy. With noAuthNoPriv, no authentication password is exchanged, and the communications between the agent and the server are not encrypted. noAuthNoPriv still doesn't use a community string; it still uses a username because that's SNMP version 3, but that username basically replaces, and works the same as, the community string in SNMP version 1 and version 2. So there's not much point in doing that; it doesn't really give you any advantage over the old SNMP versions.

The next security level we've got is AuthNoPriv. With AuthNoPriv, password authentication is used, so the NMS server and the network device securely authenticate each other. That authentication is encrypted, so the username and password do not go in plaintext. But after that initial authentication, no encryption is used for communications between the devices. So if the server pulls some information from the device, that's going to go over the network unencrypted.
-
The last one is the one that we're most likely going to want to use, which is AuthPriv. With AuthPriv, password authentication is used, again the same as in AuthNoPriv, but communications between the agent and the server are also encrypted. So with AuthPriv, the NMS server and the device securely authenticate each other, which does not go in plaintext, and whenever they're sharing information, that is also encrypted. This is the most secure way of doing it. If we're using SNMP version 3, most likely we're going to be using AuthPriv.

Okay, so let's look at the configuration. As you saw earlier in this lecture, we're going to have the group and we're going to have the user as well. Let's configure the group first. At global config, I say 'snmp-server group', then the group name; in this example, I've called the group 'Flackbox-group'. Then 'v3' to say that we're using SNMP version 3. In the example, I've used the context-sensitive help, hitting the question mark to see what the next keyword is, and this is where we set the security level of either auth, noauth, or priv. In the example, I've set priv because I want the most secure level. Then I've put the question mark in again to see what the next keyword is. The next keywords we've got are access, context, match, notify, read, and write. With access, you can set an access list; I'll talk about that a bit more in the next slide. Context and match both apply to contexts. And notify, read, and write are about views. So let's see what that means.

The first keyword available there was access. What you can do is configure a normal access list on the router or switch where you specify the IP address of the NMS server. Then when you configure your SNMP settings here, you can reference that access list, which means you're locking it down: the router or switch will only communicate with SNMP with that particular IP address. So you're locking it down to the IP address of your NMS server.

The next keywords we had in there were about contexts. Contexts are used on switches to specify which VLANs are accessible via SNMP. So if you're configuring a switch, you might need to set that up so that your NMS system can access other VLANs, not just the default VLAN. And then the last thing we could set there were our views.
-
Views can be used to limit what information is accessible to the NMS server. A read view, a write view, and a notify view are all available. If you don't specify a read view, then all MIB objects are accessible to read. So by default, the NMS server can get all the different SNMP information from that particular device. If you want to lock it down to only be able to gather a particular set of information, then you would use a read view for that. The next one was the write view. If you don't specify a write view, then no MIB objects are accessible to write. So this works the other way: by default, it can read everything, but it can write nothing. If you want to limit what it can read, configure a read view. If you want it to be able to write anything, then you have to configure a write view. Without explicitly configuring a write view, it doesn't get any write access. So by default, the NMS server gets read-only access to all MIBs. The last one was the notify view. The notify view is used to send notifications to members of the group; a notification is a trap. If you don't specify anything, it will be disabled by default.

Okay, so those were our views. So when I configure the group here, in this example, the full command that I use is 'snmp-server group Flackbox-group v3 priv'. I haven't configured any access lists or any views or anything here; they are all optional. And because I'm using the defaults here, the NMS server that is in this group will have full read-only access to the device.
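As an added example that is not part of the lecture, the following Python script parses 'snmp-server group ... v3' lines in the form the lecture describes and reports what each group effectively grants under the defaults just explained (no ACL, read everything, write nothing). The sample lines other than the Flackbox-group one are constructed.

```python
import re

# Added example, not from the lecture: audit Cisco "snmp-server group ... v3"
# lines against the defaults the lecture states.
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) v3 (?P<level>noauth|auth|priv)(?P<opts>.*)$"
)
# Keywords the context-sensitive help offers after the security level.
OPTION_KEYS = ("access", "context", "match", "notify", "read", "write")


def parse_group(line: str) -> dict:
    """Return the group name, security level and each option (None if absent)."""
    m = GROUP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a v3 group line: {line!r}")
    group = {"name": m.group("name"), "level": m.group("level")}
    group.update({k: None for k in OPTION_KEYS})
    tokens = m.group("opts").split()
    if len(tokens) % 2:
        raise ValueError(f"keyword without a value in {line!r}")
    for key, value in zip(tokens[0::2], tokens[1::2]):
        if key not in OPTION_KEYS:
            raise ValueError(f"unexpected keyword {key!r} in {line!r}")
        group[key] = value
    return group


def audit_group(group: dict) -> list:
    """Findings a reviewer would raise; an empty list means nothing to flag."""
    name, findings = group["name"], []
    if group["level"] != "priv":
        findings.append(f"{name}: level {group['level']} leaves polled data unencrypted")
    if group["access"] is None:
        findings.append(f"{name}: no access-list, any host with the credentials can poll")
    if group["read"] is None:
        findings.append(f"{name}: no read view, so every MIB object is readable (default)")
    if group["write"] is not None:
        findings.append(f"{name}: write view {group['write']} grants SET access")
    return findings


if __name__ == "__main__":
    # Constructed sample lines; the first is the one configured in the lecture.
    for line in ("snmp-server group Flackbox-group v3 priv",
                 "snmp-server group Monitoring v3 auth access 10 read ISO-ONLY",
                 "snmp-server group Legacy v3 noauth write ALL"):
        for finding in audit_group(parse_group(line)):
            print(finding)
```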
-
Okay, so I've configured my group. The next thing I'm going to want to do is configure my user. The first word I use again is 'snmp-server', but I'm doing the user this time, so 'snmp-server user'. For my example user, I've called it 'Flackbox-user'. Next I specify the group that this user is in, and I'm putting it in the Flackbox-group that I just configured a minute ago. I say v3 for SNMP version 3, and then auth is where I'm going to specify the authentication algorithm that I'm going to use. I can either use MD5 or SHA authentication. SHA is more secure, but it's a little bit slower.

Okay, next up, so I've said 'snmp-server user Flackbox-user' in the Flackbox-group, SNMP version 3, auth, I'm using SHA, and I'm using an authentication password of 'AUTHPASSWORD' for this example. So we talked about the three different security levels, and there you specify authentication and privacy separately; we configure the authentication and the privacy separately as well. So right now I've already configured the authentication, and next up I'm going to configure the privacy. I say priv, and I've used a question mark again to see what options I've got here. I can either use DES, Triple DES, or AES encryption. AES is the most modern of those and the most secure, but it's a little bit slower. After I configure that, and I won't read out the whole command to you again, I've got up to where I'm using AES encryption. Next up, I specify whether it's 128, 192, or 256 bit. Obviously, the higher the number, the more secure it's going to be, but it's going to take more CPU cycles and be a little slower.

So looking at the complete command, I've got 'snmp-server user Flackbox-user' in the Flackbox-group, it's using SNMP version 3, for authentication I'm using SHA as my algorithm, my password is AUTHPASSWORD, and for priv I'm using AES 128-bit encryption with a password of PRIVPASSWORD.
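As an added example that is not the lecture's own material, and going one step beyond it: the auth and priv passwords configured above are never sent on the wire. The agent and the NMS each turn them into keys with the RFC 3414 password-to-key routine, shown here in Python; the engine ID values used are the RFC's test-vector value and a constructed one.

```python
import hashlib

# Added example, not from the lecture: RFC 3414 "password to key" as both the
# Cisco agent and the NMS compute it from the SNMPv3 passwords. The lecture's
# user, as described, is:
#   snmp-server user Flackbox-user Flackbox-group v3 auth sha AUTHPASSWORD
#                    priv aes 128 PRIVPASSWORD
MEGABYTE = 1024 * 1024
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}


def password_to_key(password: str, engine_id: bytes, algorithm: str = "sha") -> bytes:
    """Return the localized key Kul for this password on this agent.

    Step 1 (Ku): hash the password repeated to exactly 1 MiB, which makes
    guessing a password from a captured HMAC far slower than one hash.
    Step 2 (Kul): hash Ku || engineID || Ku, tying the key to one device, so
    a key lifted from one router does not authenticate to another.
    """
    h = HASHES[algorithm.lower()]
    pw = password.encode()
    if not pw:
        raise ValueError("empty SNMPv3 password")
    stream = (pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE]
    ku = h(stream).digest()
    return h(ku + engine_id + ku).digest()


def aes128_priv_key(priv_password: str, engine_id: bytes, algorithm: str = "sha") -> bytes:
    """AES-128 privacy key (RFC 3826): the first 16 octets of the localized priv key."""
    return password_to_key(priv_password, engine_id, algorithm)[:16]


if __name__ == "__main__":
    # Engine ID from the RFC 3414 Appendix A.3 test vectors (password "maplesyrup").
    rfc_engine = bytes.fromhex("000000000000000000000002")
    print("md5 Kul:", password_to_key("maplesyrup", rfc_engine, "md5").hex())
    print("sha Kul:", password_to_key("maplesyrup", rfc_engine, "sha").hex())
    # Constructed engine ID: the lecture's passwords give device-specific keys.
    lab_engine = bytes.fromhex("800000090300aabbccddeeff")
    print("auth key:", password_to_key("AUTHPASSWORD", lab_engine).hex())
    print("aes key :", aes128_priv_key("PRIVPASSWORD", lab_engine).hex())
```

Because the localized key depends on the engine ID, the NMS learns each device's engine ID (normally by discovery) before it can authenticate, even though the same username and passwords are configured on both sides.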
-
So that is my user and my group set up on my router or switch. What I would do next is go on to my NMS server and configure a user there with matching settings. I would set it with the same username of Flackbox-user, and I would specify the auth password and the priv password, and that's me done. My NMS server is now going to be able to access my device and pull information from it. Thanks for watching.
-
If you want to get hands-on practice with Cisco networks for free, then you can download my 400-page CCNA lab guide, which you can see above my head right now. Also, check out the video about my CCNA course, the highest rated course online. Thanks.