Cisco SNMP v3 Configuration

  • 0:00 - 0:02
    in this lecture you'll see the
  • 0:02 - 0:07
    configuration for SNMP version 3
  • 0:07 - 0:12
    [Music]
  • 0:13 - 0:17
    so you saw earlier that in SNMP version
  • 0:17 - 0:22
    1 and 2 the SNMP manager
  • 0:22 - 0:25
    that's our NMS server and the SNMP agent
  • 0:25 - 0:28
    that's our router or switch they recognize
  • 0:28 - 0:30
    each other through simple unencrypted
  • 0:30 - 0:33
    community strings so it's not very
  • 0:33 - 0:34
    secure
  • 0:34 - 0:37
    but that's improved upon with SNMP
  • 0:37 - 0:39
    version 3 which does support
  • 0:39 - 0:43
    authentication and encryption with SNMP
  • 0:43 - 0:47
    version 3 the security model uses users
  • 0:47 - 0:49
    and groups so we're going to configure a
  • 0:49 - 0:52
    user on the router or switch and we
  • 0:52 - 0:56
    configure a matching user on the NMS
  • 0:56 - 0:58
    server that's how they recognize each
  • 0:58 - 1:01
    other there is also a group as well so
  • 1:01 - 1:03
    most of the settings are configured at
  • 1:03 - 1:05
    the group level and those settings are
  • 1:05 - 1:07
    going to be applied to the user
  • 1:07 - 1:09
    depending on which group it's actually
  • 1:09 - 1:13
    in there's three different security
  • 1:13 - 1:16
    levels available and these are
  • 1:16 - 1:18
    configured at the group level so
  • 1:18 - 1:19
    normally you're going to just use one
  • 1:19 - 1:22
    particular security level but it is
  • 1:22 - 1:24
    possible that you could have one NMS
  • 1:24 - 1:26
    server in one group it's got one
  • 1:26 - 1:28
    security level and a different NMS
  • 1:28 - 1:30
    server in a different group but it's
  • 1:30 - 1:32
    got a different security level that
  • 1:32 - 1:34
    would be a pretty weird thing to do but
  • 1:34 - 1:36
    it is possible to do that these three
  • 1:36 - 1:38
    different security levels the first one
  • 1:38 - 1:42
    is noAuthNoPriv which means no
  • 1:42 - 1:44
    authentication and no privacy with
  • 1:44 - 1:47
    noAuthNoPriv no authentication password
  • 1:47 - 1:49
    is exchanged and the communications
  • 1:49 - 1:52
    between the agent and the server are not
  • 1:52 - 1:55
    encrypted so with noAuthNoPriv it
  • 1:55 - 1:56
    still doesn't use a community string it
  • 1:56 - 1:59
    still uses a username because that's
  • 1:59 - 2:00
    SNMP version 3
  • 2:00 - 2:03
    but that username basically replaces
  • 2:03 - 2:05
    works the same as the community
  • 2:05 - 2:09
    string in SNMP version 1 and version 2
  • 2:09 - 2:11
    so there's not much point in doing that
  • 2:11 - 2:12
    doesn't really give you any advantage
  • 2:12 - 2:15
    over the old SNMP versions the next
  • 2:15 - 2:17
    security level we've got is
  • 2:17 - 2:20
    authNoPriv with authNoPriv password
  • 2:20 - 2:23
    authentication is used so the NMS server
  • 2:23 - 2:25
    and the network device will
  • 2:25 - 2:28
    securely authenticate each other when we do
  • 2:28 - 2:29
    that initial authentication the
  • 2:29 - 2:31
    authentication is encrypted so the user
  • 2:31 - 2:34
    and user name and password is encrypted
  • 2:34 - 2:37
    it's not going in plaintext but after that
  • 2:37 - 2:40
    initial authentication no encryption is
  • 2:40 - 2:41
    used for communications between the
  • 2:41 - 2:44
    devices so if the server pulls some
  • 2:44 - 2:46
    information from the device but it's
  • 2:46 - 2:48
    going to go over the network unencrypted
  • 2:48 - 2:50
    so the last one is the one that we're
  • 2:50 - 2:53
    most likely gonna want to use which is
  • 2:53 - 2:56
    authPriv with authPriv password
  • 2:56 - 2:58
    authentication is used again the same as
  • 2:58 - 3:00
    it was in authNoPriv but
  • 3:00 - 3:02
    communications between the agent and the
  • 3:02 - 3:05
    server are also encrypted so with
  • 3:05 - 3:08
    authPriv the NMS server and the device are
  • 3:08 - 3:10
    going to securely authenticate each
  • 3:10 - 3:12
    other that does not go in plaintext and
  • 3:12 - 3:14
    also whenever they're sharing information
  • 3:14 - 3:17
    that is also encrypted as well so this
  • 3:17 - 3:19
    is the most secure way of doing it if
  • 3:19 - 3:22
    we're using SNMP version 3 most likely
  • 3:22 - 3:25
    we're going to be using authPriv ok so
  • 3:25 - 3:28
    let's look at the configuration so you
  • 3:28 - 3:29
    saw earlier in this lecture we're gonna
  • 3:29 - 3:31
    have the group and we're gonna have the
  • 3:31 - 3:34
    user as well let's configure the group
  • 3:34 - 3:38
    first so at global config I say SNMP -
  • 3:38 - 3:41
    server group in this example I've called
  • 3:41 - 3:43
    the group black box - group then
  • 3:43 - 3:46
    actually v3 to say that we're using SNMP
  • 3:46 - 3:48
    version 3 and then the example I've used
  • 3:48 - 3:50
    the context-sensitive help I've hit the
  • 3:50 - 3:52
    question mark to see what the next key
  • 3:52 - 3:54
    word is and this is where we set the
  • 3:54 - 3:57
    security level of either auth noauth or
  • 3:57 - 4:05
    priv then next thing that we do so in
  • 4:05 - 4:07
    an example I've set priv because I want
  • 4:07 - 4:09
    the most secure level then I've put the
  • 4:09 - 4:11
    question mark in again and see what the
  • 4:11 - 4:13
    next key word is next key words we've
  • 4:13 - 4:16
    got access context match notify read
  • 4:16 - 4:20
    and write with access you can set an
  • 4:20 - 4:22
    access list I'll talk about that a bit
  • 4:22 - 4:25
    more in the next slide context and match
  • 4:25 - 4:28
    both apply to contexts and notify
  • 4:28 - 4:32
    read and write are about views so let's
  • 4:32 - 4:34
    see what that means so the first key
  • 4:34 - 4:36
    word available there was access what you
  • 4:36 - 4:38
    can do is you can configure a normal
  • 4:38 - 4:39
    access
  • 4:39 - 4:41
    list on the router or switch
  • 4:41 - 4:44
    where you specify the IP address of the
  • 4:44 - 4:47
    NMS server and then when you configure
  • 4:47 - 4:50
    your SNMP settings here you can
  • 4:50 - 4:51
    reference our access list which means
  • 4:51 - 4:54
    you're locking it down this router
  • 4:54 - 4:56
    or switch will only communicate with
  • 4:56 - 5:00
    SNMP with that particular IP address so
  • 5:00 - 5:01
    you're locking it down to the IP address
  • 5:01 - 5:05
    of your NMS server the next key words we
  • 5:05 - 5:07
    had in there were other contexts
  • 5:07 - 5:10
    contexts are used on switches to specify
  • 5:10 - 5:14
    which VLANs are accessible via SNMP so
  • 5:14 - 5:15
    if you're configuring a switch you might
  • 5:15 - 5:17
    need to set that up so that your NMS
  • 5:17 - 5:19
    system can access other VLANs not
  • 5:19 - 5:23
    just the default VLAN 1 and then the last
  • 5:23 - 5:25
    thing we could set there were our views
  • 5:25 - 5:27
    views can be used to limit what
  • 5:27 - 5:30
    information is accessible to the NMS
  • 5:30 - 5:34
    server and we had a read view a write view
  • 5:34 - 5:36
    and a notify view are all available if
  • 5:36 - 5:40
    you don't specify a read view then all
  • 5:40 - 5:43
    MIB objects are accessible to read so by
  • 5:43 - 5:46
    default the NMS server can get all the
  • 5:46 - 5:49
    different SNMP information from that
  • 5:49 - 5:51
    particular device so if you want to lock
  • 5:51 - 5:53
    it down to only be able to gather a
  • 5:53 - 5:55
    person or maybe pull a particular set
  • 5:55 - 5:57
    of information then you would use a
  • 5:57 - 6:00
    read view for that next one was the write
  • 6:00 - 6:02
    view if you don't specify a write view
  • 6:02 - 6:05
    then no MIB objects are accessible to
  • 6:05 - 6:07
    write so this works the other way so by
  • 6:07 - 6:09
    default it can read everything but it
  • 6:09 - 6:12
    can write nothing so if you want to lock
  • 6:12 - 6:14
    down limit what it can read configure a
  • 6:14 - 6:17
    read view if you want it to be able to
  • 6:17 - 6:19
    write anything then you have to
  • 6:19 - 6:21
    configure a write view before it can
  • 6:21 - 6:23
    explicitly configuring a write view it
  • 6:23 - 6:26
    doesn't get any write access so by
  • 6:26 - 6:28
    default the NMS server gets read-only
  • 6:28 - 6:31
    access to all MIBs the last one was
  • 6:31 - 6:34
    the notify view notify view is used
  • 6:34 - 6:36
    to send notifications to members of the
  • 6:36 - 6:39
    group notification is a trap if you
  • 6:39 - 6:40
    don't specify anything it will be
  • 6:40 - 6:44
    disabled by default okay so those were
  • 6:44 - 6:48
    our views so when I configure the group
  • 6:48 - 6:50
    here in this example the full command
  • 6:50 - 6:53
    that I use is SNMP server group
  • 6:53 - 6:56
    black box group v3 priv so I haven't
  • 6:56 - 6:58
    configured any access lists or any views
  • 6:58 - 7:01
    or anything here they are all optional
  • 7:01 - 7:03
    and because I'm using the defaults here
  • 7:03 - 7:06
    the NMS server that is in this group
  • 7:06 - 7:09
    will have full read-only access to the
  • 7:09 - 7:11
    device
  • 7:11 - 7:15
    okay so I've configured my group the
  • 7:15 - 7:17
    next thing I'm gonna want to do is
  • 7:17 - 7:21
    configure my user so the first word I
  • 7:21 - 7:24
    use again is SNMP - server but I'm doing
  • 7:24 - 7:27
    the user this time so that's SNMP
  • 7:27 - 7:30
    server user and then for my example user
  • 7:30 - 7:33
    I've called it black box - user next I
  • 7:33 - 7:36
    specify the group that this user is
  • 7:36 - 7:38
    in and I'm putting it in the black box
  • 7:38 - 7:40
    group that I just configured a minute ago
  • 7:40 - 7:45
    I say v3 for SNMP version 3 and then auth
  • 7:45 - 7:48
    is where I'm gonna specify the
  • 7:48 - 7:50
    authentication algorithm that I'm gonna
  • 7:50 - 7:55
    use I can either use MD5 or SHA-1 SHA
  • 7:55 - 7:57
    is more secure but it's a little bit
  • 7:57 - 8:01
    slower okay next up so I've set SNMP
  • 8:01 - 8:03
    server user flat box user in the flat
  • 8:03 - 8:06
    box group SNMP version 3 auth I'm using
  • 8:06 - 8:09
    sha and I'm using an authentication
  • 8:09 - 8:11
    password of auth password for this
  • 8:11 - 8:14
    example so you know we talked about the
  • 8:14 - 8:15
    three different security levels and
  • 8:15 - 8:17
    there you specify authentication and
  • 8:17 - 8:20
    privacy separately but we configure the
  • 8:20 - 8:22
    authentication and the privacy
  • 8:22 - 8:24
    separately as well so right now I've
  • 8:24 - 8:27
    already configured the authentication
  • 8:27 - 8:30
    next up I'm gonna configure the privacy
  • 8:30 - 8:33
    so I say priv and I've used a question
  • 8:33 - 8:35
    mark again and see what options I've got
  • 8:35 - 8:38
    here and I can either use DES Triple
  • 8:38 - 8:41
    DES or AES encryption AES is the most
  • 8:41 - 8:44
    modern of those it's the most secure but
  • 8:44 - 8:47
    it's a little bit slower okay
  • 8:47 - 8:51
    after I configure that so here and I
  • 8:51 - 8:52
    won't be like the whole the whole
  • 8:52 - 8:55
    command again I've got up to I'm using
  • 8:55 - 8:59
    AES encryption next up I specify whether
  • 8:59 - 9:04
    it's 128 192 or 256 bit obviously the
  • 9:04 - 9:05
    higher the number the more secure it's
  • 9:05 - 9:06
    going to be but it'll
  • 9:06 - 9:10
    take more CPU cycles be a little slower
  • 9:10 - 9:13
    so looking at the complete command
  • 9:13 - 9:16
    I've got SNMP server user black box user
  • 9:16 - 9:18
    in the black box group it's using SNMP
  • 9:18 - 9:21
    version 3 for authentication I'm using
  • 9:21 - 9:25
    SHA as my algorithm my password is auth
  • 9:25 - 9:28
    password and for priv I'm using AES 128
  • 9:28 - 9:31
    bit encryption with a password of priv
  • 9:31 - 9:34
    password so that is my user and my group
  • 9:34 - 9:37
    setup on my router or switch now what I
  • 9:37 - 9:39
    would do next is I would go on to my NMS
  • 9:39 - 9:41
    server and I would configure a user
  • 9:41 - 9:44
    there with matching settings here so I
  • 9:44 - 9:47
    would set it with the same username a
  • 9:47 - 9:50
    flat box user I would specify the auth
  • 9:50 - 9:52
    password and the priv password and that's
  • 9:52 - 9:55
    me done my NMS server is now going to
  • 9:55 - 9:57
    be able to access my device and pull
  • 9:57 - 10:00
    information from it thanks for watching
  • 10:00 - 10:02
    if you want to get hands-on practice
  • 10:02 - 10:05
    with Cisco networks for free then you
  • 10:05 - 10:09
    can download my 400 page CCNA lab guide
  • 10:09 - 10:11
    which you can see above my head right
  • 10:11 - 10:15
    now also check out the video about my
  • 10:15 - 10:17
    CCNA course it's the highest rated course
  • 10:17 - 10:21
    online thanks
Title:
Cisco SNMP v3 Configuration
Video Language:
English
Duration:
10:19