In this lecture you'll see the configuration for SNMP version 3.
So you saw earlier that in SNMP version 1 and 2 the SNMP manager, that's our NMS server, and the SNMP agent, that's our router or switch, recognize each other through simple unencrypted community strings, so it's not very secure. That's improved upon with SNMP version 3, which does support authentication and encryption. With SNMP version 3 the security model uses users and groups, so we're going to configure a user on the router or switch and we configure a matching user on the NMS server; that's how they recognize each other. There is also a group as well, so most of the settings are configured at the group level, and those settings are going to be applied to the user depending on which group it's actually in.
There's three different security levels available, and these are configured at the group level. So normally you're going to just use one particular security level, but it is possible that you could have one NMS server in one group that's got one security level and a different NMS server in a different group that's got a different security level. That would be a pretty weird thing to do, but it is possible to do that.

These are the three different security levels. The first one is noAuthNoPriv, which means no authentication and no privacy. With noAuthNoPriv no authentication password is exchanged and the communications between the agent and the server are not encrypted. So with noAuthNoPriv it still doesn't use a community string, it still uses a username because it's SNMP version 3, but that username basically replaces, works the same as, the community string in SNMP version 1 and version 2. So there's not much point in doing that; it doesn't really give you any advantage over the old SNMP versions.

The next security level we've got is authNoPriv. With authNoPriv password authentication is used, so the NMS server and the network device will securely authenticate each other. When we do that initial authentication the authentication is encrypted, so the username and password is encrypted, it's not going in plaintext, but after that initial authentication no encryption is used for communications between the devices. So if the server pulls some information from the device, that's going to go over the network unencrypted.

So the last one is the one that we're most likely going to want to use, which is authPriv. With authPriv password authentication is used again, the same as it was in authNoPriv, but communications between the agent and the server are also encrypted. So with authPriv the NMS server and the device are going to securely authenticate each other, that does not go in plaintext, and also whenever they're sharing information that is also encrypted as well. So this is the most secure way of doing it. If we're using SNMP version 3, most likely we're going to be using authPriv.
OK, so let's look at the configuration. So you saw earlier in this lecture we're going to have the group and we're going to have the user as well. Let's configure the group first. So at global config I say snmp-server group; in this example I've called the group Flackbox-Group, then actually v3 to say that we're using SNMP version 3, and then in the example I've used the context-sensitive help, I've hit the question mark to see what the next keyword is, and this is where we set the security level of either auth, noauth or priv. Then the next thing that we do, so in the example I've set priv because I want the most secure level, then I've put the question mark in again to see what the next keyword is. The next keywords we've got are access, context, match, notify, read and write. With access you can set an access list; I'll talk about that a bit more in the next slide. Context and match both apply to contexts, and notify, read and write are about views. So let's see what that means.
So the first keyword available there was access. What you can do is you can configure a normal access list on the router or switch where you specify the IP address of the NMS server, and then when you configure your SNMP settings here you can reference that access list, which means you're locking it down. The router or switch will only communicate with SNMP with that particular IP address, so you're locking it down to the IP address of your NMS server.

The next keywords we had in there were about contexts. Contexts are used on switches to specify which VLANs are accessible via SNMP, so if you're configuring a switch you might need to set that up so that your NMS system can access other VLANs, not just the default VLAN 1.

And then the last thing we could set there were our views. Views can be used to limit what information is accessible to the NMS server, and we had a read view, a write view and a notify view all available. If you don't specify a read view then all MIB objects are accessible to read, so by default the NMS server can get all the different SNMP information from that particular device. So if you want to lock it down to only be able to gather a portion, or maybe poll a particular set of information, then you would use a read view for that. The next one was the write view. If you don't specify a write view then no MIB objects are accessible to write, so this works the other way. So by default it can read everything but it can write nothing. So if you want to lock down and limit what it can read, configure a read view. If you want it to be able to write anything then you have to configure a write view; before explicitly configuring a write view it doesn't get any write access. So by default the NMS server gets read-only access to all MIBs. The last one was the notify view. Notify view is used to send notifications to members of the group; a notification is a trap. If you don't specify anything it will be disabled by default.

OK, so those were our views. So when I configure the group here in this example, the full command that I use is snmp-server group Flackbox-Group v3 priv. So I haven't configured any access lists or any views or anything here; they are all optional, and because I'm using the defaults here the NMS server that is in this group will have full read-only access to the device.
OK, so I've configured my group. The next thing I'm going to want to do is configure my user. So the first word I use again is snmp-server, but I'm doing the user this time, so that's snmp-server user, and then for my example user I've called it Flackbox-User. Next I specify the group that this user is in, and I'm putting it in the Flackbox-Group that I just configured a minute ago. I say v3 for SNMP version 3, and then auth is where I'm going to specify the authentication algorithm that I'm going to use. I can either use MD5 or SHA-1; SHA is more secure but it's a little bit slower. OK, next up, so I've set snmp-server user Flackbox-User in the Flackbox-Group, SNMP version 3, auth, I'm using SHA, and I'm using an authentication password of AuthPassword for this example.

So you know we talked about the three different security levels, and there you specify authentication and privacy separately, but we configure the authentication and the privacy separately as well. So right now I've already configured the authentication; next up I'm going to configure the privacy. So I say priv and I've used a question mark again to see what options I've got here, and I can either use DES, Triple DES or AES encryption. AES is the most modern of those; it's the most secure but it's a little bit slower. OK.
After I configure that, so here I won't type the whole command again, I've got up to the point where I'm using AES encryption. Next up I specify whether it's 128, 192 or 256 bit. Obviously the higher the number the more secure it's going to be, but it's going to take more CPU cycles and be a little slower.

So looking at the complete command, I've got snmp-server user Flackbox-User in the Flackbox-Group, it's using SNMP version 3, for authentication I'm using SHA as my algorithm, my password is AuthPassword, and for priv I'm using AES 128-bit encryption with a password of PrivPassword. So that is my user and my group set up on my router or switch. Now what I would do next is I would go on to my NMS server and I would configure a user there with matching settings, so I would set it with the same username of Flackbox-User, I would specify the auth password and the priv password, and that's me done. My NMS server is now going to be able to access my device and pull information from it.

Thanks for watching. If you want to get hands-on practice with Cisco networks for free then you can download my 400 page CCNA lab guide, which you can see above my head right now. Also check out the video about my CCNA course; it's the highest rated course online. Thanks.
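The following is an added Cisco IOS configuration example written for this transcript; it is not the lecture's own slide. It takes the group and user from the lecture (Flackbox-Group, Flackbox-User, SHA, AES 128, AuthPassword, PrivPassword) and adds the two optional hardening pieces the lecture describes but leaves at their defaults: an access list limiting SNMP to the NMS server's address and a read view limiting which MIB subtrees can be polled. The NMS address 10.1.1.100, the ACL name NMS-ONLY and the view name SYSTEM-ONLY are assumed values; the exact keywords available after "v3 priv" depend on the IOS version.

```cisco
! Added example, not from the lecture. Assumed values: NMS server 10.1.1.100,
! ACL name NMS-ONLY, view name SYSTEM-ONLY.
!
! 1. Restrict SNMP to the NMS server's IP address (referenced via the "access" keyword).
ip access-list standard NMS-ONLY
 permit host 10.1.1.100
 deny any log
!
! 2. Optional read view: expose only the system and interfaces subtrees
!    instead of the default, which is every MIB object readable.
snmp-server view SYSTEM-ONLY system included
snmp-server view SYSTEM-ONLY interfaces included
!
! 3. Group at the authPriv security level, restricted by the view and the ACL.
!    The lecture's bare form is "snmp-server group Flackbox-Group v3 priv",
!    which gives the NMS read-only access to all MIBs from any source address.
snmp-server group Flackbox-Group v3 priv read SYSTEM-ONLY access NMS-ONLY
!
! 4. User in that group: SHA for authentication, AES 128-bit for privacy.
!    The NMS must be configured with the same username, algorithms and passwords.
snmp-server user Flackbox-User Flackbox-Group v3 auth sha AuthPassword priv aes 128 PrivPassword
!
! For contrast, the noAuthNoPriv form the lecture says is no better than v1/v2c
! (the username is sent unauthenticated and acts like a community string):
!   snmp-server group Legacy-Group v3 noauth
!   snmp-server user Legacy-User Legacy-Group v3
!
! Verification commands:
!   show snmp group
!   show snmp user
```

Two things worth knowing when checking this on a real device: the snmp-server user line is not shown in the running configuration on IOS (use show snmp user instead), and the access list only limits which source address may talk to the agent; it does not replace authentication, so keep the group at priv even when an ACL is applied. On the NMS side, a net-snmp manager would be pointed at the same settings with snmpwalk -v3 -l authPriv -u Flackbox-User -a SHA -A AuthPassword -x AES -X PrivPassword followed by the device address.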