Cisco CCNA 200-301 – Network Device Management Part 3

March 12, 2023

6. SNMP Lab Demo

In this lecture, you’ll see how to configure SNMP on a Cisco device using a lab demo. I’ve got the same topology again: my router R1 is at 10.0.0.1, and the SNMP server is my NMS system at 10.0.0.100, which is the PC that I’m working on right now. So let’s go into R1 to configure it for SNMP. I’ll go to global config. Actually, just one thing to tell you before I do this: the router has just been reset. It doesn’t have any login configuration on it at all; everything’s at the default. So let’s set up SNMP. At global config, I’ll enter the command snmp-server contact, and the contact is me.

That’s neil@flackbox.com. Then snmp-server location, and I’ll set it to the Flackbox lab. That’s purely informational, but it will show up on the NMS system and identify the device, so it’s useful when I’m looking at the logs later on. Next, I need to set my communities with snmp-server community. For my read-only community, I’ll call that Flackbox1 and I say RO for read-only. I’ll also configure my read-write community: snmp-server community again, and I’ll make this one Flackbox2, and that’s going to be the read-write community string. Then I’ll set up where the SNMP server is: snmp-server host, and the host is at 10.0.0.100.

When I’m sending traps to that SNMP server, I want to use my read-only community string, which is Flackbox1. Let’s try that without the typo in there; I missed out an R in the middle. That looks better now. Then I need to specify which traps I actually want to send to that server. So I type snmp-server traps and a question mark. I’ve missed out the enable keyword. Okay, I’m a typo king today. All right, let’s try that again: snmp-server enable traps followed by a question mark. You can see there’s a whole bunch of options for the trap messages that will be sent to the SNMP system. For example, if something changes with OSPF, you can send traps about that, or ISDN, et cetera.

The one I’m going to use for this example is snmp-server enable traps config, which will send an SNMP trap, a message, to the SNMP server when somebody enters configuration mode on the router. So let’s open up my NMS system. I’m using the Kiwi server for this again. I’ll go back to the router and make this window a bit smaller so we can see both. In my router window, I’ll exit out of configuration mode and then re-enter global configuration. This should send a trap to my SNMP server saying that I’ve entered global configuration. And there we go. It took a few seconds to come in, but I can now see that trap showing up in my SNMP server. Okay, that was how you configure SNMP. See you in the next lecture.

7. SNMPv3 Configuration

So you saw earlier that in SNMP version 1 and 2, the SNMP manager (that’s our NMS server) and the SNMP agent (that’s our router or switch) recognize each other through simple unencrypted community strings. That’s not very secure, but it was improved upon with SNMP version 3, which does support authentication and encryption. With SNMP version 3, the security model uses users and groups. We configure a user on the router or switch and a matching user on the NMS server; that’s how they recognize each other. There’s also a group. Most of the settings are configured at the group level, and those settings are applied to the user depending on which group it’s in.

There are three different security levels available, and these are configured at the group level. Normally you’ll just use one particular security level, but it is possible to have one NMS server in one group with one security level and a different NMS server in a different group with a different security level. That would be a pretty weird thing to do, but it is possible. The first of the three security levels is noAuthNoPriv, which means no authentication and no privacy. With noAuthNoPriv, no authentication password is exchanged, and the communications between the agent and the server are not encrypted.

With noAuthNoPriv, it still doesn’t use a community string; it uses a username because it’s SNMP version 3. But that username basically works the same as the community string in SNMP version 1 and version 2, so there’s not much point in doing that. It doesn’t really give you any advantage over the old SNMP versions. The next security level is authNoPriv. With authNoPriv, password authentication is used, so the NMS server and the network device will securely authenticate each other. That authentication is protected, so the username and password don’t go in plain text. But after that initial authentication, no encryption is used for communications between the devices.

So if the server polls some information from the device, that’s going to go over the network unencrypted. The last one is the one we’re most likely going to want to use, which is authPriv. With authPriv, password authentication is used again, the same as in authNoPriv, but communications between the agent and the server are also encrypted. So with authPriv, the NMS server and the device securely authenticate each other, that does not go in plain text, and whenever they share information, that is also encrypted. This is the most secure way of doing it. If we’re using SNMP version 3, most likely we’re going to be using authPriv. Okay, so let’s look at the configuration. As you saw earlier in this lecture, we’re going to have the group and the user. Let’s configure the group first. At global config, I say snmp-server group. In this example I’ve called the group Flackbox group.

Then I say v3 to say that we’re using SNMP version 3. In the example I’ve used the context-sensitive help, hitting the question mark to see what the next keyword is, and this is where we set the security level of noauth, auth or priv. In the example I’ve set priv because I want the most secure level, then I’ve put the question mark in again to see what the next keyword is. The next keywords we’ve got are access, context, match, notify, read and write. With access you can set an access list; I’ll talk about that a bit more in the next slide. Context and match both apply to contexts, and notify, read and write are about views. So let’s see what that means. The first keyword available there was access. What you can do is configure a normal access list on the router or switch where you specify the IP address of the NMS server.

Then when you configure your SNMP settings you can reference that access list, which means you’re locking it down so that this router or switch will only communicate over SNMP with that particular IP address, the IP address of your NMS server. The next keywords we had in there were about contexts. Contexts are used on switches to specify which VLANs are accessible via SNMP. If you’re configuring a switch, you might need to set that up so that your NMS system can access other VLANs, not just the default VLAN. The last things we could set there were our views. Views can be used to limit what information is accessible to the NMS server; a read view, a write view and a notify view are all available. If you don’t specify a read view, then all MIB objects are accessible to read, so by default the NMS server can get all the SNMP information from that particular device.

So if you want to lock it down to only be able to gather, only be able to poll, a particular set of information, you would use a read view for that. The next one was the write view. If you don’t specify a write view, then no MIB objects are accessible to write, so this works the other way. By default it can read everything, but it can write nothing.

So if you want to limit what it can read, configure a read view. If you want it to be able to write anything, then you have to configure a write view; without explicitly configuring a write view, it doesn’t get any write access. So by default the NMS server gets read-only access to all MIBs. The last one is the notify view. The notify view is used to send notifications, which are traps, to members of the group. If you don’t specify one, notifications are disabled by default. Okay, so those were our views. When I configured the group in this example, the full command that I used is snmp-server group, Flackbox group, v3, priv.

So I haven’t configured any access list or any views here; they are all optional. Because I’m using the defaults, the NMS server that is in this group will have full read-only access to the device. Okay, so I’ve configured my group. The next thing I want to do is configure my user. The first word I use is again snmp-server, but this time I’m configuring the user.

So snmp-server user, and for my example user I’ve called it Flackbox user. Next I specify the group that this user is in, and I’m putting it in the Flackbox group that I configured a minute ago. I say v3 for SNMP version 3. Then auth is where I specify the authentication algorithm that I’m going to use. I can either use MD5 or SHA authentication. SHA is more secure, but it’s a little bit slower. So I’ve said snmp-server user, Flackbox user, in the Flackbox group, SNMP version 3, auth, I’m using SHA, and I’m using an authentication password of authpassword for this example. We talked about the three security levels, where authentication and privacy are specified separately, and we configure the authentication and the privacy separately as well. So right now I’ve configured the authentication.

Next up, I’m going to configure the privacy. I say priv, and I’ve used a question mark again to see what options I’ve got here. I can either use DES, Triple DES or AES encryption. AES is the most modern of those and the most secure, though it’s a little bit slower. After I configure that (I won’t read out the whole command again; I’ve got up to where I’m using AES encryption), I specify whether it’s 128, 192 or 256 bit. Obviously the higher the number, the more secure it’s going to be, but it’s going to take more CPU cycles and be a little slower. So looking at the complete command, I’ve got snmp-server user, Flackbox user, in the Flackbox group, using SNMP version 3. For authentication I’m using SHA as my algorithm, and my password is authpassword.
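The v1/v2c lab in section 6 and the v3 security levels in section 7 give a checklist a defender can apply to a device configuration. As an added example that is not from the lecture or the course, this Python script scans snmp-server command lines for the weak settings discussed above (RW communities, communities without an access-list, trap destinations that use a community string, v3 groups below priv, MD5 or DES on a v3 user). The sample lines are constructed from the lecture’s commands; the password values and the LegacyGroup line are made up for the demonstration.

```python
# Added audit script (not part of the lecture or course). It scans IOS
# "snmp-server" lines for the weaknesses discussed above and reports them.
WEAK_AUTH = {"md5"}            # SHA preferred, as the lecture notes
WEAK_PRIV = {"des", "3des"}    # AES preferred

# Constructed sample: the commands from the lecture's R1 (names as in the
# lecture; passwords are placeholders), plus a made-up noauth group to flag.
SAMPLE_CONFIG = """\
snmp-server community Flackbox1 RO
snmp-server community Flackbox2 RW
snmp-server host 10.0.0.100 Flackbox1
snmp-server enable traps config
snmp-server group FlackboxGroup v3 priv
snmp-server user FlackboxUser FlackboxGroup v3 auth sha authpassword priv aes 128 privpassword
snmp-server group LegacyGroup v3 noauth
"""


def _next(words, key):
    """Token that follows `key`, or None if `key` is absent or last."""
    i = words.index(key) if key in words else -1
    return words[i + 1] if 0 <= i < len(words) - 1 else None


def audit_snmp(config: str) -> list[str]:
    """Return one finding per SNMP setting weaker than v3 authPriv with an ACL."""
    findings = []
    for line in config.splitlines():
        w = line.split()
        if len(w) < 3 or w[0] != "snmp-server":
            continue
        if w[1] == "community":
            # v1/v2c: the community string is a shared secret sent in clear text
            mode_idx = next((i for i, t in enumerate(w) if t.upper() in ("RO", "RW")), None)
            if mode_idx is not None and w[mode_idx].upper() == "RW":
                findings.append(f"community {w[2]}: RW allows config writes over v1/v2c")
            if mode_idx is None or mode_idx + 1 >= len(w):   # nothing after RO/RW = no ACL
                findings.append(f"community {w[2]}: no access-list, any source can query it")
        elif w[1] == "host" and _next(w, "version") != "3":
            findings.append(f"host {w[2]}: traps sent with a v1/v2c community string")
        elif w[1] == "group" and "v3" in w and _next(w, "v3") != "priv":
            findings.append(f"group {w[2]}: v3 {_next(w, 'v3') or 'noauth'} leaves polled data unencrypted")
        elif w[1] == "user" and "v3" in w:
            if _next(w, "auth") in WEAK_AUTH:
                findings.append(f"user {w[2]}: MD5 authentication, prefer SHA")
            if _next(w, "priv") in WEAK_PRIV:
                findings.append(f"user {w[2]}: {_next(w, 'priv').upper()} encryption, prefer AES")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print("WARN", finding)
```

On the sample it reports the two v2c communities (RW and missing ACL), the trap host using a community string, and the noauth group, while the SHA/AES user passes.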
