SNMPv3 was introduced to improve on the security of the previous version, SNMPv2c, which used clear-text community strings to authorize SNMP operations. It does so by introducing a new security model.
The security model consists of two main parameters:
- Authentication (Auth): makes sure the proper user is using the service; it uses either MD5 or SHA1 as the hash.
- Privacy (Priv): encrypts the data between the host and the server, using DES, 3DES or AES as the encryption method.
Auth and Priv can be combined to form the security level SNMPv3 operates with, which gives these three methods:
- NoAuthNoPriv: no authentication and no privacy
- AuthNoPriv: authentication and no privacy
- AuthPriv: authentication and privacy
The structure of SNMPv3 consists of groups and the users attached to those groups:
- SNMP Groups: contain the access control policies that apply to their users; these privileges are mainly the SNMP views the users may read or read/write.
- SNMP Users: each user is assigned to a group, along with the security model it will use (Auth and Priv).
- SNMP Hosts: servers that receive pushed SNMP notifications and traps. Since notifications and traps are pushed to the server, each server can be associated with only one user.
Note: SNMP uses either pull or push communication with the server. Pull is when the server requests to read or write something on the router or switch. Push is when the router or switch sends a trap or notification to the server. The two are independent of each other; you can configure one or both of them.
Now let's start configuring SNMPv3
First you have to define a view, which is the part of the MIB tree you want to use. In our example here we will use two views: the ISO view for read only, which we will call READ, and the SYSTEM view for read/write, which we will call WRITE.
snmp-server view READ iso included
snmp-server view WRITE system included
Now we need to configure the SNMP group called MANAGMENT that uses both the READ and WRITE views for its associated users:
snmp-server group MANAGMENT v3 priv read READ write WRITE
Now let's confirm that with show snmp group:
R1#show snmp group
groupname: ILMI security model:v1
readview : *ilmi writeview: *ilmi
notifyview: <no notifyview specified>
row status: active
groupname: ILMI security model:v2c
readview : *ilmi writeview: *ilmi
notifyview: <no notifyview specified>
row status: active
groupname: READGROUP security model:v3 priv
readview : READ writeview: WRITE
notifyview: <no notifyview specified>
row status: active
Let's associate two users with the MANAGMENT group, READUSER and WRITEUSER:
snmp-server user READUSER MANAGMENT v3 auth sha READuserAUTHENTICATIONpassword priv aes 128 READuserPRIVACYpassword
snmp-server user WRITEUSER MANAGMENT v3 auth sha WRITEuserAUTHENTICATIONpassword priv aes 128 WRITEuserPRIVACYpassword
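As an added example (not from the original post), here is a small Python audit that parses snmp-server group and snmp-server user lines like the ones above and reports anything below AuthPriv or using MD5, DES or 3DES. The LEGACY group and OLDUSER line in the sample are constructed for the demonstration; the other lines are the ones configured above.

```python
import re
# Constructed sample: the page's group and user lines plus one weaker pair to flag.
SAMPLE_CONFIG = """
snmp-server group MANAGMENT v3 priv read READ write WRITE
snmp-server user READUSER MANAGMENT v3 auth sha READuserAUTHENTICATIONpassword priv aes 128 READuserPRIVACYpassword
snmp-server user WRITEUSER MANAGMENT v3 auth sha WRITEuserAUTHENTICATIONpassword priv aes 128 WRITEuserPRIVACYpassword
snmp-server group LEGACY v3 noauth read READ
snmp-server user OLDUSER LEGACY v3 auth md5 legacyAUTHpassword priv des legacyPRIVpassword
"""
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b")
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3"
                     r"(?: auth (md5|sha) \S+)?(?: priv (des|3des|aes \d+) \S+)?")
LEGACY_ALGS = {"md5", "des", "3des"}  # deprecated hash and cipher choices

def security_level(auth, priv):
    """Map a user line's auth/priv settings to the three SNMPv3 levels."""
    if auth and priv:
        return "authPriv"
    return "authNoPriv" if auth else "noAuthNoPriv"

def parse_groups(config):
    """Return {group name: level keyword} from the snmp-server group lines."""
    return {m.group(1): m.group(2)
            for m in map(GROUP_RE.match, config.splitlines()) if m}

def parse_users(config):
    """Return one dict per snmp-server user line; passwords are not kept."""
    users = []
    for m in filter(None, map(USER_RE.match, config.splitlines())):
        name, group, auth, priv = m.groups()
        users.append({"name": name, "group": group, "auth": auth,
                      "priv": priv, "level": security_level(auth, priv)})
    return users

def audit(config):
    """Flag groups below priv, users below authPriv and legacy algorithms."""
    groups, findings = parse_groups(config), []
    for name, level in groups.items():
        if level != "priv":
            findings.append(f"group {name}: '{level}' permits unencrypted SNMP")
    for u in parse_users(config):
        if u["level"] != "authPriv":
            findings.append(f"user {u['name']}: only {u['level']}")
        if u["group"] not in groups:
            findings.append(f"user {u['name']}: group {u['group']} not defined")
        for alg in (u["auth"], u["priv"]):
            if alg and alg.split()[0] in LEGACY_ALGS:
                findings.append(f"user {u['name']}: legacy algorithm {alg}")
    return findings
```

Feed it the relevant lines of show running-config; the READUSER and WRITEUSER lines above produce no findings, while the constructed LEGACY/OLDUSER pair produces three.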
One thing you'll notice when you display the running configuration is that the user lines are not shown. To see which SNMPv3 users are configured you have to use the command show snmp user.
R1#show snmp user
User name: READUSER
Engine ID: 800000090300C2000F940000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: MANAGMENT
User name: WRITEUSER
Engine ID: 800000090300C2000F940000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: MANAGMENT
That looks promising: we have now configured SNMPv3, and NMS servers can pull SNMP information from the router or switch. How about configuring the router to push traps in case of a BGP event using SNMPv3? We will use the user READUSER configured previously for that task.
snmp-server host 200.0.0.1 version 3 priv READUSER bgp
Let's verify that:
R1#show snmp host
Notification host: 200.0.0.1 udp-port: 162 type: trap
user: READUSER security model: v3 priv