SNMPv3 Tutorial

Posted in CCIE R&S, CCIE Workbooks, System Management by Petr Lapukhov, 4xCCIE/CCDE on Jul 19

6 Comments

The tutorial presented below is a small excerpt from the System Management section of beta IEWBRS Vol I version 5.

The SNMPv3 protocol introduces a security model, defining new concepts to replace the old community-based pseudo-authentication and to provide communication privacy by means of encryption. The new concepts are: user, group and security level. A group defines the access policy for a set of users. An access policy defines which SNMP objects can be accessed for reading and writing, and which SNMP objects can generate notifications to the members of a group. The policy is defined by associating the respective read, write or notify view with a group. By using a notify view, a group determines the list of notifications its users can receive. A group also defines the security model and security level for its users. Essentially, all groups form a table which maps users to their read/write/notify views and security models.

Note that if a group is defined without a read view, then all objects are available to read. Contrary to that, if no write or notify view is defined, no write access is granted and no objects can send notifications to members of the group. The notify view is usually not configured manually. Rather, it is added automatically by the snmp-server host command when a user in a group is bound to a notification target host. Note that SNMP will use the username configured with snmp-server host, along with the security model specified, to authenticate and possibly encrypt the notifications. If the security model is set to noauth, then a plain username is sent in a manner resembling the old community string.

The following security models exist: SNMPv1, SNMPv2, SNMPv3. The following security levels exist: noAuthNoPriv (no authentication and no encryption; the noauth keyword in the CLI), AuthNoPriv (messages are authenticated but not encrypted; the auth keyword in the CLI), AuthPriv (messages are authenticated and encrypted; the priv keyword in the CLI).
The SNMPv1 and SNMPv2 models only support the noAuthNoPriv level, since they use a plain community string to match incoming packets. SNMPv3 implementations can be configured to use any of the levels on a per-group basis (if noAuthNoPriv is configured, the username serves as a replacement for the community string). All users sharing a group use the same security model; however, the specific settings (password, encryption key) are set per user. Note that SNMPv3 does not send passwords in clear text, but uses hash-based authentication with either the MD5 or SHA1 function (HMAC authentication: the packet content is hashed together with the authentication key to produce the authentication string). For encryption, statically configured keys are used with the DES56 symmetric cipher (which means the same key must be configured on the NMS for the particular user).

Consider the example below. Three groups are created. Groups NORMAL and RESTRICTED are used to control remote user access, and group TRAP is used to send notifications. Note that only a read view is specified for group RESTRICTED, and it is limited to the ifEntry fields for a fixed interface index. The group RESTRICTED has an access-list applied to control which NMS stations its users can connect from. Note that the groups have different security levels. Next, three users are created, one for each group respectively, with their authentication and encryption keys. Finally, SNMP link up and link down notifications are enabled and an SNMP trap destination host is configured. This operation automatically creates and assigns the notify view for the respective group (it will appear in the show command output below).


!
! Access-List to control users in the RESTRICTED group.
!
access-list 99 permit 155.1.146.0 0.0.0.255
!
! Set ifIndexes persistent, for the view definition is based on ifIndexes
!
snmp-server ifindex persist
!
! The first view covers the ISO sub-branch and the second one covers
! all ifEntry fields for the interface with ifIndex 3 (Serial 0/0).
!
snmp-server view NORMAL iso included
snmp-server view RESTRICTED ifEntry.*.3 included
!
! Define three groups. The first one allows reading and writing
! a large portion of the MIB tree. The second one allows reading
! just information specific to the Serial 0/0 interface, and limits user
! access based on an access-list.
!
! The third group is for sending traps. A user belonging to this group
! will be utilized to send trap messages. Its name and password
! will be used to create authentication credentials in a trap message
! and the user's privacy password will be used to encrypt the packet.
! Note that this group has NO notify view defined, which is done
! on purpose. The notify view will be automatically populated when
! notification hosts are configured and bound to users.
!
snmp-server group NORMAL v3 priv read NORMAL write NORMAL
snmp-server group RESTRICTED v3 auth read RESTRICTED access 99
snmp-server group TRAP v3 priv
!
! Users, their passwords and encryption keys are defined now
!
snmp-server user NORMAL NORMAL v3 auth sha CISCO priv des56 CISCO
snmp-server user RESTRICTED RESTRICTED v3 auth sha CISCO
snmp-server user TRAP TRAP v3 auth sha CISCO priv des56 CISCO
!
! Allow sending traps and configure a destination host. Note that when
! a host is configured and bound to an SNMPv3 username, the corresponding
! group notify view is populated based on the traps allowed for this
! particular destination. This is why it is not required to configure
! the notify view for a group.
!
snmp-server enable traps snmp linkup linkdown
snmp-server host 155.1.146.100 traps version 3 priv TRAP
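To make the view and group semantics of the configuration above concrete, here is an added example (written for this page, not the tutorial's or Cisco's code) that models how an agent decides whether an object is visible to a group: a view is a list of subtrees, each included or excluded, a subtree may contain wildcard components (written as `*` in the IOS syntax), the most specific matching subtree wins, a group with no read view reads everything, and a group with no write or notify view writes or notifies nothing. The `NORMAL` and `RESTRICTED` views are the ones from the configuration; the `V1DEFAULT_LIKE` view is constructed to mirror the shape of an include-everything view with an excluded subtree. All function and class names are my own.

```python
from dataclasses import dataclass
from typing import List, Optional

# Symbolic prefixes used by the IOS commands above, resolved to standard numeric OIDs.
SYMBOLS = {
    "iso": "1",
    "internet": "1.3.6.1",
    "ifEntry": "1.3.6.1.2.1.2.2.1",
}


def parse_oid(text: str) -> List[str]:
    """'ifEntry.*.3' -> ['1','3','6','1','2','1','2','2','1','*','3'].
    A leading symbolic name is expanded; '*' stays as a wildcard component."""
    head, _, rest = text.partition(".")
    parts = SYMBOLS.get(head, head).split(".")
    if rest:
        parts += rest.split(".")
    return parts


@dataclass
class ViewEntry:
    subtree: List[str]   # components; '*' matches any single sub-identifier
    included: bool       # the 'included' / 'excluded' keyword of snmp-server view


def subtree_matches(subtree: List[str], oid: List[str]) -> bool:
    """True when oid is equal to or below subtree, honouring wildcards
    (the RFC 3415 view-tree family plus family-mask check)."""
    if len(oid) < len(subtree):
        return False
    return all(s == "*" or s == o for s, o in zip(subtree, oid))


def oid_in_view(view: List[ViewEntry], oid_text: str) -> bool:
    """The longest (most specific) matching subtree decides; an OID that
    matches no subtree is not in the view at all."""
    oid = parse_oid(oid_text)
    best: Optional[ViewEntry] = None
    for entry in view:
        if subtree_matches(entry.subtree, oid):
            if best is None or len(entry.subtree) > len(best.subtree):
                best = entry
    return best is not None and best.included


@dataclass
class Group:
    security_level: str                      # noauth / auth / priv
    read: Optional[List[ViewEntry]] = None   # None = no read view configured
    write: Optional[List[ViewEntry]] = None
    notify: Optional[List[ViewEntry]] = None


def can_read(group: Group, oid: str) -> bool:
    # Tutorial rule: a group without a read view can read every object.
    return True if group.read is None else oid_in_view(group.read, oid)


def can_write(group: Group, oid: str) -> bool:
    # Tutorial rule: a group without a write view cannot write anything.
    return False if group.write is None else oid_in_view(group.write, oid)


def can_notify(group: Group, oid: str) -> bool:
    # Same rule as write: no notify view means no notifications.
    return False if group.notify is None else oid_in_view(group.notify, oid)


# Views from the IOS configuration above, plus one constructed view shaped like an
# include-everything view with the USM MIB (internet.6.3.15) carved out so the
# user table is not readable.
VIEWS = {
    "NORMAL": [ViewEntry(parse_oid("iso"), True)],
    "RESTRICTED": [ViewEntry(parse_oid("ifEntry.*.3"), True)],
    "V1DEFAULT_LIKE": [
        ViewEntry(parse_oid("iso"), True),
        ViewEntry(parse_oid("internet.6.3.15"), False),
    ],
}

GROUPS = {
    "NORMAL": Group("priv", read=VIEWS["NORMAL"], write=VIEWS["NORMAL"]),
    "RESTRICTED": Group("auth", read=VIEWS["RESTRICTED"]),
    "TRAP": Group("priv"),
}

if __name__ == "__main__":
    checks = [
        ("RESTRICTED", "ifEntry.10.3"),        # ifInOctets for ifIndex 3: visible
        ("RESTRICTED", "ifEntry.10.2"),        # same column, ifIndex 2: hidden
        ("RESTRICTED", "1.3.6.1.2.1.1.1.0"),   # sysDescr.0: hidden
        ("NORMAL", "1.3.6.1.2.1.1.1.0"),
        ("TRAP", "1.3.6.1.2.1.1.1.0"),         # no read view: readable, no write view: not writable
    ]
    for name, oid in checks:
        g = GROUPS[name]
        print(f"{name:10} {oid:22} read={can_read(g, oid)} write={can_write(g, oid)}")
```

Running it shows why `RESTRICTED` exposes `ifInOctets.3` but neither `ifInOctets.2` nor `sysDescr.0`, and why `TRAP`, which has no read view at all, can read everything yet cannot write: the decision depends only on which views the group table maps the user to.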

Perform some basic verifications next using the show commands. Note that SNMPv3 users do not appear in the running configuration for security reasons (they are kept in a different management channel), but you can see some information using the show snmp user command. Also, pay attention to the automatic view assigned to the TRAP group.

Rack1R6#show snmp user
User name: TRAP
Engine ID: 80000009030000119221DA80
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: DES
Group-name: TRAP

User name: NORMAL
Engine ID: 80000009030000119221DA80
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: DES
Group-name: NORMAL

User name: RESTRICTED
Engine ID: 80000009030000119221DA80
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: None
Group-name: RESTRICTED

Rack1R6#show snmp group
groupname: ILMI                             security model:v1
readview : *ilmi                            writeview: *ilmi
notifyview:
row status: active

groupname: ILMI                             security model:v2c
readview : *ilmi                            writeview: *ilmi
notifyview:
row status: active

groupname: TRAP                             security model:v3 noauth
readview :                                  writeview:
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
row status: active

groupname: TRAP                             security model:v3 priv
readview : v1default                        writeview:
notifyview:
row status: active

groupname: NORMAL                           security model:v3 priv
readview : NORMAL                           writeview: NORMAL
notifyview:
row status: active

groupname: RESTRICTED                       security model:v3 auth
readview : RESTRICTED                       writeview:
notifyview:
row status: active       access-list: 99

Rack1R6#show snmp view
*ilmi system - included permanent active
*ilmi atmForumUni - included permanent active
NORMAL iso - included nonvolatile active
v1default iso - included permanent active
v1default internet.6.3.15 - excluded permanent active
v1default internet.6.3.16 - excluded permanent active
v1default internet.6.3.18 - excluded permanent active
v1default ciscoMgmt.394 - excluded permanent active
v1default ciscoMgmt.395 - excluded permanent active
v1default ciscoMgmt.399 - excluded permanent active
v1default ciscoMgmt.400 - excluded permanent active
RESTRICTED ifEntry.0.3 FF:EF included nonvolatile active
*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF0F iso.2.840.10036 - included volatile active
*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF0F internet - included volatile active
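The Engine ID printed by show snmp user is not decoration: under the SNMPv3 User-based Security Model (RFC 3414) the password configured with snmp-server user is first hashed into a key and then localized to that engine ID, so the same password yields a different key on every agent, the key itself is never transmitted, and each message carries only a 12-byte HMAC computed over its content. The following is an added example (mine, not the tutorial's or IOS's code) that performs that derivation with the SHA and MD5 algorithms the tutorial mentions, using the engine ID and the CISCO password from this page; the message bytes and the second engine ID are constructed for the demonstration, and the function names are my own.

```python
import hashlib
import hmac

# IOS keyword -> hashlib name for the two authentication protocols the tutorial names.
HASH_NAME = {"sha": "sha1", "md5": "md5"}

# Engine ID and password taken from the configuration and 'show snmp user' output above.
ENGINE_ID_HEX = "80000009030000119221DA80"
PASSWORD = "CISCO"


def password_to_key(password: str, algo: str = "sha") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated out to 1,048,576 bytes).
    The deliberate expansion makes offline guessing of weak passwords slower."""
    pw = password.encode()
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(HASH_NAME[algo], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). Binding the key to the
    engine ID means a key localized for one agent is useless against another."""
    return hashlib.new(HASH_NAME[algo], ku + engine_id + ku).digest()


def auth_key_for(password: str, engine_id_hex: str, algo: str = "sha") -> bytes:
    """Password -> Ku -> Kul for the given engine, as the agent and NMS both do."""
    return localize_key(password_to_key(password, algo), bytes.fromhex(engine_id_hex), algo)


def authentication_parameters(kul: bytes, message: bytes, algo: str = "sha") -> bytes:
    """HMAC-SHA-96 / HMAC-MD5-96: full HMAC over the whole message, truncated to
    12 bytes; this is the value carried in msgAuthenticationParameters."""
    return hmac.new(kul, message, HASH_NAME[algo]).digest()[:12]


def verify_message(kul: bytes, message: bytes, received_params: bytes, algo: str = "sha") -> bool:
    """Receiver side: recompute over the message (USM zeroes the parameters field
    before hashing on both sides) and compare in constant time."""
    expected = authentication_parameters(kul, message, algo)
    return hmac.compare_digest(expected, received_params)


if __name__ == "__main__":
    kul = auth_key_for(PASSWORD, ENGINE_ID_HEX, "sha")
    # Constructed stand-in for a serialized SNMPv3 message; real ones are BER-encoded.
    msg = b"constructed-snmpv3-message-with-zeroed-auth-params"
    params = authentication_parameters(kul, msg)
    print("localized SHA key     :", kul.hex())
    print("auth params           :", params.hex(), "valid:", verify_message(kul, msg, params))
    tampered = msg[:-1] + b"!"
    print("tampered message valid:", verify_message(kul, tampered, params))
    # Constructed second engine ID: same password, different agent, different key.
    other = auth_key_for(PASSWORD, "800000090300AABBCCDDEEFF", "sha")
    print("same key on other engine:", other == kul)
```

Two points follow directly from the code. First, because Kul depends on the engine ID, configuring the user before the engine ID is final (or changing the engine ID later) silently invalidates every key, which is why IOS keeps users out of the running configuration and re-derives them from the stored engine ID. Second, the receiver verifies by recomputing the HMAC over the whole message, so any modification in transit fails the check, and with a noauth group nothing but the bare username is sent, exactly as the tutorial warns.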

Tags: authentication, community, iewb, notify, privacy, sample, snmp, v5, view
About Petr Lapukhov, 4xCCIE/CCDE:
Petr Lapukhov's career in IT began in 1988 with a focus on computer programming, and progressed into networking with his first exposure to Novell NetWare in 1991. Initially involved with Kazan State University's campus network support and UNIX system administration, he went through the path of becoming a networking consultant, taking part in many network deployment projects. Petr currently has over 12 years of experience working in the Cisco networking field, and is the only person in the world to have obtained four CCIEs in under two years, passing each on his first attempt. Petr is an exceptional case in that he has been working with all of the technologies covered in his four CCIE tracks (R&S, Security, SP, and Voice) on a daily basis for many years. When not actively teaching classes, developing self-paced products, studying for the CCDE Practical & the CCIE Storage Lab Exam, and completing his PhD in Applied Mathematics.


6 Responses to SNMPv3 Tutorial


July 27, 2008 at 10:12 am

Karsten
A very good introduction. But you should mention that newer IOS versions also support a stronger encryption than the old DES.

August 26, 2009 at 5:49 pm

Frans Indo
Dear Petr and friends, I am a little bit confused. 1. Why must we use snmp-server ifindex persist? Must we use this command when SNMPv3 is to be used? 2. About snmp-server view RESTRICTED ifEntry.*.3 included, how to determine that S0/0 has an index of 3 instead of 1 or 2? Let's say there are 3 interfaces such as f0/0, s0/0, g0/0. How to know the index of each interface? Thanks and looking forward to your kind advice. Cheers.

October 2, 2009 at 11:12 pm

dan
1. snmp-server ifindex persist is not a part of SNMPv3. That is an IOS enhancement for ifIndex persistence. 2. It depends on ifIndex assignment. ifIndex and interface name (ifName) can be found in ifTable. If ifIndex persistence is enabled, I guess there exists a text file to show the mapping between ifIndex and ifName or ifDesc.

November 1, 2009 at 2:24 am

sovanvichet
Dear all, about snmp-server view RESTRICTED ifEntry.*.3 included, how to determine that S0/0 has an index of 3 instead of 1 or 2? Let's say there are 3 interfaces such as f0/0, s0/0, g0/0. How to know the index of each interface? show snmp mib if if detail will tell you the index of the interface.

October 21, 2010 at 12:40 am

Alex
Thanks a lot for this post. It was very helpful for me. I read a lot of docs but I didn't understand how to configure SNMPv3. Here I found all that I need to accomplish my task.

February 5, 2011 at 8:08 pm

Skye Greif
Exceptional tutorial! It saved me a hell of a lot of time. Honestly, thank you.

