Join Greg Sowell for an in-depth discussion in this video SNMP and NTP basics and configuration, part of Cisco ICND2 Cert Prep: Infrastructure Maintenance.
- [Greg] Collecting network statistics long term can be one of the most important troubleshooting steps an admin takes. The majority of this is done via the Simple Network Management Protocol. SNMP is a system to request information from a device, but it can also allow control options. An SNMP Get will make an informational request, whereas a Set command will change information or trigger an action on a device. SNMP Traps are unsolicited messages which are sent based on device triggers.
Security for SNMP is something of a mixed bag, however. SNMP versions 1 and 2c both utilize a password known as a community; this password is also completely plain-text, so interception can be a problem. To further help infrastructures, SNMP communities can be set as read-only or can be granted read/write permissions. Not only can read/write options be set, but access lists can also be utilized to limit what subnets can use SNMP.
Here's an example of community strings configured using read and write options as well as access lists. Here I've employed read-only on the first, with read/write on the second. I've also specified the ACL as number 10. These features only offer so much protection, as SNMP utilizes UDP for transmission, which means spoofed UDP packets could be used to access Set commands. Granted, it would take a lot of work to, one, gain the required information, and two, be able to spoof traffic inside the network.
SNMP version 3 overcomes previous limitations to offer the ability to secure communications. It comes in three flavors: noAuthNoPriv uses only a username for authentication and provides no encryption. AuthNoPriv performs user authentication via a hash message authentication code, with MD5 or SHA-1, though it still provides no encryption of messages. AuthPriv not only does user authentication, but also encrypts transmissions via DES, 3DES or AES.
I've cleared the screen to keep this next command a little bit simpler, as it's a very long one. We're now going to attach a user to this group: SNMP, server, user, TestUser. Now we're going to attach the group, TestGroup, version 3. Authentication we're gonna do MD5; I'm gonna create a password now, TestPass. Privilege, and we'll set it as des56.
Another password. Now I'm gonna attach an access list for this user, and we'll set it as 10. Alright, after clearing the screen again, let's do some verification. We can verify SNMP groups with show SNMP group. Here you can see our test group that we created. Moving on, we can also show our users with show SNMP user. Take note that when showing the user, it shows the authentication protocol, privacy protocol and the group it's attached to, as well as the active access list.
Network Time Protocol, or NTP, is a system that synchronizes clocks on network gear. This, in conjunction with the time zone settings on routers, makes for very accurate timekeeping. NTP employs a concept of master and client. The client synchronizes its clock with the master. NTP version 4 adds support for IPv6 and is backwards compatible with version 3. NTP utilizes stratums in the form of a number from one to 15 to indicate how trusted an NTP source is.
With lower being better, think of stratum as a hop count. If device A has a stratum of one, and device B uses A as its NTP source, then B's stratum is now two. NTP can be protected by adding authentication between the NTP server and NTP clients. Alright, before I begin configuration, I'm gonna show the clock to see that they're different. I'll do show clock on both routers.
I'm gonna do it very quickly on the two so I can show that there's a difference. Alright, router one we've got 20:31, router two 20:35, so there's a four-minute difference. I'm gonna go ahead and clear the screen on both. Master authentication configuration begins with the NTP authentication-key command.
I'm gonna give it a key ID of one, MD5 is the hash, and I'll make the key GregSowell. Next I'm gonna instruct the NTP services to use authentication with the NTP authenticate command. Next I'm gonna use the NTP trusted command to specify which key to use: NTP trusted-key and then key ID of one. If the server's going to be using its own clock as the time source for NTP requests, the NTP master and then stratum command should be used.
I'll make it stratum three, and this completes the master configuration. On the client side, the same NTP authentication key information is entered. We'll enter configuration mode: authentication-key, key of one, MD5, GregSowell. Just as configured on the server, I'll use the NTP authenticate command. Now I'll associate the trusted key with the NTP service.
NTP trusted-key, and key ID of one. The client differs at the very last command, and this is where I specify who the server is: NTP server, IP address 192.168.0.1, key, and then the key ID of one. I'm gonna go ahead and clear the screen before verification. NTP verification is done via the show NTP status command.
Here we can see that the clock is synchronized, our new stratum (the master was three, hence we learn from him, so we're stratum four) and the referenced server IP address. Let me clear the screen again. We can also issue the show NTP associations detail command. As you can see, this spits out a lot more information. I use SNMP and the results of NTP on a daily basis; without them I couldn't perform my job, and it's likely you will learn to rely on them too.
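The SNMP and NTP commands narrated in the video, written out as a Cisco IOS configuration so the weak SNMPv2c community setup can be compared side by side with the SNMPv3 authPriv user and the authenticated NTP master/client pair. This is an added example, not the course's own material: TestUser, TestGroup, TestPass, key 1 with GregSowell, stratum 3 and the server 192.168.0.1 come from the video, while the community strings, the privacy password, the contents of ACL 10 and the 192.168.0.0/24 management subnet are assumptions.

```cisco
! Added example (not from the course). Values marked PLACEHOLDER and the
! ACL contents are assumed; the rest follows the commands narrated above.
!
! --- ACL 10: only the assumed management subnet may use SNMP (implicit deny any)
access-list 10 permit 192.168.0.0 0.0.0.255
!
! --- SNMPv1/v2c: the community string is the only credential and crosses the
!     wire in clear text, so the ACL is the main line of defence here
snmp-server community RO_COMMUNITY_PLACEHOLDER RO 10
snmp-server community RW_COMMUNITY_PLACEHOLDER RW 10
!
! --- SNMPv3 authPriv: HMAC authentication plus encrypted payloads, still
!     restricted by ACL 10. The group must exist before the user is attached,
!     and "priv" on the group requires authPriv users.
snmp-server group TestGroup v3 priv access 10
! As narrated: MD5 authentication, DES privacy (older images spell the
! privacy keyword "des56"; newer ones use "priv des"). Current images also
! accept "auth sha" and "priv aes 128", which are the stronger choices.
snmp-server user TestUser TestGroup v3 auth md5 TestPass priv des56 PRIV_PASS_PLACEHOLDER access 10
!
! --- NTP master (router one): serves its own clock at stratum 3
ntp authentication-key 1 md5 GregSowell
ntp authenticate
ntp trusted-key 1
ntp master 3
!
! --- NTP client (router two): identical key material, then point at the
!     master and tell NTP which key ID to sign requests with
ntp authentication-key 1 md5 GregSowell
ntp authenticate
ntp trusted-key 1
ntp server 192.168.0.1 key 1
!
! Note: the NTP key appears in the running configuration; enable
! "service password-encryption" so it is at least stored obfuscated.
!
! --- Verification from privileged EXEC (the commands shown in the video)
! show snmp group
! show snmp user
! show ntp status
! show ntp associations detail
```

With both routers configured, show ntp status on the client should report synchronized at stratum 4 with 192.168.0.1 as the reference; if it stays unsynchronized, a mismatched key string or a missing ntp trusted-key is the usual cause.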