Cisco Talk

A lot of companies use SNMP to monitor their devices. If your devices and software support it, it’s best to use SNMPv3 because of it’s authentication and encryption capabilities. With traditional SNMP, your community string is transmitted in plain text. This would allow an attacker to sniff your traffic, retrive your string and be able to query your devices for information.

Configuring SNMPv3 is a snap! I recommend using a password generator to generate your SNMPv3 usernames and passwords. The website I use is http://www.testyourpassword.com/. I then use http://www.passwordmeter.com/ to check the strengh because it provides you with a report of complexity. I would alter the password until you receive 100% score with all expectional in the additions section and 0 deductions. Although it’s a good idea to generate a complex username and password for each device, your network management software may not allow you to configure creditionals for each one in which case, you’ll have to make do with only one.

Now, the first thing to do is remove snmp from your current config. I can’t show you how to do this because its specific to each device because of configuration diferences. It doesn’t do any good to configure SNMPv3 and leave SNMPv1 or SNMPv2c running also.

Once you have disabled SNMPv1 and SNMPv2c, you must create a SNMPV3 group. You can do this with the following command:

     Router(config)# snmp-server group AUTHPRIV v3 priv

AUTHPRIV is the name of the group and can be anything you want to use. By stating “priv” we are telling the router we want to authentication AND encryption. There are other modes but this article will not go into them.

Once you have created the group, we need to create users. To do this, type:

     Router(config)# snmp-server user SNMPV3 AUTHPRIV v3 auth md5 <username> priv des56 <password>

This command makes a user named “SNMPV3″ in the group “AUTHPRIV” using md5 for authentication and uses DES 56-BIT encryption for the packets.

That’s it!

This article breifly discuess SNMPv3 and its capabilities. If you NEED to use SNMPv1 or SNMPv2c, I recommend not using SNMP RW strings, using different complex strings (if possible, No Private or Public strings), and using ACL’s to prevent unauthorized access.

The configuration show is a basic configuration. There are many more options that can be used. For more information see: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf014.html#wp1001086

A great way to logically organize your ports is define interface macros. For example, assume that you use ports 30-48 for your servers. These servers should have their switch ports configured alike. You could define a macro to group these logically. When you do this, you are allowed to call the interface range command with a name.

Here’s how it works:

define interface-range macro-name type module/number [, type module/number ...] [type module/first-number - last-number]  [...]

Although this command looks daunting at first, it’s not.

In our case, we would simply use:

     switch(config)# define interface-range SERVERS FastEthernet0/30 - 48

Although this example only has one range, you could add a comma at the end and note another range. We are now allowed to use the name SERVERS as an interface range. This shown below.

     switch(config)# interface range macro SERVERS

     switch(config-if-range)#

As you can see, when configuring a large number of ports, this command can be very useful. I personally think it’s a good way to label ports. In the future you could see these definitions in your configuration.

Hello and welcome to Cisco Talk!

I’ve been looking for a blog that is update regularly and could provide me with great tips on using Cisco devices. I also wanted a place that I could ask questions and have answers from other people that were interested in getting Cisco certified. At first glance, obtaining a Cisco certification can be pretty overwhelming. I think with a good support group and great study habits, anyone can do it!

I currently have my CCNA and I’m studying for my CCNP. I’ve finished my readings for BCMSN and continuing starting to do lab work. My lab consists of 3 - 2621 w/ 2FXS-2FXO WICS, 1 Catalyst 3550, and 2 Catalyst 2950’s. I don’t know how much larger my lab will grow, but I plan to add more!

Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!