Configuring SNMP Security

16 Mar

There is no single command that enables SNMP. To configure SNMP support, perform the tasks described in the following steps; only the first two steps are mandatory:

1. Enable the SNMP community string, which defines the relationship between the network management station and the agent, with the following command:
snmp-server community <string> {ro|rw} [number]
The number value references an optional access-list.

2. Use this command to configure the router to send traps to an NMS host:
snmp-server host <host> [version {1|2c}] <community string> <notification type>

3. Configure the type of traps for which a notification is sent to the NMS. You do so with the following command:
snmp-server enable traps [notification type] [notification option]

4. Set the system contact, location, and serial number. You set the system contact with the snmp-server contact [text] command, the location with the snmp-server location [text] command, and the serial number with the snmp-server chassis-id [text] command.

5. Use the access-list command to specify the hosts that are allowed read-only, read/write, or write-only access to the router.

Figure 1.2 shows Router A, which is configured to allow SNMP read-only access and read/write access from two separate hosts. Router A is also configured to send SNMP trap information to the same two hosts. The following lines show how Router A should be configured so that SNMP access from both host 192.168.40.1 and host 192.168.40.2 is allowed and SNMP trap information is sent to both hosts:

access-list 12 permit 192.168.40.1
access-list 13 permit 192.168.40.2
snmp-server contact Harris
snmp-server location Network Engineering
snmp-server chassis-id 100000333
snmp-server community observe RO 12
snmp-server community adjust RW 13
snmp-server host 192.168.40.1 observe snmp
snmp-server host 192.168.40.2 adjust snmp

Figure 1.2: Router A configured for SNMP.
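To check the points in steps 1, 2 and 5 automatically, here is an added Python example (not from the page or from Cisco) that audits the SNMP lines of an IOS configuration: it flags community strings that carry no access-list, well-known default community strings, references to access-lists that are never defined, and trap hosts whose community string is not defined. The ROUTER_A lines are the page's own Router A configuration; the WEAK sample is constructed to show what the checks report.

```python
# Constructed sample inputs: Router A's SNMP lines from the page, plus a weak
# variant (assumed, not from the page) that exercises each check.
ROUTER_A = """\
access-list 12 permit 192.168.40.1
access-list 13 permit 192.168.40.2
snmp-server community observe RO 12
snmp-server community adjust RW 13
snmp-server host 192.168.40.1 observe snmp
snmp-server host 192.168.40.2 adjust snmp
"""
WEAK = """\
snmp-server community public RO
snmp-server community private RW
snmp-server host 192.168.40.1 version 2c monitor snmp
"""
WELL_KNOWN = {"public", "private"}

def audit_snmp(config):
    """Return findings for the SNMP community, access-list and trap-host lines."""
    acls, communities, trap_hosts, findings = set(), {}, [], []
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and len(w) > 1:
            acls.add(w[1])
        elif w[:2] == ["snmp-server", "community"] and len(w) > 2:
            mode = w[3].lower() if len(w) > 3 else "ro"   # IOS defaults to RO
            communities[w[2]] = (mode, w[4] if len(w) > 4 else None)
        elif w[:2] == ["snmp-server", "host"] and len(w) > 3:
            rest = w[3:]
            if rest[0] == "version":      # skip the optional "version {1|2c}"
                rest = rest[2:]
            trap_hosts.append((w[2], rest[0]))
    for name, (mode, acl) in communities.items():
        if name.lower() in WELL_KNOWN:
            findings.append(f"community '{name}' is a well-known default string")
        if acl is None:
            findings.append(f"{mode.upper()} community '{name}' has no access-list")
        elif acl not in acls:
            findings.append(f"community '{name}' references undefined access-list {acl}")
    for host, comm in trap_hosts:
        if comm not in communities:
            findings.append(f"trap host {host} uses undefined community '{comm}'")
    return findings
```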
Configuring RIP Authentication
There are two versions of Routing Information Protocol (RIP): version 1 and version 2. RIP version 1 does not support authentication of routing updates; RIP version 2 supports both plain text and MD5 authentication. Figure 1.3 shows two routers, Router A and Router B, that exchange RIP version 2 updates authenticated with MD5.

Figure 1.3: Router A and Router B configured for RIP authentication.

Configuring authentication of RIP version 2 updates is fairly easy and very uniform. The basic configuration includes the following steps:

1. Define the key chain using the command key-chain <name> in global configuration mode. This command transfers you to key chain configuration mode.

2. Specify the key number with the key <number> command in key chain configuration mode. You can configure multiple keys.

3. For each key, identify the key string with the key-string <string> command.

4. Configure the period for which the key can be sent and received. Use the following commands:

accept-lifetime <starttime> {infinite|end-time|duration seconds}
send-lifetime <starttime> {infinite|end-time|duration seconds}

5. Exit key chain configuration mode with the exit command.

6. Under interface configuration mode, enable the authentication of RIP updates with this command:

ip rip authentication key-chain <key chain name>

This command is all that is needed to use plain text authentication.

7. Optionally, under interface configuration mode, enable MD5 authentication of RIP updates using the ip rip authentication mode md5 command.

The listings that follow show how Router A and Router B in Figure 1.3 should be configured to authenticate updates from one another using RIP MD5 authentication. Listing 1.1 shows the configuration of Router A, and Listing 1.2 shows the configuration of Router B.

Listing 1.1: Router A’s configuration with MD5 authentication.

key chain systems
key 1
key-string router
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip rip authentication mode md5
ip rip authentication key-chain systems
clockrate 64000
!
router rip
version 2
network 10.0.0.0
network 192.168.10.0
no auto-summary

Listing 1.2: Router B’s configuration with MD5 authentication.

key chain cisco
key 1
key-string router
!
interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip rip authentication mode md5
ip rip authentication key-chain cisco
!
router rip
version 2
network 10.0.0.0
network 192.168.10.0
no auto-summary

The configuration in Listing 1.1 displays Router A's MD5 configuration. Router A is configured with a key chain value of systems, a key value of 1, and a key-string value of router. Listing 1.2 displays Router B's MD5 configuration. Router B is configured with a key chain value of cisco, a key value of 1, and a key-string value of router.

Note: Notice that the key-chain <name> command of each router can have a different value; however, the key-string <string> command must match for each key <number> that is configured on each neighbor.
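The following added Python example (not from the page) checks the condition in the note across two neighbor configurations: it parses each router's key chains and the RIP authentication settings of its interfaces, then verifies that the link interface uses MD5 on both sides and that every key number carries the same key string, whatever the chain names are. The samples are trimmed from Listings 1.1 and 1.2; it assumes, as on the page, that both routers name the link Serial0/0.

```python
# Constructed samples trimmed from Listings 1.1 and 1.2 (IOS indents sub-commands).
ROUTER_A = """\
key chain systems
 key 1
  key-string router
interface Serial0/0
 ip rip authentication mode md5
 ip rip authentication key-chain systems
"""
ROUTER_B = ROUTER_A.replace("systems", "cisco")  # differs only in chain name, as on the page

def parse_rip_auth(config):
    """Return ({chain: {key number: key string}}, {interface: {"mode", "chain"}})."""
    chains, ifaces = {}, {}
    chain = key = iface = None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[:2] == ["key", "chain"]:            # enters key chain configuration mode
            chain, iface = w[2], None
            chains.setdefault(chain, {})
        elif w[0] == "key" and chain:            # key <number>
            key = int(w[1])
        elif w[0] == "key-string" and chain:     # key-string <string>
            chains[chain][key] = " ".join(w[1:])
        elif w[0] == "interface":
            iface, chain = w[1], None
            ifaces[iface] = {"mode": "text", "chain": None}  # plain text unless mode md5
        elif w[:3] == ["ip", "rip", "authentication"] and iface:
            ifaces[iface]["mode" if w[3] == "mode" else "chain"] = w[4]
    return chains, ifaces

def check_neighbors(cfg_a, cfg_b, iface):
    """Findings for two RIP neighbors that share the link interface `iface`."""
    findings, sides = [], []
    for label, cfg in (("A", cfg_a), ("B", cfg_b)):
        chains, ifaces = parse_rip_auth(cfg)
        i = ifaces.get(iface, {"mode": "text", "chain": None})
        if i["chain"] is None:
            findings.append(f"{label}: {iface} has no RIP authentication key-chain")
        elif i["mode"] != "md5":
            findings.append(f"{label}: {iface} uses plain text authentication")
        sides.append(chains.get(i["chain"], {}))
    keys_a, keys_b = sides
    for num in sorted(set(keys_a) | set(keys_b)):   # chain names may differ; strings must match
        if keys_a.get(num) != keys_b.get(num):
            findings.append(f"key {num} differs or is missing on one side")
    return findings
```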

You can use the debug ip rip command to examine how RIP receives the MD5-authenticated routing updates. Entering this command on Router A and Router B displays the output shown in Listing 1.3 and Listing 1.4, respectively.

Listing 1.3: The output of the command debug ip rip displays how Router A receives RIP routing updates from Router B.

Router-A#debug ip rip
RIP protocol debugging is on
Router-A#
RIP: received packet with MD5 authentication
RIP: received v2 update from 192.168.10.2 on Serial0/0
10.10.12.0/24 -> 0.0.0.0 in 1 hops
10.10.13.0/24 -> 0.0.0.0 in 1 hops

Listing 1.4: The output of the command debug ip rip displays how Router B receives RIP routing updates from Router A.

Router-B#debug ip rip
RIP protocol debugging is on
Router-B#
RIP: received packet with MD5 authentication
RIP: received v2 update from 192.168.10.1 on Serial0/0
10.10.10.0/24 via 0.0.0.0 in 1 hops
10.10.11.0/24 via 0.0.0.0 in 1 hops
