# CCNA 200-301 - Video 47: NTP and SNMP (Advanced)

## Deep Study Notes

---

## Learning Objectives

By the end of this video, you should understand:

- NTP (Network Time Protocol) advanced features
- NTP authentication and security
- NTP server/client configuration
- SNMP (Simple Network Management Protocol) advanced features
- SNMP versions and security (v1, v2c, v3)
- SNMP MIBs and OIDs
- SNMP traps and informs
- SNMP configuration and verification

---

## Core Concepts - NTP

### 1. NTP Review and Advanced Features

**NTP Hierarchy Recap:**

| Stratum | Description |
|---------|-------------|
| **Stratum 0** | Reference clock (atomic clock, GPS) - not on network |
| **Stratum 1** | Directly connected to stratum 0 (primary time server) |
| **Stratum 2** | Synchronizes from stratum 1 |
| **Stratum 3-15** | Synchronizes from higher stratum |
| **Stratum 16** | Unsynchronized (invalid) |

```
NTP HIERARCHY (STRATUM)

                  ┌─────────────────┐
                  │    Stratum 0    │
                  │  Atomic Clock   │
                  │       GPS       │
                  └────────┬────────┘
                           │
                  ┌────────▼────────┐
                  │    Stratum 1    │
                  │   Public NTP    │
                  │ (pool.ntp.org)  │
                  └────────┬────────┘
                           │
        ┌──────────────────┼──────────────────┐
        ▼                  ▼                  ▼
 ┌─────────────┐    ┌─────────────┐    ┌─────────────┐
 │  Stratum 2  │    │  Stratum 2  │    │  Stratum 2  │
 │  Corp NTP   │    │  Corp NTP   │    │  Corp NTP   │
 │  Server A   │    │  Server B   │    │  Server C   │
 └──────┬──────┘    └──────┬──────┘    └──────┬──────┘
        └──────────────────┼──────────────────┘
                           ▼
                    ┌─────────────┐
                    │  Stratum 3  │
                    │  Routers    │
                    │  Switches   │
                    └─────────────┘
```

---

### 2. NTP Authentication

**Purpose:** Prevent unauthorized or malicious time updates by authenticating NTP packets.

```
NTP AUTHENTICATION

NTP Authentication Process:

  NTP Client                                   NTP Server
      │                                            │
      │  1. NTP Request (with authentication)      │
      │ ─────────────────────────────────────────► │
      │                                            │
      │                  2. Verify authentication  │
      │                     (match key, algorithm) │
      │                                            │
      │  3. NTP Response (with authentication)     │
      │ ◄───────────────────────────────────────── │
      │                                            │
      │  4. Verify authentication                  │
      │     (match key, algorithm)                 │
      │                                            │

Authentication Methods:
  • MD5: Most common, uses shared secret key
  • SHA-1: More secure than MD5
  • Autokey: Public-key cryptography (deprecated)
```

**NTP Authentication Configuration:**

```cisco
! Configure NTP authentication
Router(config)# ntp authenticate
Router(config)# ntp authentication-key 1 md5 SecureNTPKey123
Router(config)# ntp trusted-key 1
Router(config)# ntp server 192.168.1.100 key 1

! Verify authentication
Router# show ntp status
Router# show ntp associations
```

---

### 3. NTP Access Control

**NTP Access Groups:**

| Access Level | Description |
|--------------|-------------|
| **peer** | Full access (can synchronize and query) |
| **serve** | Can provide time but not synchronize |
| **serve-only** | Can only provide time (no synchronization) |
| **query-only** | Can only query (no time sync) |

```cisco
! Configure NTP access control
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any

! Allow peers from 192.168.1.0/24
Router(config)# ntp access-group peer 10

! Allow serve-only from specific subnet
Router(config)# access-list 20 permit 10.1.1.0 0.0.0.255
Router(config)# ntp access-group serve-only 20
```

---

### 4. NTP as Master (Stratum)

```cisco
! Configure router as NTP master (stratum 3)
Router(config)# ntp master 3

! Configure with external reference
Router(config)# ntp server 0.pool.ntp.org prefer
Router(config)# ntp master 4
```

---

### 5. NTP Verification Commands

| Command | Purpose |
|---------|---------|
| `show ntp status` | Display NTP synchronization status |
| `show ntp associations` | Display NTP peers and servers |
| `show ntp associations detail` | Detailed NTP association info |
| `show ntp statistics` | Display NTP statistics |
| `debug ntp all` | Debug NTP (use cautiously) |
| `debug ntp authentication` | Debug NTP authentication |

**Example Outputs:**

```cisco
Router# show ntp status
Clock is synchronized, stratum 3, reference is 192.168.1.100
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
reference time is E6C3D9A5.8C9E8C34 (10:30:45.123 EST Mar 21 2024)
clock offset is 0.1234 msec, root delay is 0.05 msec
root dispersion is 0.02 msec, peer dispersion is 0.01 msec
loopfilter state is 'CTRL' (Normal), drift is 0.000000000 s/s

Router# show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.1.100   127.127.1.1      2     34     64   377  0.456  -0.123  0.125
+~192.168.1.101   192.168.1.100    3     45     64   377  0.789   0.456  0.234
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
```

---

## Core Concepts - SNMP

### 6. SNMP Review and Advanced Features

**SNMP Components Recap:**

| Component | Description |
|-----------|-------------|
| **SNMP Manager** | Central management system (e.g., SolarWinds, PRTG, Cisco Prime) |
| **SNMP Agent** | Software on managed device that responds to queries |
| **MIB (Management Information Base)** | Database of managed objects |
| **OID (Object Identifier)** | Unique identifier for each managed object |

```
SNMP ARCHITECTURE

          SNMP Manager (NMS - Network Management)
            • Polls devices for statistics
            • Receives traps/informs
            • Displays network status
                          │
                          │  SNMP (UDP 161 - Polling)
                          │  SNMP (UDP 162 - Traps)
                          ▼
                     SNMP Agents
   ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐
   │  Router  │  │  Switch  │  │ Firewall │  │  Server  │
   │  Agent   │  │  Agent   │  │  Agent   │  │  Agent   │
   │   MIB    │  │   MIB    │  │   MIB    │  │   MIB    │
   └──────────┘  └──────────┘  └──────────┘  └──────────┘
```

---

### 7. SNMP Versions Comparison

| Feature | SNMPv1 | SNMPv2c | SNMPv3 |
|---------|--------|---------|--------|
| **Security** | Community strings (clear text) | Community strings (clear text) | Authentication + Encryption |
| **Authentication** | None | None | MD5, SHA |
| **Encryption** | None | None | DES, AES |
| **Bulk Operations** | No | Yes (GETBULK) | Yes |
| **Error Handling** | Basic | Enhanced | Enhanced |
| **Use Case** | Legacy | Basic monitoring | Secure monitoring |

```
SNMP SECURITY COMPARISON

SNMPv1 / SNMPv2c:

  Packet: [Community: public] [Command] [Data]

  • Community string sent in clear text
  • No encryption
  • No authentication
  • Vulnerable to sniffing

SNMPv3:

  Packet: [Auth Header] [Encrypted Payload]

  • Authentication (MD5, SHA)
  • Encryption (DES, AES)
  • User-based security
  • Message integrity
  • Anti-replay protection
```

---

### 8. SNMPv3 Security Models

| Security Level | Authentication | Encryption | Description |
|----------------|----------------|------------|-------------|
| **noAuthNoPriv** | No | No | No security |
| **authNoPriv** | Yes (MD5/SHA) | No | Authentication only |
| **authPriv** | Yes (MD5/SHA) | Yes (DES/AES) | Full security |

**SNMPv3 Security Models:**

```
SNMPv3 SECURITY MODELS

noAuthNoPriv:
  • No authentication
  • No encryption
  • Like SNMPv2c but with user names

authNoPriv:
  • Authentication: MD5 or SHA
  • No encryption
  • Packet integrity verified
  • Data still in clear text

authPriv:
  • Authentication: MD5 or SHA
  • Encryption: DES or AES
  • Full security
  • Recommended for production
```

---

### 9. SNMPv3 Configuration

```cisco
! Configure SNMPv3 group
Router(config)# snmp-server group SNMP-GROUP v3 priv

! Configure SNMPv3 user
Router(config)# snmp-server user snmpuser SNMP-GROUP v3
Router(config)# snmp-server user snmpuser SNMP-GROUP v3 auth sha AuthPassword123
Router(config)# snmp-server user snmpuser SNMP-GROUP v3 auth sha AuthPassword123 priv aes 128 EncryptPassword123

! Configure SNMP location and contact
Router(config)# snmp-server location "Data Center - Rack A1"
Router(config)# snmp-server contact "Network Team - noc@example.com"

! Configure SNMP traps
Router(config)# snmp-server enable traps
Router(config)# snmp-server host 192.168.1.100 version 3 priv snmpuser

! Configure SNMP view (restrict MIB access)
Router(config)# snmp-server view RESTRICTED-VIEW iso included
Router(config)# snmp-server view RESTRICTED-VIEW system excluded
Router(config)# snmp-server group SNMP-GROUP v3 priv read RESTRICTED-VIEW
```

---

### 10. SNMP Traps vs. Informs

| Feature | Traps | Informs |
|---------|-------|---------|
| **Reliability** | Unreliable (UDP) | Reliable (UDP + ACK) |
| **Acknowledgment** | No | Yes (SNMP response) |
| **Retransmission** | No | Yes |
| **Bandwidth** | Lower | Higher (due to ACKs) |
| **Use Case** | Non-critical events | Critical events |

```
TRAPS vs. INFORMS

TRAPS (Unreliable):

    Device                                  NMS
  ┌─────────┐        Trap (UDP)         ┌─────────┐
  │  Agent  │ ────────────────────────► │ Manager │
  └─────────┘    (No acknowledgment)    └─────────┘

  • No confirmation
  • May be lost if network congested
  • Lower overhead

INFORMS (Reliable):

    Device                                  NMS
  ┌─────────┐       Inform (UDP)        ┌─────────┐
  │  Agent  │ ────────────────────────► │ Manager │
  │         │    SNMP Response (ACK)    │         │
  │         │ ◄──────────────────────── │         │
  └─────────┘                           └─────────┘

  • Acknowledgment required
  • Retransmitted if no ACK
  • More reliable
  • Higher overhead
```

---

### 11. SNMP MIB and OID

**MIB Tree Structure:**

```
SNMP MIB TREE

iso (1)
└── org (3)
    └── dod (6)
        └── internet (1)
            ├── directory (1)
            ├── mgmt (2)
            │   └── mib-2 (1)
            │       ├── system (1)
            │       │   ├── sysDescr (1)
            │       │   ├── sysObjectID (2)
            │       │   ├── sysUpTime (3)
            │       │   └── sysContact (4)
            │       ├── interfaces (2)
            │       ├── ip (4)
            │       └── icmp (5)
            ├── experimental (3)
            └── private (4)
                └── enterprises (1)
                    └── cisco (9)
                        └── ciscoMgmt (9)

OID Examples:
  • System description: 1.3.6.1.2.1.1.1.0
  • System uptime:      1.3.6.1.2.1.1.3.0
  • Interface table:    1.3.6.1.2.1.2.2.1
  • Cisco specific:     1.3.6.1.4.1.9
```

---

### 12. SNMP Configuration Examples

**Basic SNMPv2c Configuration:**

```cisco
! Configure read-only community
snmp-server community public RO

! Configure read-write community
snmp-server community private RW

! Configure location and contact
snmp-server location "Data Center - Main"
snmp-server contact "Network Operations - netadmin@example.com"

! Configure traps
snmp-server enable traps
snmp-server host 192.168.1.100 public
```

**Advanced SNMPv2c Configuration:**

```cisco
! Configure SNMP views
snmp-server view SYSTEM-VIEW iso included
snmp-server view SYSTEM-VIEW system excluded

! Configure SNMP community with view (IOS expects the view before RO/RW)
snmp-server community public view SYSTEM-VIEW RO

! Configure trap source interface
snmp-server trap-source loopback 0
```

**SNMPv3 Configuration (Full Security):**

```cisco
! Create SNMPv3 group
snmp-server group SNMP-GROUP v3 priv

! Create SNMPv3 user with auth and privacy
snmp-server user snmpadmin SNMP-GROUP v3 auth sha AdminAuth123 priv aes 128 AdminPriv123

! Configure views
snmp-server view ALL-VIEW iso included
snmp-server view SYSTEM-ONLY-VIEW iso included
snmp-server view SYSTEM-ONLY-VIEW system excluded

! Apply view to group
snmp-server group SNMP-GROUP v3 priv read SYSTEM-ONLY-VIEW

! Configure traps
snmp-server enable traps
snmp-server host 192.168.1.100 version 3 priv snmpadmin
```

---

### 13. SNMP Verification Commands

| Command | Purpose |
|---------|---------|
| `show snmp` | Display SNMP configuration |
| `show snmp community` | Display SNMP communities |
| `show snmp group` | Display SNMPv3 groups |
| `show snmp user` | Display SNMPv3 users |
| `show snmp view` | Display SNMP views |
| `show snmp engineID` | Display SNMP engine ID |
| `show snmp mib` | Display MIB information |
| `debug snmp packets` | Debug SNMP packets (use cautiously) |

**Example Outputs:**

```cisco
Router# show snmp
Chassis: FTX12345678
Contact: Network Team - noc@example.com
Location: Data Center - Rack A1
0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Set-request PDUs
0 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    0 Trap PDUs
SNMP global trap: enabled
SNMP logging: enabled
    Logging to 192.168.1.100.162, 0/10, 0 sent, 0 dropped.

Router# show snmp community
Community name: public
Community Index: public
Storage Type: permanent Active

Community name: private
Community Index: private
Storage Type: permanent Active

Router# show snmp user
User name: snmpadmin
Engine ID: 800000090300001A2B3C4D5E
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: SNMP-GROUP
Storage-type: nonvolatile Active
```

---

## Complete Configuration Examples

### Lab 1: NTP Server with Authentication

```cisco
hostname NTP-Server
!
! Configure NTP authentication
ntp authenticate
ntp authentication-key 1 md5 SecureNTPKey123
ntp trusted-key 1
!
! Configure NTP as master (stratum 2)
ntp master 2
!
! Configure access control
access-list 10 permit 192.168.1.0 0.0.0.255
ntp access-group peer 10
!
! Configure NTP source interface
ntp source loopback 0
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
end
```

---

### Lab 2: NTP Client with Authentication

```cisco
hostname NTP-Client
!
! Configure NTP authentication
ntp authenticate
ntp authentication-key 1 md5 SecureNTPKey123
ntp trusted-key 1
!
! Configure NTP server with authentication
ntp server 192.168.1.100 key 1 prefer
!
! Configure backup NTP server
ntp server 192.168.1.101 key 1
!
! Configure timezone
clock timezone EST -5
clock summer-time EDT recurring
!
end
!
! Verify (run from privileged EXEC mode)
NTP-Client# show ntp status
NTP-Client# show ntp associations
```

---

### Lab 3: SNMPv2c Configuration

```cisco
hostname Router
!
! Configure SNMP communities
snmp-server community public RO
snmp-server community private RW
!
! Configure location and contact
snmp-server location "Main Data Center - Rack A1"
snmp-server contact "Network Operations - netadmin@example.com"
!
! Configure SNMP views
snmp-server view SYSTEM-ONLY iso included
snmp-server view SYSTEM-ONLY system excluded
!
! Apply view to community (IOS expects the view before RO/RW)
snmp-server community public view SYSTEM-ONLY RO
!
! Configure traps
snmp-server enable traps
snmp-server host 192.168.1.100 public
!
! Configure trap source
snmp-server trap-source loopback 0
!
end
```

---

### Lab 4: SNMPv3 Configuration (Full Security)

```cisco
hostname Router
!
! Configure SNMPv3 group
snmp-server group SNMP-ADMIN v3 priv
!
! Configure SNMPv3 user (auth + privacy)
snmp-server user admin SNMP-ADMIN v3 auth sha AdminAuth123 priv aes 128 AdminPriv123
!
! Configure SNMPv3 user (read-only)
snmp-server group SNMP-READ v3 auth
snmp-server user readonly SNMP-READ v3 auth sha ReadOnlyAuth123
!
! Configure SNMP views
snmp-server view ALL iso included
snmp-server view SYSTEM-ONLY iso included
snmp-server view SYSTEM-ONLY system excluded
!
! Apply views to groups
snmp-server group SNMP-ADMIN v3 priv read ALL write ALL
snmp-server group SNMP-READ v3 auth read SYSTEM-ONLY
!
! Configure location and contact
snmp-server location "Data Center - Rack A1"
snmp-server contact "Network Team - noc@example.com"
!
! Configure traps
snmp-server enable traps
snmp-server host 192.168.1.100 version 3 priv admin
!
end
```

---

## Exam Tips (For CCNA 200-301)

| Topic | What Cisco Tests |
|-------|------------------|
| **NTP Stratum** | Lower stratum = more accurate |
| **NTP Authentication** | Prevents unauthorized time updates |
| **SNMP Versions** | v3 is secure (auth + priv), v1/v2c use community strings |
| **SNMPv3 Security Levels** | noAuthNoPriv, authNoPriv, authPriv |
| **SNMP Traps vs. Informs** | Traps (unreliable), Informs (reliable) |
| **MIB/OID** | Hierarchical database of managed objects |
| **SNMP Ports** | UDP 161 (polling), UDP 162 (traps/informs) |

### Common Exam Scenarios:

**Scenario 1:** "Which SNMP version provides encryption and authentication?"

- **Answer:** SNMPv3 with authPriv security level

**Scenario 2:** "What is the difference between NTP traps and informs?"

- **Answer:** Informs require acknowledgment (reliable), traps do not

**Scenario 3:** "What is the purpose of NTP authentication?"

- **Answer:** Prevents unauthorized or malicious time updates

### Mnemonics:

**SNMPv3 Security Levels:** **"NAP" - NoAuthNoPriv, AuthNoPriv, AuthPriv**

- **N**oAuthNoPriv: No security
- **A**uthNoPriv: Authentication only
- **A**uthPriv: Full security

**SNMP Ports:** **"161 for Poll, 162 for Trap"**

- UDP 161: Polling (GET, SET)
- UDP 162: Traps/Informs

---

## Summary (1-Minute Revision)

```
NTP (Network Time Protocol):

STRATUM:
├── 0: Reference clock (atomic, GPS)
├── 1: Primary time server
├── 2-15: Secondary servers
└── 16: Unsynchronized

CONFIGURATION:
├── ntp server [ip] [prefer]
├── ntp master [stratum]
├── ntp authenticate
├── ntp authentication-key [id] md5 [key]
├── ntp trusted-key [id]
├── ntp access-group [peer|serve|serve-only|query-only] [acl]
└── ntp source [interface]

VERIFICATION:
├── show ntp status
└── show ntp associations

SNMP (Simple Network Management Protocol):

VERSIONS:
├── v1: Basic, clear text
├── v2c: Enhanced, clear text, GETBULK
└── v3: Authentication + encryption

SECURITY:
├── noAuthNoPriv: No security
├── authNoPriv: Authentication only
└── authPriv: Full security (auth + encryption)

CONFIGURATION:
├── snmp-server community [string] [RO|RW]
├── snmp-server group [name] v3 [auth|priv]
├── snmp-server user [name] [group] v3 auth [md5|sha] [password] priv [aes|des] [password]
├── snmp-server enable traps
├── snmp-server host [ip] [community|version 3 [auth|priv] [user]]
└── snmp-server view [name] [oid] [included|excluded]

VERIFICATION:
├── show snmp
├── show snmp community
├── show snmp group
└── show snmp user
```

---

## Practice Questions

**1. Which SNMP version provides authentication and encryption?**

- A) SNMPv1
- B) SNMPv2c
- C) SNMPv3
- D) SNMPv4

<details>
<summary>Answer</summary>
<b>C) SNMPv3</b> - SNMPv3 provides authentication and encryption (authPriv).
</details>

**2. What is the default NTP stratum of a device synchronized to a stratum 1 server?**

- A) Stratum 0
- B) Stratum 1
- C) Stratum 2
- D) Stratum 3

<details>
<summary>Answer</summary>
<b>C) Stratum 2</b> - A device synchronized to a stratum 1 server becomes stratum 2.
</details>

**3. Which UDP port does SNMP use for traps?**

- A) UDP 161
- B) UDP 162
- C) UDP 123
- D) UDP 514

<details>
<summary>Answer</summary>
<b>B) UDP 162</b> - SNMP traps and informs use UDP port 162.
</details>

**4. What is the difference between a trap and an inform?**

- A) Traps are reliable, informs are not
- B) Informs are reliable (require ACK), traps are not
- C) Traps use TCP, informs use UDP
- D) No difference

<details>
<summary>Answer</summary>
<b>B) Informs are reliable (require ACK), traps are not</b> - Informs require acknowledgment from the manager.
</details>

**5. Which command enables NTP authentication?**

- A) `ntp auth`
- B) `ntp authenticate`
- C) `ntp enable auth`
- D) `ntp security`

<details>
<summary>Answer</summary>
<b>B) `ntp authenticate`</b> - Enables NTP authentication globally.
</details>

**6. Which SNMPv3 security level provides both authentication and encryption?**

- A) noAuthNoPriv
- B) authNoPriv
- C) authPriv
- D) privNoAuth

<details>
<summary>Answer</summary>
<b>C) authPriv</b> - Provides both authentication and privacy (encryption).
</details>

**7. What is the purpose of an SNMP view?**

- A) Display SNMP statistics
- B) Restrict access to specific MIB objects
- C) Configure trap destinations
- D) Set community strings

<details>
<summary>Answer</summary>
<b>B) Restrict access to specific MIB objects</b> - Views limit which MIB objects a user can access.
</details>

**8. Which command displays NTP synchronization status?**

- A) `show ntp`
- B) `show ntp status`
- C) `show ntp sync`
- D) `show clock`

<details>
<summary>Answer</summary>
<b>B) `show ntp status`</b> - Displays NTP synchronization status and stratum.
</details>

**9. What does OID stand for?**

- A) Object Identifier
- B) Organization Identifier
- C) Object Information Database
- D) Operational Identifier

<details>
<summary>Answer</summary>
<b>A) Object Identifier</b> - OID uniquely identifies managed objects in the MIB tree.
</details>

**10. Which command configures a router as an NTP master at stratum 3?**

- A) `ntp server 3`
- B) `ntp master 3`
- C) `ntp stratum 3`
- D) `ntp reference 3`

<details>
<summary>Answer</summary>
<b>B) `ntp master 3`</b> - Configures the router as an NTP master at stratum 3.
</details>

**11. Which SNMP version introduced the GETBULK operation?**

- A) SNMPv1
- B) SNMPv2c
- C) SNMPv3
- D) SNMPv2

<details>
<summary>Answer</summary>
<b>B) SNMPv2c</b> - GETBULK allows retrieval of large tables efficiently.
</details>

**12. What is the default NTP holdtime?**

- A) 30 seconds
- B) 60 seconds
- C) 120 seconds
- D) 180 seconds

<details>
<summary>Answer</summary>
<b>C) 120 seconds</b> - LLDP holdtime is 120 seconds; NTP uses different timers.
</details>

---

## Next Steps

After completing Video 47, you should be ready for:

- **Video 48:** NetFlow and IPFIX
- **Video 49:** SPAN, RSPAN, and ERSPAN

**Lab Practice:**

1. Configure NTP server with authentication
2. Configure NTP client with authentication
3. Verify synchronization with `show ntp status`
4. Configure SNMPv2c with read-only community
5. Configure SNMPv3 with authPriv security
6. Configure SNMP traps and verify
7. Test with SNMP walk tool (e.g., MIB Browser)

---
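
**Added example: the NTP authentication check from section 2.** This Python model is not part of the original notes and is not Cisco's implementation; it follows the RFC 5905 symmetric-key layout, where the sender appends a 32-bit key ID and `MD5(key || header)` and the receiver accepts only a trusted key ID with a matching digest. Key ID 1 and `SecureNTPKey123` come from the notes; the header fields, the timestamp and key 2 are constructed sample values.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48        # NTP header without extension fields
MAC_LEN = 4 + 16       # 32-bit key ID + 128-bit MD5 digest

# Key table as each side would hold it. Key 1 is the value used in the notes;
# key 2 is a constructed value that is defined but not listed as trusted.
KEYS = {1: b"SecureNTPKey123", 2: b"ConstructedKey456"}
TRUSTED = {1}          # equivalent of "ntp trusted-key 1"


def build_header(mode, stratum, transmit_ts):
    """Build a minimal 48-byte NTPv4 header (constructed sample values)."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode          # LI=0, VN=4, mode 3=client 4=server
    head = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # poll, precision
    head += b"\x00" * 36                              # root delay .. receive timestamp
    return head + struct.pack("!Q", transmit_ts)      # 64-bit transmit timestamp


def sign(header, key_id, key):
    """Append the MAC: key ID followed by MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys, trusted):
    """Receiver-side check: key must be trusted and the digest must match."""
    if len(packet) < HEADER_LEN + MAC_LEN:
        return "reject: missing MAC"
    header = packet[:HEADER_LEN]
    mac = packet[HEADER_LEN:HEADER_LEN + MAC_LEN]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted or key_id not in keys:
        return "reject: untrusted key id"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):    # constant-time comparison
        return "reject: bad digest"
    return "accept"


def demo():
    """Run five cases a client can see when a server reply arrives."""
    header = build_header(mode=4, stratum=2, transmit_ts=0xE6C3D9A58C9E8C34)
    good = sign(header, 1, KEYS[1])
    tampered = bytearray(good)
    tampered[47] ^= 0x01                              # alter the transmit timestamp
    return {
        "valid reply": verify(good, KEYS, TRUSTED),
        "tampered timestamp": verify(bytes(tampered), KEYS, TRUSTED),
        "wrong shared secret": verify(sign(header, 1, b"GuessedKey"), KEYS, TRUSTED),
        "untrusted key id": verify(sign(header, 2, KEYS[2]), KEYS, TRUSTED),
        "no MAC at all": verify(header, KEYS, TRUSTED),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} {result}")
```

The "untrusted key id" case is why `ntp trusted-key` matters: a key that is defined with `ntp authentication-key` but not trusted is still refused.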
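
**Added example: auditing a configuration against sections 2, 7 and 8.** This Python script is not part of the original notes; it scans an IOS-style configuration for the weaknesses the notes describe: clear-text v1/v2c communities, default or read-write community strings, SNMPv3 below authPriv, and NTP servers that are not authenticated. The rule names and the sample configuration (including the community `m0nit0r`) are constructed for illustration.

```python
"""Audit an IOS-style config for weak NTP/SNMP settings."""

# Constructed sample config (addresses, names and secrets are illustrative).
SAMPLE_CONFIG = """\
hostname Router
ntp authentication-key 1 md5 SecureNTPKey123
ntp trusted-key 1
ntp server 192.168.1.100 key 1 prefer
ntp server 192.168.1.101
snmp-server community public RO
snmp-server community private RW
snmp-server community m0nit0r view SYSTEM-ONLY RO 10
snmp-server group SNMP-ADMIN v3 priv
snmp-server group SNMP-READ v3 auth
snmp-server host 192.168.1.100 public
snmp-server host 192.168.1.100 version 3 priv admin
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def _after(tokens, word):
    """Return the token that follows `word`, or None if absent."""
    if word in tokens:
        i = tokens.index(word)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit(config):
    """Return a list of (rule, offending line) findings."""
    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    tokens = [l.split() for l in lines]
    trusted = {t[2] for t in tokens
               if t[:2] == ["ntp", "trusted-key"] and len(t) > 2}
    findings = []

    # Keys are only enforced once "ntp authenticate" is configured globally.
    has_server = any(t[:2] == ["ntp", "server"] for t in tokens)
    if has_server and ["ntp", "authenticate"] not in tokens:
        findings.append(("NTP-AUTH-DISABLED", "ntp authenticate (missing)"))

    for line, t in zip(lines, tokens):
        if t[:2] == ["ntp", "server"]:
            key_id = _after(t[3:], "key")
            if key_id is None:
                findings.append(("NTP-SERVER-NO-KEY", line))
            elif key_id not in trusted:
                findings.append(("NTP-KEY-NOT-TRUSTED", line))

        elif t[:2] == ["snmp-server", "community"] and len(t) > 2:
            rest = t[3:]
            if "view" in rest:                       # drop the "view <name>" pair
                i = rest.index("view")
                rest = rest[:i] + rest[i + 2:]
            modes = {r.upper() for r in rest} & {"RO", "RW"}
            acl = [r for r in rest if r.upper() not in ("RO", "RW")]
            # v1/v2c: the community travels in clear text, no auth or encryption
            findings.append(("SNMP-CLEARTEXT-COMMUNITY", line))
            if t[2].lower() in DEFAULT_COMMUNITIES:
                findings.append(("SNMP-DEFAULT-COMMUNITY", line))
            if "RW" in modes:
                findings.append(("SNMP-RW-COMMUNITY", line))
            if not acl:
                findings.append(("SNMP-COMMUNITY-NO-ACL", line))

        elif t[:2] == ["snmp-server", "group"] and len(t) > 4 and t[3] == "v3":
            if t[4] != "priv":                       # noauth or auth only
                findings.append(("SNMPV3-BELOW-AUTHPRIV", line))

        elif t[:2] == ["snmp-server", "host"] and len(t) > 2:
            if _after(t, "version") != "3":
                findings.append(("SNMP-TRAP-COMMUNITY", line))
            elif _after(t, "3") != "priv":
                findings.append(("SNMPV3-BELOW-AUTHPRIV", line))
    return findings


if __name__ == "__main__":
    for rule, line in audit(SAMPLE_CONFIG):
        print(f"{rule:26} {line}")
```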