Kingsley,

To gain an understanding of something beyond what is contained in the documentation, you will need to reference the RFCs that define the standards. I didn't know the answer to this without looking it up as well, but when you need more clarification than is in the Cisco documentation you need to reference the RFC. But essentially the SNMP EngineID is used to uniquely identify both the IOS device and the SNMP management station, whether they can talk to each other directly or if there are other devices in between like a NAT gateway. The Engine ID provides unique identification. Although this may work without it, the RFC defines that it should always be used.

RFC 5343 http://www.rfc-editor.org/rfc/rfc5343.txt

Here is a snippet.

    The last two elements are encoded in an object identifier (OID) value. The contextName is a character string (following the SnmpAdminString textual convention of the SNMP-FRAMEWORK-MIB [RFC3411]) while the contextEngineID is an octet string constructed according to the rules defined as part of the SnmpEngineID textual convention of the SNMP-FRAMEWORK-MIB [RFC3411]. The SNMP protocol operations and the protocol data units (PDUs) operate on OIDs and thus deal with object types and instances [RFC3416]. The SNMP architecture [RFC3411] introduces the concept of a scopedPDU as a data structure containing a contextEngineID, a contextName, and a PDU. The SNMP version 3 (SNMPv3) message format uses ScopedPDUs to exchange management information [RFC3412]. Within the SNMP framework, contextEngineIDs serve as end-to-end identifiers. This becomes important in situations where SNMP proxies are deployed to translate between protocol versions or to cross middleboxes such as network address translators. In addition, snmpEngineIDs separate the identification of an SNMP engine from the transport addresses used to communicate with an SNMP engine.

    This property can be used to correlate management information easily, even in situations where multiple different transports were used to retrieve the information or where transport addresses can change dynamically. To retrieve data from an SNMPv3 agent, it is necessary to know the appropriate contextEngineID. The User-based Security Model (USM) of SNMPv3 provides a mechanism to discover the snmpEngineID of the remote SNMP engine, since this is needed for security processing reasons. The discovered snmpEngineID can subsequently be used as a contextEngineID in a ScopedPDU to access management information local to the remote SNMP engine. Other security models, such as the Transport Security Model (TSM) [TSM], lack such a procedure and may use the discovery mechanism defined in this memo.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] On Behalf Of Kingsley Charles
Sent: Wednesday, June 30, 2010 12:02 PM
To: Vybhav Ramachandran
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] snmp v3 remote engine ID

Hi TacACK,

I have configured the SNMP NMS with the username and I am able to perform SNMP actions like GET, GETNEXT etc. without configuring the remote engine ID on the agent (IOS router). It seems the remote engine ID is required for informs only. Even I am waiting for a clear explanation from someone on when we need the remote engine ID.

With regards,
Kings

On Wed, Jun 30, 2010 at 9:26 PM, Vybhav Ramachandran <[email protected]> wrote:

Hello Kings,

This is what I found in the Doc-CD:

SNMP passwords are localized using the SNMP engine ID of the authoritative SNMP engine. For informs, the authoritative SNMP agent is the remote agent. You must configure the remote agent's SNMP engine ID in the SNMP database before you can send proxy requests or informs to it.

I'm waiting for a response from someone who knows more about engine-ids :)

Cheers,
TacACK
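Tyson's pointer to the RFCs and the Doc-CD passage Kings and TacACK are discussing come down to one mechanism: USM localizes a user's password against the engine ID of the *authoritative* engine, which is the agent for GET/SET and traps but the receiving side for informs. The Python below is a worked example added to this thread; it is not code from any of the posters, from Cisco or from IPexpert. It implements the RFC 3414 Appendix A password-to-key and key-localization steps and decodes the RFC 3411 SnmpEngineID layout. The engine IDs in the main block are constructed sample values (enterprise 9 with the MAC-address format, in the style of an IOS device), not real device IDs; the functions can be checked against the published "maplesyrup" vectors in RFC 3414 Appendix A.3.

```python
"""SNMPv3 engine IDs and USM password localization (RFC 3411 / RFC 3414).

Added worked example for this thread; not code from Cisco, IPexpert or any
poster. It shows why a manager or router must know the remote engine's ID
before authenticated informs can work: the same password localizes to a
different key for every authoritative engine ID.
"""
import hashlib

# RFC 3411 SnmpEngineID: when the first bit is 1, the first four octets hold
# the IANA enterprise number and the fifth octet says how the rest is formed.
_RFC3411_FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def decode_engine_id(engine_id: bytes) -> dict:
    """Split an SnmpEngineID into enterprise number, format and body."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("SnmpEngineID must be 5..32 octets")
    enterprise = int.from_bytes(engine_id[:4], "big")
    if enterprise & 0x80000000 == 0:
        # First bit 0: older 12-octet RFC 1910 style (enterprise + 8 octets).
        return {"scheme": "rfc1910", "enterprise": enterprise,
                "value": engine_id[4:].hex()}
    fmt, body = engine_id[4], engine_id[5:]
    if fmt == 1 and len(body) == 4:
        value = ".".join(str(b) for b in body)          # IPv4 address
    elif fmt == 3 and len(body) == 6:
        value = ":".join(f"{b:02x}" for b in body)       # MAC address
    elif fmt == 4:
        value = body.decode("ascii", errors="replace")   # administratively assigned text
    else:
        value = body.hex()
    if 128 <= fmt <= 255:
        name = "enterprise-specific"
    else:
        name = _RFC3411_FORMATS.get(fmt, "reserved")
    return {"scheme": "rfc3411", "enterprise": enterprise & 0x7FFFFFFF,
            "format": fmt, "format_name": name, "value": value}


def password_to_key(password: str, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to exactly 1,048,576 octets)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku).

    engine_id must be the *authoritative* engine's ID: the agent's for
    GET/SET/traps, but the receiving manager's for informs.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Convenience wrapper: password straight to the localized key."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


if __name__ == "__main__":
    # Constructed sample engine IDs (not real devices): enterprise 9 with
    # format 3 (MAC address) for the router and a different one for the NMS.
    router_id = bytes.fromhex("80000009" "03" "001e4faabbcc")
    nms_id = bytes.fromhex("80000009" "03" "001e4f112233")
    print("router engine ID:", decode_engine_id(router_id))

    # Same user password, two authoritative engines, two different keys.
    # For a GET the router is authoritative; for an inform the NMS is, so the
    # router needs the NMS engine ID configured before its informs can be
    # authenticated. Traps need no such entry because the sender is authoritative.
    get_key = localized_key("maplesyrup", router_id)
    inform_key = localized_key("maplesyrup", nms_id)
    print("key used for GET    :", get_key.hex())
    print("key used for informs:", inform_key.hex())
    assert get_key != inform_key
```

Running the script prints the decoded router engine ID and two different localized keys for the same password. This is also why `snmp-server engineID remote` is needed only for informs in the thread above: for GETs the agent localizes against its own ID, which it already knows, whereas an inform is authenticated with a key derived from the receiver's ID.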
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
