Hi Tyson

Thanks for the detailed explanation and for bringing out the RFC insight.

As per my understanding:

The engine ID is used for localization of the auth and encryption keys.

*Local Engine ID*

In the SNMP NMS that I have, there is an option where we can enable/disable
"Localize Auth and Encr key". If I select disable, the SNMP requests to the
IOS router (agent) fail, and when it is enabled they succeed. Hence
"snmp-server engineID local" is significant for SNMP requests like get,
getnext, etc.

*Remote Engine ID*

"snmp-server engineID remote" is used when the IOS router (agent) sends the
traps/informs to the SNMP NMS.

Following are the two snippets from the link (highlighted in blue) that are
not clear to me.

http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_20.html



“SNMP passwords are localized using the SNMP engine ID of the authoritative
SNMP engine. For informs, the authoritative SNMP agent is the remote agent.
You need to configure the remote agent's SNMP engine ID in the SNMP database
before you can send proxy requests or informs to it.”



“To configure a remote user, specify the IP address or port number for the
remote SNMP agent of the device where the user resides. Also, before you
configure remote users for a particular agent, configure the SNMP engine ID,
using the *snmp-server engineID* command with the *remote* keyword. The
remote agent's SNMP engine ID is needed when computing the authentication
and privacy digests from the password. If the remote engine ID is not
configured first, the configuration command will fail”

*My queries*


   - Is the SNMP remote engine ID required to be configured only when the
   device with the SNMP agent is configured for sending informs?
   - Is the SNMP remote engine ID not required for traps?
   - The second snippet claims that the configuration command will fail if
   the remote engine ID is not configured.

With regards
Kings

On Fri, Jul 2, 2010 at 5:55 PM, Tyson Scott <[email protected]> wrote:

>  Kingsley,
>
>
>
> To gain an understanding of something more than is contained in the
> documentation you will need to reference the RFCs that define the
> standards.  I didn't know the answer to this without looking it up as well,
> but when you need more clarification than is in the Cisco documentation you
> need to reference the RFC.  But essentially the SNMP EngineID is used to
> uniquely identify both the IOS device and the SNMP management station, whether
> they can talk to each other directly or there are other devices in
> between like a NAT gateway.  The Engine ID provides unique identification.
> Although this may work without it, the RFC defines that it should always be
> used.
>
>
>
> RFC 5343
>
> http://www.rfc-editor.org/rfc/rfc5343.txt
>
> Here is a snippet.
>
> The last two elements are encoded in an object identifier (OID)
> value.  The contextName is a character string (following the
> SnmpAdminString textual convention of the SNMP-FRAMEWORK-MIB
> [RFC3411]) while the contextEngineID is an octet string constructed
> according to the rules defined as part of the SnmpEngineID textual
> convention of the SNMP-FRAMEWORK-MIB [RFC3411].
>
> The SNMP protocol operations and the protocol data units (PDUs)
> operate on OIDs and thus deal with object types and instances
> [RFC3416].  The SNMP architecture [RFC3411] introduces the concept of
> a scopedPDU as a data structure containing a contextEngineID, a
> contextName, and a PDU.  The SNMP version 3 (SNMPv3) message format
> uses ScopedPDUs to exchange management information [RFC3412].
>
> Within the SNMP framework, contextEngineIDs serve as end-to-end
> identifiers.  This becomes important in situations where SNMP proxies
> are deployed to translate between protocol versions or to cross
> middleboxes such as network address translators.  In addition,
> snmpEngineIDs separate the identification of an SNMP engine from the
> transport addresses used to communicate with an SNMP engine.  This
> property can be used to correlate management information easily, even
> in situations where multiple different transports were used to
> retrieve the information or where transport addresses can change
> dynamically.
>
> To retrieve data from an SNMPv3 agent, it is necessary to know the
> appropriate contextEngineID.  The User-based Security Model (USM) of
> SNMPv3 provides a mechanism to discover the snmpEngineID of the
> remote SNMP engine, since this is needed for security processing
> reasons.  The discovered snmpEngineID can subsequently be used as a
> contextEngineID in a ScopedPDU to access management information local
> to the remote SNMP engine.  Other security models, such as the
> Transport Security Model (TSM) [TSM], lack such a procedure and may
> use the discovery mechanism defined in this memo.
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> Mailto: [email protected]
>
> Telephone: +1.810.326.1444, ext. 208
>
> Live Assistance, Please visit: www.ipexpert.com/chat
>
> eFax: +1.810.454.0130
>
>
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Wednesday, June 30, 2010 12:02 PM
> *To:* Vybhav Ramachandran
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] snmp v3 remote engine ID
>
>
>
> Hi TacACK
>
> I have configured the SNMP NMS with the username and I am able to perform SNMP
> actions like GET, GETNEXT, etc. without configuring the remote engine ID on the
> agent (IOS router).
> It seems the remote engine ID is required for informs only.
>
> I am also waiting for a clear explanation from someone on when we need the
> remote engine ID.
>
>
>
>
> With regards
> Kings
>
> On Wed, Jun 30, 2010 at 9:26 PM, Vybhav Ramachandran <[email protected]>
> wrote:
>
> Hello Kings,
>
>
>
> This is what I found in the Doc-CD
>
>
>
> SNMP passwords are localized using the SNMP engine ID of the authoritative
> SNMP engine. For informs, the authoritative SNMP agent is the remote agent.
> You must configure the remote agent's SNMP engine ID in the SNMP database
> before you can send proxy requests or informs to it.
>
>
>
> I'm waiting for a response from someone who knows more about engine-ids  :)
>
>
>
> Cheers,
>
> TacACK
>
>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
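The key-localization step that the thread keeps circling back to is specified in RFC 3414 (USM), and it is the reason the engine ID matters at all: the NMS and the agent never exchange the password or the key, each side derives the same localized key from the shared password and the snmpEngineID of the *authoritative* engine (the agent for get/getnext and traps, the inform receiver for informs, which is what the Cisco text quoted above means by "the authoritative SNMP agent is the remote agent"). Localizing binds the key to one engine, so a key recovered from one device cannot be replayed against another that shares the password. The following is an added example, not code from the thread or from Cisco; it implements the RFC 3414 password-to-key and localization algorithms (and the HMAC-96 authentication parameters built from the localized key), checked against the RFC's own Appendix A.3 test vectors. The second engine ID, the message bytes, and the function names are constructed for illustration.

```python
"""RFC 3414 USM key localization, worked through with the RFC's test vectors.

Added example (not part of the original thread). It shows why both sides must
agree on the authoritative engine's snmpEngineID: the same password yields a
different localized key for every engine ID, so an NMS that localizes against
the wrong engine ID produces authentication parameters the peer rejects.
"""
import hashlib
import hmac

# Test vectors from RFC 3414, Appendix A.3: password "maplesyrup" and
# snmpEngineID 00 00 00 00 00 00 00 00 00 00 00 02.
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Constructed, hypothetical engine ID of some other device (not from the RFC),
# used only to show that localization ties the key to a single engine.
OTHER_ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")

# Constructed stand-in for an SNMPv3 wholeMsg with msgAuthenticationParameters
# zero-filled, which is what the HMAC is computed over.
SAMPLE_WHOLE_MSG = b"\x30\x2a\x02\x01\x03" + b"\x00" * 12 + b"constructed-scopedPDU"

ONE_MEBIBYTE = 1_048_576


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2.1 / A.2.2: Ku = H(first 1,048,576 bytes of the password repeated).

    The 1 MiB expansion is deliberate key stretching; the RFC requires it.
    'md5' and 'sha1' are the RFC 3414 algorithms; RFC 7860 reuses the same
    construction with SHA-2 hashes (e.g. 'sha256').
    """
    if not password:
        raise ValueError("USM passwords must not be empty")
    stream = (password * (ONE_MEBIBYTE // len(password) + 1))[:ONE_MEBIBYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets (RFC 3411 SnmpEngineID)")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key_hex(password: bytes, engine_id: bytes, algo: str = "md5") -> str:
    """Password -> Ku -> Kul for one engine, as either side computes it."""
    return localize_key(password_to_key(password, algo), engine_id, algo).hex()


def auth_params(kul: bytes, whole_msg: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 6.3.1 / 7.3.1: HMAC-MD5-96 / HMAC-SHA-96 = first 12 bytes of HMAC(Kul, wholeMsg)."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]


def authenticates(password: bytes, sender_engine_id: bytes,
                  authoritative_engine_id: bytes, whole_msg: bytes,
                  algo: str = "md5") -> bool:
    """Would the authoritative engine accept a message the sender authenticated?

    The sender localizes against the engine ID it believes is authoritative;
    the receiver localizes against its own. They agree only when those IDs
    match, which is what 'snmp-server engineID remote' supplies for informs.
    """
    ku = password_to_key(password, algo)
    sent = auth_params(localize_key(ku, sender_engine_id, algo), whole_msg, algo)
    expected = auth_params(localize_key(ku, authoritative_engine_id, algo), whole_msg, algo)
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(f"{algo:4} Ku  {password_to_key(PASSWORD, algo).hex()}")
        print(f"{algo:4} Kul {localized_key_hex(PASSWORD, ENGINE_ID, algo)}")
    print("same password, other engine:", localized_key_hex(PASSWORD, OTHER_ENGINE_ID))
    print("right engine ID authenticates:",
          authenticates(PASSWORD, ENGINE_ID, ENGINE_ID, SAMPLE_WHOLE_MSG))
    print("wrong engine ID authenticates:",
          authenticates(PASSWORD, OTHER_ENGINE_ID, ENGINE_ID, SAMPLE_WHOLE_MSG))
```

Run as-is to see the RFC 3414 vectors (MD5 Kul 526f5eed9fcce26f8964c2930787d82b, SHA-1 Kul 6695febc9288e36282235fc7151f128497b38f3f) and the mismatch case. Note that the engine ID is not a secret; USM discovery hands it out to anyone who asks, so the security of the scheme still rests entirely on the password and on the hash/HMAC in use, not on the engine ID being hidden.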