Well, the configuration commands will take, and you can successfully run SNMP 
requests to a router without specifying the engine-id as remote, but it sounds 
like it is a suggested configuration, so you should consider it as part of the 
configuration you must complete, although I know it works without doing it.

Traps would require it if the NMS is requiring authentication before it will 
accept traps.  Most often the NMS is set to accept the credentials or accept 
without the credentials.  Your question depends on the configuration of the NMS.


Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio 
Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, 
Voice, Security & Service Provider) certification(s) with training locations 
throughout the United States, Europe, South Asia and Australia. Be sure to 
visit our online communities at www.ipexpert.com/communities and our public 
website at www.ipexpert.com

 

From: Kingsley Charles [mailto:[email protected]]
Sent: Friday, July 02, 2010 9:10 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] snmp v3 remote engine ID

Hi Tyson,

Thanks for the detailed explanation and for bringing out the RFC insight.

As per my understanding:

The Engine ID is used for localization of the auth and encryption keys.

Local Engine ID

In the SNMP NMS that I have, there is an option where we can enable/disable 
"Localize Auth and Encr key". If I select disable, the SNMP requests to the 
IOS router (agent) fail, and when enabled they succeed. Hence "snmp-server 
engineID local" is significant for SNMP requests like get, getnext etc.

Remote Engine ID

"snmp-server engineID remote" is used when the IOS router (agent) sends 
traps/informs to the SNMP NMS.

Following are the two snippets from the link (highlighted in blue) that are not 
clear to me.

http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_20.html

“SNMP passwords are localized using the SNMP engine ID of the authoritative 
SNMP engine. For informs, the authoritative SNMP agent is the remote agent. You 
need to configure the remote agent's SNMP engine ID in the SNMP database before 
you can send proxy requests or informs to it.”

“To configure a remote user, specify the IP address or port number for the 
remote SNMP agent of the device where the user resides. Also, before you 
configure remote users for a particular agent, configure the SNMP engine ID, 
using the snmp-server engineID command with the remote keyword. The remote 
agent's SNMP engine ID is needed when computing the authentication and privacy 
digests from the password. If the remote engine ID is not configured first, the 
configuration command will fail.”

My queries:

* Is SNMP Remote Engine ID required to be configured only when the device 
  with the SNMP agent is configured for sending Informs?
* Is SNMP Remote Engine ID not required for traps?
* The 2nd snippet claims that the configuration command will fail if the 
  remote Engine ID is not configured.

With regards,
Kings
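
The two Cisco snippets quoted above come down to one rule in RFC 3414: a USM password is never used directly, it is first turned into a key and then "localized" with the snmpEngineID of the authoritative engine, and the authoritative engine is the receiver for PDUs that expect a response (get, getnext, getbulk, set, inform) and the sender for PDUs that do not (trap, response, report). The example below is added to this thread and is not code from the list, from Cisco or from any NMS; it implements the RFC 3414 password-to-key and key-localization steps with Python's hashlib/hmac, checks them against the RFC 3414 appendix A.3 test vectors, and then simulates a get, a trap and an inform to show which engine ID each side needs. ROUTER_ENGINE_ID and NMS_ENGINE_ID are constructed sample values, and exchange_verifies is a simplified model of the authentication check, not a full SNMPv3 message encoder.

```python
"""SNMPv3 USM key localization (RFC 3414) and the "authoritative engine" rule.

Added example for this thread, not code from the list or from Cisco. It shows
why the authoritative engine's snmpEngineID must be known before a password can
be turned into a key, and which side is authoritative for gets, traps and informs.
Test vectors are from RFC 3414 appendix A.3; ROUTER_ENGINE_ID and NMS_ENGINE_ID
are constructed sample values.
"""
import hashlib
import hmac

ONE_MIB = 1048576  # RFC 3414 A.2: the password is stretched to exactly 1 MiB

# Constructed sample engine IDs (not real devices). 80 00 00 09 03 + a MAC
# address is the shape IOS shows, but the octets below are made up.
ROUTER_ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")
NMS_ENGINE_ID = bytes.fromhex("800000090300112233445566")

# RFC 3414 section 1.5.1: the receiver is authoritative for PDUs that expect a
# response (Get/GetNext/GetBulk/Set and Inform); the sender is authoritative for
# PDUs that do not (Trap, Response, Report).
RESPONSE_EXPECTED = {"get", "getnext", "getbulk", "set", "inform"}


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku = H(password repeated cyclically to fill 1 MiB), RFC 3414 A.2.1/A.2.2."""
    if not password:
        raise ValueError("USM passwords must not be empty")
    stretched = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku), RFC 3414 section 2.6.

    The result is tied to one engine: the same password localized to a different
    engine ID yields an unrelated key. That is what "passwords are localized using
    the SNMP engine ID of the authoritative SNMP engine" means in the Cisco text.
    """
    ku = password_to_key(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_tag(localized_key: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """msgAuthenticationParameters: HMAC-MD5-96 / HMAC-SHA-96 (first 12 octets)."""
    return hmac.new(localized_key, message, hash_name).digest()[:12]


def authoritative_engine(pdu_type: str, sender_id: bytes, receiver_id: bytes) -> bytes:
    """Engine ID both sides must localize the key to for this PDU type."""
    return receiver_id if pdu_type in RESPONSE_EXPECTED else sender_id


def exchange_verifies(pdu_type: str, sender_id: bytes, receiver_id: bytes,
                      password: bytes, sender_localizes_to: bytes,
                      message: bytes = b"constructed scopedPDU bytes") -> bool:
    """Simplified model of one authenticated message (not a full SNMPv3 codec).

    The sender derives its key from whatever engine ID it has configured
    (sender_localizes_to); the receiver derives its key from the engine RFC 3414
    says is authoritative. The message verifies only when the two agree.
    """
    authoritative = authoritative_engine(pdu_type, sender_id, receiver_id)
    sent = auth_tag(localize_key(password, sender_localizes_to), message)
    expected = auth_tag(localize_key(password, authoritative), message)
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    pw = b"maplesyrup"
    # NMS -> router get: the router is authoritative, so the NMS needs the
    # router's engine ID (the "Localize Auth and Encr key" option in the NMS).
    print("get:", exchange_verifies("get", NMS_ENGINE_ID, ROUTER_ENGINE_ID, pw, ROUTER_ENGINE_ID))
    # router -> NMS trap: the router (sender) is authoritative; its local ID suffices.
    print("trap:", exchange_verifies("trap", ROUTER_ENGINE_ID, NMS_ENGINE_ID, pw, ROUTER_ENGINE_ID))
    # router -> NMS inform: the NMS (receiver) is authoritative, so the router must
    # localize to the NMS engine ID (snmp-server engineID remote); its own local
    # engine ID produces a key the NMS will not accept.
    print("inform, remote engineID:", exchange_verifies("inform", ROUTER_ENGINE_ID, NMS_ENGINE_ID, pw, NMS_ENGINE_ID))
    print("inform, local engineID only:", exchange_verifies("inform", ROUTER_ENGINE_ID, NMS_ENGINE_ID, pw, ROUTER_ENGINE_ID))
```

Running it prints True for the get and the trap, True for the inform when the router localizes to the NMS engine ID, and False for the inform localized to the router's own ID, which is the behaviour the three queries above ask about: the remote engine ID matters when the router sends informs (and for proxy requests), not for traps, and IOS refuses the remote user configuration up front because it cannot compute the localized digests without that engine ID.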

On Fri, Jul 2, 2010 at 5:55 PM, Tyson Scott <[email protected]> wrote:

Kingsley,

To gain an understanding of something beyond what is contained in the 
documentation, you will need to reference the RFCs that define the standards.  
I didn't know the answer to this without looking it up as well, but when you 
need more clarification than is in the Cisco documentation you need to 
reference the RFC.  Essentially the SNMP EngineID is used to uniquely 
identify both the IOS device and the SNMP management station, whether they can 
talk to each other directly or there are other devices in between like a NAT 
gateway.  The Engine ID provides unique identification.  Although this may 
work without it, the RFC defines that it should always be used.

 

RFC 5343
http://www.rfc-editor.org/rfc/rfc5343.txt

Here is a snippet:

The last two elements are encoded in an object identifier (OID) value.  The 
contextName is a character string (following the SnmpAdminString textual 
convention of the SNMP-FRAMEWORK-MIB [RFC3411]) while the contextEngineID is an 
octet string constructed according to the rules defined as part of the 
SnmpEngineID textual convention of the SNMP-FRAMEWORK-MIB [RFC3411].

The SNMP protocol operations and the protocol data units (PDUs) operate on OIDs 
and thus deal with object types and instances [RFC3416].  The SNMP architecture 
[RFC3411] introduces the concept of a scopedPDU as a data structure containing a 
contextEngineID, a contextName, and a PDU.  The SNMP version 3 (SNMPv3) message 
format uses ScopedPDUs to exchange management information [RFC3412].

Within the SNMP framework, contextEngineIDs serve as end-to-end identifiers.  
This becomes important in situations where SNMP proxies are deployed to 
translate between protocol versions or to cross middleboxes such as network 
address translators.  In addition, snmpEngineIDs separate the identification of 
an SNMP engine from the transport addresses used to communicate with an SNMP 
engine.  This property can be used to correlate management information easily, 
even in situations where multiple different transports were used to retrieve 
the information or where transport addresses can change dynamically.

To retrieve data from an SNMPv3 agent, it is necessary to know the appropriate 
contextEngineID.  The User-based Security Model (USM) of SNMPv3 provides a 
mechanism to discover the snmpEngineID of the remote SNMP engine, since this is 
needed for security processing reasons.  The discovered snmpEngineID can 
subsequently be used as a contextEngineID in a ScopedPDU to access management 
information local to the remote SNMP engine.  Other security models, such as 
the Transport Security Model (TSM) [TSM], lack such a procedure and may use the 
discovery mechanism defined in this memo.

 

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

 

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Wednesday, June 30, 2010 12:02 PM
To: Vybhav Ramachandran
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] snmp v3 remote engine ID

Hi TacACK,

I have configured the SNMP NMS with the username and I am able to perform SNMP 
actions like GET, GETNEXT etc. without configuring the remote engine ID on the 
agent (IOS router).
It seems the remote engine ID is required for informs only.

I am also waiting for a clear explanation from someone on when we need the 
remote engine ID.

With regards,
Kings

On Wed, Jun 30, 2010 at 9:26 PM, Vybhav Ramachandran <[email protected]> wrote:

Hello Kings,

This is what I found in the Doc-CD:

SNMP passwords are localized using the SNMP engine ID of the authoritative SNMP 
engine. For informs, the authoritative SNMP agent is the remote agent. You must 
configure the remote agent's SNMP engine ID in the SNMP database before you can 
send proxy requests or informs to it.

I'm waiting for a response from someone who knows more about engine-ids  :)

Cheers,
TacACK


_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
