Hi Tyson,

In that case in the lab, if we are not provided with the Remote Engine ID in the task, then we need to configure a dummy Engine ID. Am I right?

Still, I am wondering why it is put in the Command Reference link that the Remote ID is required for Informs only. I surfed Google and most of them have the same info.

With regards
Kings

On Fri, Jul 2, 2010 at 7:06 PM, Tyson Scott <[email protected]> wrote:
> Well, the configuration commands will take and you can successfully run SNMP requests to a router without specifying the engine-id as remote, but it sounds like it is a suggested configuration, so you should consider it as part of the configuration you must complete, although I know it works without doing it.
>
> Traps would require it if the NMS is requiring authentication before it will accept traps. Most often the NMS is set to accept the credentials accept without the credentials. Your question depends on the configuration of the NMS.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Friday, July 02, 2010 9:10 AM
> *To:* Tyson Scott
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] snmp v3 remote engine ID
>
> Hi Tyson,
>
> Thx for the detailed explanation and bringing out the RFC insight.
>
> As per my understanding:
>
> The Engine IDs are used for localization of the auth and encryption keys.
>
> *Local Engine ID*
>
> In the SNMP NMS that I have, there is an option where we can enable/disable "Localize Auth and Encr key". If I select disable, the SNMP requests fail to the IOS router (Agent), and when enabled they succeed. Hence "snmp-server engineID local" is significant for SNMP requests like get, getnext etc.
>
> *Remote Engine ID*
>
> "snmp-server engineID remote" is used when the IOS router (agent) sends the traps/informs to the SNMP NMS.
>
> Following are the two snippets from the link (highlighted in blue) that are not clear to me.
>
> http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_20.html
>
> “SNMP passwords are localized using the SNMP engine ID of the authoritative SNMP engine. For informs, the authoritative SNMP agent is the remote agent. You need to configure the remote agent's SNMP engine ID in the SNMP database before you can send proxy requests or informs to it.”
>
> “To configure a remote user, specify the IP address or port number for the remote SNMP agent of the device where the user resides. Also, before you configure remote users for a particular agent, configure the SNMP engine ID, using the *snmp-server engineID* command with the *remote* keyword. The remote agent's SNMP engine ID is needed when computing the authentication and privacy digests from the password. If the remote engine ID is not configured first, the configuration command will fail.”
>
> *My queries*
>
> - Is SNMP Remote Engine ID required to be configured only when the device with the SNMP agent is configured for sending Informs?
> - Is SNMP Remote Engine ID not required for traps?
> - The 2nd snippet claims that the configuration command will fail if the remote Engine ID is not configured.
>
> With regards
> Kings
>
> On Fri, Jul 2, 2010 at 5:55 PM, Tyson Scott <[email protected]> wrote:
> > Kingsley,
> >
> > To gain an understanding of something more than is contained in the documentation you will need to reference the RFCs that define the standards. I didn't know the answer to this without looking it up as well, but when you need more clarification than is in the Cisco documentation you need to reference the RFC. But essentially the SNMP EngineID is used to uniquely identify both the IOS device and the SNMP management station, whether they can talk to each other directly or if there are other devices in between like a NAT gateway. The Engine ID provides unique identification. Although this may work without it, the RFC defines that it should always be used.
> >
> > RFC 5343
> > http://www.rfc-editor.org/rfc/rfc5343.txt
> >
> > Here is a snippet.
> >
> > The last two elements are encoded in an object identifier (OID) value. The contextName is a character string (following the SnmpAdminString textual convention of the SNMP-FRAMEWORK-MIB [RFC3411]) while the contextEngineID is an octet string constructed according to the rules defined as part of the SnmpEngineID textual convention of the SNMP-FRAMEWORK-MIB [RFC3411].
> >
> > The SNMP protocol operations and the protocol data units (PDUs) operate on OIDs and thus deal with object types and instances [RFC3416]. The SNMP architecture [RFC3411] introduces the concept of a scopedPDU as a data structure containing a contextEngineID, a contextName, and a PDU. The SNMP version 3 (SNMPv3) message format uses ScopedPDUs to exchange management information [RFC3412].
> >
> > Within the SNMP framework, contextEngineIDs serve as end-to-end identifiers. This becomes important in situations where SNMP proxies are deployed to translate between protocol versions or to cross middleboxes such as network address translators. In addition, snmpEngineIDs separate the identification of an SNMP engine from the transport addresses used to communicate with an SNMP engine. This property can be used to correlate management information easily, even in situations where multiple different transports were used to retrieve the information or where transport addresses can change dynamically.
> >
> > To retrieve data from an SNMPv3 agent, it is necessary to know the appropriate contextEngineID. The User-based Security Model (USM) of SNMPv3 provides a mechanism to discover the snmpEngineID of the remote SNMP engine, since this is needed for security processing reasons. The discovered snmpEngineID can subsequently be used as a contextEngineID in a ScopedPDU to access management information local to the remote SNMP engine. Other security models, such as the Transport Security Model (TSM) [TSM], lack such a procedure and may use the discovery mechanism defined in this memo.
> >
> > Regards,
> >
> > Tyson Scott - CCIE #13513 R&S, Security, and SP
> > Managing Partner / Sr. Instructor - IPexpert, Inc.
> > Mailto: [email protected]
> > Telephone: +1.810.326.1444, ext. 208
> > Live Assistance, Please visit: www.ipexpert.com/chat
> > eFax: +1.810.454.0130
> >
> > IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com
> >
> > *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
> > *Sent:* Wednesday, June 30, 2010 12:02 PM
> > *To:* Vybhav Ramachandran
> > *Cc:* [email protected]
> > *Subject:* Re: [OSL | CCIE_Security] snmp v3 remote engine ID
> >
> > Hi TacACK,
> >
> > I have configured the SNMP NMS with the username and I am able to perform SNMP actions like GET, GETNEXT etc. without configuring the remote engine ID on the agent (IOS router).
> > It seems the remote engine ID is required for informs only.
> >
> > Even I am waiting for a clear explanation from someone on when we need the remote-engine ID.
> >
> > With regards
> > Kings
> >
> > On Wed, Jun 30, 2010 at 9:26 PM, Vybhav Ramachandran <[email protected]> wrote:
> > > Hello Kings,
> > >
> > > This is what I found in the Doc-CD:
> > >
> > > SNMP passwords are localized using the SNMP engine ID of the authoritative SNMP engine. For informs, the authoritative SNMP agent is the remote agent. You must configure the remote agent's SNMP engine ID in the SNMP database before you can send proxy requests or informs to it.
> > >
> > > I'm waiting for a response from someone who knows more about engine-ids :)
> > >
> > > Cheers,
> > > TacACK
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
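The mechanism behind the whole thread is USM key localization from RFC 3414: a user's password is first stretched into a key Ku, and Ku is then bound to one specific snmpEngineID to produce the localized key Kul = H(Ku || snmpEngineID || Ku). Only the engine ID of the *authoritative* engine is used, and RFC 3414 section 1.5.1 defines which side that is: the receiver for PDUs that expect a response (Get, GetNext, GetBulk, Set, Inform), the sender for PDUs that do not (Trap, Response, Report). That is why the NMS can discover the router's engine ID for polling, while a router sending an Inform has to be told the NMS's engine ID up front (`snmp-server engineID remote`), and why the same password yields different wire keys for the two directions. The following is an added worked example, not code from the thread, from Cisco or from IPexpert; it uses only the Python standard library, the function names are mine, the RFC 3414 Appendix A.3 test vectors are used for checking, and the two engine IDs in the demo are constructed sample values.

```python
"""RFC 3414 USM key localization (added example, not the thread's code)."""
import hashlib

ONE_MEGABYTE = 1_048_576  # RFC 3414 A.2.1: password is hashed repeated to 2^20 octets

# RFC 3414 sec 1.5.1: which engine is authoritative for a given PDU class.
CONFIRMED_PDUS = {"get", "getnext", "getbulk", "set", "inform"}   # receiver is authoritative
UNCONFIRMED_PDUS = {"trap", "response", "report"}                 # sender is authoritative


def password_to_ku(password: bytes, algo: str = "md5") -> bytes:
    """Step 1 of RFC 3414 A.2: Ku = H(password repeated to exactly 1,048,576 octets)."""
    if len(password) < 8:  # RFC 3414 sec 11.2 minimum password length
        raise ValueError("USM passwords must be at least 8 octets")
    repeats, tail = divmod(ONE_MEGABYTE, len(password))
    stream = password * repeats + password[:tail]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Step 2 of RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku)."""
    if not 5 <= len(engine_id) <= 32:  # SnmpEngineID is OCTET STRING (SIZE(5..32)), RFC 3411
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Password -> Kul for one specific engine in one call."""
    return localize_key(password_to_ku(password, algo), engine_id, algo)


def authoritative_engine_id(pdu: str, sender_engine_id: bytes, receiver_engine_id: bytes) -> bytes:
    """Return the engine ID whose localized key secures this PDU (RFC 3414 sec 1.5.1)."""
    kind = pdu.lower()
    if kind in CONFIRMED_PDUS:
        return receiver_engine_id
    if kind in UNCONFIRMED_PDUS:
        return sender_engine_id
    raise ValueError(f"unknown PDU class: {pdu}")


def demo_keys(password: bytes, router_engine_id: bytes, nms_engine_id: bytes, algo: str = "md5") -> dict:
    """Which engine ID, and therefore which Kul, is used for each direction of traffic."""
    cases = {
        # (pdu, sender, receiver): NMS polls the router; router sends a trap; router sends an inform
        "get  (NMS -> router)":    ("get",    nms_engine_id,    router_engine_id),
        "trap (router -> NMS)":    ("trap",   router_engine_id, nms_engine_id),
        "inform (router -> NMS)":  ("inform", router_engine_id, nms_engine_id),
    }
    out = {}
    for label, (pdu, sender, receiver) in cases.items():
        auth_id = authoritative_engine_id(pdu, sender, receiver)
        out[label] = {
            "authoritative_engine": "router" if auth_id == router_engine_id else "nms",
            "kul": localized_key(password, auth_id, algo).hex(),
        }
    return out


if __name__ == "__main__":
    # Constructed sample engine IDs (not from any real device):
    # Cisco-style 0x80 | enterprise 9, format 3 (MAC-based); net-snmp style 0x80 | enterprise 8072.
    ROUTER_ID = bytes.fromhex("800000090300112233aabb")
    NMS_ID = bytes.fromhex("80001f8880c0ffee00000001")
    for label, info in demo_keys(b"maplesyrup", ROUTER_ID, NMS_ID).items():
        print(f"{label:24s} authoritative={info['authoritative_engine']:6s} Kul={info['kul']}")
```

Running it shows the Get and the Trap both localized against the router's engine ID while the Inform is localized against the NMS's engine ID, which is exactly the case the Cisco command reference describes as needing the remote engine ID configured first: without it, the router has nothing to feed into step 2 and cannot compute the authentication or privacy key the receiver will check.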
