See the following output of what happens when I configure the remote user without
the remote Engine ID.

router(config)#snmp-server user cisco mine remote 10.20.30.40 v3
router(config)#
*Jul  6 08:12:19.914: %SNMP-4-NOENGINEID: Remote snmpEngineID for 10.20.30.40 not found when creating user: cisco

The remote user configuration fails if the remote Engine ID for 10.20.30.40
has not been configured. Hence a remote Engine ID is required when you
configure an SNMP remote user.

*SNMP v3*

SNMP v3 uses the User Based Security Model (USM). As per RFC 2274, the following
are the specifications:

    * Authentication
    * Timeliness
    * Privacy
    * Message Format
    * Discovery
    * Key Management


In SNMP v3, of the two entities (Agent and NMS) either one should be the
Authoritative Engine and the other will be the Non-Authoritative engine.

Timeliness - The Non-Authoritative entity will sync with the Authoritative
entity, which sends the time. This is used for mitigating Anti-replay attacks.

When the SNMP message expects a response, the receiver is the
Authoritative engine.

For GET, GETNEXT, SET, GETBULK the NMS will be authoritative as it is the
receiver.

For Informs, the Agent will be Authoritative when the Agent sends the Informs and
the NMS will be Authoritative when the NMS sends Informs.

The Discovery process will discover the Engine ID of the remote device. The
NMS will discover the Engine ID of the Agent (IOS router).
This Engine ID will be used to localize the keys. Using these keys, the NMS will
do GET, GETNEXT etc. The local engine ID is generated on the
router automatically; if you want, it can be configured using "snmp-server
engineID remote" and viewed using "sh snmp engineID".

For traps, the local engine ID is used to localize keys.

For Informs, the remote engine ID is used to localize keys and you need to use
"snmp-server engineID remote" to configure it.


With regards
Kings
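
As an added example (not code from Kings' message, from Cisco, or from the mailing list), the following Python implements the password-to-key and key-localization procedure of RFC 3414 (the successor of the RFC 2274 cited above), which is the mechanism behind the points made in this thread: a user's password is never used directly; it is hashed into Ku and then localized with the snmpEngineID of the authoritative engine, so the same password gives a different key under every engine ID. That is exactly why the router logs %SNMP-4-NOENGINEID when a remote user is created before the receiver's engine ID is known: it has nothing to localize the inform keys with. The RFC's own test vector (password "maplesyrup", engineID 000000000000000000000002) is used as sample input; the REMOTE_ENGINES table (reusing the 123456789A value from Kings' inform example, with 10.0.0.100 deliberately left unconfigured) and the create_remote_user helper are constructed for illustration and mirror, rather than reproduce, the IOS check.

```python
import hashlib

# RFC 3414 section A.2 (successor of RFC 2274): a user's password is first
# hashed into an engine-independent key Ku, then "localized" into Kul with the
# snmpEngineID of the authoritative engine. Only Kul is ever used on the wire.
ONE_MIB = 1024 * 1024


def password_to_ku(password: bytes, hash_name: str = "sha1") -> bytes:
    """Step 1 of A.2: hash the password repeated out to exactly 1 MiB."""
    if not password:
        raise ValueError("password must not be empty")
    reps = ONE_MIB // len(password) + 1
    expanded = (password * reps)[:ONE_MIB]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Step 2 of A.2: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Full password-to-localized-key pipeline for one authoritative engine."""
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


# Constructed model of the router's remote-engine table: snmpEngineID values
# learned via "snmp-server engineID remote <host> <id>". 123456789A is the
# value from Kings' inform example; 10.0.0.100 deliberately has no entry.
REMOTE_ENGINES = {
    "10.20.30.40": bytes.fromhex("123456789A"),
}


def create_remote_user(username: str, password: bytes, remote_host: str,
                       engine_table: dict = REMOTE_ENGINES) -> bytes:
    """Hypothetical helper mirroring the IOS check behind %SNMP-4-NOENGINEID:
    a remote user's keys can only be localized once the receiver's engine ID
    is known, so refuse to create the user otherwise."""
    engine_id = engine_table.get(remote_host)
    if engine_id is None:
        raise LookupError(
            f"Remote snmpEngineID for {remote_host} not found when creating user: {username}")
    return localized_key(password, engine_id)


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password "maplesyrup", engineID 00..02.
    rfc_engine = bytes.fromhex("000000000000000000000002")
    print("Ku  (sha1):", password_to_ku(b"maplesyrup").hex())
    print("Kul (sha1):", localized_key(b"maplesyrup", rfc_engine).hex())
    # Same password, different authoritative engine -> different key, which is
    # why a router cannot build inform keys without the receiver's engine ID.
    print("Kul under 123456789A:",
          localized_key(b"maplesyrup", REMOTE_ENGINES["10.20.30.40"]).hex())
    try:
        create_remote_user("TRAP-USER", b"CISCO", "10.0.0.100")
    except LookupError as err:
        print("%SNMP-4-NOENGINEID:", err)
```

For traps the router is the authoritative engine, so it localizes the local user's password with its own engine ID and needs nothing from the receiver; for informs the receiver is authoritative, so the router must localize the remote user's password with the receiver's engine ID, which is what "snmp-server engineID remote" supplies.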

On Sat, Aug 21, 2010 at 9:01 AM, Kingsley Charles <[email protected]> wrote:

> Hi Dave
>
> You need to configure remote Engine ID and Remote User for Informs only not
> for traps.
> It all depends which entity is the authoritative.
>
> In the case of Traps, the sender is authoritative. The local SNMP Engine ID
> and local user passwords are used to create the digest for authentication
> and encryption.
>
>
>
> snmp-server enable traps cpu
> snmp-server group mine v3 priv
> snmp-server user cisco mine v3 auth sha cisco priv 3des cisco
> snmp-server host 10.20.30.40 traps version 3 priv cisco
>
>
>
> In the case of Informs, the receiver is authoritative. The remote security
> Engine ID and remote user passwords are used to create the digest for
> authentication and encryption.
>
>
>
> To send Informs, we need to configure the remote engine ID and remote user.
>
>
>
> snmp-server engineID remote 10.20.30.40 123456789A
> snmp-server enable traps cpu
> snmp-server group mine v3 priv
> snmp-server user cisco mine remote 10.20.30.40 v3 auth sha cisco priv 3des cisco
> snmp-server host 10.20.30.40 informs version 3 priv cisco
>
>
>
> With regards
> Kings
>
>
> On Fri, Aug 20, 2010 at 11:59 PM, Mack, David A (Dave) <[email protected]> wrote:
>
>> Tyson,
>>        Thanks for getting back to me and pointing me to that thread. It
>> answered my question. To summarize, my first configuration would work for
>> SNMPv3 Traps and the second would work for SNMPv3 INFORMs.  I am sorry I
>> have not really utilized the archives as much as I would like to since the
>> searches have been localized to monthly time spans. I would have to do 24
>> searches to cover a 2 year period and it gets tiresome fast. Also I verified
>> that I sent my post as plain text and had pasted in the configs from notepad
>> and yet the lines wrapped. Is there something happening with the mailing
>> list application modifying the post?
>>
>> Thanks!
>> Dave
>>
>> Back to studying....
>>
>> -----Original Message-----
>> From: Tyson Scott [mailto:[email protected]]
>> Sent: Friday, August 20, 2010 12:07 PM
>> To: Mack, David A (Dave); [email protected]
>> Subject: RE: [OSL | CCIE_Security] SNMPv3 Questions
>>
>> David,
>>
>> If you go back to the archives on July 3rd and 6th there was a good
>> discussion on this and Kingsley answered this question in there.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Managing Partner / Sr. Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>> training locations throughout the United States, Europe, South Asia and
>> Australia. Be sure to visit our online communities at
>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Mack, David A (Dave)
>> Sent: Friday, August 20, 2010 11:56 AM
>> To: [email protected]
>> Subject: [OSL | CCIE_Security] SNMPv3 Questions
>>
>> All,
>>        Hello! I am trying to dive a little deeper into SNMPv3 and I am
>> confused on something. I have read the CCO documentation and blogs and
>> this still not clear to me. Let's say I have a requirement to send
>> Temperature informs to a NMS located at 10.0.0.100 and to use SNMPv3 to
>> protect the messages. From the docs I know that I need to do the
>> following:
>>
>>
>> 1) Enable traps and in this case restrict them to the temperature
>> category:
>> snmp-server enable traps envmon temperature
>>
>> 2) I need to then configure a snmp-server host, however that requires me
>> to have a SNMPv3 user which requires a SNMPv3 group. So here I can
>> configure:
>>
>> snmp-server group TRAP-GROUP v3 priv
>> snmp-server user TRAP-USER TRAP-GROUP v3 auth sha CISCO priv 3des CISCO
>>
>> 3) Now having the user, I can configure the host:
>>
>> snmp-server host 10.0.0.100 informs version 3 priv TRAP-USER
>>
>> So the full configuration would be:
>>
>>
>> snmp-server enable traps envmon temperature
>> snmp-server group TRAP-GROUP v3 priv
>> snmp-server user TRAP-USER TRAP-GROUP v3 auth sha CISCO priv 3des CISCO
>> snmp-server host 10.0.0.100 informs version 3 priv TRAP-USER
>>
>> However, I could also configure the user as "Remote" and also have to
>> configure a remote SNMP engineID as shown below:
>>
>> snmp-server enable traps envmon temperature
>> snmp-server engineID remote 10.0.0.100 ABCD12345678
>> snmp-server group TRAP-GROUP v3 priv
>> snmp-server user TRAP-USER TRAP-GROUP remote 10.0.0.100 v3 auth sha CISCO priv 3des CISCO
>> snmp-server host 10.0.0.100 informs version 3 priv TRAP-USER
>>
>>
>> So my confusion is to what is the difference in configuring the user as
>> remote along with the remote engineID? What impacts will each have?
>>
>> TIA!
>> Dave
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>
>