The following is the one that I posted earlier......

SNMP v3 uses the User-based Security Model (USM). As per RFC 2274, the
following are the specifications:

    Authentication
    Timeliness
    Privacy
    Message Format
    Discovery
    Key Management


In SNMP v3, of the two entities (Agent and NMS) either one should be the
Authoritative Engine and the other will be the Non-Authoritative engine.

Timeliness - The Non-Authoritative entity will sync with the Authoritative
entity, which sends the time. This is used for mitigating replay attacks.

When the SNMP message expects a response, the receiver is the
Authoritative engine.

For GET, GETNEXT, SET, GETBULK the NMS will be authoritative as it is the
receiver.

For Informs, the Agent will be Authoritative when the Agent sends the Informs,
and the NMS will be Authoritative when the NMS sends Informs.

The Discovery process will discover the Engine ID of the remote device. The
NMS will discover the Engine ID of the Agent (IOS router).
This Engine ID will be used to localize the keys. Using these keys, the NMS will
do GET, GETNEXT etc. The local engine ID is generated on the
router automatically; if you want, it can be configured using "snmp-server
engineID remote" and viewed using "sh snmp engineID".

For traps, the local engine ID is used to localize keys

For Informs, the remote engine is used to localize keys and you need to use
"snmp-server engineID remote" to configure it.

With regards
Kings
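To make the key-localization point above concrete, here is an added example (it is not from the original post, nor Cisco code) that implements the RFC 3414 Appendix A password-to-key expansion, the key localization Kul = H(Ku || snmpEngineID || Ku), and the authoritative receiver's timeliness window check from RFC 3414 section 3.2, in Python. It checks itself against the RFC 3414 Appendix A.3 test vectors (password "maplesyrup", engine ID 00..02), then shows that the same user and password yield a different localized key for the router's own engine ID (the one traps are authenticated with) than for the remote NMS engine ID (the one informs are authenticated with), which is why IOS insists on `snmp-server engineID remote` before a remote user can be created. The router-local engine ID in the demo is constructed; the helper that pads a short IOS engineID string with trailing zeros to 12 octets is an assumption about IOS behaviour, so verify the actual value with `show snmp engineID`.

```python
"""
SNMPv3 USM key derivation (RFC 3414, Appendix A) and the timeliness check
(RFC 3414, section 3.2 step 7), as an added illustration of why the
*authoritative* engine's ID matters. Example code, not from the original post.
"""
import hashlib

# RFC 3414 A.2: the password is repeated to fill 1,048,576 octets and hashed
# once. The result Ku is engine-independent and must never leave the manager.
PASSWORD_EXPANSION = 1_048_576

# RFC 3414 3.2 step 7(b): accept only if boots match, boots is not saturated,
# and the clock is within 150 seconds of the authoritative engine's time.
TIME_WINDOW = 150
MAX_BOOTS = 2**31 - 1


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku = H(password repeated to 1,048,576 octets)."""
    if not password:
        raise ValueError("empty password")
    reps = PASSWORD_EXPANSION // len(password) + 1
    expanded = (password * reps)[:PASSWORD_EXPANSION]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku), using the authoritative engine's ID."""
    if not 5 <= len(engine_id) <= 32:  # SnmpEngineID is 5..32 octets (RFC 3411)
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def derive_user_keys(password: bytes, engine_id: bytes,
                     hash_name: str = "md5") -> bytes:
    """Full chain: password -> Ku -> Kul for one authoritative engine."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def ios_engine_id(hex_string: str) -> bytes:
    """ASSUMPTION: IOS takes up to 24 hex digits for `snmp-server engineID`
    and pads shorter values with trailing zeros. Confirm with `show snmp engineID`."""
    if len(hex_string) > 24:
        raise ValueError("IOS engineID string is at most 24 hex digits")
    return bytes.fromhex(hex_string.ljust(24, "0"))


def is_timely(local_boots: int, local_time: int,
              msg_boots: int, msg_time: int) -> bool:
    """Authoritative receiver's check of msgAuthoritativeEngineBoots/Time."""
    if local_boots == MAX_BOOTS:      # engine must be reconfigured, refuse all
        return False
    if msg_boots != local_boots:      # stale or replayed across a reboot
        return False
    return abs(local_time - msg_time) <= TIME_WINDOW


if __name__ == "__main__":
    pw = b"maplesyrup"
    rfc_engine = bytes(11) + b"\x02"  # RFC 3414 A.3 test engine ID
    print("RFC A.3.1 Kul(md5) :", derive_user_keys(pw, rfc_engine, "md5").hex())
    print("RFC A.3.2 Kul(sha1):", derive_user_keys(pw, rfc_engine, "sha1").hex())

    # Constructed router-local engine ID (traps: sender is authoritative).
    local_engine = bytes.fromhex("800000090300001122334455")
    # Remote NMS engine ID from the thread's config (informs: receiver is
    # authoritative), padded the way the assumption above describes.
    remote_engine = ios_engine_id("ABCD1234567890")
    print("trap key   (local engine) :", derive_user_keys(pw, local_engine).hex())
    print("inform key (remote engine):", derive_user_keys(pw, remote_engine).hex())
    print("in window:", is_timely(5, 1000, 5, 1100), is_timely(5, 1000, 5, 1200))
```

A "2 Unknown EngineIDs" counter on the agent is consistent with this: a message whose msgAuthoritativeEngineID does not match any engine the agent has keys localized for is dropped before the digest is even checked.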

On Fri, May 25, 2012 at 7:25 AM, Eugene Pefti <[email protected]> wrote:

> Hi Kings,
>
> May I know the year and month in the archive when you discussed it?
>
> Any idea why two routers running the same IOS 12.4(15)T9 but different
> platforms – 1841 and 2800 show absolutely different results in terms of
> snmp informs? My point is that I don’t have any informs sent from R5
> (counters are 0) and informs are not active for R6.
>
> Router R5 (1841)
>
> R5#sh run | sec snmp
> snmp-server engineID remote 10.0.0.100 ABCD1234567890
> snmp-server group SNMP-GROUP v3 priv
> snmp-server enable traps snmp linkdown linkup
> snmp-server enable traps syslog
> snmp-server host 10.0.0.100 inform version 3 priv SNMP-USER
>
> R5#sh snmp
> Chassis: FHK133673MS
> 31 SNMP packets input
>     0 Bad SNMP version errors
>     1 Unknown community name
>     5 Illegal operation for community name supplied
>     0 Encoding errors
>     8 Number of requested variables
>     0 Number of altered variables
>     5 Get-request PDUs
>     0 Get-next PDUs
>     0 Set-request PDUs
>     0 Input queue packet drops (Maximum queue size 1000)
> 35 SNMP packets output
>     0 Too big errors (Maximum packet size 1500)
>     0 No such name errors
>     0 Bad values errors
>     0 General errors
>     3 Response PDUs
>     0 Trap PDUs
>     0 Unknown Security Models
>     0 SNMP Invalid Messages
>     0 SNMP Unknown PDU handlers
>     0 Unsupported Security Level
>     0 Unknown User Names
>     2 Unknown EngineIDs
>     0 Not In Time Windows
>     0 Wrong MD5 or SHA Digests
>     0 Decryption Errors
> SNMP Trap Queue: 0 dropped due to resource failure.
>
> SNMP logging: disabled
>
> SNMP Manager-role output packets
>     0 Get-request PDUs
>     0 Get-next PDUs
>     0 Get-bulk PDUs
>     0 Set-request PDUs
>     28 Inform-request PDUs
>     28 Timeouts
>     0 Drops
> SNMP Manager-role input packets
>     0 Inform request PDUs
>     0 Trap PDUs
>     0 Response PDUs
>     0 Responses with errors
>
> SNMP informs: enabled
>     Informs in flight 0/25 (current/max)
>     Logging to 10.0.0.100.162
>         0 sent, 0 in-flight, 0 retries, 0 failed, 0 dropped
>
> Router R6 (2800)
>
> R6#sh run | s snmp
> snmp-server engineID remote 10.0.0.100 ABC12345678900
> snmp-server group SNMP-GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
> snmp-server enable traps snmp linkdown linkup
> snmp-server enable traps syslog
> snmp-server host 10.0.0.100 inform version 3 priv SNMP-USER
>
> R6#sh snmp
> Chassis: FTX0949C02R
> 6 SNMP packets input
>     0 Bad SNMP version errors
>     0 Unknown community name
>     0 Illegal operation for community name supplied
>     0 Encoding errors
>     5 Number of requested variables
>     0 Number of altered variables
>     4 Get-request PDUs
>     0 Get-next PDUs
>     0 Set-request PDUs
>     0 Input queue packet drops (Maximum queue size 1000)
> 6 SNMP packets output
>     0 Too big errors (Maximum packet size 1500)
>     0 No such name errors
>     0 Bad values errors
>     0 General errors
>     0 Response PDUs
>     0 Trap PDUs
>     0 Unknown Security Models
>     0 SNMP Invalid Messages
>     0 SNMP Unknown PDU handlers
>     0 Unsupported Security Level
>     0 Unknown User Names
>     2 Unknown EngineIDs
>     0 Not In Time Windows
>     0 Wrong MD5 or SHA Digests
>     0 Decryption Errors
>
> SNMP logging: disabled
>
> From: Kingsley Charles [mailto:[email protected]]
> Sent: Wednesday, May 23, 2012 11:16 PM
> To: Eugene Pefti
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] Is "snmp-server engineID" mandatory
> when configuring snmp informs ?
>
> You can see, when trying to configure a remote user without an engine ID,
> you get the following error message.
>
> router(config)#snmp-server user test test remote 10.20.30.40 v3
> router(config)#
> *May 24 06:23:12.943: %SNMP-4-NOENGINEID: Remote snmpEngineID for
> 10.20.30.40 not found when creating user: test
>
> On Thu, May 24, 2012 at 11:43 AM, Kingsley Charles <
> [email protected]> wrote:
>
> For informs, we need a remote engine ID and a remote user. Just give a
> search in the archive; you can find my analysis on this subject.
>
> With regards
> Kings
>
> On Thu, May 24, 2012 at 8:10 AM, Eugene Pefti <[email protected]>
> wrote:
>
> Folks,
>
> Would appreciate your input please.
>
> Trying to configure snmp v3 with informs that should be sent to the SNMP
> management station.
>
> Part of the task is to configure SNMP server users.
>
> Cisco documentation says:
>
> -------------------------
> To configure a remote user, specify the IP address or port number for the
> remote SNMP agent of the device where the user resides.
>
> Also, before you configure remote users for a particular agent, configure
> the SNMP engine ID, using the snmp-server engineID command
> with the remote option. The remote agent's SNMP engine ID is required when
> computing the authentication and privacy digests from the password.
>
> If the remote engine ID is not configured first, the configuration command
> will fail.
> -------------------------------
>
> I don’t have any problem adding both the user and the group before
> configuring “snmp-server engineID” and have them showing
> in the router. What “configuration” command will fail if I don’t configure
> it ?
>
> Secondly,
>
> What do I miss in the SNMP config to not have informs sent at all ?
>
> snmp-server engineID remote 10.0.0.100 ABC12345678900
> snmp-server group SNMP-GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
> snmp-server enable traps snmp linkdown linkup
> snmp-server enable traps syslog
> snmp-server host 10.0.0.100 inform version 3 priv SNMP-USER
>
> I already mentioned earlier that it looks for me as if informs are not
> active. I can’t configure informs timeout parameters and there’s nothing
> showing for “show snmp”.
>
> I installed SNMP management software on 10.0.0.100 and successfully poll
> the router using SNMP-USER credentials.
>
> R6(config)#do sh snmp
> Chassis: FTX0949C02R
> 4 SNMP packets input
>     0 Bad SNMP version errors
>     0 Unknown community name
>     0 Illegal operation for community name supplied
>     0 Encoding errors
>     3 Number of requested variables
>     0 Number of altered variables
>     2 Get-request PDUs
>     0 Get-next PDUs
>     0 Set-request PDUs
>     0 Input queue packet drops (Maximum queue size 1000)
> 4 SNMP packets output
>     0 Too big errors (Maximum packet size 1500)
>     0 No such name errors
>     0 Bad values errors
>     0 General errors
>     0 Response PDUs
>     0 Trap PDUs
>     0 Unknown Security Models
>     0 SNMP Invalid Messages
>     0 SNMP Unknown PDU handlers
>     0 Unsupported Security Level
>     0 Unknown User Names
>     2 Unknown EngineIDs
>     0 Not In Time Windows
>     0 Wrong MD5 or SHA Digests
>     0 Decryption Errors
>
> SNMP logging: disabled
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>