This is my first time trying to use and configure snmp v3 on my cisco routers and switches.
Q1) for the engine ID, should I use local or remote?
Q2) if use remote, how and where can I find out what is the remote engine ID?
I am using HP Openview on Windows 2003
Q3) a friend used local engineID and it works for snmpv3. But the more I read documents on the cisco website the more I think it should be remote. So why and how does the local engineID can work for snmpv3?
Q4) another friend tried to use Ciscoworks for the snmpv3, but the ciscoworks does not prompt him for the option of "encrypted" or username/password.
What is lacking?
Any evaluation software that I can use?
Pls revert asap.
Your questions need more context. If you are just using SNMPv3 to do polling from an NMS to an agent, then you don't need to worry about the engineID. The devices should already have a pre-defined engineID, and the manager (i.e. OV) will use engineID discovery to figure out what it is.
All you need to configure for simple polling is an SNMPv3 group followed by an SNMPv3 user. If you want to do more advanced operations with views and ACLs, see http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml .
CiscoWorks LMS 2.5 and higher currently supports SNMPv3 authNoPriv. This means you will not be able to encrypt the SNMP payload, but you will be able to hash the user credentials using either MD5 or SHA-1. SNMPv3 authPriv support is planned for a future release. There are evaluation copies of CiscoWorks available that you should be able to get from your sales team.
Yes, I just need simple polling.
So, engineID will be the engineID of the device itself, that is, the router?
Also, since I Ciscoworks don't have authpriv yet, I used another management software called Castlerock.
The management Castlerock could poll the cisco 2811 router using snmpv3 successfully.
But using exact same configuration on cisco 2960 and cisco 3560 switches, although there are no error messages on the switches, but the Castlerock cannot poll the switches.
Any idea is it because the switches cannot support snmpv3?
But I don't receive any errors?
(i followed the instructions from cisco website)
Pls kindly advice asap.
When polling, your requests will contain the engineID of the device. Without seeing your SNMPv3 configuration, I cannot determine why you are having problems polling your devices.
I configured my switch as follows
1) snmp-server enable traps config
2) snmp-server remote engineID xxxxx (can't bothered to fill this part in)
3) snmp-server group nmsgrp v3 pri
4) snmp-server user nmsusr nmsgrp remote 10.10.10.1 v3 auth sha test1 pri des56 test2
5) snmp-server host 10.10.10.1 traps version 3 priv nmsusr
with the above same configuration on the 2811 router, the Castlerock management software can poll using snmpv3.
But with the above same configuration on 3560, 2950 and 2960 switches, the castlerock management software cannot poll.
Appreciate you can kindly help to advice whether is it because the switches do not support snmpv3?
By the way, the IOS used for the switches are
1) 2960 = 12.2(25)SEE1 and software image is C2960-LANBASEK9-M
2) 3560 = 12.2(25)SEE and software image is C3560-ADVIPSERVICESK
It is not recommended that you change your engineID. This is pre-configured on the device, and changing it will require a reload of the device. Note: engineID should be unique on all devices. If you have not reloaded these switches since changing the engineID, do so, and try to poll them again.
"engine ID should be unique on all devices"
Does this mean that I have to configure all unique engineIDs in the standard credential window for SNMPv3 (RME) ?
Not at all. As I said earlier, LMS applications will do engine ID discovery to obtain this information automatically. For example, when DeviceDiscovery obtains the engineID from a device, it will update DCR with that information.
Thx, for this answer.
It was just confusing to me, because RME foresees an input field "engineID" in the credentials window. Is there some reference of LMS where all this info is documented. I' ve searched in lot of LMS manuals (RME, CS, ... )but this info was never found.
You certainly CAN enter the engineID in DCR, but this is optional. The applications will figure this information out by the nature of SNMPv3. Configuring LMS for SNMPv3 is mentioned in the Cisco.com documentation, the context-sensitive online docs, and in the deployment guide at http://www.cisco.com/en/US/products/sw/cscowork/ps2425/prod_white_papers_list.html .