topic Re: APIC SNMP engineID in DevNet Sandbox

APIC SNMP engineID

Nik Noltenius — Tue, 04 Jun 2019 09:40:56 GMT

Hi folks,

for some reason my APIC does not reveal an SNMP engine ID:

apic1# show snmp summary 

Active Policy: SNMP-NAME, Admin State: enabled

Local SNMP engineID: [Hex] Not Found

----------------------------------------
Community Description 
----------------------------------------

------------------------------------------------------------
User Authentication Privacy 
------------------------------------------------------------
PRTG hmac-sha1-96 aes-128 

------------------------------------------------------------
Client-Group Mgmt-Epg Clients
------------------------------------------------------------
PRTG-SNMP default (Out-Of-Band) ###.###.###.###

------------------------------------------------------------
Host Port Version Level SecName 
------------------------------------------------------------
###.###.###.### 162 v2c noauth Public 
###.###.###.### 162 v2c noauth WHATEVER

SNMP ist configured and the fabric switches all have engine IDs...

Only for the controller I can't find a way to configure one. Searching the web I found a couple of screenshots and examples where the APIC does indeed have an engine ID, so I guess mine is not supposed to be behaving the way it does.

What am I missing? Can I manually assign an ID somewhere? Shouldn't there be one by default?

Kind regards,
Nik

Re: APIC SNMP engineID

Ahmed Boujelben — Mon, 03 Sep 2018 11:07:46 GMT

Hi Nik,

We have issued the same problem. How did you resolve the issue ?

Regards,

Ahmed

Re: APIC SNMP engineID

Nik Noltenius — Tue, 04 Sep 2018 06:34:11 GMT

Hi Ahmed,

unfortunately we haven't been able to resolve the issue yet. I will update the thread, if we ever find a solution...

Regards,
Nik

Re: APIC SNMP engineID

Nik Noltenius — Mon, 10 Sep 2018 07:03:03 GMT

Hi Ahmed,

I wouldn't call it a solution per se, but we figured out, that the APICs generate an engine ID as soon as a community policy is configured under the SNMP policy.

We are only using SNMPv3 so from my understanding we wouldn't have required a community, but apparently it is a way to have an engine ID for the APICs. I'm not sure if there are any side-effects, though.

Regards,
Nik

Re: APIC SNMP engineID

Nik Noltenius — Tue, 11 Sep 2018 13:51:34 GMT

Sorry to answer my own question but maybe it'll be helpful to others.

So, as I already stated in an answer below the first thing one can do to get the SNMP engine ID on an APIC to show up is configure a Community Policy under the SNMP policy. This feels kind of counter-intuitive if one is using SNMPv3 but hey, it works.

However this does not mean, the APIC won't use an engine ID without a community. As a matter of fact, packet captures show that the APIC does indeed send it's engine ID in SNMP reports even if the community is not configured. It just doesn't show up in the CLI which is kind of unexpected.

This is also TAC-confirmed behavior. They said, SNMP simply works differently on the APICs than on the leaf and spine switches thus there are differences in the output as well. - Fine, I don't have to understand that but I definitely can live with it.

tl;dr

Configure a community and "show snmp engineid" will reveal the ID on the APIC

Leave the community or delete it, the engine ID stays the same and is sent in messages even if it's not presented in the output of aforementioned CLI command any more.

Kind regards,

Nik