I need to implement SNMP v3 across a large estate (~400 devices), primarily so that these devices can be managed by CW Prime LMS 4.2. I have tested this manually and I'm getting LMS talking to the test device OK, so I'm getting to grips with things. However, it has only recently become apparent to me that each device needs to have a unique engineID, so this could take some time if I have to enter each engineID manually into the CW credential database!
Is there any way I can automate this process using LMS 4.2? If not, has anybody else who has had to migrate from SNMP v1/2 been able to suggest any solutions for making this process quicker?
An SNMP engine ID is generated automatically but is not displayed or stored in the running configuration. You can display the default or configured engine ID by using the show snmp engineID command.
Changing the value of snmpEngineID has important side-effects. A user's password (entered on the command line) is converted to an MD5 or SHA security digest. This digest is based on both the password and the local engine ID. The command line password is then destroyed, as required by RFC 2274. Because of this deletion, if the local value of engineID changes, the security digests of SNMPv3 users will be invalid, and the users will have to be reconfigured.
Similar restrictions require the reconfiguration of community strings when the engine ID changes. A remote engine ID is required when an SNMPv3 inform is configured. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
It is not mandatory to configure snmpEngineID, as it is generated by default in IOS. If you configure it, it will make an already complicated SNMP v3 config even more complicated.
In LMS, it is not possible to configure all devices for snmpEngineID, as each value has to be unique and NetConfig job would not be able to do so.
A script could be devised to do so, which may add/increment the engineID by some fixed value.
**Rating encourages contributors, and it's really free.**
Thanks for your response, Vinod, but unfortunately this hasn't really answered my question. I understand that the IOS generates a unique engineID which isn't displayed by default but can be viewed using a show command.
The problem I have is that I need to configure 400 unique engineIDs in our Prime LMS 4.2 NMS and I don't want to have to do this manually, surely somebody must have had to automate this process at some point or am I misunderstanding?