SNMPv3 Community String Indexing

Unanswered Question
Apr 17th, 2007

Some standard MIBs assume that a particular SNMP entity contains only one instance of the MIB. Thus, the standard MIB does not have any index that allows you to directly access an instance of the MIB. In these cases, a community string indexing is provided to access each instance of the standard MIB. The syntax is [community string]@[instance number].

For example, the Catalyst switch includes one instance of the standard BRIDGE-MIB for each VLAN in the switch. If the read-only community string is public and the read-write community string is private, you can use public@25 to read the BRIDGE-MIB for VLAN 25 and use private@33 to read and write the BRIDGE-MIB for VLAN 33. If just public or private is used, the BRIDGE-MIB for VLAN 1 is accessed.

For SNMPv3 there are NO community strings. So the question is: how do we access the bridge MIB for VLANs? Currently, when using SNMPv3, we only see the entries on VLAN 1.

Joe Clarke Tue, 04/17/2007 - 09:04

This is done using SNMP contexts. This is a more standard and reliable way of getting different MIB trees for different subsystems within the same device. However, this does require you to do extra configuration on the device. What device, and what version of code are you using? What SNMP management system are you using? Does it support SNMP contexts?

hulbertj17613 Wed, 04/18/2007 - 15:14

Thanks for the response. This would be done on multiple Cisco switches, 6500/4500/3750/3560/3550 using MG-Soft software and yes, it does support Contexts.

Joe Clarke Wed, 04/18/2007 - 15:26

All of those switches can run code that supports SNMP contexts. 6500s running recent 12.2SXF or higher code support contexts as do 35xx switches running 12.2(25)SEE or higher. For the 4500, you must be running 12.2(31)SG or higher.

Here is an example config that will give userv3 access to the default branch as well as contexts vlan-1 and vlan-100. See "show snmp context" for a list of all available contexts:

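! Group with access to the default context
snmp-server group v3group v3 auth
! Same group, also granted the vlan-1 and vlan-100 contexts
snmp-server group v3group v3 auth context vlan-1
snmp-server group v3group v3 auth context vlan-100
! User userv3 placed in v3group, authenticating with MD5
snmp-server user userv3 v3group v3 auth md5 userv3pw123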

Then you would specify the context name (e.g. vlan-1, vlan-100, etc.) along with the SNMPv3 username and password when querying the dot1dTpFdbTable objects in MG-Soft.

b.julin Tue, 05/15/2007 - 05:46

Just spent 2 hours figuring this out. Wish I had searched netpro instead of CISCO's main site, which returned near useless results as to how to actually set it up, scattered among several documents, from VPNs to NMS release notes, that all needed to be pieced together along with some commandline detective work. Sigh.

Does anyone know if there is a way to give an SNMPv3 group access to all contexts? If no context is specified, you cannot get at the bridge-mib for all vlans (vlan-1 seems to default), and we have a whole lot of vlans, so adding a line for every vlan for every SNMP context is quite amazingly inconvenient.

Joe Clarke Tue, 05/15/2007 - 07:48

Yes, this is inconvenient, but it is the only way to do it for IOS devices. I have developed an IOS TCL script that makes this a lot easier, but it currently only works on 6500 and 7600 switches that are running 12.2(18)SXF5 or higher. If there is interest, I will post it.
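The per-VLAN group lines from the example config earlier in the thread, and the context-by-context polling they imply, generalized to an arbitrary VLAN list as an added example; this is not Joe Clarke's TCL script or anything posted in the thread. It assumes a net-snmp poller (not MG-Soft) whose auth passphrase is set in snmp.conf, and the function names, sample VLAN list and host address are constructed.

```python
"""Added example: expand a VLAN list into per-context SNMPv3 group lines."""

BRIDGE_FDB_OID = "1.3.6.1.2.1.17.4.3"  # BRIDGE-MIB dot1dTpFdbTable


def parse_vlans(spec):
    """Expand a spec such as "1,25,33,100-102" into a sorted list of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, sep, hi = part.partition("-")
        first = int(lo)
        last = int(hi) if sep else first
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(first, last + 1))
    return sorted(vlans)


def group_config(vlans, group="v3group", level="auth"):
    """IOS lines: one for the default context, then one per vlan-<id> context."""
    lines = [f"snmp-server group {group} v3 {level}"]
    lines += [f"snmp-server group {group} v3 {level} context vlan-{v}" for v in vlans]
    return lines


def walk_argv(host, user, vlan):
    """net-snmp snmpwalk argv for one VLAN's forwarding table.

    The passphrase is left out on purpose: this sketch assumes it is set as
    defAuthPassphrase in the poller's snmp.conf, not passed on the command line.
    """
    return ["snmpwalk", "-v3", "-l", "authNoPriv", "-u", user, "-a", "MD5",
            "-n", f"vlan-{vlan}", host, BRIDGE_FDB_OID]


if __name__ == "__main__":
    vlans = parse_vlans("1,25,33,100-102")  # constructed VLAN list
    print("\n".join(group_config(vlans)))
    for v in vlans:
        print(" ".join(walk_argv("192.0.2.10", "userv3", v)))  # constructed host
```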

hulbertj17613 Tue, 05/15/2007 - 10:52

Thanks, I would be very interested in your script if you don't mind. I appreciate your answers as well.

dany.datacraft Tue, 04/17/2012 - 07:32

Hey guys,

I know this is a pretty old topic, but I have been trying to locate this information. Feature Navigator doesn't help much.

I need to know what is the minimum IOS for Catalyst 6500 Supervisor engine 2 to support SNMP group context?

Galactis(config)#snmp-server group capitaland v3 auth ?
 access specify an access-list associated with this group
 notify specify a notify view for the group
 read specify a read view for the group
 write specify a write view for the group

This switch is running 12.1(22)E1.

Hope to get some help...

dany.datacraft Tue, 04/17/2012 - 08:37

Thanks Joe, but I don't think Sup Engine 2 / MSFC2 supports 12.2(33)SXH.

I will try in the lab with this image:


Otherwise the latest image for this platform is


Joe Clarke Tue, 04/17/2012 - 08:39

Those images will not work. If you cannot run 12.2(33)SXH, then you will not get SNMPv3 context support.

