SNMP Over VPN Tunnel

Unanswered Question
Oct 20th, 2008
User Badges:


I've setup a GRE tunnel between 2 Cisco routers. I'd like to monitor one of the routers over the VPN tunnel, for bandwidth info. I've tried simply configuring snmp, which doesn't work. Having read up on the subject, it looks like I'll need to setup vrf routes. Would someone be able to provide me with some simple config on how I could setup SNMP monitoring of this router over the VPN tunnel?

Your help is much appreciated.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (4 ratings)
Collin Clark Mon, 10/20/2008 - 05:14
User Badges:
  • Purple, 4500 points or more

You might also want to look at using loopbacks for monitoring SNMP. I am monitoring devices through a GRE tunnel and I do not use vrf routes.

Hope that helps.

alraycisco Mon, 10/20/2008 - 05:19
User Badges:


Could you explain further how I would use loopbacks for this? Could you provide a sample config?

The current snmp config on this router is the same as my other Cisco routers which are working, i.e.

snmp-server host x.x.x.x public

snmp-server enable traps

I'm using SNMP v1. This is the output from show snmp

105 SNMP packets input

0 Bad SNMP version errors

0 Unknown community name

103 Illegal operation for community name supplied

0 Encoding errors

22 Number of requested variables

0 Number of altered variables

100 Get-request PDUs

3 Get-next PDUs

0 Set-request PDUs

0 Input queue packet drops (Maximum queue size 1000)

127 SNMP packets output

0 Too big errors (Maximum packet size 1500)

81 No such name errors

0 Bad values errors

0 General errors

103 Response PDUs

22 Trap PDUs


lamav Mon, 10/20/2008 - 05:26
User Badges:
  • Blue, 1500 points or more


You should really read all about SNMP and how to configure it on a Cisco device.

The purpose of using a loopback interface is to tell the router to source that interface when sending SNMP traffic. Remember, without specifying that, the router will select the exit interface's IP address as the source interface from which SNMP traffic will be sourced (source IP address in the IP datagram). This may or may not mean anything to you -- it depends on which subnets are allowed across the tunnel.



Collin Clark Mon, 10/20/2008 - 05:39
User Badges:
  • Purple, 4500 points or more

If you create a loopback interface (which is logical) on each router and put it in a different subnet, you can access that IP by any link (assuming you have multiple WAN links or connectivity to the router).

config t

int loopback0

ip address

You will want the loopback subnet mask to be /32. Using your SNMP manager, point it to the loopback IP address instead of a physical address of the router. There is no specific SNMP config under the interface.

alraycisco Mon, 10/20/2008 - 06:30
User Badges:


it looks like the following command resolved the issue:

snmp-server community public RO


Collin Clark Mon, 10/20/2008 - 06:34
User Badges:
  • Purple, 4500 points or more

Good to hear. Depending on your security req, you might want to append an ACL on the end.

snmp-server community public RO 50

access-list 50 permit

A helpful command for SNMP is snmp-server ifindex persist. That will make the ifindexes of your interfaces stay the same.


This Discussion