BRIDGE-MIB with SNMP v3

mjames_wdd
Level 1

I'm trying to determine what changes I need to make in order to read the BRIDGE-MIB for a switch using SNMP v3. In v1 and v2c, there is community string indexing. Based on articles that I've found, this is not the case with v3.

I've seen some articles referring to the use of contexts to gather the information, but I've read other articles indicating that it doesn't always work, and may be related to the firmware version of the device. I've got switches running both CatOS and IOS, so I'm looking for a solution that works across the board.

At the end of the day, I need the following information:

1) How do I read the BRIDGE-MIB tables for multiple VLANs?

2) If there are restrictions that the process won't/can't work for some devices, how can I programmatically determine that?

3) If there is no way to determine if a process can be followed (from 2), what is the impact of running the answer to (1) on a switch that doesn't support it?

Thanks - Matt

Accepted Solution

Joe Clarke
Cisco Employee

You must use contexts to get per-VLAN data from the BRIDGE-MIB with SNMPv3. Not all IOS switches support this. In general, if the device supports the "show snmp context" command, contexts will work. If not, an upgrade is needed. However, some switches (e.g. 2950 series) will never support SNMPv3 contexts. You must use v1/v2c with these switches.

Very simply, you need to add the context to the SNMP group to allow your users to poll the given context. For example, to allow users to poll the BRIDGE-MIB for context vlan-6, you would add something like:

snmp-server group v3group v3 auth context vlan-6 read v1default

Or for CatOS:

set snmp access v3group security-model v3 authentication read myview context vlan- prefix nonvolatile

The CatOS approach is more efficient since this allows you to add support for all VLAN contexts in one command. With IOS, you will have to add each VLAN context by hand. Newer versions of IOS support a match operator. If your IOS supports it, you can do:

snmp-server group v3group v3 auth context vlan- match prefix

Thanks for the update! This means the theory that I'm following is correct; there's just something wrong in my configuration.

I thought that I had everything put in place:

snmp-server context vlan-24
snmp-server group mattv3 v3 noauth
snmp-server group mattv3 v3 noauth context vlan-24
snmp-server user wddmatt mattv3 v3

However, when I query the dot1dTpFdbTable, I get endOfMibView for my response. There are MAC addresses present in VLAN 24, as I can see with show mac-address-table.

If it makes a difference, I'm running Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1).

Thanks again for the help.

Matt

First, you should not have to configure snmp-server context ANYTHING. Second, as I said, use the "show snmp context" command to confirm if contexts are supported. This version of IOS will not support contexts. You will need to upgrade to 12.2(25)SEE to get context support.

My apologies. I did "show snmp context" and got the list of contexts back that I had added for each of my VLANs (there's more than just #24). Based on your comments, I would have assumed this was going to work. I'll have to look into upgrading. What would I expect to see if it was properly supported?

Thanks - Matt

The show snmp context command should be unhidden (i.e. "show snmp ?" should show it), and the command should produce a list of all VLANs on the device. For example:

vlan-1
vlan-2
vlan-3
vlan-4
...
vlan-1003
vlan-1004
vlan-1005

While I have not seen any device that supported this command not support contexts, I suppose the parser support could have been added before official support. In any event, Desktop switches like the 3560 require at least 12.2(25)SEE for context support.

All of that is the case on my switch, so the parser support must have been added in this version.

Thanks again for the help.

Matt
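To turn the advice in this thread into something scriptable (question 2 in the original post), here is an added example that is not part of the thread or of any Cisco tool: it drives net-snmp's snmpwalk with the -n context option that selects the vlan-N context, decodes the dot1dTpFdbTable index (the six MAC octets as decimal sub-identifiers) into a MAC-to-bridge-port map, and recognises the "No more variables left in this MIB View" output that corresponds to the endOfMibView Matt saw on 12.2(25)SEB4. Hostname, user name, passphrase and the authNoPriv/SHA settings are placeholders; the walk runner is injectable so the parsing can be exercised on constructed output without a switch.

```python
"""Probe per-VLAN BRIDGE-MIB access over SNMPv3 contexts using net-snmp's snmpwalk."""
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# net-snmp prints this when the agent answers endOfMibView at the first OID of the
# walk, which is what an unsupported (or not yet granted) context produced in the thread.
END_OF_MIB = "No more variables left in this MIB View"
# dot1dTpFdbPort rows are indexed by the 6 MAC octets as decimal sub-identifiers.
FDB_PORT = re.compile(r"dot1dTpFdbPort\.((?:\d+\.){5}\d+) = INTEGER: (\d+)")


def snmpwalk_cmd(host: str, user: str, auth_pass: str, vlan: int) -> List[str]:
    """Build the snmpwalk command line; -n selects the per-VLAN context (placeholder creds)."""
    return ["snmpwalk", "-v3", "-l", "authNoPriv", "-u", user, "-a", "SHA",
            "-A", auth_pass, "-n", f"vlan-{vlan}", host, "BRIDGE-MIB::dot1dTpFdbPort"]


def parse_fdb_walk(output: str) -> Tuple[str, Dict[str, int]]:
    """Classify a walk: ('rows', {mac: bridge port}), ('empty', {}) or ('error', {})."""
    table: Dict[str, int] = {}
    for line in output.splitlines():
        m = FDB_PORT.search(line)
        if m:
            mac = ":".join(f"{int(o):02x}" for o in m.group(1).split("."))
            table[mac] = int(m.group(2))
    if table:
        return "rows", table
    if END_OF_MIB in output:
        return "empty", {}
    return "error", {}  # timeout, auth failure, unknown context report, etc.


def run_snmpwalk(cmd: List[str]) -> str:
    """Default runner: real snmpwalk; stderr is merged so timeouts classify as errors."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
    except subprocess.TimeoutExpired:
        return ""
    return proc.stdout + proc.stderr


def probe_vlan_contexts(host: str, user: str, auth_pass: str, vlans: List[int],
                        run: Callable[[List[str]], str] = run_snmpwalk) -> Dict[str, object]:
    """Walk every VLAN context. An 'empty' VLAN is ambiguous on its own (it may simply
    have no learned MACs), but if no context at all returns a row, contexts are most
    likely unsupported by the IOS release or not granted to the v3 group."""
    status = {v: parse_fdb_walk(run(snmpwalk_cmd(host, user, auth_pass, v))) for v in vlans}
    return {"per_vlan": {v: s for v, (s, _) in status.items()},
            "fdb": {v: t for v, (_, t) in status.items() if t},
            "contexts_usable": any(s == "rows" for s, _ in status.values())}
```

Compare the "fdb" map against show mac-address-table for the same VLAN, as Matt did, before concluding that an "empty" result means the context is broken rather than the VLAN being idle.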
