04-24-2009 10:12 AM
I'm trying to determine what changes I need to make in order to read the BRIDGE-MIB for a switch using SNMP v3. In v1 and v2c, there is community string indexing. Based on articles that I've found, this is not the case with v3.
I've seen some articles referring to the use of contexts to gather the information, but I've read other articles indicating that it doesn't always work, and may be related to the firmware version of the device. I've got switches running both CatOS and IOS, so I'm looking for a solution that works across the board.
At the end of the day, I need the following information:
1) How do I read the BRIDGE-MIB tables for multiple VLANs?
2) If there are restrictions that the process won't/can't work for some devices, how can I programmatically determine that?
3) If there is no way to determine if a process can be followed (from 2), what is the impact of running the answer to (1) on a switch that doesn't support it?
Thanks - Matt
04-24-2009 10:23 AM
You must use contexts to get per-VLAN data from the BRIDGE-MIB with SNMPv3. Not all IOS switches support this. In general, if the device supports the "show snmp context" command, contexts will work. If not, an upgrade is needed. However, some switches (e.g. 2950 series) will never support SNMPv3 contexts. You must use v1/v2c with these switches.
Very simply, you need to add the context to the SNMP group to allow your users to poll the given context. For example, to allow users to poll the BRIDGE-MIB for context vlan-6, you would add something like:
snmp-server group v3group v3 auth context vlan-6 read v1default
Or for CatOS:
set snmp access v3group security-model v3 authentication read myview context vlan- prefix nonvolatile
The CatOS approach is more efficient since this allows you to add support for all VLAN contexts in one command. With IOS, you will have to add each VLAN context by hand. Newer versions of IOS support a match operator. If your IOS supports it, you can do:
snmp-server group v3group v3 auth context vlan- match prefix
04-24-2009 11:25 AM
Thanks for the update! This means the theory that I'm following is correct, there's just something wrong in my configuration.
I thought that I had everything put in place:
snmp-server context vlan-24
snmp-server group mattv3 v3 noauth
snmp-server group mattv3 v3 noauth context vlan-24
snmp-server user wddmatt mattv3 v3
However, when I query the dot1dTpFdbTable, I get endOfMibView for my response. There are MAC addresses present in VLAN 24, as I can see with show mac-address-table.
If it makes a difference, I'm running Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1).
Thanks again for the help.
Matt
04-24-2009 11:40 AM
First, you should not have to configure snmp-server context ANYTHING. Second, as I said, use the "show snmp context" command to confirm if contexts are supported. This version of IOS will not support contexts. You will need to upgrade to 12.2(25)SEE to get context support.
04-24-2009 11:51 AM
My apologies. I did "show snmp context" and got the list of contexts back that I had added for each of my VLANs (there's more than just #24). Based on your comments, I would have assumed this was going to work. I'll have to look into upgrading. What would I expect to see if it was properly supported?
Thanks - Matt
04-24-2009 11:55 AM
The show snmp context command should be unhidden (i.e. "show snmp ?" should show it), and the command should produce a list of all VLANs on the device. For example:
vlan-1
vlan-2
vlan-3
vlan-4
...
vlan-1003
vlan-1004
vlan-1005
While I have not seen any device that supported this command not support contexts, I suppose the parser support could have been added before official support. In any event, Desktop switches like the 3560 require at least 12.2(25)SEE for context support.
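An added example (not code from the thread or from Cisco) that turns the advice above into a programmatic check: it walks dot1dTpFdbPort in each vlan-N context using net-snmp's snmpwalk with the -n context option, and treats the "No more variables left in this MIB View" (endOfMibView) reply as the "contexts not supported" signal described in the posts. The host, user and passphrase are placeholders; SHA authentication without privacy is assumed.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# dot1dTpFdbPort (BRIDGE-MIB): index is the MAC as six OID sub-ids, value is the bridge port
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"
# Text net-snmp prints when the agent answers the walk with endOfMibView
END_OF_MIB = "No more variables left in this MIB View"
_ROW = re.compile(r"^\.?" + re.escape(DOT1D_TP_FDB_PORT) + r"\.(\d+(?:\.\d+){5})\s+(\d+)\s*$")


def snmpwalk_cmd(host: str, user: str, auth_pass: str, vlan: int) -> List[str]:
    """net-snmp command for one VLAN context (assumed: SHA auth, no privacy, numeric quick output)."""
    return ["snmpwalk", "-v3", "-l", "authNoPriv", "-u", user, "-a", "SHA", "-A", auth_pass,
            "-n", f"vlan-{vlan}", "-On", "-Oq", host, DOT1D_TP_FDB_PORT]


def parse_fdb(output: str) -> Tuple[bool, Dict[str, int]]:
    """Return (context_supported, {mac: bridge_port}) from snmpwalk output.

    endOfMibView means the context did not yield the table (the symptom in the thread);
    an empty table with no such message is a supported context for a VLAN with no MACs."""
    if END_OF_MIB in output:
        return False, {}
    table: Dict[str, int] = {}
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        mac = ":".join(f"{int(x):02x}" for x in m.group(1).split("."))
        table[mac] = int(m.group(2))
    return True, table


def poll_vlans(host: str, user: str, auth_pass: str, vlans: List[int]) -> Dict[int, Dict[str, int]]:
    """Walk the FDB per VLAN; stop at the first VLAN whose context is rejected, since that
    indicates an IOS without context support rather than a problem with one VLAN."""
    result: Dict[int, Dict[str, int]] = {}
    for vlan in vlans:
        proc = subprocess.run(snmpwalk_cmd(host, user, auth_pass, vlan),
                              capture_output=True, text=True, timeout=30)
        supported, table = parse_fdb(proc.stdout)
        if not supported:
            raise RuntimeError(f"vlan-{vlan}: endOfMibView, SNMPv3 contexts not supported here")
        result[vlan] = table
    return result


if __name__ == "__main__":
    print(poll_vlans("SWITCH_IP_PLACEHOLDER", "USER_PLACEHOLDER", "PASS_PLACEHOLDER", [24]))
```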
04-24-2009 12:08 PM
All of that is the case on my switch, so the parser support must have been added in this version.
Thanks again for the help.
Matt