Cisco Support Community

SNMP Support over VPNs—Context Based Access Control

I am a little confused as to what this feature is designed to provide. I've been experimenting with this based on the examples in the CCO documentation.

Can anyone offer me any insight into the design of this feature?

My initial understanding was that all of the MIB data would be available (unless limited by a view) and that the contexts would limit access on a per-VRF basis. For example:

VRF Customer_A1 could be in contextA

VRF Customer_A2 could also be in contextA

VRF Customer_B could be in contextB.

When a walk query was performed on the MPLS-VPN MIB then only the data for the VRFs in the relevant context would be shown - so UserA (in GroupA which is associated with contextA) could see data about the Customer_A1 and Customer_A2 VRFs only, and UserB (in GroupB which is associated with contextB) could only see the information in contextB.

It seems that my theories weren't quite right - the vrf <-> context <-> group relationship appears to be a little strange. A context must be unique and cannot be duplicated between VRFs - this means that CustomerA that has two (or possibly more) VRFs on a router can't see data on both using the userA login?

It also appears that this feature doesn't work with views enabled on 12.3(7)T, and the data provided when context alone is used is limited to a subset of the IP-Forwarding MIB?


Re: SNMP Support over VPNs—Context Based Access Control

Information about this feature, including configuration examples, is available in the documentation at

I also feel that the image 12.3(7)T is not exactly the best choice. The image is pretty new and a 'T' image. You might end up running into bugs frequently.
