Cisco IOS – Version Changes for SNMPv3 Server-Group Context


I'm trying to understand switch mapping using SNMPv3. It's come to my attention that the group (user) who is authenticating needs access to the context for mapping out VLANs. I've figured out this can be accomplished with the command:

 snmp-server group [groupname] v3 priv context [vlanID / match]

However, the matching function doesn't seem to be supported on all IOS versions, and the context feature also doesn't appear to be present in all Cisco IOS versions. Can anyone help me get a better understanding of the context of all this? (no pun intended)

Best Answer

According to the Internet standards organization (IETF), SNMP contexts are described as follows:

https://www.rfc-editor.org/rfc/rfc5343

Within an administrative domain, an SNMP engine is uniquely identified by an snmpEngineID value [RFC3411]. An SNMP entity, which consists of an SNMP engine and several SNMP applications, may provide access to multiple contexts.

An SNMP context is a collection of management information accessible by an SNMP entity. An item of management information may exist in more than one context and an SNMP entity potentially has access to many contexts [RFC3411]. A context is identified by the snmpEngineID value of the entity hosting the management information (also called a contextEngineID) and a context name that identifies the specific context (also called a contextName).

To identify an individual item of management information within an administrative domain, a four tuple is used consisting of

  1. a contextEngineID,
  2. a contextName,
  3. an object type, and
  4. its instance identification.

The last two elements are encoded in an object identifier (OID) value. The contextName is a character string (following the SnmpAdminString textual convention of the SNMP-FRAMEWORK-MIB [RFC3411]) while the contextEngineID is an octet string constructed according to the rules defined as part of the SnmpEngineID textual convention of the SNMP-FRAMEWORK-MIB [RFC3411].

The SNMP protocol operations and the protocol data units (PDUs) operate on OIDs and thus deal with object types and instances [RFC3416]. The SNMP architecture [RFC3411] introduces the concept of a scopedPDU as a data structure containing a contextEngineID, a contextName, and a PDU. The SNMP version 3 (SNMPv3) message format uses ScopedPDUs to exchange management information [RFC3412].

Within the SNMP framework, contextEngineIDs serve as end-to-end identifiers. This becomes important in situations where SNMP proxies are deployed to translate between protocol versions or to cross middleboxes such as network address translators. In addition, snmpEngineIDs separate the identification of an SNMP engine from the transport addresses used to communicate with an SNMP engine. This property can be used to correlate management information easily, even in situations where multiple different transports were used to retrieve the information or where transport addresses can change dynamically.

To retrieve data from an SNMPv3 agent, it is necessary to know the appropriate contextEngineID. The User-based Security Model (USM) of SNMPv3 provides a mechanism to discover the snmpEngineID of the remote SNMP engine, since this is needed for security processing reasons. The discovered snmpEngineID can subsequently be used as a contextEngineID in a ScopedPDU to access management information local to the remote SNMP engine.

To clarify your comment "It also looks like they were removed from IOS at some point after being added."

That is not true. Cisco devices still support SNMP contexts on new IOS, IOS-XE, NXOS etc.

In the past it was required to configure access to each "vlan-*" context. Newer versions of IOS support the "match prefix" syntax that makes scalability easier.

The configuration varies a lot depending on the IOS version and model type.

Examples:

Cisco 2960/S/X etc. IOS Release 15.X.X(X) (Tested - https://communities.ca.com/thread/100549100):

Given:
View Name - View1
Group Name - Group1
Access List - Access1
User - User1
SHA pass - password1
AES pass - password2
Location - Location1
Contact - Contact1

Then:
conf t
! create access list "Access1"
ip access-list standard Access1
! grant permissions in the list
permit any
end

conf t
! create the view "View1", add "system" SNMP info to the view
snmp-server view View1 system included
! add "internet" SNMP info to the view
snmp-server view View1 internet included
! create the group "Group1" with access through access list "Access1"
snmp-server group Group1 v3 priv access Access1
! use "View1" with the group
snmp-server group Group1 v3 priv read View1
! add context names to the group; this adds all context names starting with "vlan-", which is what Spectrum wants to see
snmp-server group Group1 v3 priv context vlan- match prefix
! create a user in group "Group1" with SNMPv3 credentials
snmp-server user User1 Group1 v3 auth sha password1 priv aes 128 password2
! set the switch location in SNMP
snmp-server location Location1
! set the switch contact information in SNMP
snmp-server contact Contact1
end
wr

Make changes as required, e.g. the permissions in the access list.
We used view "v1default" and added "system" to it; it already had "internet".

Cisco 3750 IOS version 12.2(55)SE10 (Tested - https://switchportmapper.com/support-mapping-a-cisco-switch-using-snmpv3.htm)

How to enable SNMPv3 in a Cisco Switch IOS CLI

  1. Switch>enable
  2. Switch#config term - this allows you to edit the running-config. (note: to remove any of the following 3 commands, use 'no snmp-server view', 'no snmp-server group' or 'no snmp-server user')
  3. Create a view for the test SNMPv3 user: Switch(config)#snmp-server view testv3view internet included
  4. Create a group to access the view: Switch(config)#snmp-server group testv3group v3 priv read testv3view write testv3view
  5. Create a user for the group: Switch(config)#snmp-server user testv3user testv3group v3 auth md5 Passw0rd priv des Passw0rd
  6. Activate context prefix matching by entering this command: Switch(config)#snmp-server group yourV3groupName v3 auth context vlan- match prefix (If you do not do this the Managed Switch Port Mapping Tool will give error messages claiming it cannot access Bridge Mib even though the rest of the mapping appears to work. See the next section if that command is not supported by your version of IOS)
  7. Switch(config)#Ctrl-z
  8. Optionally save it to the startup config using Switch#copy running-config startup-config

Problem: my Cisco 3750 switch maps fine using SNMPv1 or v2c, but with SNMPv3 I no longer see MAC Addresses, IP Addresses, VLANs or hostnames. What is wrong with the Switch Port Mapper?

Nothing is wrong with the Switch Port Mapper. The problem is in the switch and its config settings.

Background: Cisco uses 'community name indexing' for SNMPv1 and SNMPv2c to allow us to get VLAN specific information from BRIDGE-MIB. In SNMPv3 they use a variation of this technique by making use of SNMPv3 contexts. The context field is changed for each VLAN requested so that BRIDGE-MIB will give us the information we need for that particular VLAN. The problem is not all versions of IOS support contexts and in order to request context information for each VLAN, you have to make changes to the running config through CLI. If the switch is not configured, this software and any other switch mapping software cannot map the switch with SNMPv3.

First, you need to see if your switch supports contexts. From CLI run this command:

Switch>enable
Switch#show snmp context
vlan-1
vlan-3
vlan-1005
vlan-1005
vlan-1005
vlan-1005

Assuming your switch does support contexts, next check to see if your switch supports prefix matching.

In your running config add:

Switch>enable
Switch#config term
Switch(config)#snmp-server group yourV3groupName v3 auth context vlan- match prefix
(don't forget the dash after vlan)
Switch(config)#Ctrl-z

If the switch does support prefix matching, every Cisco switch using that version of IOS or later that you intend to map with SNMPv3 must have that command in its config. You can skip the next section; you are finished.

If the switch does NOT support prefix matching you have a lot of work to do. Every VLAN must have a context set up for it. You have to add this command into running config for EVERY VLAN:

snmp-server group yourV3groupName v3 priv context vlan-(vlanid)

So if you have 10 VLANs on the switch, that command must appear 10 times, once for each VLAN (no parens around 'vlanid' and you may want to add 'access #' at the end).

Examples for a switch with vlans number 6, 100, 117 and 200 (note the optional access list statement):

Switch>enable
Switch#config term
Switch(config)#snmp-server group yourV3groupName v3 priv context vlan-6
Switch(config)#snmp-server group yourV3groupName v3 priv context vlan-100
Switch(config)#snmp-server group yourV3groupName v3 priv context vlan-117
Switch(config)#snmp-server group yourV3groupName v3 priv context vlan-200 access 51
Switch(config)#Ctrl-z

Important note: the 'vlan-' contexts are probably different from the SNMP contexts you may have used - you must use the vlan- context in the statements described above in this topic whether using prefix matching or individual entries. Treat vlan- as 'reserved' contexts to avoid confusion. The topic before this one is not using SNMPv3 contexts at all.

More questions? see this thread: https://supportforums.cisco.com/thread/2036734
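The procedure above boils down to three mechanical steps: read `show snmp context` to learn which `vlan-<id>` contexts exist, grant the SNMPv3 group access to them (one `match prefix` line if the release supports it, otherwise one line per VLAN), and then walk the same BRIDGE-MIB table once per context. The following Python is an added example, not code from the original post, from Cisco or from any of the mapping tools mentioned; the sample `show snmp context` output, the group name `Group1`, user `User1`, passwords, ACL name `Access1` and NMS address `192.0.2.10` are all constructed. It also swaps the `permit any` access list from the answer for one restricted to the management station, and shows the v2c `community@vlan` form beside the v3 `-n vlan-<id>` form so the "same OID, different context" mechanism is visible.

```python
"""Added example (not from the original post or from Cisco): turn the output
of `show snmp context` into the IOS lines that give an SNMPv3 group access to
the per-VLAN 'vlan-<id>' contexts, and build the net-snmp commands that walk
BRIDGE-MIB inside each context. All names, passwords, addresses and the sample
CLI output below are constructed for the example."""

import re

# BRIDGE-MIB dot1dTpFdbPort (MAC address -> bridge port), the table a port
# mapper walks once per VLAN context.
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"

# Constructed sample of `show snmp context` on a switch with four user VLANs
# plus the default VLANs 1 and 1002-1005.
SAMPLE_SHOW_SNMP_CONTEXT = """\
vlan-1
vlan-6
vlan-100
vlan-117
vlan-200
vlan-1002
vlan-1003
vlan-1004
vlan-1005
"""

# What IOS prints when a keyword (here 'match prefix') is not in this release.
IOS_INVALID_INPUT = "% Invalid input detected at '^' marker."


def vlan_ids_from_contexts(show_output):
    """VLAN ids for which the switch exposes a 'vlan-<id>' SNMP context."""
    return [int(m.group(1))
            for line in show_output.splitlines()
            if (m := re.fullmatch(r"vlan-(\d+)", line.strip()))]


def prefix_match_supported(cli_response):
    """True if IOS accepted 'context vlan- match prefix' silently; the
    '% Invalid input' message means the keyword is absent in this release."""
    return IOS_INVALID_INPUT not in cli_response


def context_config(group, vlan_ids, prefix_supported, acl=None):
    """IOS lines giving `group` (v3 priv) access to the VLAN contexts.

    With prefix matching one line covers every current and future VLAN;
    without it one line per VLAN, which must be redone whenever VLANs change."""
    suffix = f" access {acl}" if acl else ""
    if prefix_supported:
        return [f"snmp-server group {group} v3 priv context vlan- match prefix{suffix}"]
    return [f"snmp-server group {group} v3 priv context vlan-{v}{suffix}"
            for v in vlan_ids]


def nms_acl_config(acl_name, nms_host):
    """Standard ACL limiting the group to the management station instead of
    the post's 'permit any'; the implicit deny at the end of an IOS ACL
    drops every other source."""
    return [f"ip access-list standard {acl_name}",
            f" permit host {nms_host}"]


def snmpwalk_v3_argv(host, user, auth_pass, priv_pass, vlan_id):
    """net-snmp walk of dot1dTpFdbPort scoped to the 'vlan-<id>' context
    (-n sets the contextName carried in the ScopedPDU)."""
    return ["snmpwalk", "-v3", "-l", "authPriv",
            "-u", user, "-a", "SHA", "-A", auth_pass,
            "-x", "AES", "-X", priv_pass,
            "-n", f"vlan-{vlan_id}", host, DOT1D_TP_FDB_PORT]


def snmpwalk_v2c_argv(host, community, vlan_id):
    """The v1/v2c equivalent: Cisco community-string indexing, community@vlan."""
    return ["snmpwalk", "-v2c", "-c", f"{community}@{vlan_id}",
            host, DOT1D_TP_FDB_PORT]


def switch_config(group, acl, nms_host, show_output, cli_response):
    """Config fragment for one switch, choosing the branch by what the CLI
    answered when the match-prefix line was tried."""
    vlans = vlan_ids_from_contexts(show_output)
    lines = nms_acl_config(acl, nms_host)
    lines += context_config(group, vlans, prefix_match_supported(cli_response), acl)
    return lines


if __name__ == "__main__":
    for resp in ("", IOS_INVALID_INPUT):
        print("! IOS response to the match-prefix attempt:", repr(resp))
        print("\n".join(switch_config("Group1", "Access1", "192.0.2.10",
                                      SAMPLE_SHOW_SNMP_CONTEXT, resp)))
        print()
    # One walk per VLAN: same OID, different contextName.
    for v in vlan_ids_from_contexts(SAMPLE_SHOW_SNMP_CONTEXT):
        print(" ".join(snmpwalk_v3_argv("switch1", "User1", "password1",
                                        "password2", v)))
```

Two practical notes. The example uses SHA/AES as in the 2960 configuration; the 3750 example's `auth md5 ... priv des` should only be used where the release offers nothing stronger. And passing `-A`/`-X` on the command line leaves the passphrases visible in the process list; for real use net-snmp reads `defAuthPassphrase` and `defPrivPassphrase` from `snmp.conf` instead.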