Tomas de Leon
Cisco Employee

The purpose of this BLOG is to discuss Questions, Concerns, and Issues with the SNMP Feature functionality in the ACI Fabrics. Since this is Feature focused, we can monitor your feedback and push for improvements and enhancements if requested. Also, this forum allows you to ask questions, and hopefully we can assist you with your questions.

Attached to the blog is the latest Technote that I have developed for this feature in ACI. Some troubleshooting tips may require "root" access. This requires Cisco TAC assistance, but I still wanted to document the process so that you understand the different ways to troubleshoot issues regarding this feature.

Thank you again for participating in the Cisco Support Forum!

T.

1 Comment
Tomas de Leon
Cisco Employee

Tech Tip of the Day

SNMP GET & Walks to APIC(s) do not work, why?

The following technote is written against Application Policy Infrastructure Controller Version 1.2(1i\k) and later. The following information does not apply to earlier versions of Application Policy Infrastructure Controller since SNMP was not supported on the APIC until "Brazos" 1.2(1i\k\m).

Preface for this Technote
The contents of this TechNote may NOT be the only issue and resolution for SNMP Gets not working to the APIC, but it is the most common one that we are seeing. Always check and verify the SNMP configuration in the APIC UI to make sure all components for SNMP are configured correctly. This technote assumes that SNMP is configured correctly and SNMP walks are "WORKING" to leaf & spine nodes. APIC is the only SNMP device that is NOT WORKING.

In "Brazos" & previous ACI releases, the leaf\spine node switches did NOT require an OOB or INB contract to allow SNMP Get Requests using UDP DestPort 161 for SNMP. These requests cannot be blocked through contracts. Creating an SNMP ClientGroup in the SNMP policy with a list of Client-IP Addresses restricts SNMP access to only the configured Client-IP Addresses. If no Client-IP address is configured, SNMP packets are allowed from anywhere.

In "Brazos" 1.2(1i\k\m), Cisco added SNMP support for the APIC(s). The default behavior for allowed ports for the APIC is “Different”. Unlike the Switches, a CONTRACT is needed for the APIC to allow SNMP. This is “NEW” with "Brazos" 1.2(1i\k\m) & later. You will need to define SNMP Ports (udp 161 & 162) in your OOB Contract, which is configured and used in the External Management Network Instance Profile, or in an INBAND Contract used for your INBAND Management. Once you add Ports 161 & 162 to the contracts and the appropriate subnet(s) for this filter are configured for the OOB or INB Contract, your SNMP Gets should work as expected.

In addition to contracts being needed, Node Management Address(es) in the Tenant mgmt need to be configured for the APIC(s), Leaf, & Spines. Verify that the APIC Node management address(es) are configured also. The "node management" address configuration for the APIC(s) is separate from the OOB management address defined during the setup script.

Here are some CLI commands that can be used to verify the configuration on the APIC:
show snmp policy default

## For custom policies, use this to identify custom policy
show snmp policy ?

show snmp community
show snmp hosts
show snmp clientgroups

moquery -c mgmtSubnet
moquery -c mgmtRsOoBCons
moquery -c vzOOBBrCP
moquery -c vzEntry | grep 161
moquery -c vzEntry | grep 162
moquery -c mgmtRsOoBStNode | egrep "tDn|addr"
moquery -c mgmtRsInBStNode | egrep "tDn|addr"
moquery -c snmpCtxP
moquery -c snmpSrc | egrep "snmp.Src|name|dn|incl|minSev|monPolDn"

If you have verified the configuration and the contracts and SNMP Walks & Gets to the APIC(s) continue to not work, additional troubleshooting may be needed so please open a case with the Cisco ACI TAC. The ACI TAC Customer Support Engineer will perform some additional troubleshooting steps to fix your issues.
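
Added example (not part of the technote above and not Cisco tooling): a stricter version of the `moquery -c vzEntry | grep 161` check that reads each filter entry as a record and reports only UDP entries whose destination port range actually includes the port, so an entry for 1610-1620 or a TCP entry is not mistaken for SNMP. The "key : value" record layout, the sample entries and the function names are assumptions constructed for illustration.

```shell
# Constructed sample of `moquery -c vzEntry` output, trimmed to the
# attributes used here (assumed "key : value" layout; not from a real fabric).
sample_vzentry() {
cat <<'EOF'
# vz.Entry
dFromPort    : 161
dToPort      : 161
dn           : uni/tn-mgmt/flt-snmp/e-snmp-get
prot         : udp

# vz.Entry
dFromPort    : 1610
dToPort      : 1620
dn           : uni/tn-mgmt/flt-misc/e-hi-ports
prot         : udp

# vz.Entry
dFromPort    : https
dToPort      : https
dn           : uni/tn-mgmt/flt-web/e-web
prot         : tcp
EOF
}

# udp_entries_for PORT: read moquery output on stdin and print the dn of
# every UDP filter entry whose destination port range includes PORT.
udp_entries_for() {
    awk -v port="$1" '
        function covers(lo, hi) {
            if (lo == "unspecified" && hi == "unspecified") return 1  # any port
            if (lo !~ /^[0-9]+$/ || hi !~ /^[0-9]+$/) return 0        # named port
            return (lo + 0 <= port + 0 && port + 0 <= hi + 0)
        }
        function emit() {
            if (f["prot"] == "udp" && covers(f["dFromPort"], f["dToPort"]))
                print f["dn"]
            split("", f)                      # reset for the next record
        }
        /^# / { emit(); next }                # record header, e.g. "# vz.Entry"
        {
            i = index($0, ":"); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            f[key] = val
        }
        END { emit() }
    '
}
for p in 161 162; do echo "udp/$p: $(sample_vzentry | udp_entries_for "$p")"; done
```

On an APIC the input would come from `moquery -c vzEntry | udp_entries_for 161`; an empty result for 161 or 162 means no UDP filter entry covers that port, and a matching entry still has to belong to the filter used by the OOB or INB contract.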
