02-07-2011 08:00 AM
Hi, on our switches we are to configure SNMPv3 and a user for LMS.
Because we are using User Tracking we need to configure the context.
It is possible to configure it just with "vlan-" and the match prefix statement.
So all possible VLANs on the switch are included.
snmp-server group LMS_GROUP v3 priv read readlms write writelms notify notifylms access SNMP_ACL
snmp-server group LMS_GROUP v3 auth context vlan- match prefix read readlms write writelms notify notifylms access SNMPV3_ACL
snmp-server view readlms iso included
snmp-server view writelms iso included
snmp-server view notifylms iso included
ip access-list standard SNMPV3_ACL
 permit x.x.x.x
 permit y.y.y.y
snmp-server user lmsuser LMS_GROUP v3 auth md5 lmsauthpw priv aes 256 lmsencryptpw
Switch#sh snmp context
vlan-1
vlan-2
vlan-10
vlan-11
vlan-70
vlan-71
vlan-72
vlan-73
vlan-74
vlan-90
vlan-91
vlan-95
vlan-98
vlan-99
vlan-101
vlan-102
vlan-103
vlan-104
vlan-105
vlan-107
vlan-108
vlan-109
vlan-110
vlan-111
vlan-112
vlan-113
vlan-114
vlan-115
vlan-123
vlan-174
vlan-197
vlan-198
vlan-199
This works fine.
The bad thing is that we also have a lot of 3550 switches in the field. The latest IOS version that is out for the 3550 is 122-44.SE6, which does not support this "match prefix" statement.
That means that we have to configure
snmp-server group LMS_GROUP v3 auth context vlan-1 read readlms write writelms notify notifylms access SNMPV3_ACL
...
...
...
snmp-server group LMS_GROUP v3 auth context vlan-199 read readlms write writelms notify notifylms access SNMPV3_ACL
so the SNMPv3 config is not easy to roll out automatically.
Is there another option without configuring a context statement for every VLAN?
Thx
Hubert
02-07-2011 10:29 PM
I wrote a Tcl script to facilitate configuring multiple SNMP contexts on devices. You should have the tclsh on these 3500s. Try running this script as:
tclsh snmp-context.tcl -p -g GROUP -l LEVEL vlan-
Where GROUP is your SNMPv3 group and LEVEL is your SNMPv3 security level (i.e. auth or priv).
02-07-2011 11:03 PM
Thx, I'll try the script.
KR
Hubert
02-08-2011 03:24 AM
Interesting but disturbing.
I assumed all this would be dynamic.
Campus finds out what VLANs are on the box and does what is required to obtain the MAC table of each VLAN.
So if I understand correctly, this is not the case?
I have customers where VLANs get created and deleted quite rapidly.
So the SNMP context there needs to be adjusted all the time?
Is there a document that describes in some detail what needs to be done on the various IOS versions?
Cheers,
Michel
02-08-2011 08:18 AM
The problem described here is a matter of access vs. data collection. Campus does dynamically detect VLANs on the device, but unless it is given access to query those VLAN contexts, it will not be able to retrieve such per-VLAN data as spanning tree and CAM tables.
Prior to SNMPv3, Cisco used a community string indexing hack to make legacy MIBs aware of different instances. SNMPv3 provides the context as a well-defined mechanism to have the same MIB implemented multiple times within a manager. If you need to use SNMPv3 on your devices, you must configure your SNMP group with all of the VLAN contexts to be polled. This is documented in the Campus Manager/LMS online help.
02-08-2011 11:37 AM
Thanks Joe,
I searched on SNMP V3 user tracking in LMS 4 without any result.
On CCO I found a document that mentions this context keyword in conjunction with User Tracking.
I have a few C2950s that now give me just the default VLAN in UT.
It appears not to know the context keyword. It's a v12.1 IOS but it supports SNMP v3.
I doubt to find much 12.1 IOS at customers that want snmp v3 though.
So each vlan added requires an edit of the SNMP context, otherwise user tracking silently fails for that vlan?
There are some downsides to using SNMP v3. But your script can help there.
Cheers,
Michel
02-08-2011 12:41 PM
It looks like they pulled this section of the online help in LMS 4.0. I can find it in 3.2.
You are right, the 2950s do not support contexts, and thus cannot work properly in UT. This is a known issue, and I wrote code so that LMS will fallback to SNMPv2c (if community strings exist) for these switches. Context support requires varying versions of 12.2, so the 2950s will never support them.
If a VLAN context is not configured, then UT will skip those VLANs. A timeout error will be printed in the ut.log.
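For the 3550 case in Hubert's first post (no "match prefix", so one group statement per VLAN) and for the point above that VLANs without a configured context are silently skipped by UT, here is a small reconciliation script. It is an added example, not Joe's Tcl script and not part of this thread; the "show snmp context" output and the running-config excerpt are constructed samples, and the group, view and ACL names are the ones from the thread.

```python
import re

# Constructed sample of "show snmp context" output (not the switch from the thread).
SHOW_SNMP_CONTEXT = """\
vlan-1
vlan-10
vlan-70
vlan-199
"""

# Constructed running-config excerpt: only two of the four contexts are granted so far.
RUNNING_CONFIG = """\
snmp-server group LMS_GROUP v3 priv read readlms write writelms notify notifylms access SNMPV3_ACL
snmp-server group LMS_GROUP v3 auth context vlan-1 read readlms write writelms notify notifylms access SNMPV3_ACL
snmp-server group LMS_GROUP v3 auth context vlan-10 read readlms write writelms notify notifylms access SNMPV3_ACL
"""

# Matches the per-context group statements only; the context-less base statement does not match.
CONTEXT_RE = re.compile(r"^snmp-server group (\S+) v3 (auth|priv) context (\S+)", re.M)


def device_contexts(show_output, prefix="vlan-"):
    """Contexts the switch exposes (one per VLAN), sorted by VLAN number."""
    ctx = {l.strip() for l in show_output.splitlines() if l.strip().startswith(prefix)}
    return sorted(ctx, key=lambda c: int(c[len(prefix):]))


def configured_contexts(running_config, group):
    """Contexts already granted to the SNMPv3 group in the running-config."""
    return {m.group(3) for m in CONTEXT_RE.finditer(running_config) if m.group(1) == group}


def missing_contexts(show_output, running_config, group):
    """VLAN contexts UT would skip because the group has no access to them yet."""
    granted = configured_contexts(running_config, group)
    return [c for c in device_contexts(show_output) if c not in granted]


def context_lines(contexts, group, level, views, acl):
    """One group statement per context, for IOS releases without 'match prefix'."""
    read, write, notify = views
    return [f"snmp-server group {group} v3 {level} context {c} read {read} "
            f"write {write} notify {notify} access {acl}" for c in contexts]


if __name__ == "__main__":
    todo = missing_contexts(SHOW_SNMP_CONTEXT, RUNNING_CONFIG, "LMS_GROUP")
    for line in context_lines(todo, "LMS_GROUP", "auth",
                              ("readlms", "writelms", "notifylms"), "SNMPV3_ACL"):
        print(line)
```

Feed it the real "show snmp context" and "show running-config | include snmp-server group" output per switch and paste the printed lines back; the same functions also confirm after a VLAN is added that the new context is covered.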
02-09-2011 02:22 AM
Thanks again Joe,
All this is not documented clearly enough for simple folks like myself.
Is it possible to configure an SNMP context for VLANs that are not present on the device?
I.O.W., can I push a single "ad hoc" job to all devices so that a context exists for all VLANs in the domain?
Or do I need to find out what vlan is present and configure a context based on that per device?
Cheers,
Michel
02-09-2011 10:20 PM
Yes, you can configure contexts for VLANs that do not [yet] exist on the device.
02-09-2011 11:17 PM
Thanks Joe,