09-29-2021 05:08 PM
Howdy folks - I've got one of those frustrating scenarios with an RMM tool using SNMPv3 that has a relatively well-known fix (on this forum and others) but I'll be damned if I can get it to work in my environment.
Short version - Monitoring tool can't learn per-VLAN MAC address-table information via SNMPv3 and only learns MAC addresses in VLAN 1 and MAC addresses on interfaces that have port-security disabled. I have tried the vlan- prefix match SNMPv3 group configs without success.
Longer version - My RMM (Auvik - kinda like ThousandEyes but not as sophisticated), like most of them, uses ICMP scans to discover devices, then attempts to manage the discovered devices via SSH and SNMP (v3 in our case). From there, the tool will read routing, ARP and CAM tables to draw out a map of the network. Apparently it's a relatively well-known struggle to get per-VLAN MAC address-table information from a switch when using SNMPv3. In our scenario, our RMM tool is only able to discover the MAC addresses on a switch that live in VLAN 1, and MAC addresses that were dynamically learned in other VLANs. That part about dynamically learned is important because we have port-security (not sticky) configured on all access interfaces across the org as a standard - so those learned addresses show as static in the MAC address-table.
Now, if I disable port-security on a switch, our RMM is able to learn all of the MAC addresses on the switch, so it can at least draw the network map, but it still doesn't learn the associated VLAN information for those MACs. Interestingly enough, if I turn port-security back on, the RMM loses the MACs, but if we flip monitoring over to using SNMPv2 communities, everything works end to end, MAC address and VLAN information, even with port-security enabled, and the map is cleanly drawn.
So it's like, either I can use SNMPv3 w/o port-security or SNMPv2 w/ port-security. Like the only option is to steal from Peter to pay Paul or vice versa.
For clarity - SNMPv3 works just fine in general, just not for pulling per-VLAN MAC address info. I should also mention that I have bled the Internet dry of any posts related to the configs below:
! the group line needs a security level; "priv" matches the auth + AES user below
snmp-server group <groupname> v3 priv
! second group line exposes the per-VLAN contexts (vlan-1, vlan-10, ...) by prefix match
snmp-server group <groupname> v3 priv context vlan- match prefix
! IOS requires the "priv" keyword before the privacy protocol
snmp-server user <username> <groupname> v3 auth sha xxxxxx priv aes 128 xxxxxxx
Still using the v1default view, but it seems to include the MIBs other forum examples use in their custom views.
I thought that vlan- match prefix booger was going to be the one, but no joy there.
The environment consists of
many single and stacked Cat 2960X switches
many stacked Cat 3650 switches
a few Cat 4500-X vss pairs
and a couple of Cat 9500 series stacks
The issue is present on all switches, at all sites.
In all cases the hardware is running the most recent / Cisco-recommended IOS / IOS-XE version.
Vendor support for the RMM was helpful, but didn't bear fruit in the form of resolving the issue. Suffice it to say the tool is able to pull VLAN / MAC info via SNMPv3 in other environments with Cisco IOS devices. Just not sure what I'm missing on this wonky thing. Kinda hoping it's one of those things where someone says "ohhh ya - this one dumb thing you missed." Fingers crossed.
Thanks!
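As an added example (not from the original post, and not Auvik's or Cisco's code), the script below does by hand what the RMM does under the hood: one net-snmp walk of BRIDGE-MIB dot1dTpFdbTable per "vlan-<id>" context (the `-n` option), then merging the address, bridge-port and status columns per MAC. It lets you see, independently of the poller, whether a given context answers at all and what status the switch reports for port-secured addresses. Host, credentials and VLAN list are placeholders, and the embedded walk output is constructed sample data, not a real capture.

```python
"""Pull the per-VLAN CAM table (BRIDGE-MIB dot1dTpFdbTable) over SNMPv3 contexts.

Hypothetical helper written for this thread, not part of Auvik or Cisco IOS.
One snmpwalk per "vlan-<id>" context (net-snmp '-n' option), then merge the
address/port/status columns per MAC address.
"""
import re
import subprocess
import sys
from collections import Counter

# dot1dTpFdbEntry: column 1 = dot1dTpFdbAddress, 2 = dot1dTpFdbPort, 3 = dot1dTpFdbStatus
DOT1D_TP_FDB = "1.3.6.1.2.1.17.4.3.1"
FDB_STATUS = {1: "other", 2: "invalid", 3: "learned", 4: "self", 5: "mgmt"}

# Matches 'snmpwalk -On' output: <column OID>.<6 MAC octets as decimals> = TYPE: value
LINE_RE = re.compile(
    r"^\.?1\.3\.6\.1\.2\.1\.17\.4\.3\.1\.([123])\.((?:\d+\.){5}\d+) = [A-Za-z-]+: (.+)$"
)


def snmpwalk_cmd(host, user, auth_pass, priv_pass, vlan, column):
    """net-snmp command for one column of dot1dTpFdbTable in the vlan-<id> context.

    Credentials follow the posted 'auth sha ... aes 128' user; '-n vlan-N' is the
    context that the 'context vlan- match prefix' group line is meant to expose.
    """
    return [
        "snmpwalk", "-v3", "-On", "-l", "authPriv",
        "-u", user, "-a", "SHA", "-A", auth_pass, "-x", "AES", "-X", priv_pass,
        "-n", f"vlan-{vlan}", host, f"{DOT1D_TP_FDB}.{column}",
    ]


def parse_fdb_walk(text, vlan):
    """Merge column walks into {mac: {"vlan", "bridge_port", "status"}}."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        column, index, value = m.groups()
        mac = ":".join(f"{int(octet):02x}" for octet in index.split("."))
        entry = entries.setdefault(mac, {"vlan": vlan})
        if column == "2":
            entry["bridge_port"] = int(value)  # dot1dBasePort; map to ifIndex via dot1dBasePortIfIndex
        elif column == "3":
            entry["status"] = FDB_STATUS.get(int(value), f"unknown({value})")
    return entries


def status_summary(entries):
    """Count entries by dot1dTpFdbStatus: shows whether a context returned anything
    beyond 'learned', which is what a poller that keeps only dynamic MACs would drop."""
    return Counter(e.get("status", "missing") for e in entries.values())


def collect(host, user, auth_pass, priv_pass, vlans):
    """Walk every requested VLAN context; returns {(vlan, mac): entry}."""
    fdb = {}
    for vlan in vlans:
        text = ""
        for column in (1, 2, 3):
            proc = subprocess.run(
                snmpwalk_cmd(host, user, auth_pass, priv_pass, vlan, column),
                capture_output=True, text=True, check=False,
            )
            text += proc.stdout  # an empty walk here means the context is not reachable for this group/view
        for mac, entry in parse_fdb_walk(text, vlan).items():
            fdb[(vlan, mac)] = entry
    return fdb


# Constructed sample of what 'snmpwalk -On' returns for one context (not a real capture).
SAMPLE_WALK_VLAN10 = """\
.1.3.6.1.2.1.17.4.3.1.1.0.17.34.51.68.85 = Hex-STRING: 00 11 22 33 44 55
.1.3.6.1.2.1.17.4.3.1.1.0.170.187.204.221.238 = Hex-STRING: 00 AA BB CC DD EE
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 5
.1.3.6.1.2.1.17.4.3.1.2.0.170.187.204.221.238 = INTEGER: 12
.1.3.6.1.2.1.17.4.3.1.3.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.3.0.170.187.204.221.238 = INTEGER: 5
"""

if __name__ == "__main__":
    if len(sys.argv) < 6:
        table = parse_fdb_walk(SAMPLE_WALK_VLAN10, 10)  # offline demo on the constructed sample
    else:
        host, user, auth_pass, priv_pass = sys.argv[1:5]
        vlans = [int(v) for v in sys.argv[5:]]
        table = {mac: e for (_, mac), e in collect(host, user, auth_pass, priv_pass, vlans).items()}
    for mac, e in sorted(table.items()):
        print(f"vlan {e['vlan']:<5} port {e.get('bridge_port', '?'):<4} {e.get('status', '?'):<8} {mac}")
    print("status summary:", dict(status_summary(table)))
```

Usage: `python3 fdb_walk.py <switch> <user> <authpass> <privpass> 1 10 20` walks those three contexts; with no arguments it parses the constructed sample. Before reading the output, confirm on the switch side that `show snmp context` lists the vlan-N contexts and that `show snmp group` shows the group with the context/prefix match and the read view you expect. A context that returns nothing points at group or view coverage; a context that returns the port-secured MACs with a status other than learned points at the poller's own filtering rather than the switch.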
10-07-2021 04:56 AM
AFAIK the actual SNMP query for SNMPv3 is not so different from SNMPv2; authentication/authorization is the main difference.
-> The first idea that comes up is that the SNMPv3 user/group does not have sufficient rights to access the VLAN information.
=> Check the enabled views for this group.