I have several IOS-XR routers and have been monitoring them with SNMPv3 for quite some time. We have them configured with an OSPF underlay with LDP, and then use L3VPNs/VRFs for public internet interfaces. I am running into a problem using SNMP on an interface in one of our VRFs. I created a public loopback interface in the VRF with a public address. Currently, I have SNMP allowed from our management servers on the private loopback interfaces in the default table of the router, but in this case (a DDoS mitigation appliance), I need to be able to SNMP walk the router from a public address, which is in a VRF. The source and destination are in the same VRF. I am able to ping between the devices and BGP has an active session in the VRF, so connectivity is there, but I suspect the management plane is preventing SNMP traffic on the public loopback. I have tried simply adding the public IPv4 address under "allow snmp peer" beneath the public loopback in our inband config, but this does not work. I have also tried creating an OOB management VRF in our management plane using the VRF that the devices live in, which also does not allow traffic. In the inband plane, I always have to add the loopback interface, and the interfaces that the management traffic travels through to reach the loopback, but it is not possible (it seems) to configure the same interface in both the OOB plane and the inband plane. Is this a limitation of the management plane configuration or is there a piece that I am missing? Let me know if you need more details! Thanks in advance for your help!
As well as adding the source addresses of your management servers to the inband section of your management-plane protection config (and any ACLs applied to the SNMPv3 users/groups), you need to tell the snmp-server on the router to listen in your management VRF.
Do you have the command:
snmp-server vrf vrf_name
On what interface does the SNMP traffic actually enter the box? Physical, bundle, mgmt? If it's physical or bundle, then you need to configure that interface, not the loopback, to accept the traffic. If it's mgmt, then the same applies, but out-of-band. And of course your VRF settings in MPP, where you map the interface and allow SNMP, need to match what the incoming interface has configured, not the loopback.
What happens is that when SNMP traffic comes in on an interface and we see that it is destined to this router, we punt it up to LPTS, and LPTS checks its bindings table to see if we allow the flow; one of the parameters is the interface it came from. MPP directly programs LPTS.
Hope that helps.
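Putting both answers together, here is a constructed IOS-XR configuration fragment showing the shape of the fix (this is an added example, not config from the thread or from Cisco). All names are assumptions: the VRF is PUBLIC, the appliance is 203.0.113.10, the physical ingress interface is GigabitEthernet0/0/0/0, and the public loopback is Loopback1.

```text
! Assumed names: VRF PUBLIC, ingress interface GigabitEthernet0/0/0/0,
! appliance 203.0.113.10 (all hypothetical, constructed for this example).

! Restrict the SNMPv3 group to the appliance address
ipv4 access-list SNMP-PEERS
 10 permit ipv4 host 203.0.113.10 any
!
! MPP inband entry goes on the interface the packets ARRIVE on.
! LPTS keys the binding on the ingress interface, so an entry under
! Loopback1 (the destination address) does not match the punted flow.
control-plane
 management-plane
  inband
   interface GigabitEthernet0/0/0/0
    allow snmp peer
     address ipv4 203.0.113.10
    !
   !
  !
 !
!
! Make the SNMP agent listen in the VRF that holds Loopback1
snmp-server vrf PUBLIC
!
snmp-server view READ-ALL 1.3.6 included
snmp-server group MGMT-RO v3 priv read READ-ALL IPv4 SNMP-PEERS

! Exec-mode verification after commit (assumed show commands):
! confirm LPTS now carries an SNMP binding for the ingress interface
!   show lpts bindings brief | include snmp
!   show mgmt-plane inband interface GigabitEthernet0/0/0/0
```

If the walk still fails, check the same two outputs with the interface that the appliance's traffic really uses (for example a Bundle-Ether), since that is the interface MPP and LPTS compare against.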