This topic covers SNMPv3 settings and troubleshooting for Cisco IOS based switches. Other Cisco operating systems will be similar. This topic assumes that you are familiar with how to access the Command Line Interface (CLI) using a serial cable and a terminal program such as TeraTerm.

The topics below were prepared using the following versions of IOS and the Managed Switch Port Mapping Tool:

Cisco IOS Version: 12.2(55)SE10
Managed Switch Port Mapping Tool Version: 2.55

The Managed Switch Port Mapping Tool supports the USM SNMPv3 model. We have not used access lists or SNMPv3 contexts for simplicity.

Related Topics: How to enable SNMPv1 and SNMPv2c and how to disable all SNMP on a Cisco switch are found on this page. How to prepare the Managed Switch Port Mapping Tool to use SNMPv3.

Commands are shown in bold.
How to check current SNMP settings in your running-config

Switch>enable
Switch#show running-config | include snmp-server
snmp-server group testv3group v3 priv read testv3view write testv3view
snmp-server group testv3group v3 auth context vlan- match prefix
snmp-server view testv3view internet included
snmp-server community public RO
Switch#

If you see no information, or only 'snmp-server community public RO', you do not have SNMPv3 active in your running-config. The output above shows that SNMPv1, SNMPv2c and SNMPv3 are all active. For information on how to add SNMPv1 and SNMPv2c support, please review this page.
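As an added example (not part of the original page and not code from the Managed Switch Port Mapping Tool), a short Python audit that reads pasted 'show running-config | include snmp-server' output like the one above and reports which SNMP versions are active, whether any v3 group carries the 'context vlan- match prefix' setting the tool needs, and whether v1/v2c community strings or v3 groups without 'priv' remain. The sample text is constructed from this page's output.

```python
import re

# Constructed sample: the 'show running-config | include snmp-server'
# output shown on this page, pasted as one string.
SAMPLE_RUNNING_CONFIG = """\
snmp-server group testv3group v3 priv read testv3view write testv3view
snmp-server group testv3group v3 auth context vlan- match prefix
snmp-server view testv3view internet included
snmp-server community public RO
"""

GROUP_RE = re.compile(r"^snmp-server group (?P<name>\S+) (?P<ver>v1|v2c|v3)"
                      r"(?: (?P<level>noauth|auth|priv))?(?P<rest>.*)$")
COMMUNITY_RE = re.compile(r"^snmp-server community (?P<name>\S+)")


def audit_snmp_config(text):
    """Report active SNMP versions, SNMPv3 groups with their security
    levels, groups carrying 'context vlan- match prefix', and findings."""
    versions, v3_groups, prefix_groups, communities = set(), {}, set(), []
    for line in text.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            versions.add(m["ver"])
            if m["ver"] == "v3":
                v3_groups.setdefault(m["name"], set()).add(m["level"])
                if "context vlan- match prefix" in m["rest"]:
                    prefix_groups.add(m["name"])
            continue
        m = COMMUNITY_RE.match(line.strip())
        if m:  # a community string enables v1 and v2c (see 'show snmp group')
            versions.update({"v1", "v2c"})
            communities.append(m["name"])
    findings = []
    if "v3" not in versions:
        findings.append("SNMPv3 is not active in the running-config")
    elif not prefix_groups:
        findings.append("no 'context vlan- match prefix' group: per-VLAN "
                        "BRIDGE-MIB queries need a context for every VLAN")
    for name, levels in v3_groups.items():
        if "priv" not in levels:
            findings.append(f"group {name} never uses 'priv' (no encryption)")
    if communities:
        findings.append("v1/v2c community strings present: " + ", ".join(communities))
    return {"versions": sorted(versions), "v3_groups": v3_groups,
            "prefix_groups": prefix_groups, "findings": findings}


if __name__ == "__main__":
    for finding in audit_snmp_config(SAMPLE_RUNNING_CONFIG)["findings"]:
        print("-", finding)
```

Note that 'snmp-server user' lines do not appear in the running-config on IOS, so the audit works from the group, view and community lines only.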
How to enable SNMPv3 in a Cisco Switch IOS CLI

1. Switch>enable
2. Switch#config term - this allows you to edit the running-config. (Note: to remove any of the following 3 commands, use 'no snmp-server view', 'no snmp-server group' or 'no snmp-server user'.)
3. Create a view for the test SNMPv3 user:
   Switch(config)#snmp-server view testv3view internet included
4. Create a group to access the view:
   Switch(config)#snmp-server group testv3group v3 priv read testv3view write testv3view
5. Create a user for the group:
   Switch(config)#snmp-server user testv3user testv3group v3 auth md5 Passw0rd priv des Passw0rd
6. Activate context prefix matching by entering this command (replace yourV3groupName with the group created in step 4, testv3group in this example):
   Switch(config)#snmp-server group yourV3groupName v3 auth context vlan- match prefix
   (If you do not do this, the Managed Switch Port Mapping Tool will give error messages claiming it cannot access BRIDGE-MIB even though the rest of the mapping appears to work. See the next section if that command is not supported by your version of IOS.)
7. Switch(config)#Ctrl-z
8. Optionally save it to the startup-config using Switch#copy running-config startup-config
Checking your running-config settings

Switch>enable
(Execute the command show snmp user. This is typical output if SNMPv3 is active.)
Switch#show snmp user
User name: testv3user
Engine ID: 800000090300001562299C03
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: testv3group

(Execute the show snmp group command. This is typical output if SNMPv3 is active; it shows that all three versions of SNMP are active.)
Switch#show snmp group
groupname: public                           security model:v1
readview : v1default                        writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

groupname: public                           security model:v2c
readview : v1default                        writeview: <no writeview specified>
notifyview: *tv.00000000.00000000.00000020.0
row status: active

groupname: testv3group                      security model:v3 priv
readview : testv3view                       writeview: testv3view
notifyview: <no notifyview specified>
row status: active

(Execute the show snmp view command to see what parts of the SNMP OID tree are readable by users. The view 'testv3view', on the line beginning with testv3view below, covers the internet level, .1.3.6, and everything below it.)
Switch#show snmp view
v1default iso - included permanent active
v1default internet - included permanent active
v1default snmpUsmMIB - excluded permanent active
v1default snmpVacmMIB - excluded permanent active
v1default snmpCommunityMIB - excluded permanent active
v1default ciscoMgmt.252 - excluded permanent active
testv3view internet - included nonvolatile active
*tv.00000000.00000000.00000020.000000007F iso - included volatile active
*tv.00000000.00000000.00000020.000000007F iso.2.840.10036 - included volatile active
SNMPv3 Settings in the Managed Switch Port Mapping Tool

The settings must match or you WILL see a Switch Communications Timeout and Failure with our first SNMP query when you press Map Switch. Make sure your switch settings match what you entered in step 5 above - the settings are highlighted below. Nothing is wrong with the Switch Port Mapper. The problem is in the switch and its config settings.

Background: Cisco uses 'community name indexing' for SNMPv1 and SNMPv2c to allow us to get VLAN specific information from BRIDGE-MIB. In SNMPv3 they use a variation of this technique by making use of SNMPv3 contexts. The context field is changed for each VLAN requested so that BRIDGE-MIB will give us the information we need for that particular VLAN. The problem is that not all versions of IOS support contexts, and in order to request context information for each VLAN, you have to make changes to the running-config through the CLI. If the switch is not configured, this software and any other switch mapping software cannot map the switch with SNMPv3.
First, you need to see if your switch supports contexts. From the CLI run this command:

Switch>enable
Switch#show snmp context
vlan-1
vlan-3
vlan-1005
vlan-1005
vlan-1005
vlan-1005

Assuming your switch does support contexts, next check to see if your switch supports prefix matching. In your running-config add:

Switch>enable
Switch#config term
Switch(config)#snmp-server group yourV3groupName v3 auth context vlan- match prefix
(don't forget the dash after vlan)
Switch(config)#Ctrl-z

If the switch does support prefix matching, every Cisco switch using that version of IOS or later and SNMPv3 that you intend to map must have that command in its config. You can skip the next section; you are finished.

If the switch does NOT support prefix matching you have a lot of work to do. Every VLAN must have a context set up for it. You have to add this command into the running-config for EVERY VLAN:

snmp-server group yourV3groupName v3 priv context vlan-(vlanid)

So if you have 10 VLANs on the switch, that command must appear 10 times, once for each VLAN (no parentheses around 'vlanid', and you may want to add 'access #' at the end).

Examples for a switch with VLANs numbered 6, 100, 117 and 200 (note the optional access list statement):

Switch>enable
Switch#config term
Switch(config)#snmp-server group yourV3groupName v3 priv context vlan-6
Switch(config)#snmp-server group yourV3groupName v3 priv context vlan-100
Switch(config)#snmp-server group yourV3groupName v3 priv context vlan-117
Switch(config)#snmp-server group yourV3groupName v3 priv context vlan-200 access 51
Switch(config)#Ctrl-z
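As an added example (not the tool's or Cisco's code), a Python helper for the two procedures above: it takes pasted 'show snmp context' output and the current running-config and produces only the per-VLAN 'priv context vlan-N' lines a group is still missing, deduplicating the repeated context rows seen in the sample output and producing nothing when the group already has 'context vlan- match prefix'. The group name yourV3groupName and the sample running-config are constructed.

```python
import re

# Constructed samples: the 'show snmp context' output shown above (with its
# duplicate vlan-1005 rows) and a running-config that already covers VLAN 3.
SAMPLE_SHOW_SNMP_CONTEXT = "vlan-1\nvlan-3\nvlan-1005\nvlan-1005\nvlan-1005\nvlan-1005\n"
SAMPLE_RUNNING_CONFIG = """\
snmp-server group yourV3groupName v3 priv read testv3view write testv3view
snmp-server group yourV3groupName v3 priv context vlan-3
"""

def vlan_ids_from_contexts(show_context_output):
    """Distinct VLAN ids from 'show snmp context', in the order first seen."""
    ids = []
    for line in show_context_output.splitlines():
        m = re.match(r"^vlan-(\d+)$", line.strip())
        if m and int(m[1]) not in ids:
            ids.append(int(m[1]))
    return ids

def covered_vlans(group, running_config):
    """VLAN ids that already have a 'context vlan-N' line for the group, or
    None when the group already has 'context vlan- match prefix'."""
    pattern = re.compile(rf"^snmp-server group {re.escape(group)} v3 "
                         r"(?:auth|priv) context vlan-(\S*)(.*)$")
    covered = set()
    for line in running_config.splitlines():
        m = pattern.match(line.strip())
        if m and m[1] == "" and "match prefix" in m[2]:
            return None
        if m and m[1].isdigit():
            covered.add(int(m[1]))
    return covered

def missing_context_commands(group, show_context_output, running_config, access_list=None):
    """Config-mode lines still needed so the group can reach every VLAN
    context; empty when prefix matching is already configured."""
    covered = covered_vlans(group, running_config)
    if covered is None:
        return []
    suffix = f" access {access_list}" if access_list is not None else ""
    return [f"snmp-server group {group} v3 priv context vlan-{vid}{suffix}"
            for vid in vlan_ids_from_contexts(show_context_output)
            if vid not in covered]

if __name__ == "__main__":
    for cmd in missing_context_commands("yourV3groupName", SAMPLE_SHOW_SNMP_CONTEXT,
                                        SAMPLE_RUNNING_CONFIG, access_list=51):
        print(cmd)
```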
Important note: the 'vlan-' contexts are probably different from the SNMP contexts you may have used. You must use the vlan- context in the statements described above in this topic, whether using prefix matching or individual entries. Treat vlan- as 'reserved' contexts to avoid confusion. The topic before this one does not use SNMPv3 contexts at all.

More questions? See this thread: https://supportforums.cisco.com/thread/2036734