• Status: Solved

How do I replace SNMPv2 with SNMPv3 on VLANs?

SNMPv3 and VLANs.  I've removed SNMPv2c from my Cisco switch and enabled SNMPv3. However, it's not entirely removed. When I run the "show snmp community" command, I see entries that correspond to my VLANs. Each entry looks like this example (where @1 is VLAN-1, @2 is VLAN-2, and so on):

Community name: bep@1
Community Index: bep@1
Community SecurityName: bep
storage-type: read-only  active


What is the process for removing SNMPv2 and enabling SNMPv3 on VLANs? I read something about BRIDGE-MIB, but I'm new to SNMP in general, so it's about as clear as mud to me at this point. Any help would be greatly appreciated.
Asked by: SnAkEhIpS

2 Solutions

atlas_shuddered (Sr. Network Engineer) commented:
There are a couple of things.  First, run this command:

show run | inc snmp


For any lines that come back, run the "no" form of the command, for example:
Switch#show run | inc snmp
snmp-server community rostring RO 1
snmp-server community rwstring RW 1
snmp-server location Somewhere, Earth
snmp-server contact megamind@megacorp.com
!
!
!
Switch(config)#no snmp-server community rostring RO 1
Switch(config)#no snmp-server community rwstring RW 1
Switch(config)#no snmp-server location Somewhere, Earth
Switch(config)#no snmp-server contact megamind@megacorp.com


After executing the above, then input the following:

no snmp-server

This will remove all commands in the first part and then shut down the snmp engine in the last.  When you enter the first of your snmpv3 commands, the engine will be turned back on.

SnAkEhIpS (Author) commented:
I figured out how to remove SNMPv2 from the VLANs. First you have to make sure the SNMP engine is running if it's not already:

snmp-server community bep

Then you have to remove the context and then the community:

no snmp-server context bep
no snmp-server community bep

SnAkEhIpS (Author) commented:
Thanks atlas_shuddered. I see you did the same thing "no snmp-server community"... I'm going to try another without "no snmp-server context". Perhaps the latter isn't necessary.

SnAkEhIpS (Author) commented:
Apparently all that is required (provided the engine is running) is "no snmp-server community bep", where bep is the community name. So you were right atlas_shuddered.

The second part of my question relates to enabling SNMPv3 on VLANs. When SNMPv2 was enabled I saw corollary entries for each VLAN:

Community name: bep@1
Community Index: bep@1
Community SecurityName: bep
storage-type: read-only  active


Is there a corresponding configuration using SNMPv3?  If so, I assume that I must take some extra steps to enable it.  Can anyone explain?

atlas_shuddered (Sr. Network Engineer) commented:
Hey snake -

Try this link.  What you ask has a pretty lengthy answer and to be completely honest, I tend to be lazy.  Especially if someone else has already taken the time to build an applicable answer.  Let me know if the link helps.

http://www.switchportmapper.com/support-mapping-a-cisco-switch-using-snmpv3.htm

SnAkEhIpS (Author) commented:
Thanks atlas. I hear ya. I ran the tool and got some interesting results that made reference to the BRIDGE-MIB. Every VLAN was recognized. There were some authentication errors in regard to a few of those VLANs. The results below spell it out in detail. Thank you for your help today!

IMPORTANT message about Cisco IOS and SNMPv3.

Cisco uses SNMPv3 'context' to allow retrieval of per-VLAN data from Bridge-MIB (things like device MAC addresses). This is not pre-configured so each switch must have the running-config in the switch changed to report the VLAN details. If the switch is not configured, this software and any other switch mapping software cannot map the switch with SNMPv3. We can map it using SNMPv1 or v2c if allowed without any special config changes.

First, you need to see if your switch supports contexts.
From CLI do: 'show snmp context' (no quotes).

Assuming success, next check to see if your switch supports prefix matching.
In your running config add:
'snmp-server group yourV3groupName v3 auth context vlan- match prefix' (no quotes and don't forget the dash after vlan).

If it does support prefix matching every Cisco switch using IOS and SNMPv3 that you intend to map must have that command in the config - you can skip the next section.

If it does NOT support prefix matching you have a lot of work to do. Every VLAN must have a context set up for it.
You have to add this command into running config for EVERY VLAN:
snmp-server group yourV3groupName v3 priv context vlan-(vlanid)
So if you have 10 VLANs on the switch, that command must appear 10 times, once for each VLAN (no parens around 'vlanid' and you may want to add 'access #' at the end).

More questions? see this thread: https://supportforums.cisco.com/thread/2036734

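Checking the "show run | inc snmp" output by eye, as in atlas_shuddered's first answer, and then confirming that the "context vlan-" mapping from the quoted tool text is actually in place, can be scripted. The Python below is an added example, not code from this thread or from the switchportmapper tool; the lines in SAMPLE_RUN are constructed and the group names NMS-GROUP and OLD-GROUP are made up.

```python
import re

# Constructed "show run | inc snmp" output for illustration; not taken from the page's switch.
SAMPLE_RUN = """\
snmp-server community rostring RO 1
snmp-server community bep
snmp-server group NMS-GROUP v3 auth
snmp-server group NMS-GROUP v3 priv context vlan- match prefix
snmp-server group OLD-GROUP v3 noauth
snmp-server location Somewhere, Earth
"""

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?\s*$", re.M | re.I)
# snmp-server group <name> v3 {noauth|auth|priv} [context <ctx> [match prefix]] ...
GROUP_RE = re.compile(
    r"^snmp-server group (\S+) v3 (noauth|auth|priv)(?: context (\S+))?( match prefix)?", re.M | re.I)


def audit_snmp(run_text):
    """Return leftover v1/v2c communities, weak v3 groups, VLAN context coverage and findings."""
    r = {"v2c_communities": [], "weak_v3_groups": [],
         "prefix_context_groups": [], "per_vlan_contexts": [], "findings": []}
    for name, mode, _acl in COMMUNITY_RE.findall(run_text):
        mode = (mode or "RO").upper()          # IOS treats a community with no RO/RW as read-only
        r["v2c_communities"].append((name, mode))
        r["findings"].append(
            f"v1/v2c community '{name}' ({mode}) still configured; the string travels in "
            f"cleartext, remove it with 'no snmp-server community {name}'")
    for group, level, ctx, prefix in GROUP_RE.findall(run_text):
        level = level.lower()
        if level != "priv":
            r["weak_v3_groups"].append((group, level))
            r["findings"].append(
                f"v3 group '{group}' accepts security level '{level}' (no encryption"
                + (", no authentication" if level == "noauth" else "") + "); prefer 'priv'")
        if ctx.lower() == "vlan-" and prefix:
            r["prefix_context_groups"].append(group)     # one line covers every VLAN
        elif ctx.lower().startswith("vlan-"):
            r["per_vlan_contexts"].append((group, ctx))  # one context per VLAN
    if not r["prefix_context_groups"] and not r["per_vlan_contexts"]:
        r["findings"].append("no 'context vlan-' on any v3 group: per-VLAN BRIDGE-MIB data "
                             "(e.g. MAC tables) will not be readable over SNMPv3")
    return r


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_RUN)["findings"]:
        print("-", finding)
```

Paste the real "show run | inc snmp" output into SAMPLE_RUN (or read it from a file) and every remaining v2c community and every v3 group below authPriv is listed with the "no" command or change to make.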
 
SnAkEhIpS (Author) commented:
Thanks again!

atlas_shuddered (Sr. Network Engineer) commented:
Not a problem.  Cheers
Question has a verified solution.