How do I replace SNMPv2 with SNMPv3 on VLANs?

SNMPv3 and VLANs. I've removed SNMPv2c from my Cisco switch and enabled SNMPv3. However, it's not entirely removed. When I run the "show snmp community" command, I see entries that correspond to my VLANs. Each entry looks like this example (where @1 is VLAN 1, @2 is VLAN 2, and so on):

Community name: bep@1
Community Index: bep@1
Community SecurityName: bep
storage-type: read-only  active


What is the process for removing SNMPv2 and enabling SNMPv3 on VLANs? I read something about BRIDGE-MIB, but I'm new to SNMP in general, so it's about as clear as mud to me at this point. Any help would be greatly appreciated.
SnAkEhIpS asked:

atlas_shuddered (Sr. Network Engineer) commented:
There are a couple of things. First, run this command:

show run | inc snmp


For any lines returned, run the same command with the "no" argument. For example:

Switch#show run | inc snmp
snmp-server community rostring RO 1
snmp-server community rwstring RW 1
snmp-server location Somewhere, Earth
snmp-server contact megamind@megacorp.com
!
!
!
Switch(config)#no snmp-server community rostring RO 1
Switch(config)#no snmp-server community rwstring RW 1
Switch(config)#no snmp-server location Somewhere, Earth
Switch(config)#no snmp-server contact megamind@megacorp.com


After executing the above, then input the following:

no snmp-server

The first part removes all of those commands, and the last one shuts down the SNMP engine. When you enter the first of your SNMPv3 commands, the engine will be turned back on.
SnAkEhIpS (author) commented:
I figured out how to remove SNMPv2 from the VLANs. First you have to make sure the SNMP engine is running if it's not already:

snmp-server community bep

Then you have to remove the context and then the community:

no snmp-server context bep
no snmp-server community bep
SnAkEhIpS (author) commented:
Thanks atlas_shuddered. I see you did the same thing "no snmp-server community"... I'm going to try another without "no snmp-server context". Perhaps the latter isn't necessary.

SnAkEhIpS (author) commented:
Apparently all that is required (provided the engine is running) is "no snmp-server community bep", where bep is the community name. So you were right, atlas_shuddered.

The second part of my question relates to enabling SNMPv3 on VLANs. When SNMPv2 was enabled, I saw corresponding entries for each VLAN:

Community name: bep@1
Community Index: bep@1
Community SecurityName: bep
storage-type: read-only  active


Is there a corresponding configuration using SNMPv3? If so, I assume that I must take some extra steps to enable it. Can anyone explain?
atlas_shuddered (Sr. Network Engineer) commented:
Hey snake -

Try this link. What you ask has a pretty lengthy answer and, to be completely honest, I tend to be lazy, especially if someone else has already taken the time to build an applicable answer. Let me know if the link helps.

http://www.switchportmapper.com/support-mapping-a-cisco-switch-using-snmpv3.htm
SnAkEhIpS (author) commented:
Thanks atlas. I hear ya. I ran the tool and got some interesting results that made reference to the BRIDGE-MIB. Every VLAN was recognized. There were some authentication errors with regard to a few of those VLANs. The results below spell it out in detail. Thank you for your help today!

IMPORTANT message about Cisco IOS and SNMPv3.

Cisco uses SNMPv3 'context' to allow retrieval of per-VLAN data from Bridge-MIB (things like device MAC addresses). This is not pre-configured so each switch must have the running-config in the switch changed to report the VLAN details. If the switch is not configured, this software and any other switch mapping software cannot map the switch with SNMPv3. We can map it using SNMPv1 or v2c if allowed without any special config changes.

First, you need to see if your switch supports contexts.
From CLI do: 'show snmp context' (no quotes).

Assuming success, next check to see if your switch supports prefix matching.
In your running config add:
'snmp-server group yourV3groupName v3 auth context vlan- match prefix' (no quotes and don't forget the dash after vlan).

If it does support prefix matching, every Cisco switch using IOS and SNMPv3 that you intend to map must have that command in the config, and you can skip the next section.

If it does NOT support prefix matching you have a lot of work to do. Every VLAN must have a context set up for it.
You have to add this command into running config for EVERY VLAN:
snmp-server group yourV3groupName v3 priv context vlan-(vlanid)
So if you have 10 VLANs on the switch, that command must appear 10 times, once for each VLAN (no parens around 'vlanid' and you may want to add 'access #' at the end).

More questions? see this thread: https://supportforums.cisco.com/thread/2036734


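As an added example, not code from this thread or from the switch-mapping tool quoted above, the Python script below applies the two conclusions reached here to a config text such as the output of 'show run | inc snmp'. It flags any remaining 'snmp-server community' lines (which the thread found are removed with 'no snmp-server community <name>' alone), flags SNMPv3 groups that are not 'priv', checks for the 'context vlan- match prefix' group that per-VLAN BRIDGE-MIB access over SNMPv3 needs, and can generate the one-context-per-VLAN commands for an IOS image without prefix matching. The two config samples, the group/view/user names V3GRP, V3VIEW and v3user, ACL 10 and the passphrases are all constructed for this example and do not come from the original posts.

```python
"""Audit Cisco IOS SNMP config lines for the issues raised in this thread.

Input is the text returned by 'show run | inc snmp' (or a whole running
config). The checks mirror the thread:

  * SNMPv1/v2c communities are flagged; they stay active alongside SNMPv3
    and are removed with 'no snmp-server community <name>'.
  * SNMPv3 groups that are 'noauth' or 'auth' rather than 'priv' are
    flagged, because only 'priv' encrypts the requests.
  * A group with 'context vlan- match prefix' is required for per-VLAN
    BRIDGE-MIB access over SNMPv3; its absence is flagged, and the
    per-VLAN fallback commands can be generated instead.

Everything below is constructed for the example: the group, view, user and
ACL names (V3GRP, V3VIEW, v3user, ACL 10) and the passphrases are assumed,
not taken from the original thread.
"""
import re

# Constructed "before" state: v2c communities still present and a v3 group
# without privacy. (IOS does not echo 'snmp-server user' lines in 'show run';
# 'show snmp user' lists them. The line is shown here as it would be typed.)
WEAK_CONFIG = """\
snmp-server community bep RO
snmp-server community rwstring RW 1
snmp-server group V3GRP v3 auth
snmp-server user v3user V3GRP v3 auth sha AuthPass123 priv aes 128 PrivPass123
snmp-server location Somewhere, Earth
"""

# Constructed "after" state: communities removed, authPriv group restricted
# by ACL 10, and the per-VLAN contexts reachable through prefix matching.
HARDENED_CONFIG = """\
snmp-server view V3VIEW iso included
snmp-server group V3GRP v3 priv read V3VIEW access 10
snmp-server group V3GRP v3 priv context vlan- match prefix read V3VIEW access 10
snmp-server user v3user V3GRP v3 auth sha AuthPass123 priv aes 128 PrivPass123
snmp-server location Somewhere, Earth
"""

# 'snmp-server community <name> [view <v>] [RO|RW] [acl]'; RO is the default.
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW)\b)?", re.I)
# 'snmp-server group <name> v3 {noauth|auth|priv} [context <c>] [match prefix] ...'
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)$")
PREFIX_RE = re.compile(r"\bcontext (\S+) match prefix\b")


def snmp_lines(config):
    """Return the stripped 'snmp-server ...' lines of a config text."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip().startswith("snmp-server")]


def audit(config):
    """Return a list of human-readable findings; an empty list means the config passes."""
    findings = []
    has_vlan_prefix = False
    for line in snmp_lines(config):
        m = COMMUNITY_RE.match(line)
        if m:
            access = (m.group(2) or "RO").upper()
            findings.append(f"v1/v2c community '{m.group(1)}' ({access}) still active; "
                            "community strings travel in cleartext")
            continue
        m = GROUP_RE.match(line)
        if m:
            group, level, rest = m.groups()
            if level != "priv":
                findings.append(f"SNMPv3 group '{group}' uses '{level}'; "
                                "requests are not encrypted")
            p = PREFIX_RE.search(rest)
            if p and p.group(1).startswith("vlan-"):
                has_vlan_prefix = True
    if not has_vlan_prefix:
        findings.append("no 'context vlan- match prefix' group; per-VLAN BRIDGE-MIB "
                        "data is unreachable over SNMPv3")
    return findings


def removal_commands(config):
    """'no' commands for every community found (what this thread ended up needing)."""
    return [f"no snmp-server community {m.group(1)}"
            for m in map(COMMUNITY_RE.match, snmp_lines(config)) if m]


def per_vlan_context_commands(group, vlan_ids, acl=None):
    """Fallback for IOS images without prefix matching: one context per VLAN."""
    suffix = f" access {acl}" if acl is not None else ""
    return [f"snmp-server group {group} v3 priv context vlan-{vid}{suffix}"
            for vid in vlan_ids]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config ==")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
    print("== removal commands for the weak config ==")
    print("\n".join(removal_commands(WEAK_CONFIG)))
    print("== per-VLAN fallback for VLANs 1, 10, 20 ==")
    print("\n".join(per_vlan_context_commands("V3GRP", [1, 10, 20], acl=10)))
```

Feed it the output of 'show run | inc snmp' from each switch; an empty result from audit() is the target state. The hardened sample keeps a plain 'priv' group next to the 'context vlan- match prefix' group because the prefix-matched group only serves requests that carry a context name, while ordinary (non-VLAN) polling uses the default context. Since IOS does not list 'snmp-server user' lines in the running config, confirm the users with 'show snmp user' rather than with this script.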
SnAkEhIpS (author) commented:
Thanks again!
atlas_shuddered (Sr. Network Engineer) commented:
Not a problem.  Cheers