SNMP Support over VPNs--Context-Based Access Control

Cisco IOS software supports the following versions of SNMP:

• SNMPv1--Simple Network Management Protocol: a full Internet standard, defined in RFC 1157. (RFC 1157 replaces the earlier versions that were published as RFC 1067 and RFC 1098.) Security is based on community strings.
• SNMPv2c--The community string-based Administrative Framework for SNMPv2. SNMPv2c (the "c" is for "community") is an experimental Internet protocol defined in RFC 1901, RFC 1905, and RFC 1906. SNMPv2c is an update of the protocol operations and data types of SNMPv2p (SNMPv2 Classic) and uses the community-based security model of SNMPv1.
• SNMPv3--Version 3 of SNMP. SNMPv3 is an interoperable standards-based protocol defined in RFCs 3413 to 3415. SNMPv3 provides secure access to devices by authenticating and encrypting packets over the network.

For more information about SNMP Versions, see the “ Configuring SNMP Support ” module in the Cisco IOS Network Management Configuration Guide .

• SNMPv1 or SNMPv2 Security
  
• SNMPv3 Security
  

The SNMP Notification Support over VPNs feature allows the sending and receiving of SNMP notifications (traps and informs) using VPN routing and forwarding (VRF) instance tables. In particular, this feature adds support to Cisco IOS software for the sending and receiving of SNMP notifications (traps and informs) specific to individual VPNs.

SNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents.

A VPN is a network that provides high-connectivity transfers on a shared system with the same usage guidelines as a private network. A VPN can be built on the Internet over IP, Frame Relay, or ATM networks.

A VRF stores per-VPN routing data. It defines the VPN membership of a customer site attached to the network access server (NAS). A VRF consists of an IP routing table, a derived Cisco Express Forwarding (formerly known as CEF) table, and guidelines and routing protocol parameters that control the information that is included in the routing table.

The SNMP Support for VPNs--Context-Based Access Control feature provides configuration commands that allow users to associate SNMP agents and managers with specific VRFs. The associated VRF is used for the sending of SNMP notifications (traps and informs) and responses between agents and managers. If a VRF is not specified, the default routing table for the VPN is used.

The SNMP Support for VPNs--Context-Based Access Control feature extends the capabilities of the SNMP Notification Support for VPNs feature and enables SNMP to differentiate between incoming packets from different VPNs.

When the SNMP Support for VPNs--Context-Based Access Control feature is configured, SNMP accepts requests on any configured VRF and returns responses to the same VRF. A trap host also can be associated with a specific VRF. The configured VRF is then used for sending out traps; otherwise, the default routing table is used. You also can associate a remote user with a specific VRF. You also can configure the VRFs from which SNMP should accept requests. Any requests coming from VRFs that are not specified are dropped.

IP access lists can be configured and associated with SNMP community strings. This feature enables you to configure an association between VRF instances with SNMP community strings. When a VRF instance is associated with an SNMP community string, SNMP processes the requests coming in for a particular community string only if the requests are received from the configured VRF. If the community string contained in the incoming packet does not have a VRF associated with it, the community string will be processed only if it came in through a non-VRF interface.

You also can enable or disable authentication traps for SNMP packets dropped due to VRF mismatches. By default if SNMP authentication traps are enabled, VRF authentication traps are also enabled.

• VPN Route Distinguishers
  

SNMP contexts provide VPN users with a secure way of accessing MIB data. When a VPN is associated with a context, that VPN’s specific MIB data exists in that context. Associating a VPN with a context enables service providers to manage networks with multiple VPNs. Creating and associating a context with a VPN enables a provider to prevent the users of one VPN from accessing information about other VPN userss on the same networking device.

VPN-aware SNMP requires an agreement between SNMP manager and agent entities operating in a VPN environment on a mapping between the SNMP security name and the VPN ID. This mapping is created by using multiple contexts for the SNMP data of different VPNs through the configuration of the SNMP-VACM-MIB. The SNMP-VACM-MIB is configured with views so that a user on a VPN with a security name is allowed access to the restricted object space associated with a user’s access type in the context associated with the user of that VPN.

SNMP request messages undergo three phases of security and access control before a response message is sent back with the object values in the context of a VPN:

• In the first phase, the username is authenticated. This phase ensures that the user is authenticated and authorized for SNMP access.
• In the second phase, the user is authorized for the SNMP access requested to the group objects under consideration of the configured SNMP context. This phase is called the access control phase.
• In the third phase, access is made to a particular instance of a table entry. With this third phase, complete retrieval can be based on the SNMP context name.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    snmp-server context context-name

4.    ip vrf vrf-name

5.    rd route-distinguisher

6.    context context-name

7.    route-target {import | export | both} route-target-ext-community

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	snmp-server context context-name Example: Router(config)# snmp-server context context1	Creates and names an SNMP context.
Step 4	ip vrf vrf-name Example: Router(config)# ip vrf vrf1	Configures a VRF routing table and enters VRF configuration mode.
Step 5	rd route-distinguisher Example: Router(config-vrf)# rd 100:120	Creates a VPN route distinguisher.
Step 6	context context-name Example: Router(config-vrf)# context context1	Associates an SNMP context with a particular VRF. Note    In Cisco IOS Release 15.0(1)M and later releases, the context command is replaced by the snmp context command. See the Network Management Command Reference for more information.
Step 7	route-target {import | export | both} route-target-ext-community Example: Router(config-vrf)# route-target export 100:1000	(Optional) Creates a route-target extended community for a VRF.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    snmp-server user username group-name [remote host [udp-port port] [vrf vrf-name]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access [ipv6 nacl] [priv {des | 3des | aes {128 | 192 | 256}} privpassword] {acl-number | acl-name}]

4.    snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} [context context-name] [read read-view] [write write-view] [notify notify-view] [access [ipv6 named-access-list] [acl-number| acl-name]]

5.    snmp-server view view-name oid-tree {included | excluded}

6.    snmp-server enable traps [notification-type] [vrrp]

7.    snmp-server community string [view view-name] [ro | rw] [ipv6 nacl] [access-list-number | extended-access-list-number | access-list-name]

8.    snmp-server host {hostname | ip-address} [vrf vrf-name] [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]

9.    snmp mib community-map community-name [context context-name] [engineid engine-id] [security-name security-name][target-list upn-list-name]

10.    snmp mib target list vpn-list-name {vrf vrf-name | host ip-address}

11.    no snmp-server trap authentication vrf

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	snmp-server user username group-name [remote host [udp-port port] [vrf vrf-name]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access [ipv6 nacl] [priv {des | 3des | aes {128 | 192 | 256}} privpassword] {acl-number | acl-name}] Example: Router(config)# snmp-server user customer1 group1 v1	Configures a new user to an SNMP group.
Step 4	snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} [context context-name] [read read-view] [write write-view] [notify notify-view] [access [ipv6 named-access-list] [acl-number| acl-name]] Example: Router(config)# snmp-server group group1 v1 context context1 read view1 write view1 notify view1	Configures a new SNMP group or a table that maps SNMP users to SNMP views. Use the context context-name keyword argument pair to associate the specified SNMP group with a configured SNMP context.
Step 5	snmp-server view view-name oid-tree {included | excluded} Example: Router(config)# snmp-server view view1 ipForward included	Creates or updates a view entry.
Step 6	snmp-server enable traps [notification-type] [vrrp] Example: Router(config)# snmp-server enable traps	Enables all SNMP notifications (traps or informs) available on your system.
Step 7	snmp-server community string [view view-name] [ro | rw] [ipv6 nacl] [access-list-number | extended-access-list-number | access-list-name] Example: Router(config)# snmp-server community public view view1 rw	Sets up the community access string to permit access to the SNMP.
Step 8	snmp-server host {hostname | ip-address} [vrf vrf-name] [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type] Example: Router(config)# snmp-server host 10.0.0.1 vrf vrf1 public udp-port 7002	Specifies the recipient of an SNMP notification operation.
Step 9	snmp mib community-map community-name [context context-name] [engineid engine-id] [security-name security-name][target-list upn-list-name] Example: Router(config)# snmp mib community-map community1 context context1 target-list commAVpn	Associates an SNMP community with an SNMP context, Engine ID, or security name.
Step 10	snmp mib target list vpn-list-name {vrf vrf-name | host ip-address} Example: Router(config)# snmp mib target list commAVpn vrf vrf1	Creates a list of target VRFs and hosts to associate with an SNMP community.
Step 11	no snmp-server trap authentication vrf Example: Router(config)# no snmp-server trap authentication vrf	(Optional) Disables all SNMP authentication notifications (traps and informs) generated for packets received on VRF interfaces. Use this command to disable authentication traps only for those packets on VRF interfaces with incorrect community associations.