Table Of Contents
Supported Standards, MIBs, and RFCs
Configuring SNMP Support for a VPN
Verifying SNMP Support for VPNs
Configuring SNMP Support over VPNs Example
SNMP Support for VPNs
Feature History
Release    Modification
12.2(2)T   This feature was introduced.
12.0(23)S  This feature was integrated into Cisco IOS Release 12.0 S.
The document describes the SNMP Support for VPNs feature in Cisco IOS Release 12.2(2)T. It includes the following sections:
• Feature Overview
• Supported Platforms
• Supported Standards, MIBs, and RFCs
• Configuration Tasks
• Configuration Examples
• Command Reference
Feature Overview
The SNMP Support for VPNs feature allows the sending and receiving of SNMP notifications (traps and informs) using VPN routing/forwarding (VRF) tables. In particular, this feature adds support to Cisco IOS software for the sending and receiving of SNMP notifications (traps and informs) specific to individual Virtual Private Networks (VPNs).
The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message format for communication between SNMP managers and agents.
A Virtual Private Network (VPN) is a network that provides connectivity over a shared infrastructure while enforcing the same usage guidelines as a private network. A VPN can be built on the Internet over IP, Frame Relay, or ATM networks.
A VRF stores per-VPN routing data. It defines the VPN membership of a customer site attached to the network access server (NAS). A VRF consists of an IP routing table, a derived Cisco Express Forwarding (CEF) table, and guidelines and routing protocol parameters that control the information that is included in the routing table.
The SNMP Support for VPNs feature provides configuration commands that allow users to associate SNMP agents and managers with specific VRFs. The specified VRF is used for the sending of SNMP notifications (traps and informs) and responses between agents and managers. If a VRF is not specified, the default routing table for the VPN is used.
Benefits
This feature allows users to configure an SNMP agent to only accept SNMP requests from a certain set of VPNs. With this configuration, providers can provide network management services to their customers, so customers can manage all user VPN devices.
Related Documents
For details on configuring SNMP, refer to the following documents:
• Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2
• Cisco IOS Configuration Fundamentals Command Reference, Release 12.2
For information about configuring a VRF table, refer to the "Configuring Multiprotocol Label Switching" chapter of the Cisco IOS Switching Services Configuration Guide, Release 12.2.
Supported Platforms
This feature is supported in images for the following platforms:
• Cisco 800 series
• Cisco 1000 series
• Cisco 1400 series
• Cisco 1600 series
• Cisco 1700 series
• Cisco 2600 series
• Cisco 2900 series
• Cisco 3620 routers
• Cisco 3640 routers
• Cisco 3660 routers
• Cisco 3800 series
• Cisco 4000 series
• Cisco 7100 series
• Cisco 7200 series
• Cisco AS5300
• Cisco AS5800
• Cisco AS5350
• Cisco LightStream1010 ATM switch
• Cisco RPM Images
• Cisco VG200
• Cisco 8510 switch
• Cisco 8540 switch
• Cisco 15104 ONS (regen images)
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
No new or modified RFCs are supported by this feature.
Configuration Tasks
See the following sections for configuration tasks for the SNMP Support over VPNs feature. Each task in the list is identified as either required or optional:
• Configuring SNMP Support for a VPN (required)
• Verifying SNMP Support for VPNs (optional)
Configuring SNMP Support for a VPN
To configure SNMP over a specific VPN, use the following command in global configuration mode:
Command: Router(config)# snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type] [vrf vrf-name]
Purpose: Specifies the recipient of an SNMP notification operation and the VRF table to be used for sending SNMP notifications.
To configure SNMP over a specific VPN for a remote SNMP user, use the following command in global configuration mode:
Command: Router(config)# snmp-server engineID remote ip-address [udp-port udp-port-number] [vrf vrf-name] engineid-string
Purpose: Configures a name for the remote SNMP engine on a router.
Verifying SNMP Support for VPNs
To verify that the SNMP Support over VPNs feature is configured properly, use the show snmp-server host EXEC command.
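The following end-to-end configuration is an added example, not part of the original document: it combines the commands from the task above into one SNMPv3 setup in which a remote user with SHA authentication, its remote engine ID, and an inform destination are all tied to a management VRF. The VRF name mgmt-vrf, its route distinguisher, the manager address 10.10.10.5, the group and user names, and the password are assumed values; the engine ID reuses the value from this document's own examples and in practice is taken from the receiving manager.

```cisco
! Define the VRF through which the SNMP manager is reached.
! The rd value is assumed for this example.
ip vrf mgmt-vrf
 rd 65000:1
 exit
!
! Remote engine ID of the manager at 10.10.10.5, reachable in mgmt-vrf.
! This must exist BEFORE the remote user below: the user's
! authentication key is localized with this engine ID, and the
! snmp-server user command fails if the engine ID is missing.
! (Engine ID value taken from this document's examples; a real
! deployment uses the manager's actual engine ID.)
snmp-server engineID remote 10.10.10.5 vrf mgmt-vrf 80000009030000B064EFE100
!
! SNMPv3 group requiring authentication, and a remote user in that
! group. The password is an assumed placeholder; replace it.
snmp-server group mgmt-group v3 auth
snmp-server user mgmt-user mgmt-group remote 10.10.10.5 v3 auth sha ExamplePass123 vrf mgmt-vrf
!
! Send informs (acknowledged and retried, unlike traps) to the manager
! over mgmt-vrf, authenticated as mgmt-user. Only the snmp and config
! notification types are selected for this host.
snmp-server host 10.10.10.5 vrf mgmt-vrf informs version 3 auth mgmt-user snmp config
!
! Notification types must also be enabled globally; without these
! lines the host entry above receives nothing.
snmp-server enable traps snmp
snmp-server enable traps config
```

Entering a second snmp-server host command for 10.10.10.5 with informs would replace the line above rather than add to it, so all notification types for a host belong in one command.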
Configuration Examples
This section provides the following configuration example:
• Configuring SNMP Support over VPNs Example
Configuring SNMP Support over VPNs Example
The following example sends all SNMP notifications to xyz.com over the VRF named "trap-vrf":
Router(config)# snmp-server host xyz.com vrf trap-vrf
The following example configures the VRF named "traps-vrf" for the remote server 172.16.20.3:
Router(config)# snmp-server engineID remote 172.16.20.3 vrf traps-vrf 80000009030000B064EFE100
Command Reference
This section documents the following modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
• snmp-server engineID remote
• snmp-server host
• snmp-server user
snmp-server engineID remote
To configure a name for the remote Simple Network Management Protocol (SNMP) engine on a router, use the snmp-server engineID remote command in global configuration mode. To remove the remote engine ID configuration, use the no form of this command.
snmp-server engineID remote ip-address [udp-port udp-port-number] [vrf vrf-name] engineid-string
no snmp-server engineID remote
Syntax Description
Defaults
UDP port: 161
Command Modes
Global configuration
Command History
Release    Modification
12.0(3)T   This command was introduced.
12.2(2)T   The vrf keyword and vrf-name argument were introduced.
Usage Guidelines
You need not specify the entire 24-character engine ID if it contains trailing zeros. Specify only the portion of the engine ID up until the point where only zeros remain in the value. To configure an engine ID of 123400000000000000000000, you can specify the value 1234, for example, snmp-server engineID remote 1234.
A remote engine ID is required when an SNMP version 3 inform is configured. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
Examples
The following example configures the VRF name traps-vrf for the remote server 172.16.20.3:
Router(config)# snmp-server engineID remote 172.16.20.3 vrf traps-vrf 80000009030000B064EFE100
Related Commands
snmp-server host
To specify the recipient of an SNMP notification operation and the VRF table to be used for the sending of SNMP notifications, use the snmp-server host command in global configuration mode. To remove the specified host, use the no form of this command.
snmp-server host host-address [traps | informs][version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port][notification-type] [vrf vrf-name]
no snmp-server host host-address [traps | informs]
Syntax Description
Defaults
version: noauth
port: 162
If no version keyword is present, the default is version 1. The no snmp-server host global configuration command with no keywords will disable all of the notifications (both traps and informs). In order to disable informs, use the no snmp-server host informs global configuration command.
Note
If the community string is not defined using the snmp-server community global configuration command prior to using this command, the default form of the snmp-server community command will automatically be inserted into the configuration. The password (community-string) used for this automatic configuration of the snmp-server community will be the same as specified in the snmp-server host command. This is the default behavior for Cisco IOS Release 12.0(3) and later releases.
Command Modes
Global configuration
Command History
Usage Guidelines
SNMP notifications can be sent as traps or inform requests. Traps are less reliable because the receiver does not send acknowledgments when it receives traps. The sender cannot determine if the traps were received. However, an SNMP entity that receives an inform request acknowledges the message with an SNMP response PDU. If the sender never receives the response, the inform request can be sent again. Thus, informs are more likely to reach their intended destination.
However, informs consume more resources in the agent and in the network. Unlike a trap, which is discarded as soon as it is sent, an inform request must be held in memory until a response is received or the request times out. Also, traps are sent only once, while an inform may be retried several times. The retries increase traffic and contribute to a higher overhead on the network.
If you do not enter an snmp-server host command, no notifications are sent. In order to configure the router to send SNMP notifications, you must enter at least one snmp-server host command. If you enter the command with no keywords, all trap types are enabled for the host.
In order to enable multiple hosts, you must issue a separate snmp-server host command for each host. You can specify multiple notification types in the command for each host.
When multiple snmp-server host commands are given for the same host and kind of notification (trap or inform), each succeeding command overwrites the previous command. Only the last snmp-server host command will be in effect. For example, if you enter an snmp-server host inform command for a host and then enter another snmp-server host inform command for the same host but with different variables, the second command will replace the first.
The snmp-server host command is used in conjunction with the snmp-server enable global configuration command. Use the snmp-server enable command to specify which SNMP notifications are sent globally. For a host to receive most notifications, at least one snmp-server enable command and the snmp-server host command for that host must be enabled.
However, some notification types cannot be controlled with the snmp-server enable command. For example, some notification types are always enabled. Other notification types are enabled by a different command. For example, the linkUpDown notifications are controlled by the snmp trap link-status command. These notification types do not require an snmp-server enable command.
Availability of the notification-type option depends on the router type and the Cisco IOS software features supported on the router. For example, the envmon notification type is available only if the environmental monitor is part of the system.
The added vrf keyword allows users to send the notifications for a specified IP address over a specific VRF. The VRF defines the VPN membership of a customer, so the notifications are routed using that VPN's routing table rather than the global one.
Examples
The following example sends all SNMP notifications to xyz.com over the VRF named trap-vrf:
Router(config)# snmp-server host xyz.com vrf trap-vrf
Related Commands
snmp-server user
To configure a new user to a Simple Network Management Protocol (SNMP) group, use the snmp-server user command in global configuration mode. To remove a user from an SNMP group, use the no form of the command.
snmp-server user username groupname [remote host [udp-port udp-port-number]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access access-list] [vrf vrf-name]
no snmp-server user
Syntax Description
Defaults
Table 1 describes default behaviors for encryption, passwords, and access lists.
Command Modes
Global configuration
Command History
Release    Modification
12.0(3)T   This command was introduced.
12.2(2)T   The vrf vrf-name keyword/argument combination was introduced.
Usage Guidelines
To configure a remote user, specify the IP address or port number for the remote SNMP agent of the device where the user resides. Also, before you configure remote users for a particular agent, configure the SNMP engine ID, using the command snmp-server engineID with the remote option. The remote agent's SNMP engine ID is needed when computing the authentication/privacy digests from the password. If the remote engine ID is not configured first, the configuration command will fail.
SNMP passwords are localized using the SNMP engine ID of the authoritative SNMP engine. For informs, the authoritative SNMP agent is the remote agent. You need to configure the remote agent's SNMP engine ID in the SNMP database before you can send proxy requests or informs to it.
If a VPN table (VRF) is specified, the vrf-name should match the VRF specified with the ip vrf vrf-name command.
Examples
In the following example, the SNMP user "usmusr" in the SNMP group "group1" is configured to use the VRF "6400-private":
Router(config)# snmp-server group group1 v3 noauth
Router(config)# snmp-server user usmusr group1 v3
Router(config)# snmp-server host 10.100.100.100 vrf 6400-private version 3 noauth trapusr
Related Commands
