DX NetOps

  • 1.  SNMP V3, CISCO Switches and Context

    Posted Mar 19, 2013 01:24 PM
    New to Spectrum, old to infrastructure management.

    I have just upgraded to 9.2.3 but this problem has been around since the initial install.

    Does anyone have experience with Spectrum and Cisco switches using SNMP V3? Specifically when it comes to context.

    I am able to see the native VLAN in the switch(es) but not the VLAN containing the connected devices. For example, switch native VLAN is x and servers are in VLAN y.

    Spectrum shows the connectivity between all switches, but not server to switch.

    I am able to browse the MIBs etc but have no entries in the dot1dBridge.dot1dTp.dot1dTpFdbTable (.1.3.6.1.2.1.17.4.3)

    The SNMP Community String shows #v3/P:SHA^******:AES^******/"username" in CA Spectrum Modeling Information.

    The only thing I have been able to find was a CA document talking about adding /-(context name) to the above Community String but that just caused a loss of SNMP connectivity to the device (switch).

    I have looked at the "CA Spectrum Infrastructure Manager Cisco Device Management Guide" and it looks like our SOPs for configuring the switches use the same procedures.

    Any thoughts? What other information would you need me to post?

    Iain Hamilton


  • 2.  RE: SNMP V3, CISCO Switches and Context

    Posted Mar 19, 2013 06:03 PM
    SNMPv3 and Cisco switches require a little bit more configuration in order to get SPECTRUM to see the connection data. Basically you have to configure each and every VLAN in a context to allow an SNMPv3 User to access them (check out Cisco document ID 44800 for reading BRIDGE-MIB objects on a per-VLAN basis). If you have later versions of the IOS code, you can use a "match prefix" syntax that makes scalability easier. To allow all VLANs configure something like the following:

    snmp-server group v3group v3 auth context vlan- match prefix

    This is an issue though on the switch side not the SPECTRUM side since by default an SNMPv3 user can't read the bridge table.


  • 3.  RE: SNMP V3, CISCO Switches and Context

    Posted Mar 20, 2013 08:15 AM

    MattClausen wrote:

    SNMPv3 and Cisco switches require a little bit more configuration in order to get SPECTRUM to see the connection data. Basically you have to configure each and every VLAN in a context to allow an SNMPv3 User to access them (check out Cisco document ID 44800 for reading BRIDGE-MIB objects on a per-VLAN basis). If you have later versions of the IOS code, you can use a "match prefix" syntax that makes scalability easier. To allow all VLANs configure something like the following:

    snmp-server group v3group v3 auth context vlan- match prefix

    This is an issue though on the switch side not the SPECTRUM side since by default an SNMPv3 user can't read the bridge table.
    Matt,
    Thanks for the reply.

    If I understand you correctly, you're saying that Spectrum will only need the V3 authorisation to read through ALL the context names, right?
    I'll assume it's grabbing the context names from somewhere like entLogicalContextName in the ENTITY-MIB (this, currently, shows all of our context names), am I correct in this assumption?

    We're still working on it but no joy yet.

    Iain Hamilton


  • 4.  RE: SNMP V3, CISCO Switches and Context

    Posted Mar 21, 2013 01:47 PM
    Update:
    I have Net-SNMP snmpwalk working against one switch for testing.

    snmpwalk -v 3 -u ***** -l authpriv -n vlan-418 -a SHA -A ***** -x AES -X ***** 172.**.**.* 1.3.6.1.2.1.17.4.3 shows me accurate information for VLAN 418 and
    snmpwalk -v 3 -u ***** -l authpriv -n vlan-417 -a SHA -A ***** -x AES -X ***** 172.**.**.* 1.3.6.1.2.1.17.4.3 shows me accurate information for VLAN 417 that is different from VLAN 418.

    This tells me that Net-SNMP and the Cisco configs are compatible.

    The switch is in VLAN 417 and the connected devices are in VLAN 418. In this case the connected devices are Windows servers with SNMP enabled.

    Spectrum reads the standard SNMP info from both the servers and the switch. The switch Interfaces in Spectrum show connected but nothing in the "Device Connected"/"Port Connected" columns except for up links to other switches.

    I have re-discovered, deleted and re-discovered the switch in Spectrum, I have "Discover(ed) Connections" and I am still not getting port connectivity between the devices.

    Is there anything else I should be checking for communication between SNMP and the switch?

    Thanks
    Iain Hamilton


  • 5.  RE: SNMP V3, CISCO Switches and Context

    Posted Mar 21, 2013 02:01 PM
    I read in some docs that Spectrum does not support management over SNMP context.
    I think this is ok because SNMP contexts are used to segregate information and Spectrum needs all information to manage the device.

    I think the device needs to answer with all information when the context is null or an empty string.


  • 6.  RE: SNMP V3, CISCO Switches and Context

    Posted Mar 21, 2013 02:17 PM
    jlbastos,
    Thanks for the reply.

    snmpwalk -v 3 -u ***** -l authpriv -a SHA -A ***** -x AES -X ***** 172.**.**.* 1.3.6.1.2.1.17.4.3 (no "-n" option) yields "No Such Object available on this agent at this OID" where 1.3.6.1.2.1.17.4.3 should be the table for VLAN.

    Iain Hamilton
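
As an added example (not code from this thread or from CA), here is how the per-VLAN walks above turn into the table a manager needs for server-to-switch connectivity: each `-n vlan-N` walk of dot1dTpFdbPort (1.3.6.1.2.1.17.4.3.1.2) is parsed, the MAC address is decoded from the six sub-identifiers of the row index, and the "No Such Object" answer that a context-less walk gets is kept apart from a table that is merely empty. The walk text is constructed sample output in the numeric format Net-SNMP prints without MIBs loaded; the context names, bridge port numbers and MAC addresses are assumptions.

```python
"""Merge per-VLAN walks of dot1dTpFdbPort (BRIDGE-MIB, 1.3.6.1.2.1.17.4.3.1.2)
into one MAC -> {(vlan, bridge port)} table.  Added example, not code from the
thread or from CA; the walk output below is constructed sample text."""
import re
from typing import Dict, List, Optional, Set, Tuple

# The row index of dot1dTpFdbTable is the MAC address as six sub-identifiers.
FDB_PORT_LINE = re.compile(
    r"^(?:iso|\.?1)\.3\.6\.1\.2\.1\.17\.4\.3\.1\.2\.((?:\d+\.){5}\d+)\s*=\s*INTEGER:\s*(\d+)\s*$"
)
NO_SUCH_OBJECT = "No Such Object available on this agent at this OID"

# Constructed sample: one walk per SNMPv3 context ("-n vlan-N"), plus the walk
# without a context, which on these switches answers "No Such Object".
WALK_OUTPUT: Dict[str, str] = {
    "vlan-418": (
        "iso.3.6.1.2.1.17.4.3.1.2.0.80.86.170.1.1 = INTEGER: 3\n"
        "iso.3.6.1.2.1.17.4.3.1.2.0.80.86.170.1.2 = INTEGER: 4\n"
        "iso.3.6.1.2.1.17.4.3.1.2.0.29.113.16.255.1 = INTEGER: 24\n"
    ),
    "vlan-417": (
        "iso.3.6.1.2.1.17.4.3.1.2.0.29.113.16.255.1 = INTEGER: 24\n"
        "iso.3.6.1.2.1.17.4.3.1.2.0.30.20.5.6.7 = INTEGER: 24\n"
    ),
    "": "iso.3.6.1.2.1.17.4.3 = " + NO_SUCH_OBJECT + "\n",
}


def parse_fdb_walk(text: str) -> Optional[Dict[str, int]]:
    """Parse one snmpwalk of dot1dTpFdbPort into {mac: bridge_port}.
    Returns None when the agent reported the subtree absent, so the caller can
    tell "no table in this context" apart from "table present but empty"."""
    if NO_SUCH_OBJECT in text:
        return None
    table: Dict[str, int] = {}
    for line in text.splitlines():
        m = FDB_PORT_LINE.match(line.strip())
        if not m:
            continue  # other columns, blank lines, MIB-resolved output, etc.
        octets = [int(o) for o in m.group(1).split(".")]
        if any(o > 255 for o in octets):
            continue  # not a MAC index; skip rather than trust the agent blindly
        mac = ":".join(f"{o:02x}" for o in octets)
        table[mac] = int(m.group(2))
    return table


def merge_contexts(walks: Dict[str, str]) -> Tuple[Dict[str, Set[Tuple[str, int]]], List[str]]:
    """Combine the per-context walks.  Returns (mac -> {(vlan, port)}, contexts
    that returned no table).  The same MAC may be learned on a trunk in several
    VLANs, so every (vlan, port) sighting is kept."""
    merged: Dict[str, Set[Tuple[str, int]]] = {}
    missing: List[str] = []
    for ctx, text in walks.items():
        table = parse_fdb_walk(text)
        if table is None:
            missing.append(ctx)
            continue
        vlan = ctx[len("vlan-"):] if ctx.startswith("vlan-") else ctx
        for mac, port in table.items():
            merged.setdefault(mac, set()).add((vlan, port))
    return merged, missing


def single_host_ports(merged: Dict[str, Set[Tuple[str, int]]]) -> Dict[int, str]:
    """Bridge ports that learned exactly one MAC across all VLANs: the usual
    sign of a directly attached host, as opposed to an uplink that relays many
    stations (port 24 in the sample)."""
    by_port: Dict[int, Set[str]] = {}
    for mac, sightings in merged.items():
        for _vlan, port in sightings:
            by_port.setdefault(port, set()).add(mac)
    return {port: next(iter(macs)) for port, macs in by_port.items() if len(macs) == 1}


if __name__ == "__main__":
    merged, missing = merge_contexts(WALK_OUTPUT)
    for mac, sightings in sorted(merged.items()):
        print(mac, sorted(sightings))
    print("contexts without a bridge table:", missing)
    print("hosts on access ports:", single_host_ports(merged))
```

The port numbers are dot1dBasePort values, not ifIndex; to name the physical interface, walk dot1dBasePortIfIndex (1.3.6.1.2.1.17.1.4.1.2) in the same context and join on the port number. The list of context names is supplied by the caller here; it is whatever the manager discovers on the device.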


  • 7.  RE: SNMP V3, CISCO Switches and Context

    Posted Mar 26, 2013 11:16 AM
    Using a CISCO 2960G8TC, IOS 15.0(2)SE2, we have managed to get this working. There are still some issues with our production switches, which we will sort out.

    The following configuration has worked in our lab:

    Given:
    View Name - View1
    Group Name - Group1
    Access List - Access1
    User - User1
    SHA pass - password1
    AES pass - password2
    Location - Location1
    Contact - Contact1

    Then:
    conf t
    ! create access list "Access1"
    ip access-list standard Access1
    ! grant permissions in the list
    permit any
    end

    conf t
    ! create the view "View1", add "system" SNMP info to the view
    snmp-server view View1 system included
    ! add "internet" SNMP info to the view
    snmp-server view View1 internet included
    ! create the group "Group1" with access through access list "Access1"
    snmp-server group Group1 v3 priv access Access1
    ! use "View1" with the group
    snmp-server group Group1 v3 priv read View1
    ! add context names to the group; this adds all context names starting with "vlan-", which is what Spectrum wants to see
    snmp-server group Group1 v3 priv context vlan- match prefix
    ! create a user in group "Group1" with SNMPv3 credentials
    snmp-server user User1 Group1 v3 auth sha password1 priv aes 128 password2
    ! set the switch location in SNMP
    snmp-server location Location1
    ! set the switch contact information in SNMP
    snmp-server contact Contact1
    end
    wr

    Make changes as required, i.e. permissions in the access list.
    We used the view "v1default" and added "system" to it; it already had "internet".

    Iain Hamilton
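
Added example, not the poster's or Cisco's code: a small linter over an IOS snippet like the one above. It checks the points this thread turned on (a read view that actually covers dot1dTpFdbTable, a `vlan-` prefix context rather than a literal `context vlan-`, user keys that satisfy the group's security level) and flags a `noauth` group or a `permit any` access list for tightening. The sample config is constructed from the lab config with placeholder credentials, and the rule wording is this example's own.

```python
"""Lint an IOS SNMPv3 snippet for what the lab config above needed, plus two
settings a defender tightens.  Added example, not the thread's or Cisco's code;
the sample config is constructed with placeholder credentials."""
import re
from typing import Dict, List

GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)$", re.I)
VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)$", re.I)
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3\b(.*)$", re.I)
ACL_RE = re.compile(r"^ip access-list standard (\S+)$", re.I)
FDB_TABLE = "1.3.6.1.2.1.17.4.3"  # dot1dTpFdbTable, what Spectrum reads per VLAN

# Constructed from the lab config in the post; credentials are placeholders.
LAB_CONFIG = """\
ip access-list standard Access1
permit any
snmp-server view View1 system included
snmp-server view View1 internet included
snmp-server group Group1 v3 priv access Access1
snmp-server group Group1 v3 priv read View1
snmp-server group Group1 v3 priv context vlan- match prefix
snmp-server user User1 Group1 v3 auth sha password1 priv aes 128 password2
"""

def parse_ios_snmp(config: str) -> Dict[str, dict]:
    """Collect groups, views, users and standard ACLs; repeated group lines are merged."""
    groups, views, users, acls = {}, {}, {}, {}
    current_acl = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if m:
            current_acl = m.group(1)
            acls.setdefault(current_acl, [])
            continue
        if current_acl and re.match(r"^(permit|deny)\b", line, re.I):
            acls[current_acl].append(line.lower())
            continue
        current_acl = None  # any other line ends the ACL block
        m = GROUP_RE.match(line)
        if m:
            g = groups.setdefault(m.group(1), {"level": m.group(2).lower(), "contexts": []})
            for key in ("read", "access"):
                k = re.search(r"\b%s (\S+)" % key, m.group(3), re.I)
                if k:
                    g[key] = k.group(1)
            c = re.search(r"\bcontext (\S+)(\s+match prefix)?", m.group(3), re.I)
            if c:
                g["contexts"].append((c.group(1), bool(c.group(2))))
            continue
        m = VIEW_RE.match(line)
        if m and m.group(3).lower() == "included":
            views.setdefault(m.group(1), set()).add(m.group(2).lower())
            continue
        m = USER_RE.match(line)
        if m:
            rest = m.group(3).lower()
            users[m.group(1)] = {"group": m.group(2),
                                 "auth": bool(re.search(r"\bauth (md5|sha)\b", rest)),
                                 "priv": bool(re.search(r"\bpriv (des|3des|aes)\b", rest))}
    return {"groups": groups, "views": views, "users": users, "acls": acls}

def view_covers_fdb(subtrees: set) -> bool:
    """True if an included subtree contains dot1dTpFdbTable ('system' alone does not)."""
    return any(s in ("iso", "internet") or (re.fullmatch(r"[\d.]+", s) is not None
               and (FDB_TABLE + ".").startswith(s.strip(".") + ".")) for s in subtrees)

def lint_snmpv3(config: str) -> List[str]:
    cfg = parse_ios_snmp(config)
    out: List[str] = []
    for name, g in cfg["groups"].items():
        if g["level"] == "noauth":
            out.append(f"group {name}: noauth, polling is unauthenticated")
        if "read" not in g:
            out.append(f"group {name}: no read view")
        elif not view_covers_fdb(cfg["views"].get(g["read"], set())):
            out.append(f"group {name}: read view {g['read']} does not cover dot1dTpFdbTable")
        if not any(c.startswith("vlan-") and p for c, p in g["contexts"]):
            if any(c == "vlan-" and not p for c, p in g["contexts"]):
                out.append(f"group {name}: 'context vlan-' without 'match prefix' names one literal context")
            else:
                out.append(f"group {name}: no 'context vlan- match prefix', per-VLAN bridge tables unreachable")
        acl = g.get("access")
        if acl is None:
            out.append(f"group {name}: no access list, any source may poll")
        elif any(e.startswith("permit any") for e in cfg["acls"].get(acl, [])):
            out.append(f"group {name}: access list {acl} permits any source, restrict it to the poller")
    for uname, u in cfg["users"].items():
        g = cfg["groups"].get(u["group"])
        ok = {"priv": u["auth"] and u["priv"], "auth": u["auth"], "noauth": True}
        if g is None:
            out.append(f"user {uname}: group {u['group']} not defined")
        elif not ok[g["level"]]:
            out.append(f"user {uname}: keys do not satisfy group {u['group']} level {g['level']}")
    return out
```

The parser merges the three `snmp-server group Group1 v3 priv ...` lines into one group; what the switch itself keeps after entering them separately is a separate question, so confirm with `show snmp group` and `show snmp user` on the device that the read view, access list and context all survive in the running config.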