18 Replies Latest reply: Jul 7, 2010 1:53 PM by greg@solarwinds.net

Problems with Switch Port Mapper and SNMP v3?

Dal

Hi!

I'm trying to implement SNMP v3 on my Cisco switches, but I have stumbled over something strange:
I'm not sure if this is a Cisco problem or a Switch Port Mapper (SPM) problem, but either way I need help :)

Earlier I have used a simple community string in my switches to use with SPM and things have worked fine (mostly).

But when I set up SNMP v3 like this:
snmp-server group SNMPA v3 auth write v1default
snmp-server user username SNMPA v3 auth sha password

and then try to use that with SPM, it lists only a few of the ports on the switch every time.
It seems that it lists only ports in trunk mode.
When I switch back to a community string it works fine again.

What can cause this?
As you can see I use the Cisco default v1default view. Are there some limitations to that maybe? SolarWinds Orion doesn't seem to have problems with it at least.



Any ideas?

Thanks. 

  • Re: Problems with Switch Port Mapper and SNMP v3?

    Yes, I have the same problem! Where is the SW's support team? My cases about IP Network Browser and Real-Time Interface Monitor  (## 14109 & 18079) are unanswered also!

  • Re: Problems with Switch Port Mapper and SNMP v3?

    I'm not sure if this is a Cisco problem or a Switch Port Mapper (SPM) problem

     



    I think this is an SPM problem. I installed version 9.2 today. Something's wrong too. When I try to use SNMPv3 with SPM, it lists ALL of the ports on the switch, BUT with ONLY ONE ROW for the non-trunked ports WITHOUT Device MACs values in the row. With SNMPv1-community SPM works fine (although I'm not even sure of that now ...)

    • Re: Problems with Switch Port Mapper and SNMP v3?
      Dal

      Can anyone from SW confirm this?

       

      Thanks. 

      • Re: Problems with Switch Port Mapper and SNMP v3?
        davidmaltby

        Development is looking into this issue.  Thank you for your patience.  At this point we're not sure if the issue is only with SNMP v3 logins or what.  Can you help by checking if you can reproduce this issue with SNMP v3 login on a 9.1 Toolset install?


         Thanks,


        • Re: Problems with Switch Port Mapper and SNMP v3?

          My version is 9.2 and the issue is reproduced.

          • Re: Problems with Switch Port Mapper and SNMP v3?

             It took a little while to figure out what was going on with this issue... As you may know, when asking a Cisco switch about its Bridge-MIB, you append the @ sign and the VLAN number to the community string to get that VLAN's bridging info.  Well, you really can't do that for SNMPv3 since there is no community string.  After trying a few things we finally figured it out, but it requires a code change to switch port mapper *AND* the device we are querying.  I won't detail the changes to the code here, but we will try to get something out in the next build that addresses the issue.

            The change that must be made to the Cisco Switch is that the VLAN context must be added to the view group for each VLAN.

            Command: snmp-server group <groupName> v3 <auth|noauth> context vlan-<VLAN-ID>  where the snmp user belongs to <groupName>: snmp-server user Me MyGroup v3 auth ...

            So, to set it up for vlans 10-12 where my group name is MyGroup, using V3 auth:
            • snmp-server group MyGroup v3 auth context vlan-12  
            • snmp-server group MyGroup v3 auth context vlan-10 
            • snmp-server group MyGroup v3 auth context vlan-11

            ***  If anyone knows of a better way to get the context into the view, please respond and let everyone know ***

             

             Again, we will try to have the needed code changes in the next build.

            HTH,
            Greg

            • Re: Problems with Switch Port Mapper and SNMP v3?
              Dal

              As you may know, when asking a Cisco switch about its Bridge-MIB, you append the @ sign and the VLAN number to the community string to get that VLAN's bridging info.


              I have never used that to get info from my switches, at least not since the days we used switches from the 3500XL series, and have always been able to extract info from multiple VLANs. So unless SPM adds some kind of default @<all> or something if you don't type it in yourself, I don't understand this.

               I always thought that SNMP v3 is just a more advanced way than SNMP v2 to get access to the switch?
               

              • Re: Problems with Switch Port Mapper and SNMP v3?

                 Dal - SPM does automatically add the @<VLANID> to the community string for each VLAN when it queries the switch.  But SNMPv3 has no community string, as it uses a username, context, enc key, and auth key.

                SNMPv3, specifically the User Security Model, (USM) is a mechanism that provides authentication and encryption for SNMP traffic.

                Eric Davis has a great article on USM in the context of SNMPv3, it can be found here

                 
                HTH,

                Greg 
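
The two per-VLAN addressing schemes described in the posts above (community@VLAN for v1/v2c, a `vlan-N` context for SNMPv3), together with a check for which `context vlan-N` group statements a switch config still lacks. This is an added example, not part of the thread and not SolarWinds code; the function names, the sample config and the community value `public` are constructed for illustration.

```python
import re

# Per-VLAN context statement as given in the thread, e.g.
#   snmp-server group MyGroup v3 auth context vlan-12
CONTEXT_RE = re.compile(
    r"^\s*snmp-server group (\S+) v3 (auth|noauth|priv) context vlan-(\d+)\b")


def configured_contexts(config_text):
    """Return {(group, level): {vlan_id, ...}} parsed from a config dump."""
    found = {}
    for line in config_text.splitlines():
        m = CONTEXT_RE.match(line)
        if m:
            found.setdefault((m.group(1), m.group(2)), set()).add(int(m.group(3)))
    return found


def missing_context_lines(config_text, group, level, vlan_ids):
    """Config lines still needed so every VLAN in vlan_ids has a context."""
    have = configured_contexts(config_text).get((group, level), set())
    return [f"snmp-server group {group} v3 {level} context vlan-{v}"
            for v in sorted(set(vlan_ids) - have)]


def per_vlan_selector(version, vlan_id, community=None):
    """How a poller addresses one VLAN's Bridge-MIB instance."""
    if version in ("1", "2c"):
        return {"community": f"{community}@{vlan_id}"}  # community string indexing
    if version == "3":
        return {"context": f"vlan-{vlan_id}"}  # SNMPv3 has no community string
    raise ValueError(f"unknown SNMP version: {version}")


# Constructed sample config; group and user names are placeholders.
SAMPLE_CONFIG = """\
snmp-server group MyGroup v3 auth write v1default
snmp-server user Me MyGroup v3 auth sha <password>
snmp-server group MyGroup v3 auth context vlan-12
snmp-server group MyGroup v3 auth context vlan-10
"""

if __name__ == "__main__":
    for line in missing_context_lines(SAMPLE_CONFIG, "MyGroup", "auth", [10, 11, 12]):
        print(line)
    print(per_vlan_selector("2c", 11, community="public"))
    print(per_vlan_selector("3", 11))
```

The VLAN list is passed in explicitly because the active VLANs are not necessarily listed in the configuration text being checked.
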

                • Re: Problems with Switch Port Mapper and SNMP v3?
                  greybirds2

                  We just configured SNMPv3 on our Cisco switches to comply with security standards.  Switch port mapper was working fine with snmpv2 but does not work with v3.  On the layer-2 switches, it complains that the switch does not support the Bridge-MIB.  On the L3 switch it goes through the motions but most of the information is missing (Device MAC addresses, hostnames, IPs, etc).

                   

                  Thwack has many posts on SNMPv3 but I don't see anything missing in the snmpv3 configuration (view statements for MIBs and context statements for each VLAN) so I opened a support case.  They told me that Toolset 9.2 Port Mapper doesn't support SNMPv3 - is that true?  This post seems to indicate otherwise.

                   

                  Thanks!

                  • Re: Problems with Switch Port Mapper and SNMP v3?

                    greybirds2 - It is possible to use SPM 9.2 with SNMPv3, but you must set up the views for each VLAN as mentioned before.  You can also use our newest SwitchPortMapper in the Real-Time Dashboard, which does not require the SNMP-Server views to be set up.

                    You can get the Real-Time Dashboard for free (technical preview).

                     

                    HTH,

                    Greg

                    • Re: Problems with Switch Port Mapper and SNMP v3?
                      greybirds2

                      Hello, Greg -

                       

                      The VLANs are set up with context statements in the view -

                      snmp-server group GROUPNAME v3 auth context vlan-N     (a statement for each vlan)

                      As soon as the command is invoked on the layer two switches, in the lower-left corner it starts flashing that it is retrying Bridge-MIB table support on {IP address} on VLAN {#} and then a pop-up stating that "IP ADDRESS does not support the Bridge-MIB"

                      When attempting it on the layer three switch, it goes through the exercise and does display all the interfaces, but none of the information for attached devices (MAC addresses, IPs, DNS/NB name) shows up. 

                      This sounds a bit different than the original post, for whom adding the VLAN context seemed to help. 

                       

                      I have multiple statements for the MIB tree.  I started out with Internet, interfaces, chassis, system, for example

                      snmp-server view ORION internet included 

                       -  and then added several others (private, CiscoMgmt, iso, to name a few) but nothing helped.  Am I missing something there?

                      I'll try the dashboard but am not optimistic...NCM inventory is also not picking everything up with v3. 

                      • Re: Problems with Switch Port Mapper and SNMP v3?

                        greybirds2 - I am optimistic about the Dashboard SPM, as I have done many SNMPv3 maps with it.

                        What happens when you MIB Browse the Bridge-MIB with the given credentials? Make sure you set the context name in the view...

                        HTH,

                        Greg

                        • Re: Problems with Switch Port Mapper and SNMP v3?
                          greybirds2

                          I'm not going to be able to try the Dashboard today - have to get an exception to install yet another piece of software that isn't on the "approved" list.

                          Using the Toolset MIB Browser and the v3 credentials, I can browse the devices' MIB tables with no problem.  I must be doing something wrong but don't know what....the configuration I have matches what Cisco and other examples I've found provide, although this post is about the only location that discusses the need for multiple context statements (one per active VLAN). 

                          • Re: Problems with Switch Port Mapper and SNMP v3?
                            greybirds2

                            I tried downloading the Dashboard but the link didn't work - so I upgraded to Toolset v10 and tried the Studio, which looks to be the same thing.  Now when doing the port map via the Studio, it goes all the way through Layer 2 and then Layer 3 and then....nothing.  It must be "finished" as the Settings link is usable.  I guess this is "progress" as at least it doesn't whine that the bridge-mib isn't supported. 

                            As with Toolset 9.2, if I fall back to snmpv2 it works fine. 

                            • Re: Problems with Switch Port Mapper and SNMP v3?

                              All - we have identified an issue in the Workspace Studio and command line versions of SwitchPortMapper which could cause the results you are seeing.

                              Symptoms: MACs not showing up on non-default VLANs when retrieving values via SNMPv3 on Cisco switches.

                              * You must still add the context for each VLAN to the group as mentioned above, or the SwitchPortMapper will not be able to read the Bridge-MIB for each VLAN.

                              This issue should be fixed in the next release of Toolset, (I can't give a date, but one is coming soon).

                              Thanks to everyone for their assistance on this issue,

                              Greg

                              • Re: Problems with Switch Port Mapper and SNMP v3?

                                Just a follow up here as a few folks have contacted me about this issue...

                                The current version (v10.2 as of this post) of switch port mapper (in the Workspace Studio) will correctly get the bridge info using SNMPv3 now, as well as extended VLANs, but you will still need to add the context for each VLAN in the config as stated in previous posts.

                                MarkG - I replied to you earlier, but I do not think you are getting my emails... please check your junk filter :)

                                Thanks,

                                Greg

                                • Re: Problems with Switch Port Mapper and SNMP v3?

                                  I've never been able to get SPM to work with v3. I've just downloaded the latest version (10.6.0.84)... configured a Cisco WS-C3750-48TS-E with the following commands:

                                  snmp-server group somename v3 priv read ReadOnly
                                  snmp-server user username somename v3 auth sha password priv des56 password
                                  snmp-server group somename v3 auth context vlan-85

                                  When I test the credentials, it passes. But when I click "Map Ports", it says the device does not respond to snmp queries.