
Cisco Switch IOS SNMPv3 Settings and Related Topics

This topic covers SNMPv3 settings and troubleshooting for Cisco IOS based switches. Other Cisco operating systems will be similar. It assumes that you are familiar with accessing the Command Line Interface (CLI) over a serial cable with a terminal program such as TeraTerm.

The topics below were prepared using the following versions of IOS and the Managed Switch Port Mapping Tool:
Cisco IOS version: 12.2(55)SE10
Managed Switch Port Mapping Tool version: 2.55
The Managed Switch Port Mapping Tool supports the SNMPv3 User-based Security Model (USM). For simplicity, we have not used access lists or SNMPv3 contexts in the basic setup.

Related topics: how to enable SNMPv1 and SNMPv2c, and how to disable all SNMP, on a Cisco switch (covered on a separate page); how to prepare the Managed Switch Port Mapping Tool to use SNMPv3.

Example: How to change your config on a Cisco 3750 switch to support SNMPv3

Commands you type are shown after the switch prompt (Switch>, Switch#, Switch(config)#); everything else is switch output.

How to check current SNMP settings in your running-config

Switch>enable
Switch#show running-config | include snmp-server
snmp-server group testv3group v3 priv read testv3view write testv3view
snmp-server group testv3group v3 auth context vlan- match prefix
snmp-server view testv3view internet included
snmp-server community public RO
Switch#

If you see no information, or only 'snmp-server community public RO', you do not have SNMPv3 active in your running-config. The output above shows that SNMPv1, v2c and v3 are all active. For information on how to add SNMPv1 and SNMPv2c support, see the related page.

How to enable SNMPv3 in a Cisco Switch IOS CLI

1. Switch>enable
2. Switch#config term (this enters configuration mode so you can edit the running-config; to undo any of the following three commands later, prefix them with 'no': 'no snmp-server view', 'no snmp-server group' or 'no snmp-server user')
3. Create a view for the test SNMPv3 user:
Switch(config)#snmp-server view testv3view internet included
4. Create a group to access the view:
Switch(config)#snmp-server group testv3group v3 priv read testv3view write testv3view
5. Create a user for the group:
Switch(config)#snmp-server user testv3user testv3group v3 auth md5 Passw0rd priv des Passw0rd
6. Activate context prefix matching by entering this command (yourV3groupName is the group created in step 4, testv3group in this example):
Switch(config)#snmp-server group yourV3groupName v3 auth context vlan- match prefix
(If you do not do this, the Managed Switch Port Mapping Tool will give error messages claiming it cannot access BRIDGE-MIB even though the rest of the mapping appears to work. See the later section if that command is not supported by your version of IOS.)
7. Switch(config)#Ctrl-z
8. Optionally save it to the startup config using Switch#copy running-config startup-config

Checking your running-config settings

Switch>enable
(Execute the show snmp user command. This is typical output if SNMPv3 is active.)
Switch#show snmp user

User name: testv3user
Engine ID: 800000090300001562299C03
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: testv3group

(Execute the show snmp group command. This is typical output when SNMPv3 is active; here all three versions of SNMP are active.)
Switch#show snmp group
groupname: public security model:v1
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

groupname: public security model:v2c
readview : v1default writeview: <no writeview specified>
notifyview: *tv.00000000.00000000.00000020.0
row status: active

groupname: testv3group security model:v3 priv
readview : testv3view writeview: testv3view
notifyview: <no notifyview specified>
row status: active

(Execute the show snmp view command to see which parts of the SNMP OID tree are readable by users. The 'testv3view' line covers the internet subtree, i.e. .1.3.6 and below.)
Switch#show snmp view
v1default iso - included permanent active
v1default internet - included permanent active
v1default snmpUsmMIB - excluded permanent active
v1default snmpVacmMIB - excluded permanent active
v1default snmpCommunityMIB - excluded permanent active
v1default ciscoMgmt.252 - excluded permanent active
testv3view internet - included nonvolatile active
*tv.00000000.00000000.00000020.000000007F iso - included volatile active
*tv.00000000.00000000.00000020.000000007F iso.2.840.10036 - included volatile active

SNMPv3 Settings in the Managed Switch Port Mapping Tool
The settings must match or you WILL see a Switch Communications Timeout and Failure on our first SNMP query when you press Map Switch. Make sure the tool's settings match what you entered in step 5 above (user name, authentication protocol and password, privacy protocol and password); they are shown in the screenshot below.
(Screenshot: SNMPv3 Settings, AuthPriv)

Problem: my Cisco 3750 switch maps fine using SNMPv1 or v2c, but with SNMPv3 I no longer see MAC Addresses, IP Addresses, VLANs or hostnames. What is wrong with the Switch Port Mapper?

Nothing is wrong with the Switch Port Mapper. The problem is in the switch and its config settings.

Background: Cisco uses 'community name indexing' for SNMPv1 and SNMPv2c to let us get VLAN-specific information from BRIDGE-MIB. For SNMPv3, Cisco uses a variation of this technique based on SNMPv3 contexts: the context field is changed for each VLAN requested so that BRIDGE-MIB returns the information for that particular VLAN. The problem is that not all versions of IOS support contexts, and in order to request context information for each VLAN you have to change the running-config through the CLI. If the switch is not configured this way, this software (and any other switch mapping software) cannot map the switch with SNMPv3.

First, you need to see if your switch supports contexts. From CLI run this command:

Switch>enable
Switch#show snmp context
vlan-1
vlan-3
vlan-1005
vlan-1005
vlan-1005
vlan-1005

Assuming your switch does support contexts, next check whether your switch supports prefix matching.
In your running-config add (yourV3groupName is your SNMPv3 group name):

Switch>enable
Switch#config term
Switch(config)#snmp-server group yourV3groupName v3 auth context vlan- match prefix
(don't forget the dash after vlan)
Switch(config)#Ctrl-z

If the switch does support prefix matching, every Cisco switch running that version of IOS or later that you intend to map with SNMPv3 must have that command in its config. You can skip the next section; you are finished.

If the switch does NOT support prefix matching, you have a lot of work to do. Every VLAN must have a context set up for it. You have to add this command to the running-config for EVERY VLAN:

snmp-server group yourV3groupName v3 priv context vlan-(vlanid)

So if you have 10 VLANs on the switch, that command must appear 10 times, once for each VLAN (no parentheses around 'vlanid'; you may optionally add 'access #' at the end to restrict the context to an access list).

Examples for a switch with VLANs numbered 6, 100, 117 and 200 (note the optional access list statement on the last one):
Switch>enable
Switch#config term
Switch(config)#snmp-server group yourV3groupName v3 priv context vlan-6
Switch(config)#snmp-server group yourV3groupName v3 priv context vlan-100
Switch(config)#snmp-server group yourV3groupName v3 priv context vlan-117
Switch(config)#snmp-server group yourV3groupName v3 priv context vlan-200 access 51
Switch(config)#Ctrl-z
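Because the failure mode described on this page (mapping works for SNMPv1/v2c but BRIDGE-MIB is unreachable over SNMPv3) comes down to a few config lines chaining together, it helps to check them before pressing Map Switch. The following Python script is an added example, not code from the Managed Switch Port Mapping Tool or from Cisco: it parses constructed samples of the 'show running-config | include snmp-server', 'show snmp user' and 'show snmp context' output shown earlier in this topic and reports whether the view, group and user chain is complete, whether the group is AuthPriv, whether each VLAN context is reachable through either a 'vlan- match prefix' rule (step 6 of the enable procedure) or a per-VLAN context entry (this section), and whether the user still relies on MD5/DES. The sample lines, the hypothetical switch they describe and all function names are assumptions for the illustration; IOS does not list snmp-server user lines in the running-config, which is why the user is read from 'show snmp user' instead.

```python
import re

# Constructed sample of 'show running-config | include snmp-server' output,
# modelled on this topic's examples (hypothetical switch, not real data).
RUNNING_CONFIG = """\
snmp-server group testv3group v3 priv read testv3view write testv3view
snmp-server group testv3group v3 priv context vlan-6
snmp-server group testv3group v3 priv context vlan-100 access 51
snmp-server view testv3view internet included
snmp-server community public RO
"""

# Constructed sample of 'show snmp user' output. IOS keeps snmp-server user
# lines out of the running-config, so the user must be read from here.
SHOW_SNMP_USER = """\
User name: testv3user
Engine ID: 800000090300001562299C03
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: testv3group
"""

# Constructed sample of 'show snmp context' output (one VLAN context per line).
SHOW_SNMP_CONTEXT = ["vlan-1", "vlan-6", "vlan-100", "vlan-117"]

GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(.*)$")
VIEW_RE = re.compile(r"^snmp-server view (\S+) ")


def parse_running_config(text):
    """Return (views, groups, contexts) parsed from the snmp-server lines."""
    views, groups, contexts = set(), {}, []
    for line in text.splitlines():
        m = VIEW_RE.match(line)
        if m:
            views.add(m.group(1))
            continue
        m = GROUP_RE.match(line)
        if not m:
            continue
        name, level, rest = m.groups()
        ctx = re.search(r"\bcontext (\S+)", rest)
        if ctx:
            # Context line: a single VLAN context, or a 'vlan-' prefix rule.
            contexts.append((name, ctx.group(1), "match prefix" in rest))
        else:
            # Access-definition line of the group: security level and views.
            read = re.search(r"\bread (\S+)", rest)
            write = re.search(r"\bwrite (\S+)", rest)
            groups[name] = {"level": level,
                            "read": read.group(1) if read else None,
                            "write": write.group(1) if write else None}
    return views, groups, contexts


def parse_show_snmp_user(text):
    """Return the 'key: value' fields of one 'show snmp user' entry."""
    user = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        user[key.strip().lower()] = value.strip()
    return user


def context_reachable(contexts, group, vlan_context):
    """True if the group has a prefix rule or an exact entry for the context."""
    for name, ctx, prefix in contexts:
        if name != group:
            continue
        if (prefix and vlan_context.startswith(ctx)) or ctx == vlan_context:
            return True
    return False


def audit(running_config, show_snmp_user, vlan_contexts):
    """Return a list of findings; an empty list means the switch looks mappable."""
    views, groups, contexts = parse_running_config(running_config)
    user = parse_show_snmp_user(show_snmp_user)
    findings = []
    group = user.get("group-name")
    if group not in groups:
        findings.append(f"user {user.get('user name')} maps to unknown v3 group {group}")
        return findings
    g = groups[group]
    if g["level"] != "priv":
        findings.append(f"group {group} is '{g['level']}'; the tool's AuthPriv setting expects priv")
    if g["read"] not in views:
        findings.append(f"group {group} read view {g['read']} is not defined")
    if user.get("authentication protocol") == "MD5" or user.get("privacy protocol") == "DES":
        findings.append("MD5/DES in use; prefer sha/aes where the IOS image supports them")
    for ctx in vlan_contexts:
        if not context_reachable(contexts, group, ctx):
            findings.append(f"context {ctx} not reachable by group {group}; BRIDGE-MIB for that VLAN will fail")
    return findings


if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG, SHOW_SNMP_USER, SHOW_SNMP_CONTEXT):
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports vlan-1 and vlan-117 as unreachable (only vlan-6 and vlan-100 have explicit context entries) plus the MD5/DES note; appending the single 'context vlan- match prefix' line from step 6 clears every VLAN finding at once, which is exactly why that command is preferred where the IOS version supports it.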

Important note: the 'vlan-' contexts are probably different from any SNMP contexts you may have used before. You must use the vlan- contexts in the statements described in this topic, whether using prefix matching or individual entries; treat vlan- as 'reserved' contexts to avoid confusion. The basic enable procedure earlier in this topic does not use SNMPv3 contexts at all.

More questions? see this thread: https://supportforums.cisco.com/thread/2036734