SNMP Support over VPNs—Context-Based Access Control

The SNMP Support over VPNs--Context-Based Access Control feature provides infrastructure for the multiple SNMP context supports in Cisco software and VPN-aware MIB.

Finding Feature Information

Your software release may not support all the features that are documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. The Feature Information Table at the end of this document provides information about the documented features and lists the releases in which each feature is supported.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.

Hardware Compatibility Matrix for the Cisco cBR Series Routers


Note


The hardware components that are introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless otherwise specified.
Table 1. Hardware Compatibility Matrix for the Cisco cBR Series Routers

Cisco CMTS Platform

Processor Engine

Interface Cards

Cisco cBR-8 Converged Broadband Router

Cisco IOS-XE Release 16.5.1 and Later Releases

Cisco cBR-8 Supervisor:

  • PID—CBR-SUP-250G

  • PID—CBR-CCAP-SUP-160G

Cisco IOS-XE Release 16.5.1 and Later Releases

Cisco cBR-8 CCAP Line Cards:

  • PID—CBR-LC-8D30-16U30

  • PID—CBR-LC-8D31-16U30

  • PID—CBR-RF-PIC

  • PID—CBR-RF-PROT-PIC

  • PID—CBR-CCAP-LC-40G

  • PID—CBR-CCAP-LC-40G-R

  • PID—CBR-CCAP-LC-G2-R

  • PID—CBR-SUP-8X10G-PIC

  • PID—CBR-2X100G-PIC

Digital PICs:

  • PID—CBR-DPIC-8X10G

  • PID—CBR-DPIC-2X100G

Cisco cBR-8 Downstream PHY Module:

  • PID—CBR-D31-DS-MOD

Cisco cBR-8 Upstream PHY Modules:

  • PID—CBR-D31-US-MOD


Note


Do not use DPICs (8X10G and 2x100G) to forward IP traffic, as it may cause buffer exhaustion, leading to line card reload.

The only allowed traffic on a DPICs DEPI, UEPI, and GCP traffic from the Cisco cBR-8 router to Remote PHY devices. Other traffic such as DHCP, SSH, and UTSC should flow via another router, since DPICs cannot be used for normal routing.


Restrictions for SNMP Support over VPNs—Context-Based Access Control

  • If you delete an SNMP context using the no snmp-server context command, all SNMP instances in that context are deleted.

  • Not all MIBs are VPN-aware.

Information About SNMP Support over VPNs—Context-Based Access Control

SNMP Versions and Security

Cisco software supports the following versions of SNMP:

  • SNMPv1—Simple Network Management Protocol: a full Internet standard, which is defined in RFC 1157. (RFC 1157 replaces the earlier versions that were published as RFC 1067 and RFC 1098.) Security is based on the community strings.

  • SNMPv2c—The community string-based Administrative Framework for SNMPv2. SNMPv2c (the "c" is for "community") is an experimental IP that is defined in RFC 1901, RFC 1905, and RFC 1906. SNMPv2c is an update of the protocol operations and data types of SNMPv2p (SNMPv2 Classic) and uses the community-based security model of SNMPv1.

For more information about SNMP versions, see the “Configuring SNMP Support” module in the Cisco Network Management Configuration Guide.

SNMPv1 or SNMPv2 Security

Cisco IOS software supports the following versions of SNMP:

  • SNMPv1—Simple Network Management Protocol: a full Internet standard, that is defined in RFC 1157. (RFC 1157 replaces the earlier versions that were published as RFC 1067 and RFC 1098.) Security is based on the community strings.

  • SNMPv2c—The community string-based Administrative Framework for SNMPv2. SNMPv2c (the "c" is for "community") is an experimental IP that is defined in RFC 1901, RFC 1905, and RFC 1906. SNMPv2c is an update of the protocol operations and data types of SNMPv2p (SNMPv2 Classic) and uses the community-based security model of SNMPv1.

SNMPv1 and SNMPv2 are not as secure as SNMPv3. SNMP version 1 and 2 use plain text communities and do not perform the authentication or security checks that SNMP version 3 performs. When using SNMP version 1 or 2, associate a community name with a VPN to configure the SNMP Support over VPNs—Context-Based Access Control feature. This association causes SNMP to process requests coming in for a particular community string only if it comes in from the configured VRF. Community strings without an associated VRF in the incoming packets are processed only if it came through a non-VRF interface. This process prevents users outside the VPN from snooping a clear text community string to query the VPN’s data. These methods of source address validation are not as secure as using SNMPv3.

SNMPv3 Security

If you are using SNMPv3, the security name must be associated with authentication or privileged passwords. Source address validation is not performed on SNMPv3 users. Configure a minimum security level of AuthNoPriv. This configuration ensures that the VPN accesses only to context associated with it and cannot see the MIB data of other VPNs.

On a provider edge (PE) router, a community can be associated with a VRF to provide the source address validation. Associate source address with the community list by using an access control list, if the source address validation is required on a customer edge (CE) router.

If you are using SNMPv3, the security name or security password of the users of a VPN must be unknown to users of other VPNs. Cisco recommends not to use SNMPv3 nonauthorized users if you need security of management information.

SNMP Notification Support over VPNs

The SNMP Notification Support over VPNs feature allows the sending and receiving of SNMP notifications (traps and informs) using VPN routing and forwarding (VRF) instance tables. In particular, this feature adds support to Cisco software for the sending and receiving of SNMP notifications (traps and informs) specific to individual VPNs.

SNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents.

A VPN is a network that provides high-connectivity transfers on a shared system with the same usage guidelines as a private network. A VPN can be built on the Internet over IP, Frame Relay, or ATM networks.

A VRF stores per-VPN routing data. It defines the VPN membership of a customer site that is attached to the network access server (NAS). The VRF consists of an IP routing table and a derived Cisco Express Forwarding (formerly known as CEF) table. VRF also consists of guidelines and routing protocol parameters that control the information that is included in the routing table.

The SNMP Support for VPNs—Context-Based Access Control feature provides configuration commands that allow you to associate SNMP agents and managers with specific VRFs. The associated VRF is used for the sending of SNMP notifications (traps and informs) and responses between agents and managers. If a VRF is not specified, the default routing table for the VPN is used.

VPN-Aware SNMP

The SNMP Support for VPNs—Context-Based Access Control feature extends the capabilities of the SNMP Notification Support for VPNs feature and enables SNMP to differentiate between incoming packets from different VPNs.

When the SNMP Support for VPNs—Context-Based Access Control feature is configured, SNMP accepts requests on any configured VRF and returns responses to the same VRF. A trap host can be associated with a specific VRF. The configured VRF is then used for sending out traps; otherwise, the default routing table is used. You can also associate a remote user with a specific VRF. You can also configure the VRFs from which SNMP accepts requests. Any requests coming from VRFs that are not specified are dropped.

IP access lists can be configured and associated with SNMP community strings. This feature enables you to configure an association between VRF instances with SNMP community strings. When a VRF instance is associated with an SNMP community string, SNMP processes the requests coming in for a particular community string only if the requests are received from the configured VRF. If the community string in the incoming packet does not have a VRF associated with it, the community string must come through a non-VRF interface.

You can also enable or disable authentication traps for SNMP packets dropped due to VRF mismatches. By default if SNMP authentication traps are enabled, VRF authentication traps are also enabled.

VPN Route Distinguishers

A route distinguisher (RD) creates routing and forwarding tables and specifies the default route distinguisher for a VPN. The RD is added to the beginning of your IPv4 prefixes to change them into globally unique VPN-IPv4 prefixes.

The RD is an autonomous system number (ASN)-relative RD, in which case it comprises an autonomous system number and an arbitrary number. Or, the RD is an IP-address-relative RD, in which case it comprises an IP address and an arbitrary number.

You can enter an RD in either of these formats:

  • 16-bit ASN: your 16-bit number: For example, 101:3.

  • 32-bit IP address: your 32-bit number: For example, 192.168.122.15:1.

SNMP Contexts

SNMP contexts provide VPN users with a secure way of accessing MIB data. When a VPN is associated with a context, that VPN’s specific MIB data exists in that context. Associating a VPN with a context enables service providers to manage networks with multiple VPNs. Creating and associating a context with a VPN makes it unique. The context enables a provider to prevent the users of one VPN from accessing information about other VPN users on the same networking device.

VPN-aware SNMP requires an agreement between SNMP manager and agent entities operating in a VPN environment. The agreement ensures mapping between the SNMP security name and the VPN ID. This mapping is created by using multiple contexts for the SNMP data of different VPNs through the configuration of the SNMP-VACM-MIB. The SNMP-VACM-MIB is configured with views. This configuration allows VPN users with a security name access to the restricted object space. The configuration is associated with your access type in the context that is associated with the user of that VPN.

SNMP request messages undergo three phases of security and access control. Once the access is validated, a response message is sent back with the object values in the context of a VPN:

  • In the first phase, the username is authenticated. This phase ensures that the user is authenticated and authorized for SNMP access.

  • In the second phase, the user is authorized for the SNMP access that is requested to the group objects under consideration of the configured SNMP context. This phase is called the access control phase.

  • In the third phase, access is made to an instance of a table entry. With this third phase, complete retrieval can be based on the SNMP context name.

How to Configure SNMP Support over VPNs—Context-Based Access Control

Configuring an SNMP Context and Associating the SNMP Context with a VPN

Perform this task to configure an SNMP context and to associate the SNMP context with a VPN.


Note


  • Only the following MIBs are context-aware. All the tables in these MIBs can be polled:
    • CISCO-IPSEC-FLOW-MONITOR-MIB
    • CISCO-IPSEC-MIB
    • CISCO-PING-MIB
    • IP-FORWARD-MIB
    • MPLS-LDP-MIB
  • Only two SNMP variables in the IP-FORWARD-MIB can be polled: 1.3.6.1.2.1.4.24.3 (ipCidrRouteNumber - Scalar) and 1.3.6.1.2.1.4.24.4.1 (ipCidrRouteEntry - Table).

Procedure

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

snmp-server context context-name

Example:


Device(config)# snmp-server context context1

Creates and names an SNMP context.

Step 4

vrf definition vrf-name

Example:


Device(config)# vrf definition vrf1

Configures a VRF routing table and enters VRF configuration mode.

Step 5

rd route-distinguisher

Example:


Device(config-vrf)# rd 100:120

Creates a VPN route distinguisher.

Step 6

context context-name

Example:


Device(config-vrf)# context context1

Associates an SNMP context with a particular VRF.

Note

 

The snmp context command is used instead of the context command, depending on your release. See the Cisco IOS Network Management Command Reference for more information.

Step 7

route-target {import | export | both } route-target-ext-community

Example:


Device(config-vrf)# route-target export 100:1000

(Optional) Creates a route-target extended community for a VRF.

Step 8

end

Example:

Device(config-vrf)# end

Exits interface mode and enters global configuration mode.

Step 9

end

Example:

Device(config)# end

Exits global configuration mode.

Configuring SNMP Support and Associating an SNMP Context

Perform this task to configure SNMP support and associate it with an SNMP context.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. snmp-server user username group-name [remote host [udp-port port ] [vrf vrf-name ]] {v1 | v2c | v3 [encrypted ] [auth {md5 | sha } auth-password ]} [access [ipv6 nacl ] [priv {des | 3des | aes {128 | 192 | 256 }} privpassword ] {acl-number | acl-name }]
  4. snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv }} [context context-name ] [read read-view ] [write write-view ] [notify notify-view ] [access [ipv6 named-access-list ] [acl-number | acl-name ]]
  5. snmp-server view view-name oid-tree {included | excluded }
  6. snmp-server enable traps [notification-type ] [vrrp ]
  7. snmp-server community string [view view-name ] [ro | rw ] [ipv6 nacl ] [access-list-number | extended-access-list-number | access-list-name ]
  8. snmp-server host {hostname | ip-address } [vrf vrf-name ] [traps | informs ] [version {1 | 2c | 3 [auth | noauth | priv ]}] community-string [udp-port port ] [notification-type ]
  9. snmp mib community-map community-name [context context-name ] [engineid engine-id ] [security-name security-name ] [target-list upn-list-name ]
  10. snmp mib target list vpn-list-name {vrf vrf-name | host ip-address }
  11. no snmp-server trap authentication vrf

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

snmp-server user username group-name [remote host [udp-port port ] [vrf vrf-name ]] {v1 | v2c | v3 [encrypted ] [auth {md5 | sha } auth-password ]} [access [ipv6 nacl ] [priv {des | 3des | aes {128 | 192 | 256 }} privpassword ] {acl-number | acl-name }]

Example:


Device(config)# snmp-server user customer1 group1 v1

Configures a new user to an SNMP group.

Step 4

snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv }} [context context-name ] [read read-view ] [write write-view ] [notify notify-view ] [access [ipv6 named-access-list ] [acl-number | acl-name ]]

Example:


Device(config)# snmp-server group group1 v1 context context1 read view1 write view1 notify view1

Configures a new SNMP group or a table that maps SNMP users to SNMP views.

  • Use the context context-name keyword argument pair to associate the specified SNMP group with a configured SNMP context.

Step 5

snmp-server view view-name oid-tree {included | excluded }

Example:


Device(config)# snmp-server view view1 ipForward included

Creates or updates a view entry.

Step 6

snmp-server enable traps [notification-type ] [vrrp ]

Example:


Device(config)# snmp-server enable traps

Enables all SNMP notifications (traps or informs) available on your system.

Step 7

snmp-server community string [view view-name ] [ro | rw ] [ipv6 nacl ] [access-list-number | extended-access-list-number | access-list-name ]

Example:


Device(config)# snmp-server community public view view1 rw

Sets up the community access string to permit access to the SNMP.

Step 8

snmp-server host {hostname | ip-address } [vrf vrf-name ] [traps | informs ] [version {1 | 2c | 3 [auth | noauth | priv ]}] community-string [udp-port port ] [notification-type ]

Example:


Device(config)# snmp-server host 10.0.0.1 vrf vrf1 public udp-port 7002

Specifies the recipient of an SNMP notification operation.

Step 9

snmp mib community-map community-name [context context-name ] [engineid engine-id ] [security-name security-name ] [target-list upn-list-name ]

Example:


Device(config)# snmp mib community-map community1 context context1 target-list commAVpn

Associates an SNMP community with an SNMP context, Engine ID, or security name.

Step 10

snmp mib target list vpn-list-name {vrf vrf-name | host ip-address }

Example:


Device(config)# snmp mib target list commAVpn vrf vrf1

Creates a list of target VRFs and hosts to associate with an SNMP community.

Step 11

no snmp-server trap authentication vrf

Example:


Device(config)# no snmp-server trap authentication vrf 

(Optional) Disables all SNMP authentication notifications (traps and informs) generated for packets that received on VRF interfaces.

  • Use this command to disable authentication traps only for those packets on VRF interfaces with incorrect community associations.

Configuration Examples for SNMP Support over VPNs—Context-Based Access Control

Example: Configuring Context-Based Access Control

The following configuration example shows how to configure the SNMP Support over VPNs—Context-Based Access Control feature for SNMPv1 or SNMPv2:


Note


Use the snmp context command instead of the context command, depending on your release. See the Cisco IOS Network Management Command Reference for more information.



snmp-server context A
snmp-server context B
ip vrf Customer_A
 rd 100:110
 context A
 route-target export 100:1000
 route-target import 100:1000
!
ip vrf Customer_B
 rd 100:120
 context B
 route-target export 100:2000
 route-target import 100:2000
!
interface TenGigabitEthernet4/1/0
 description Belongs to VPN A
 ip vrf forwarding CustomerA
 ip address 192.168.2.1 255.255.255.0
 
interface TenGigabitEthernet4/1/1
 description Belongs to VPN B
 ip vrf forwarding CustomerB
 ip address 192.168.2.2 255.255.255.0
snmp-server user commA grp1A v1 
snmp-server user commA grp2A v2c 
snmp-server user commB grp1B v1 
snmp-server user commB grp2B v2c 
snmp-server group grp1A v1 context A read viewA write viewA notify viewA
snmp-server group grp1B v1 context B read viewB write viewB notify viewB 
snmp-server view viewA ipForward included
snmp-server view viewA ciscoPingMIB included
snmp-server view viewB ipForward included
snmp-server view viewB ciscoPingMIB included
snmp-server enable traps
snmp-server host 192.168.2.3 vrf CustomerA commA udp-port 7002
snmp-server host 192.168.2.4 vrf CustomerB commB udp-port 7002
snmp mib community-map commA context A target-list commAvpn
! Configures source address validation
snmp mib community-map commB context B target-list commBvpn
! Configures source address validation
snmp mib target list commAvpn vrf CustomerA 
! Configures a list of VRFs or from which community commA is valid
snmp mib target list commBvpn vrf CustomerB
! Configures a list of VRFs or from which community commB is valid

Additional References

Related Documents

Related Topic

Document Title

Cisco Network Management commands

Cisco IOS Network Management Command Reference

SNMP configuration

“Configuring SNMP Support” chapter in the Cisco Network Management Configuration Guide

SNMP Support for VPNs

SNMP Notification Support for VPNs

Standards

Standard

Title

None

--

MIBs

MIB

MIBs Link

  • CISCO-PING-MIB

  • IP-FORWARD-MIB

  • SNMP-VACM-MIB, The View-based Access Control Model (ACM) MIB for SNMP

To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

RFC 1441

Introduction to version 2 of the Internet-standard Network Management Framework

RFC 1442

Structure of Management Information for version 2 of the Simple Network Management Protocol (SNMPv2)

RFC 1443

Textual Conventions for version 2 of the Simple Network Management Protocol (SNMPv2)

RFC 1444

Conformance Statements for version 2 of the Simple Network Management Protocol (SNMPv2)

RFC 1445

Administrative Model for version 2 of the Simple Network Management Protocol (SNMPv2)

RFC 1446

Security Protocols for version 2 of the Simple Network Management Protocol (SNMPv2)

RFC 1447

Party MIB for version 2 of the Simple Network Management Protocol (SNMPv2)

RFC 1448

Protocol Operations for version 2 of the Simple Network Management Protocol (SNMPv2)

RFC 1449

Transport Mappings for version 2 of the Simple Network Management Protocol (SNMPv2)

RFC 1450

Management Information Base for version 2 of the Simple Network Management Protocol (SNMPv2)

RFC 2571

An Architecture for Describing SNMP Management Frameworks

RFC 2576

Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework

Technical Assistance

Description

Link

The Cisco Support and Documentation website provide online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for SNMP Support over VPNs—Context-Based Access Control

Use Cisco Feature Navigator to find information about the platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to the https://cfnng.cisco.com/ link. An account on the Cisco.com page is not required.


Note


The following table lists the software release in which a given feature is introduced. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 2. Feature Information for SNMP Support over VPNs—Context-Based Access Control
Feature Name

Releases

Feature Information

SNMP Support over VPNs—Context-Based Access Control

Cisco IOS XE Everest 16.6.1

This feature was integrated into Cisco IOS XE Everest 16.6.1 on theCisco cBR Series Converged Broadband Routers.