Wired

last person joined: 22 hours ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

snmpv3 contexts

This thread has been viewed 8 times
  • 1.  snmpv3 contexts

    Posted Mar 11, 2020 05:47 PM

    I am working with a vendor who wants to snmpwalk our edge switches but wants to use a particular context.   Where can I find a list of the available contexts for AOS-Switch version KB.16.07.0002. SNMPv3.  An snmpwalk of the switch without specifying a context works fine, so I know the snmpv3 config is OK.  The vendor is trying to add "-n vlan-65" to the snmpwalk command but receives an "unknown report message" error.   Sample snmpwalk comment looks like this:  snmpwalk -v 3 -n "vlan-65" -l authPriv -u MY-user-v3 -a SHA -A MYSHAKEY! -x DES -X MYDESKEY! 10.80.28.1 .1.3.6.1.  The vendor is trying to walk the switch to find devices/ports in vlan 65 only.   Any guidance would be appreciated.



  • 2.  RE: snmpv3 contexts

    Posted Mar 12, 2020 02:46 AM

    Good day!

     

    Hello,

    In AOS-Switch, SNMPv3 context is not supported and so we are getting error message while performing SNMPWALK with “-n” option.


    root@Ubuntu4182:~# snmpwalk -v3 -m ALL -u initial -n "vlan-65" -a MD5 -A password -x DES -X password -l authpriv 20.0.0.1 .1.3.6.1
    snmpwalk: Bad context specified

     

    Customer is trying to walk the switch to find devices/ports in vlan 65 correct?


    For this, we have to use below MIB to get ports in particular VLAN.

     

    For getting portlist of particular vlan, we have to do SNMPWALk with MIB or OID.

     

    • SNMPWALk with MIB :

    snmpwalk -v3 -m ALL -u initial -a MD5 -A password -x DES -X password -l authpriv 20.0.0.1 dot1qVlanStaticTable

     

    • With OID :

    snmpwalk -v3 -m ALL -u initial -a MD5 -A password -x DES -X password -l authpriv 20.0.0.1 .1.3.6.1.2.1.17.7.1.4.3

     

    If customer is specific about "-n" context, please ask them to talk to account team or Switching PLM.

     

    Does this help?

     

    Regards,

    Yash



  • 3.  RE: snmpv3 contexts

    Posted Mar 12, 2020 09:41 AM

    Hi Yash,

     

    This helps, but further questions:  Is it possible to specify which vlan is of interest or do you have to walk the mib/oid and process the table yourself to pick out the ports of interest?  This is an E911 application, and the software needs to find which ports the phones are on.  Also, we do role-based here, so how does that impact things?  When we have a phone and computer on single port (computer slaved off the phone), the port VLAN is not set (shows up as multi in a show interface status command), it is actually the MAC's traffic that is tagged for the voice (or data) VLAN.  Would they need to talk the port-access client table?  If so, what OID would that be, if any?

     

    Thoughts?

     

    Thanks.

     

    Mike

     



  • 4.  RE: snmpv3 contexts

    Posted Mar 12, 2020 09:54 AM
      |   view attached

    Yash,

     

    So I ran the snmpwalk with the OID you supplied but I don't see how to determine the ports from the output.  I'm attaching the file of what I get for output.  It looks like it is just a list of the VLAN's defined on the switch, and nothing about which port (or client MAC) is in a particular VLAN.

     

    Mike

     

    Attachment(s)

    txt
    snmpwalk.txt   27 KB 1 version


  • 5.  RE: snmpv3 contexts

    Posted Mar 12, 2020 11:15 AM

    Hi Mike,

    Please see if this help:

    Below MIB object will show the ports present in a particular VLAN :

    root@Ubuntu4182:~# snmpwalk -v2c -m ALL -c public 20.0.0.1 dot1qPvid
    Q-BRIDGE-MIB::dot1qPvid.1 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.2 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.3 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.4 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.5 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.6 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.7 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.8 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.9 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.10 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.11 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.12 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.13 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.14 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.15 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.16 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.23 = Gauge32: 10
    Q-BRIDGE-MIB::dot1qPvid.24 = Gauge32: 10
    Q-BRIDGE-MIB::dot1qPvid.25 = Gauge32: 10
    Q-BRIDGE-MIB::dot1qPvid.26 = Gauge32: 10

    root@Ubuntu4182:~# snmpwalk -v2c -m ALL -c public 20.0.0.1 .1.3.6.1.2.1.17.7.1.4.5.1.1
    Q-BRIDGE-MIB::dot1qPvid.1 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.2 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.3 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.4 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.5 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.6 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.7 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.8 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.9 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.10 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.11 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.12 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.13 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.14 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.15 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.16 = Gauge32: 1
    Q-BRIDGE-MIB::dot1qPvid.23 = Gauge32: 10
    Q-BRIDGE-MIB::dot1qPvid.24 = Gauge32: 10
    Q-BRIDGE-MIB::dot1qPvid.25 = Gauge32: 10
    Q-BRIDGE-MIB::dot1qPvid.26 = Gauge32: 10

    Running-config :

    Aruba-3810M-16SFPP-2-slot# show run

    Running configuration:

    ; JL075A Configuration Editor; Created on release #KB.16.10.0005
    ; Ver #14:2f.6f.f8.1d.fb.7f.bf.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:40

    hostname "Aruba-3810M-16SFPP-2-slot"
    module 1 type jl075x
    module 2 type jl075y
    module 3 type jl075z
    flexible-module B type JL083A
    snmp-server community "public" unrestricted
    snmpv3 enable
    snmpv3 group managerpriv user "initial" sec-model ver3
    snmpv3 user "initial"
    oobm
    ip address dhcp-bootp
    ipv6 enable
    ipv6 address dhcp full
    exit
    vlan 1
    name "DEFAULT_VLAN"
    no untagged B1-B4
    untagged 1-16
    ip address 20.0.0.1 255.255.255.0
    ipv6 enable
    ipv6 address dhcp full
    exit
    vlan 10
    name "VLAN10"
    untagged B1-B4
    no ip address
    exit

    MIB description :

    dot1qPvid OBJECT-TYPE
    SYNTAX VlanIndex
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
    "The PVID, the VLAN ID assigned to untagged frames or
    Priority-Tagged frames received on this port."
    REFERENCE
    "IEEE 802.1Q/D11 Section 12.10.1.1"
    DEFVAL { 1 }
    ::= { dot1qPortVlanEntry 1 }

     

    Regards,

    Yash



  • 6.  RE: snmpv3 contexts

    Posted Mar 12, 2020 11:34 AM

    Yash,

     

    Getting closer, but that just returns the vlan assignment on ports, which for our environment are mostly vlan 1.  The traffic coming in on those ports is painted with the vlan based on the role the MAC is set into, and that's what we need to see.

     

    here's the output of the first 23 ports from the snmpwalk:

    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.1 = Gauge32: 64
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.2 = Gauge32: 70
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.3 = Gauge32: 64
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.4 = Gauge32: 69
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.5 = Gauge32: 65
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.6 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.7 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.8 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.9 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.10 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.11 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.12 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.13 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.14 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.15 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.16 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.17 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.18 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.19 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.20 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.21 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.22 = Gauge32: 1
    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.23 = Gauge32: 1

     

    Here's the output of a show int status for the same ports:

     

    1/A1 RM104 UPS1 Down Auto 1000FDx 100/1000T No 64
    1/A2 Siemens... Up Auto 100FDx 100/1000T No 70
    1/A3 CGL Panel Up Auto 100FDx 100/1000T No 64
    1/A4 Facilit... Down Auto 1000FDx 100/1000T No 69
    1/A5 Dispatc... Up Auto 100FDx 100/1000T No 65
    1/A6 Down Auto 1000FDx 100/1000T No 1
    1/A7 Down Auto 1000FDx 100/1000T No 1
    1/A8 Up Auto 1000FDx 100/1000T No 65
    1/A9 Down Auto 1000FDx 100/1000T No 1
    1/A10 Down Auto 1000FDx 100/1000T No 1
    1/A11 Up Auto 1000FDx 100/1000T No 65
    1/A12 Down Auto 1000FDx 100/1000T No 1
    1/A13 Up Auto 1000FDx 100/1000T No 11
    1/A14 Up Auto 100FDx 100/1000T No multi
    1/A15 Up Auto 100FDx 100/1000T No 65
    1/A16 Down Auto 1000FDx 100/1000T No 1
    1/A17 Down Auto 1000FDx 100/1000T No 1
    1/A18 Up Auto 1000FDx 100/1000T No multi
    1/A19 Up Auto 100FDx 100/1000T No multi
    1/A20 Up Auto 1000FDx 100/1000T No 11
    1/A21 Down No 1
    1/A22 Down No 1
    1/A23 Up Auto 10GigFD 10GbE-GEN No No

     

    Using port A8 as an example, the snmpwalk reports vlan 1:

    BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.8 = Gauge32: 1

    But the show int statu shows vlan 65:

    1/A8 Up Auto 1000FDx 100/1000T No 65

    In this case, there is just a phone on the port, which has its traffic painted into vlan 65, our voice vlan:

    Feldberg-edge# sho mac-add 1/A8

    Status and Counters - Port Address Table - 1/A8

    MAC Address VLANs
    ----------------- ------------
    2c0be9-04fbc7 65

     

    interface 1/A8
    untagged vlan 1
    aaa port-access mac-based
    aaa port-access mac-based addr-limit 10
    loop-protect
    exit

     

    Here's the port-access piece:

    Feldberg-edge# sho port-acc cli 1/A8

    Port Access Client Status

    Port Client Name MAC Address IP Address User Role Type VLAN
    ----- ------------- ----------------- --------------- ----------------- ----- -------------------------------------------------------
    1/A8 noc 2c0be9-04fbc7 n/a CISCO-PHONE-RO... MAC 65

    We need a method of getting a list of physical ports that have any device behind them that is being tagged into vlan 65 as above.

    Here's the list of all the ports in that first group of 23 that have phones talking on them:

    Feldberg-edge# sho port-acc cli | incl CISCO-PHONE
    1/A8 noc 2c0be9-04fbc7 n/a CISCO-PHONE-RO... MAC 65
    1/A11 noc@brande... cc70ed-562d6d n/a CISCO-PHONE-RO... MAC 65
    1/A14 noc@brande... c0626b-d2f242 n/a CISCO-PHONE-RO... MAC 65
    1/A15 noc@brande... cc70ed-57d955 n/a CISCO-PHONE-RO... MAC 65
    1/A18 fc:fb:fb:c... fcfbfb-cbc6d3 n/a CISCO-PHONE-RO... MAC 65
    1/A19 noc@brande... c0626b-d2f347 n/a CISCO-PHONE-RO... MAC 65

    Ports 18 and 19 show their VLAN as "multi" in the show interface output, as they have multiple devices attached, each in their own VLAN per the port-access client role mapping.

     

    Mike

     



  • 7.  RE: snmpv3 contexts

    Posted Mar 17, 2020 11:43 AM

    Yash (or anyone else watching),

     

    Any further thoughts regarding which OID (if any) can be used to gather the port info for each port-access client entry?

     

    Thanks.

     

    Mike