Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor I

snmpv3 contexts

I am working with a vendor who wants to snmpwalk our edge switches but wants to use a particular context. Where can I find a list of the available contexts for AOS-Switch version KB.16.07.0002, SNMPv3? An snmpwalk of the switch without specifying a context works fine, so I know the snmpv3 config is OK. The vendor is trying to add "-n vlan-65" to the snmpwalk command but receives an "unknown report message" error. Sample snmpwalk command looks like this:

snmpwalk -v 3 -n "vlan-65" -l authPriv -u MY-user-v3 -a SHA -A MYSHAKEY! -x DES -X MYDESKEY! 10.80.28.1 .1.3.6.1

The vendor is trying to walk the switch to find devices/ports in vlan 65 only. Any guidance would be appreciated.

Aruba Employee

Re: snmpv3 contexts

Good day!

 

Hello,

In AOS-Switch, SNMPv3 contexts are not supported, so we get an error message when performing an snmpwalk with the "-n" option.


root@Ubuntu4182:~# snmpwalk -v3 -m ALL -u initial -n "vlan-65" -a MD5 -A password -x DES -X password -l authpriv 20.0.0.1 .1.3.6.1
snmpwalk: Bad context specified

 

The customer is trying to walk the switch to find devices/ports in VLAN 65, correct?


For this, we have to use the MIB below to get the ports in a particular VLAN.

To get the port list of a particular VLAN, we have to do an snmpwalk with the MIB name or the OID.

  • snmpwalk with MIB:

snmpwalk -v3 -m ALL -u initial -a MD5 -A password -x DES -X password -l authpriv 20.0.0.1 dot1qVlanStaticTable

 

  • With OID:

snmpwalk -v3 -m ALL -u initial -a MD5 -A password -x DES -X password -l authpriv 20.0.0.1 .1.3.6.1.2.1.17.7.1.4.3

 

If the customer is specific about the "-n" context, please ask them to talk to the account team or Switching PLM.

 

Does this help?

 

Regards,

Yash
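
The table named in the reply above carries port membership as a PortList bitmap in its dot1qVlanStaticEgressPorts column (Q-BRIDGE-MIB, RFC 4363), which is hard to read in raw walk output. The following is an added example, not part of the original reply, that decodes it with awk; the sample lines and the function names `sample_walk` and `vlan_ports` are constructed for illustration.

```shell
# Added example: decode dot1qVlanStaticEgressPorts PortList bitmaps.
# In a PortList the most significant bit of the first octet is bridge
# port 1, the next bit is port 2, and so on (RFC 4363).

# Constructed sample walk output (not from the switch in this thread).
sample_walk() {
    cat <<'EOF'
Q-BRIDGE-MIB::dot1qVlanStaticName.65 = STRING: "VOICE"
Q-BRIDGE-MIB::dot1qVlanStaticEgressPorts.10 = Hex-STRING: 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00 00
40
Q-BRIDGE-MIB::dot1qVlanStaticEgressPorts.65 = Hex-STRING: 09 20 00
BRIDGE-MIB::dot1dBridge.7.1.4.3.1.2.70 = Hex-STRING: 40 00 00
EOF
}

# vlan_ports VLAN_ID: read walk lines on stdin and print the bridge port
# numbers whose bit is set in the egress PortList of that VLAN.
vlan_ports() {
    awk -v vlan="$1" '
    function hexval(s,   i, r) {
        s = tolower(s); r = 0
        for (i = 1; i <= length(s); i++)
            r = r * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return r
    }
    / = / { active = 0 }   # any new varbind ends a wrapped hex value
    # Match the MIB name or the numeric tail shown when the MIB is not loaded.
    /(dot1qVlanStaticEgressPorts|[.]7[.]1[.]4[.]3[.]1[.]2)[.][0-9]+ = Hex-STRING:/ {
        n = split($1, oid, "[.]")       # last sub-identifier is the VLAN ID
        active = (oid[n] == vlan); base = 0
        sub(/^.*Hex-STRING: */, "")     # keep only the hex octets
    }
    active {                            # first line or a continuation line
        nb = split($0, octet, " ")
        for (i = 1; i <= nb; i++) {
            v = hexval(octet[i])
            for (bit = 1; bit <= 8; bit++) {
                mask = 2 ^ (8 - bit)
                if (v >= mask) { v -= mask; out = out sep ((base + i - 1) * 8 + bit); sep = " " }
            }
        }
        base += nb
    }
    END { print out }'
}
sample_walk | vlan_ports 65
```

The numbers printed are bridge port numbers, not switch port names such as 1/A8.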

Occasional Contributor I

Re: snmpv3 contexts

Hi Yash,

 

This helps, but further questions: Is it possible to specify which vlan is of interest or do you have to walk the mib/oid and process the table yourself to pick out the ports of interest? This is an E911 application, and the software needs to find which ports the phones are on. Also, we do role-based here, so how does that impact things? When we have a phone and computer on a single port (computer slaved off the phone), the port VLAN is not set (shows up as multi in a show interface status command), it is actually the MAC's traffic that is tagged for the voice (or data) VLAN. Would they need to walk the port-access client table? If so, what OID would that be, if any?

 

Thoughts?

 

Thanks.

 

Mike

 

Occasional Contributor I

Re: snmpv3 contexts

Yash,

 

So I ran the snmpwalk with the OID you supplied but I don't see how to determine the ports from the output. I'm attaching the file of what I get for output. It looks like it is just a list of the VLANs defined on the switch, and nothing about which port (or client MAC) is in a particular VLAN.

 

Mike

 

Aruba Employee

Re: snmpv3 contexts

Hi Mike,

Please see if this helps:

The MIB object below will show the ports present in a particular VLAN:

root@Ubuntu4182:~# snmpwalk -v2c -m ALL -c public 20.0.0.1 dot1qPvid
Q-BRIDGE-MIB::dot1qPvid.1 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.2 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.3 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.4 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.5 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.6 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.7 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.8 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.9 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.10 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.11 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.12 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.13 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.14 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.15 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.16 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.23 = Gauge32: 10
Q-BRIDGE-MIB::dot1qPvid.24 = Gauge32: 10
Q-BRIDGE-MIB::dot1qPvid.25 = Gauge32: 10
Q-BRIDGE-MIB::dot1qPvid.26 = Gauge32: 10

root@Ubuntu4182:~# snmpwalk -v2c -m ALL -c public 20.0.0.1 .1.3.6.1.2.1.17.7.1.4.5.1.1
Q-BRIDGE-MIB::dot1qPvid.1 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.2 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.3 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.4 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.5 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.6 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.7 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.8 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.9 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.10 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.11 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.12 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.13 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.14 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.15 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.16 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.23 = Gauge32: 10
Q-BRIDGE-MIB::dot1qPvid.24 = Gauge32: 10
Q-BRIDGE-MIB::dot1qPvid.25 = Gauge32: 10
Q-BRIDGE-MIB::dot1qPvid.26 = Gauge32: 10

Running-config :

Aruba-3810M-16SFPP-2-slot# show run

Running configuration:

; JL075A Configuration Editor; Created on release #KB.16.10.0005
; Ver #14:2f.6f.f8.1d.fb.7f.bf.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:40

hostname "Aruba-3810M-16SFPP-2-slot"
module 1 type jl075x
module 2 type jl075y
module 3 type jl075z
flexible-module B type JL083A
snmp-server community "public" unrestricted
snmpv3 enable
snmpv3 group managerpriv user "initial" sec-model ver3
snmpv3 user "initial"
oobm
   ip address dhcp-bootp
   ipv6 enable
   ipv6 address dhcp full
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged B1-B4
   untagged 1-16
   ip address 20.0.0.1 255.255.255.0
   ipv6 enable
   ipv6 address dhcp full
   exit
vlan 10
   name "VLAN10"
   untagged B1-B4
   no ip address
   exit

MIB description :

dot1qPvid OBJECT-TYPE
    SYNTAX      VlanIndex
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The PVID, the VLAN ID assigned to untagged frames or
        Priority-Tagged frames received on this port."
    REFERENCE
        "IEEE 802.1Q/D11 Section 12.10.1.1"
    DEFVAL      { 1 }
    ::= { dot1qPortVlanEntry 1 }

 

Regards,

Yash

Occasional Contributor I

Re: snmpv3 contexts

Yash,

 

Getting closer, but that just returns the vlan assignment on ports, which for our environment are mostly vlan 1.  The traffic coming in on those ports is painted with the vlan based on the role the MAC is set into, and that's what we need to see.

 

Here's the output of the first 23 ports from the snmpwalk:

BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.1 = Gauge32: 64
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.2 = Gauge32: 70
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.3 = Gauge32: 64
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.4 = Gauge32: 69
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.5 = Gauge32: 65
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.6 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.7 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.8 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.9 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.10 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.11 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.12 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.13 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.14 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.15 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.16 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.17 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.18 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.19 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.20 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.21 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.22 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.23 = Gauge32: 1

 

Here's the output of a show int status for the same ports:

 

1/A1 RM104 UPS1 Down Auto 1000FDx 100/1000T No 64
1/A2 Siemens... Up Auto 100FDx 100/1000T No 70
1/A3 CGL Panel Up Auto 100FDx 100/1000T No 64
1/A4 Facilit... Down Auto 1000FDx 100/1000T No 69
1/A5 Dispatc... Up Auto 100FDx 100/1000T No 65
1/A6 Down Auto 1000FDx 100/1000T No 1
1/A7 Down Auto 1000FDx 100/1000T No 1
1/A8 Up Auto 1000FDx 100/1000T No 65
1/A9 Down Auto 1000FDx 100/1000T No 1
1/A10 Down Auto 1000FDx 100/1000T No 1
1/A11 Up Auto 1000FDx 100/1000T No 65
1/A12 Down Auto 1000FDx 100/1000T No 1
1/A13 Up Auto 1000FDx 100/1000T No 11
1/A14 Up Auto 100FDx 100/1000T No multi
1/A15 Up Auto 100FDx 100/1000T No 65
1/A16 Down Auto 1000FDx 100/1000T No 1
1/A17 Down Auto 1000FDx 100/1000T No 1
1/A18 Up Auto 1000FDx 100/1000T No multi
1/A19 Up Auto 100FDx 100/1000T No multi
1/A20 Up Auto 1000FDx 100/1000T No 11
1/A21 Down No 1
1/A22 Down No 1
1/A23 Up Auto 10GigFD 10GbE-GEN No No

 

Using port A8 as an example, the snmpwalk reports vlan 1:

BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.8 = Gauge32: 1

But the show int status shows vlan 65:

1/A8 Up Auto 1000FDx 100/1000T No 65

In this case, there is just a phone on the port, which has its traffic painted into vlan 65, our voice vlan:

Feldberg-edge# sho mac-add 1/A8

Status and Counters - Port Address Table - 1/A8

MAC Address VLANs
----------------- ------------
2c0be9-04fbc7 65

 

interface 1/A8
untagged vlan 1
aaa port-access mac-based
aaa port-access mac-based addr-limit 10
loop-protect
exit

 

Here's the port-access piece:

Feldberg-edge# sho port-acc cli 1/A8

Port Access Client Status

Port Client Name MAC Address IP Address User Role Type VLAN
----- ------------- ----------------- --------------- ----------------- ----- -------------------------------------------------------
1/A8 noc 2c0be9-04fbc7 n/a CISCO-PHONE-RO... MAC 65

We need a method of getting a list of physical ports that have any device behind them that is being tagged into vlan 65 as above.

Here's the list of all the ports in that first group of 23 that have phones talking on them:

Feldberg-edge# sho port-acc cli | incl CISCO-PHONE
1/A8 noc 2c0be9-04fbc7 n/a CISCO-PHONE-RO... MAC 65
1/A11 noc@brande... cc70ed-562d6d n/a CISCO-PHONE-RO... MAC 65
1/A14 noc@brande... c0626b-d2f242 n/a CISCO-PHONE-RO... MAC 65
1/A15 noc@brande... cc70ed-57d955 n/a CISCO-PHONE-RO... MAC 65
1/A18 fc:fb:fb:c... fcfbfb-cbc6d3 n/a CISCO-PHONE-RO... MAC 65
1/A19 noc@brande... c0626b-d2f347 n/a CISCO-PHONE-RO... MAC 65

Ports 18 and 19 show their VLAN as "multi" in the show interface output, as they have multiple devices attached, each in their own VLAN per the port-access client role mapping.

 

Mike
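
The mismatch described in the post above can be checked mechanically. This is an added example, not part of the original post: it compares the dot1qPvid walk lines with the `show port-access clients` rows quoted above and lists every client whose VLAN differs from the port PVID. The function names are hypothetical, and the mapping of port 1/A8 to bridge port 8 is an assumption taken from the A8 example in the post.

```shell
# Added example: find ports where the authenticated client VLAN differs
# from the PVID reported over SNMP. Input lines are copied from the post.
sample_input() {
    cat <<'EOF'
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.5 = Gauge32: 65
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.8 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.11 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.14 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.15 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.18 = Gauge32: 1
BRIDGE-MIB::dot1dBridge.7.1.4.5.1.1.19 = Gauge32: 1
1/A8 noc 2c0be9-04fbc7 n/a CISCO-PHONE-RO... MAC 65
1/A11 noc@brande... cc70ed-562d6d n/a CISCO-PHONE-RO... MAC 65
1/A14 noc@brande... c0626b-d2f242 n/a CISCO-PHONE-RO... MAC 65
1/A15 noc@brande... cc70ed-57d955 n/a CISCO-PHONE-RO... MAC 65
1/A18 fc:fb:fb:c... fcfbfb-cbc6d3 n/a CISCO-PHONE-RO... MAC 65
1/A19 noc@brande... c0626b-d2f347 n/a CISCO-PHONE-RO... MAC 65
EOF
}

# pvid_mismatch: read PVID walk lines and port-access client rows on stdin;
# print "port client_vlan pvid" for each client not in the port PVID.
pvid_mismatch() {
    awk '
    # PVID varbind, by MIB name or by the numeric tail seen in the post.
    /(dot1qPvid|[.]7[.]1[.]4[.]5[.]1[.]1)[.][0-9]+ = / {
        n = split($1, oid, "[.]"); pvid[oid[n]] = $NF; next
    }
    # Client row: first field is the port name, last field is the VLAN.
    $1 ~ /^[0-9]+\/[A-Z][0-9]+$/ && $NF ~ /^[0-9]+$/ {
        nc++; port[nc] = $1; cvlan[nc] = $NF
    }
    END {
        for (i = 1; i <= nc; i++) {
            bp = port[i]
            sub(/^[0-9]+\/[A-Z]/, "", bp)   # assumption: 1/A8 -> bridge port 8
            if ((bp in pvid) && pvid[bp] != cvlan[i])
                print port[i], cvlan[i], pvid[bp]
        }
    }'
}
sample_input | pvid_mismatch
```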

 

Occasional Contributor I

Re: snmpv3 contexts

Yash (or anyone else watching),

 

Any further thoughts regarding which OID (if any) can be used to gather the port info for each port-access client entry?

 

Thanks.

 

Mike