Cisco IOS Software Releases 12.0 S

Table Of Contents

SNMP Notification Support for VPNs

Contents

Feature Overview

Benefits

Configuration Tasks

Configuring SNMP Support for a VPN

Verifying SNMP Support for VPNs

Configuration Examples

Configuring SNMP Support over VPNs Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

snmp-server engineID remote

snmp-server host

snmp-server user

SNMP Notification Support for VPNs

---

First Published: June 7, 2001

Last Updated: May 15, 2006

The SNMP Notification Support for VPNs feature adds support to Cisco IOS software for the sending and receiving of SNMP notifications (traps and informs) specific to individual Virtual Private Networks (VPNs).

History

Release	Modification
12.2(2)T	This feature was introduced.
12.0(23)S	This feature was integrated into Cisco IOS Release 12.0 S.
12.2(33)SRA	This feature was integrated into Cisco IOS Release 12.2(33)SRA.

for the SNMP Notification Support for VPNs feature

Contents

•Feature Overview

•Benefits

•Configuration Tasks

•Configuration Examples

•Additional References

•Command Reference

Feature Overview

The SNMP Notification Support for VPNs feature allows the sending and receiving of SNMP notifications (traps and informs) using VPN routing/forwarding (VRFs) tables. In particular, this feature adds support to Cisco IOS software for the sending and receiving of SNMP notifications (traps and informs) specific to individual Virtual Private Networks (VPNs).

The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message format for communication between SNMP managers and agents.

A Virtual Private Network (VPN) is a network that provides high connectivity transfers on a shared system with the same usage guidelines as a private network. A VPN can be built on the Internet over IP, Frame Relay, or ATM networks.

A VRF stores per-VPN routing data. It defines the VPN membership of a customer site attached to the network access server (NAS). A VRF consists of an IP routing table, a derived Cisco Express Forwarding (CEF) table, and guidelines and routing protocol parameters that control the information that is included in the routing table.

The SNMP Support for VPNs feature provides configuration commands that allow users to associate SNMP agents and managers with specific VRFs. The specified VRF is used for the sending of SNMP notifications (traps and informs) and responses between agents and managers. If a VRF is not specified, the default routing table for the VPN is used.

Benefits

This feature allows users to configure an SNMP agent to only accept SNMP requests from a certain set of VPNs. With this configuration, providers can provide network management services to their customers, so customers can manage all user VPN devices.

Configuration Tasks

See the following sections for configuration tasks for the SNMP Support over VPNs feature. Each task in the list is identified as either required or optional:

•Configuring SNMP Support for a VPN (required)

•Verifying SNMP Support for VPNs (optional)

Configuring SNMP Support for a VPN

To configure SNMP over a specific VPN, use the following command in global configuration mode:

Command	Purpose
Router(config)# snmp-server host host-address [traps | informs][version {1 | 2c | 3 [auth | noauth |priv]}] community-string [udp-port port][notification-type][vrf vrf-name]	Specifies the recipient of an SNMP notification operation and specifies the VRF table to be used for the sending of SNMP notificiations.

To configure SNMP over a specific VPN for a remote SNMP user, use the following command in global configuration mode:

Command	Purpose
Router(config)# snmp-server engineID remote ip-address [udp-port udp-port-number][vrf vrf-name] engineid-string	Configures a name for the remote SNMP engine on a router.

Verifying SNMP Support for VPNs

To verify that the SNMP Support over VPNs feature is configured properly, use the show snmp-server host EXEC command.

Configuration Examples

This section provides the following configuration example:

•Configuring SNMP Support over VPNs Example

Configuring SNMP Support over VPNs Example

The following example sends all SNMP notifications to xyz.com over the VRF named "trap-vrf":

Router(config)# snmp-server host xyz.com vrf trap-vrf

The following example configures the VRF named "traps-vrf" for the remote server 10.10.2.3:

Router(config)# snmp-server engineID remote 10.10.2.3 vrf traps-vrf 
80000009030000B064EFE100

Additional References

The following sections provide references related to SNMP Notification Support for VPNs feature.

Related Documents

Related Topic	Document Title
SNMP Support for VPNs	Cisco IOS Network Management Configuration Guide, Release 12.4

Standards

Standards	Title
None	—

MIBs

MIBs	MIBs Link
None	To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFCs	Title
None	—

Technical Assistance

Description	Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.	http://www.cisco.com/techsupport

Command Reference

This section documents modified commands only.

•snmp-server engineID remote

•snmp-server host

•snmp-server user

snmp-server engineID remote

To configure a name for the remote Simple Network Management Protocol (SNMP) engine on a router, use the snmp-server engineID remote command in global configuration mode. To remove a specified SNMP group, use the no form of this command.

snmp-server engineID remote ip-address [udp-port udp-port-number] [vrf vrf-name] engineid-string

no snmp-server engineID remote

Syntax Description

ip-address	The IP address of the device that contains the remote copy of SNMP.
udp-port	(Optional) Specifies a User Datagram Protocol (UDP) port of the host to use.
udp-port-number	(Optional) The socket number on the remote device that contains the remote copy of SNMP. The default is 161.
vrf	(Optional) Instance of a routing table.
vrf-name	(Optional) Name of the VPN routing/forwarding (VRF) table to use for storing data.
engineid-string	The name of a copy of SNMP.

Defaults

UDP port: 161

Command Modes

Global configuration

Command History

Release	Modification
12.0(3)T	This command was introduced.
12.2(2)T	The vrf keyword and vrf-name argument were introduced.
12.0(23)S	The vrf vrf-name keyword/argument combination was integrated into Cisco IOS Release 12.0 S.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

You need not specify the entire 24-character engine ID if it contains trailing zeros. Specify only the portion of the engine ID up until the point where only zeros remain in the value. To configure an engine ID of 123400000000000000000000, you can specify the value 1234, for example, snmp-server engineID remote 1234.

A remote engine ID is required when an SNMP version 3 inform is configured. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.

Examples

The following example configures the VRF name traps-vrf for the remote server 10.10.20.3:

Router(config)# snmp-server engineID remote 10.10.2.3 vrf traps-vrf 
80000009030000B064EFE100

Related Commands

Command	Description
show snmp engineID	Displays the identification of the local SNMP engine and all remote engines that have been configured on the router.
snmp-server host	Specifies the recipient (SNMP manager) of an SNMP trap notification.

snmp-server host

To specify the recipient of a SNMP notification operation and the VRF table to be used for the sending of SNMP notificiations, use the snmp-server host command in global configuration mode. To remove the specified host, use the no form of this command.

snmp-server host host-address [traps | informs][version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port][notification-type] [vrf vrf-name]

no snmp-server host host-address [traps | informs]

Syntax Description

host-address	Name or Internet address of the host (the targeted recipient).
traps	(Optional) Specifies that notifications should be sent as traps. This is the default.
informs	(Optional) Specifies that notifications should be sent as informs.
version	(Optional) Version of the SNMP used to send the traps. Version 3 is the most secure model, because it allows packet encryption with the priv keyword. If you use the version keyword, one of the following keywords must be specified: •1 —SNMPv1. This option is not available with informs. •2c —SNMPv2C. •3 —SNMPv3. The following three optional keywords can follow the version 3 keyword: –auth—Enables Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) packet authentication –noauth—The noAuthNoPriv security level. This is the default if the [auth | noauth | priv] keyword choice is not specified. –priv—Enables Data Encryption Standard (DES) packet encryption (also called `privacy').
community-string	Password-like community string sent with the notification operation. Though you can set this string using the snmp-server host command by itself, we recommend you define this string using the snmp-server community command prior to using the snmp-server host command.
udp-port port	(Optional) User Datagram Protocol (UDP) port of the host to use. The default is 162.
notification-type	(Optional) Type of notification to be sent to the host. If no type is specified, all notifications are sent. The notification type can be one or more of the following keywords: •bgp—Sends Border Gateway Protocol (BGP) state change notifications. •config—Sends configuration notifications. •dspu—Sends downstream physical unit (DSPU) notifications. •entity—Sends Entity MIB modification notifications. •envmon—Sends Cisco enterprise-specific environmental monitor notifications when an environmental threshold is exceeded. •frame-relay—Sends Frame Relay notifications. •hsrp—Sends Hot Standby Routing Protocol (HSRP) notifications. •isdn—Sends ISDN notifications. •llc2—Sends Logical Link Control, type 2 (LLC2) notifications. •repeater—Sends standard repeater (hub) notifications. •rsrb—Sends remote source-route bridging (RSRB) notifications. •rsvp—Sends Resource Reservation Protocol (RSVP) notifications. •rtr—Sends Service Assurance Agent (RTR) notifications. •sdlc—Sends Synchronous Data Link Control (SDLC) notifications. •sdllc—Sends SDLC Logical Link Control (SDLLC) notifications. •snmp—Sends SNMP notifications (as defined in RFC 1157). •stun—Sends serial tunnel (STUN) notifications. •syslog—Sends error message notifications (Cisco Syslog MIB). Specify the level of messages to be sent with the logging history level command. •tty—Sends Cisco enterprise-specific notifications when a TCP connection closes. •x25—Sends X.25 event notifications.
vrf vrf-name	(Optional) Instance of a Virtual Private Network (VPN) routing/forwarding (VRF) table. Name of the VRF that should be used to send SNMP notifications.

Defaults

version: noauth

port: 162

If no version keyword is present, the default is version 1. The no snmp-server host global configuration command with no keywords will disable all of the notifications (both traps and informs). In order to disable informs, use the no snmp-server host informs global configuration command.

---

Note If the community string is not defined using the snmp-server community global configuration command prior to using this command, the default form of the snmp-server community command will automatically be inserted into the configuration. The password (community-string) used for this automatic configuration of the snmp-server community will be the same as specified in the snmp-server host command. This is the default behavior for Cisco IOS Release 12.0(3) and later releases.

---

Command Modes

Global configuration

Command History

Release	Modification
10.0	This command was introduced.
12.0(3)T	The following keywords were added: •version 3 [auth | noauth | priv] •hsrp
12.2(2)T	The vrf vrf-name keyword/argument combination was introduced.
12.0(23)S	The vrf vrf-name keyword/argument combination was integrated into Cisco IOS Release 12.0 S.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

SNMP notifications can be sent as traps or inform requests. Traps are less reliable because the receiver does not send acknowledgments when it receives traps. The sender cannot determine if the traps were received. However, an SNMP entity that receives an inform request acknowledges the message with an SNMP response PDU. If the sender never receives the response, the inform request can be sent again. Thus, informs are more likely to reach their intended destination.

However, informs consume more resources in the agent and in the network. Unlike a trap, which is discarded as soon as it is sent, an inform request must be held in memory until a response is received or the request times out. Also, traps are sent only once, while an inform may be retried several times. The retries increase traffic and contribute to a higher overhead on the network.

If you do not enter an snmp-server host command, no notifications are sent. In order to configure the router to send SNMP notifications, you must enter at least one snmp-server host command. If you enter the command with no keywords, all trap types are enabled for the host.

In order to enable multiple hosts, you must issue a separate snmp-server host command for each host. You can specify multiple notification types in the command for each host.

When multiple snmp-server host commands are given for the same host and kind of notification (trap or inform), each succeeding command overwrites the previous command. Only the last snmp-server host command will be in effect. For example, if you enter an snmp-server host inform command for a host and then enter another snmp-server host inform command for the same host but with different variables, the second command will replace the first.

The snmp-server host command is used in conjunction with the snmp-server enable global configuration command. Use the snmp-server enable command to specify which SNMP notifications are sent globally. For a host to receive most notifications, at least one snmp-server enable command and the snmp-server host command for that host must be enabled.

However, some notification types cannot be controlled with the snmp-server enable command. For example, some notification types are always enabled. Other notification types are enabled by a different command. For example, the linkUpDown notifications are controlled by the snmp trap link-status command. These notification types do not require an snmp-server enable command.

Availability of notification type option depends on the router type and Cisco IOS software features supported on the router. For example, the envmon notification type is available only if the environmental monitor is part of the system.

The added vrf keyword allows users to specify the notifications being sent to a specified IP address over a specific VRF. The VRF defines a VPN membership of a customer so data is stored using the VPN.

Examples

The following example sends all SNMP notifications to xyz.com over the VRF named trap-vrf:

Router(config)# snmp-server host xyz.com vrf trap-vrf

Related Commands

Command	Description
snmp-server informs	Specifies inform request options.
snmp-server trap-source	Specifies the interface (and hence the corresponding IP address) from which an SNMP trap should originate.
snmp-server trap-timeout	Defines how often attempts are made to resend trap messages on the retransmission queue.

snmp-server user

To configure a new user to a Simple Network Management Protocol (SNMP) group, use the snmp-server user command in global configuration mode. To remove a user from an SNMP group, use the no form of the command.

snmp-server user username groupname [remote host [udp-port udp-port-number]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access access-list] [vrf vrf-name]

no snmp-server user

Syntax Description

username	The name of the user on the host that connects to the agent.
groupname	The name of the group to which the user belongs.
remote host	(Optional) Specifies a remote SNMP entity to which the user belongs, and the hostname or IP address of that entity.
udp-port port	(Optional) Specifies the UDP port number of the remote host. The default is UDP port 162.
v1	Specifies that SNMPv1 should be used.
v2c	Specifies that SNMPv2c should be used.
v3	Specifies that the SNMPv3 security model should be used. Allows the use of the encrypted and/or auth keywords.
encrypted	(Optional) Specifies whether the password appears in encrypted format (a series of digits, masking the true characters of the string).
auth	(Optional) Specifies which authentication level should be used.
md5	The HMAC-MD5-96 authentication level.
sha	The HMAC-SHA-96 authentication level.
auth-password	A string (not to exceed 64 characters) that enables the agent to receive packets from the host.
access access-list	(Optional) Specifies an access list to be associated with this SNMP user. The access-list argument represents a value between 1 and 99 that is the identifier of the standard IP access list.
vrf vrf-name	(Optional) Instance of a Virtual Private Network (VPN) routing/forwarding (VRF) table. For the vrf-name argument, specify the remote SNMP entity's VPN Routing instance.

Defaults

Table 1 describes default behaviours for encryption, passwords and access lists.

Table 1 snmp-server user Default Descriptions

Characteristic	Default
encryption	Not present by default. The encrypted keyword is used to specify that the auth and priv passwords are MD5 digests and not text passwords.
passwords	Assumed to be text strings.
access lists	Access from all IP access lists is permitted.
remote users	All users are assumed to be local to this SNMP engine unless you specify they are remote with the remote keyword.

Command Modes

Global configuration

Command History

Release	Modification
12.0(3)T	This command was introduced.
12.2(2)T	The vrf vrf-name keyword/argument combination was introduced.
12.0(23)S	The vrf vrf-name keyword/argument combination was integrated into Cisco IOS Release 12.0 S.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

To configure a remote user, specify the IP address or port number for the remote SNMP agent of the device where the user resides. Also, before you configure remote users for a particular agent, configure the SNMP engine ID, using the command snmp-server engineID with the remote option. The remote agent's SNMP engine ID is needed when computing the authentication/privacy digests from the password. If the remote engine ID is not configured first, the configuration command will fail.

SNMP passwords are localized using the SNMP engine ID of the authoritative SNMP engine. For informs, the authoritative SNMP agent is the remote agent. You need to configure the remote agent's SNMP engine ID in the SNMP database before you can send proxy requests or informs to it.

If a VPN table (VRF) is specified, the vrf-name should match the VRF specified with the ip vrf vrf-name command.

Examples

In the following example, the SNMP user "usmusr" in the SNMP group "group1" is configured to use the VRF "6400-private":

Router(config)# snmp-server group group1 v3 noauth

Router(config)# snmp-server user usmusr group1 v3

Router(config)# snmp-server host 10.10.10.10 vrf 6400-private version 3 noauth trapusr

Related Commands

Command	Description
ip vrf	Enters VRF configuration mode and defines a VPN routing instance by assigning a VRF name.
show snmp user	Displays information on each SNMP username in the group username table.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2002, 2003, 2006 Cisco Systems, Inc. All rights reserved.