Question

How to configure SNMP host when the SNMP server is in one VRF?

  • 17 December 2018
  • 9 replies
  • 1625 views

How do I configure the SNMP host when the SNMP server address is in one VRF? Is it supported? Thank you.

9 replies

Does the below config work for you:

rb3(config)# rb 3
rb3(config-rbridge-id-3)# vrf TEST
rb3(config-vrf-TEST)# exit
rb3(config-rbridge-id-3)# exit
rb3(config)# snmp-server host 10.1.1.1 public use-vrf TEST ?
Possible completions:
severity-level Severity level associated with traps
source-interface Interface IP address to be used as a source address for Traps
udp-port Port number used to send traps.
version Version used to send traps.

rb3(config)# snmp-server host 10.1.1.1 public use-vrf TEST
rb3(config-host-10.1.1.1/public)#

The example is for NOS; for SLX-OS, the VRF will be created globally rather than at RB level. Also, "v3host" is used instead of "host" if the server is using SNMP v3 for authorization/encryption.

Many thanks,
Sargis
Hi Sargis,
Sorry, I forgot to mention I'm using MLX. Looks like the NetIron OS is different from NOS, but I didn't find the command for MLX.

MLX(config)#snmp-server host 1.1.1.1 ?
version SNMP version or security model

MLX(config)#snmp-server host 1.1.1.1 v
version SNMP version or security model
MLX(config)#snmp-server host 1.1.1.1 version ?
v1 SNMP version or security model 1
v2c SNMP version or security model 2
v3 SNMP version or security model 3
MLX(config)#snmp-server host 1.1.1.1 version v3 ?
auth SNMP v3 security level 2 or authentication
noauth SNMP v3 security level 1 or none
priv SNMP v3 security level 3 or authentication & privacy

MLX(config)#vrf ?
ASCII string Name of VRF (up to 255 characters)
MLX(config)#vrf test
MLX(config-vrf-test)#?
address-family Enter Address Family command mode
clear Clear table/statistics/keys
cls Clear screen
end End Configuration level and go to Privileged level
exit Exit current level
exit-address-family Exit Address Family command mode
exit-vrf Exit IP VRF mode
ip VRF specific IP commands
no Undo/disable commands
quit Exit to User level
rd Configure Route Distinguisher
route-target Configure Target VPN Extended Communities
show Display system information
write Write running configuration to flash or terminal

MLX(config-vrf-test)#
I don't think that's supported, but you could configure a specific VRF as management VRF, which will possibly switch SNMP to that VRF (together with some other mgmt services). A sample config for that would be:

code:
vrf mgmt-vrf
 rd 1:1
 address-family ipv4
 ip route 0.0.0.0/0 10.1.1.1
 exit-address-family

management-vrf mgmt-vrf

interface management 1
 vrf for mgmt-vrf
 ip address 10.1.1.2/24
 enable

Many thanks,
Sargis
Trying a better formatting

code:
vrf mgmt-vrf
rd 1:1
address-family ipv4
ip route 0.0.0.0/0 10.1.1.1
exit-address-family

management-vrf mgmt-vrf

interface management 1
vrf for mgmt-vrf
ip address 10.1.1.2/24
enable

Many thanks,
Sargis
I believe what you are looking for is Context Mapping:

For V3, you simply map a Context to a VRF:

code:
device (Config)# snmp-server context context-name vrf vrf-name


For V1/V2c, in addition to the Context to VRF association, you create a community map in order to map the Context to a Community name:

code:
device (Config)# snmp-server mib community-map community-name context context-name


Now whenever you create a host using the set context or community name, traps will be sent on that VRF.

A full explanation can be found in the NI 6.0 Management Guide (starting on page 214).
Hi Michael,
How can the VRF be aware that the NMS is in the global routing table? I never use the SNMP context; could you please explain a little bit more about how it works? Thanks.
Thank you Sargis!
I think I better understand your issue now.

My previous post mainly pertains to incoming SNMP management traffic, which is allowed on any VRF. However, outbound management traffic is only sent out via the Default VRF or the configured Management VRF, as Sargis detailed.

Your SNMP management device will need to either be on the default VRF or on the configured Management VRF.
I understand that now. Thanks a lot, Michael!