Snmp Notification Support Over Vpns; Vpn-Aware Snmp - Cisco cBR-8 Configuration And Troubleshooting Manual

cBR Series Converged Broadband Routers

SNMP Notification Support over VPNs

access only to context associated to the VPN and cannot see the MIB data of other VPNs, you must configure
a minimum security level of AuthNoPriv.
On a provider edge (PE) router, a community can be associated with a VRF to provide source address validation.
However, on a customer edge (CE) router, if source address validation is to be provided, you must associate
a source address with the community list by using an access control list.
If you are using SNMPv3, the security name or security password of the users of a VPN should be unknown
to users of other VPNs. Cisco recommends that you do not use SNMPv3 nonauthorized users if you need security of
management information.

SNMP Notification Support over VPNs

The SNMP Notification Support over VPNs feature allows the sending and receiving of SNMP notifications
(traps and informs) using VPN routing and forwarding (VRF) instance tables. In particular, this feature adds
support to Cisco software for the sending and receiving of SNMP notifications (traps and informs) specific
to individual VPNs.
SNMP is an application-layer protocol that provides a message format for communication between SNMP
managers and agents.
A VPN is a network that provides high-connectivity transfers on a shared system with the same usage guidelines
as a private network. A VPN can be built on the Internet over IP, Frame Relay, or ATM networks.
A VRF stores per-VPN routing data. It defines the VPN membership of a customer site attached to the network
access server (NAS). A VRF consists of an IP routing table, a derived Cisco Express Forwarding (formerly
known as CEF) table, and guidelines and routing protocol parameters that control the information that is
included in the routing table.
The SNMP Support for VPNs—Context-Based Access Control feature provides configuration commands
that allow users to associate SNMP agents and managers with specific VRFs. The associated VRF is used for
the sending of SNMP notifications (traps and informs) and responses between agents and managers. If a VRF
is not specified, the default routing table for the VPN is used.

VPN-Aware SNMP

The SNMP Support for VPNs—Context-Based Access Control feature extends the capabilities of the SNMP
Notification Support for VPNs feature and enables SNMP to differentiate between incoming packets from
different VPNs.
When the SNMP Support for VPNs—Context-Based Access Control feature is configured, SNMP accepts
requests on any configured VRF and returns responses to the same VRF. A trap host also can be associated
with a specific VRF. The configured VRF is then used for sending out traps; otherwise, the default routing
table is used. You also can associate a remote user with a specific VRF. You also can configure the VRFs
from which SNMP should accept requests. Any requests coming from VRFs that are not specified are dropped.
IP access lists can be configured and associated with SNMP community strings. This feature enables you to
configure an association between VRF instances and SNMP community strings. When a VRF instance is
associated with an SNMP community string, SNMP processes the requests coming in for a particular community
string only if the requests are received from the configured VRF. If the community string contained in the
incoming packet does not have a VRF associated with it, the community string will be processed only if it
came in through a non-VRF interface.
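
The following is an added example, not part of the Cisco guide: a small audit that checks a running-config fragment against the rules stated above (minimum AuthNoPriv for SNMPv3 groups, a VRF or access list bound to each community, and a VRF on each notification host). It assumes the standard Cisco IOS forms of `snmp-server group`, `snmp-server community`, `snmp-server host`, `snmp mib community-map` and `snmp mib target list`; the sample configuration is constructed and the finding names are hypothetical.

```python
# Constructed sample running-config fragment (not taken from the Cisco guide).
SAMPLE_CONFIG = """\
snmp-server group grpA v3 auth context ctxA read viewA
snmp-server group grpB v3 noauth context ctxB read viewB
snmp-server community commA RO
snmp-server community commB RO 10
snmp-server community commC RO
snmp mib community-map commA context ctxA target-list listA
snmp mib target list listA vrf vrfA
snmp-server host 192.0.2.10 vrf vrfA version 2c commA
snmp-server host 192.0.2.20 version 2c commC
"""

def community_has_acl(tokens):
    """True if the tokens after the community name include an access list."""
    i = 0
    while i < len(tokens):
        word = tokens[i].lower()
        if word == "view":
            i += 2  # skip "view <name>"
        elif word in ("ro", "rw"):
            i += 1
        else:
            return True  # what remains is an ACL number or name
    return False

def audit_snmp_vpn(config):
    """Return sorted (finding, subject) pairs; finding names are hypothetical."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    # Target lists that bind to a VRF.
    vrf_lists = {t[4] for t in lines
                 if t[:4] == ["snmp", "mib", "target", "list"] and "vrf" in t[5:]}
    # Communities mapped to one of those VRF-bound target lists.
    mapped = {t[3] for t in lines
              if t[:3] == ["snmp", "mib", "community-map"] and "target-list" in t[:-1]
              and t[t.index("target-list") + 1] in vrf_lists}
    findings = []
    for t in lines:
        if t[:2] == ["snmp-server", "group"] and t[3:5] == ["v3", "noauth"]:
            findings.append(("v3-noauth-group", t[2]))  # below AuthNoPriv
        elif t[:2] == ["snmp-server", "community"] and len(t) > 2:
            if not community_has_acl(t[3:]) and t[2] not in mapped:
                findings.append(("community-no-vrf-or-acl", t[2]))
        elif t[:2] == ["snmp-server", "host"] and len(t) > 2 and "vrf" not in t[3:]:
            findings.append(("host-uses-default-table", t[2]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_snmp_vpn(SAMPLE_CONFIG):
        print(finding)
```

A `host-uses-default-table` finding is informational: as described above, a trap host without a VRF sends notifications through the default routing table.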
Cisco cBR Series Converged Broadband Routers Troubleshooting and Network Management Configuration
Guide for Cisco IOS XE Fuji 16.8.x
SNMP Support over VPNs—Context-Based Access Control
