I was reminded that I had not posted my notes, so hear is the Reader's Digest version...
To get the Bridge MIB and per-VLAN table info we query on triggered SNMP, you need to add context to SNMPv3. I found the following helpful link that explain why these queries require context:
http://fixunix.com/snmp/262406-how-get-cisco-bridge-mib-information-using-snmp-v3.html
SNMP command to cover multiple VLAN contexts:
https://supportforums.cisco.com/discussion/11109561/snmpv3-context-configuration-older-switches
https://supportforums.cisco.com/discussion/11077506/vlan-bridge-mib-and-snmpv3-contexts
Sample SNMPv3 config on 3750 switch:
snmp-server group snmpv3group v3 auth read iseview write iseview notify iseview
snmp-server group snmpv3group v3 auth context vlan- match prefix read iseview
snmp-server view iseview iso included
snmp-server trap-source GigabitEthernet1/0/24
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 10.1.100.8 version 3 auth snmpv3user mac-notification snmp
snmp-server user snmpv3user snmpv3group v3 auth md5 snmpv3pass
Additional SNMPv3 Usage Notes:
- Last command will not display in running-config
- Commands to verify config:
- show snmp user
- show snmp view
- show snmp group
- If read view not specified, then assumes full object access
- If write or notify views not specified, then assumes no object access
- Write view not required for ISE profiling
- Notify view used to support SNMP traps
- If RADIUS Accounting used to detect new endpoints and trigger SNMP queries, then SNMP traps not required or recommended.
- Example view provides full access starting at iso tree level in MIB. For higher security, can include only specific MIBs, or specify excluded MIB object.
Regards,
Craig
