0 Replies Latest reply: Sep 14, 2010 11:21 PM by Kingsley - CCSP/CCIP/ CCNP/CCIE Security

    SNMP contexts

    Kingsley - CCSP/CCIP/ CCNP/CCIE Security

      Hi all

      Can someone please let me know the exact purpose/usage of SNMP contexts? I guess it is something related to view/access restriction. But I don't get one doc explaining it.

      Please see the highlighted configs below:

      Building configuration...


      Current configuration : 6567 bytes

      !

      version 12.4

      service timestamps debug datetime msec localtime

      service timestamps log uptime

      no service password-encryption

      !

      hostname ipsecf-3745b

      !

      boot-start-marker

      boot-end-marker

      !

      no logging console

      enable password lab

      !

      no aaa new-model

      !

      resource policy

      !

      memory-size iomem 5

      clock timezone PST -8

      clock summer-time PDT recurring

      ip subnet-zero

      ip cef

      !

      !

      ip vrf vrf1

       rd 1:101

       context vrf-vrf1-context

       route-target export 1:101

       route-target import 1:101

      !

      ip vrf vrf2

       rd 2:101

       context vrf-vrf2-context

       route-target export 2:101

       route-target import 2:101

      !

      no ip domain lookup

      !

      !

      crypto keyring vrf1-1 vrf vrf1

        pre-shared-key address 10.1.1.1 255.255.255.0 key vrf1-1

      crypto keyring vrf2-1 vrf vrf2

        pre-shared-key address 10.1.2.1 255.255.255.0 key vrf2-1

      !

      !

      crypto isakmp policy 1

       authentication pre-share

      !

      crypto isakmp policy 50

       authentication pre-share

      crypto isakmp key global1-1 address 10.1.151.1

      crypto isakmp key global2-1 address 10.1.152.1

      crypto isakmp profile vrf1-1

         keyring vrf1-1

         match identity address 10.1.1.1 255.255.255.255 vrf1

      crypto isakmp profile vrf2-1

         keyring vrf2-1

         match identity address 10.1.2.1 255.255.255.255 vrf2

      !

      crypto ipsec security-association lifetime kilobytes 99000

      crypto ipsec security-association lifetime seconds 5000

      !

      crypto ipsec transform-set tset ah-sha-hmac esp-des esp-sha-hmac 

      !

      crypto map global1-1 10 ipsec-isakmp 

       set peer 10.1.151.1

       set transform-set tset 

       match address 151

      !

      crypto map global2-1 10 ipsec-isakmp 

       set peer 10.1.152.1

       set transform-set tset 

       match address 152

      !

      crypto map vrf1-1 10 ipsec-isakmp 

       set peer 10.1.1.1

       set transform-set tset 

       set isakmp-profile vrf1-1

       match address 101

      !

      crypto map vrf2-1 10 ipsec-isakmp 

       set peer 10.1.2.1

       set transform-set tset 

       set isakmp-profile vrf2-1

       match address 102

      !

      !

      interface FastEthernet0/0

       ip address 10.1.38.25 255.255.255.0

       no ip mroute-cache

       duplex auto

       speed auto

      !

      interface Serial0/0

       no ip address

       shutdown

       clock rate 2000000

      !

      interface FastEthernet0/1

       no ip address

       no ip mroute-cache

       shutdown

       duplex auto

       speed auto

      !

      interface Serial0/1

       no ip address

       shutdown

       clock rate 2000000

      !

      interface Serial1/0

       no ip address

       encapsulation frame-relay

       no ip route-cache cef

       no ip route-cache

       no ip mroute-cache

       no keepalive

       serial restart-delay 0

       clock rate 128000

       no frame-relay inverse-arp

      !

      interface Serial1/0.1 point-to-point

       ip vrf forwarding vrf1

       ip address 10.3.1.1 255.255.255.0

       no ip route-cache

       frame-relay interface-dlci 21   

      !

      interface Serial1/0.2 point-to-point

       ip vrf forwarding vrf2

       ip address 10.3.2.1 255.255.255.0

       no ip route-cache

       frame-relay interface-dlci 22   

      !

      interface Serial1/0.151 point-to-point

       ip address 10.7.151.1 255.255.255.0

       no ip route-cache

       frame-relay interface-dlci 151   

      !

      interface Serial1/0.152 point-to-point

       ip address 10.7.152.1 255.255.255.0

       no ip route-cache

       frame-relay interface-dlci 152   

      !

      interface Serial1/1

       no ip address

       no ip mroute-cache

       shutdown

       serial restart-delay 0

      !

      interface Serial1/2

       no ip address

       encapsulation frame-relay

       no ip route-cache cef

       no ip route-cache

       no ip mroute-cache

       no keepalive

       serial restart-delay 0

       no frame-relay inverse-arp

      !

      interface Serial1/2.1 point-to-point

       ip vrf forwarding vrf1

       ip address 10.1.1.2 255.255.255.0

       no ip route-cache

       frame-relay interface-dlci 21   

       crypto map vrf1-1

      !

      interface Serial1/2.2 point-to-point

       ip vrf forwarding vrf2

       ip address 10.1.2.2 255.255.255.0

       no ip route-cache

       frame-relay interface-dlci 22   

       crypto map vrf2-1

      !

      interface Serial1/2.151 point-to-point

       ip address 10.5.151.2 255.255.255.0

       no ip route-cache

       frame-relay interface-dlci 151   

       crypto map global1-1

      !

      interface Serial1/2.152 point-to-point

       ip address 10.5.152.2 255.255.255.0

       no ip route-cache

       frame-relay interface-dlci 152   

       crypto map global2-1

      !

      interface Serial1/3

       no ip address

       no ip mroute-cache

       shutdown

       serial restart-delay 0

      !

      ip default-gateway 10.1.38.1

      ip classless

      ip route 10.1.1.6 255.255.255.255 10.1.151.1

      ip route 10.2.1.6 255.255.255.255 10.1.152.1

      ip route 10.6.2.1 255.255.255.255 10.7.151.2

      ip route 10.6.2.2 255.255.255.255 10.7.152.2

      ip route 172.19.216.110 255.255.255.255 FastEthernet0/0

      ip route vrf vrf1 10.20.1.1 255.255.255.255 10.1.1.1

      ip route vrf vrf1 10.22.1.1 255.255.255.255 10.30.1.1

      ip route vrf vrf2 10.20.2.1 255.255.255.255 10.1.2.1

      ip route vrf vrf2 10.22.2.1 255.255.255.255 10.30.1.2

      !

      !

      ip http server

      no ip http secure-server

      !

      ip access-list standard vrf-vrf1-context

      ip access-list standard vrf-vrf2-context

      !

      access-list 101 permit ip host 10.22.1.1 host 10.20.1.1

      access-list 102 permit ip host 10.22.2.1 host 10.20.2.1

      access-list 151 permit ip host 10.6.2.1 host 10.1.1.6

      access-list 152 permit ip host 10.6.2.2 host 10.2.1.6

      snmp-server group abc1 v2c context vrf-vrf1-context read view_vrf1 notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F access vrf-vrf1-context

      snmp-server group abc2 v2c context vrf-vrf2-context read view_vrf2 notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F access vrf-vrf2-context

      snmp-server view view_vrf1 iso included

      snmp-server view view_vrf2 iso included

      snmp-server community abc1 RW

      snmp-server community global1 RW

      snmp-server community abc2 RW

      snmp-server community global2 RW

      snmp-server enable traps tty

      snmp-server enable traps config

      snmp-server host 172.19.216.110 version 2c abc1 

      snmp-server host 172.19.216.110 vrf vrf1 version 2c abc1 udp-port 2001  ipsec isakmp

      snmp-server host 172.19.216.110 version 2c abc2 

      snmp-server host 172.19.216.110 vrf vrf2 version 2c abc2 udp-port 2002  ipsec isakmp

      snmp-server context vrf-vrf1-context

      snmp-server context vrf-vrf2-context

      !

      !

      snmp mib community-map  abc1 context vrf-vrf1-context

      snmp mib community-map  abc2 context vrf-vrf2-context

      !

      !

      control-plane

      !

      !

      line con 0

       exec-timeout 0 0

      line aux 0

      line vty 0 4

       login

      !

      !

      webvpn context Default_context

       ssl authenticate verify all

       !

       no inservice

      !

      !

      end




      With regards
      Kings
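
The configuration above ties each SNMP context to a VRF (`context` under `ip vrf`) and each community to a context (`snmp mib community-map`). The script below is an added example, not part of the original post and not Cisco code: it resolves that chain from a constructed subset of the posted lines and lists the communities that have no context mapping. The function names are hypothetical.

```python
import re

# Constructed sample: VRF and SNMP lines taken from the configuration in the post.
SAMPLE_CONFIG = """\
ip vrf vrf1
 context vrf-vrf1-context
ip vrf vrf2
 context vrf-vrf2-context
snmp-server community abc1 RW
snmp-server community global1 RW
snmp-server community abc2 RW
snmp-server community global2 RW
snmp-server context vrf-vrf1-context
snmp-server context vrf-vrf2-context
snmp mib community-map  abc1 context vrf-vrf1-context
snmp mib community-map  abc2 context vrf-vrf2-context
"""

def resolve_contexts(config):
    """Return {community: {"access", "context", "vrf", "declared"}}."""
    vrf_of_context, declared, mapped, communities = {}, set(), {}, {}
    current_vrf = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # A non-indented line starts or ends an "ip vrf" sub-mode.
            m = re.match(r"ip vrf (\S+)$", line)
            current_vrf = m.group(1) if m else None
        if current_vrf and (m := re.match(r"context (\S+)$", line)):
            vrf_of_context[m.group(1)] = current_vrf
        elif m := re.match(r"snmp-server context (\S+)$", line):
            declared.add(m.group(1))
        elif m := re.match(r"snmp mib community-map\s+(\S+) context (\S+)$", line):
            mapped[m.group(1)] = m.group(2)
        elif m := re.match(r"snmp-server community (\S+) (RO|RW)\b", line):
            communities[m.group(1)] = m.group(2)
    report = {}
    for name, access in communities.items():
        ctx = mapped.get(name)
        report[name] = {"access": access, "context": ctx,
                        "vrf": vrf_of_context.get(ctx), "declared": ctx in declared}
    return report

def unmapped_communities(config):
    """Communities with no community-map entry, i.e. not tied to any context."""
    return sorted(c for c, r in resolve_contexts(config).items() if r["context"] is None)

if __name__ == "__main__":
    print(resolve_contexts(SAMPLE_CONFIG), unmapped_communities(SAMPLE_CONFIG))
```

Run against the full running configuration, the same functions show which RW communities are scoped to a VRF context and which are not.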