Hi all

The contexts are used with VPNs. When you have VRFs, you can restrict
SNMP access to particular contexts (VRFs).

ip vrf custA
 rd 123:123
 context vrfA

snmp-server context vrfA

The following commands are used to associate a context with a community
or a group.

snmp mib community-map cisco context vrfA
snmp-server group cisco v3 priv context vrfA
snmp-server group cisco v2c context vrfA
snmp-server group cisco v1 context vrfA


On the SNMP NMS, you should provide the context name along with the group name
or community name, IP address and engine ID to send SNMP requests to SNMP
agents.


With regards
Kings

On Tue, Sep 14, 2010 at 7:14 PM, Kingsley Charles <
[email protected]> wrote:

> Hi all
>
> Can someone please let me know the exact purpose/usage of SNMP contexts. I
> guess it is something related to view/access restriction. But I don't get
> one doc explaining it.
>
> Please see the highlighted configs below:
>
> Building configuration...
>
>
> Current configuration : 6567 bytes
>
> !
>
> version 12.4
>
> service timestamps debug datetime msec localtime
>
> service timestamps log uptime
>
> no service password-encryption
>
> !
>
> hostname ipsecf-3745b
>
> !
>
> boot-start-marker
>
> boot-end-marker
>
> !
>
> no logging console
>
> enable password lab
>
> !
>
> no aaa new-model
>
> !
>
> resource policy
>
> !
>
> memory-size iomem 5
>
> clock timezone PST -8
>
> clock summer-time PDT recurring
>
> ip subnet-zero
>
> ip cef
>
> !
>
> !
>
> ip vrf vrf1
>
>  rd 1:101
>
>  context vrf-vrf1-context
>
>  route-target export 1:101
>
>  route-target import 1:101
>
> !
>
> ip vrf vrf2
>
>  rd 2:101
>
>  context vrf-vrf2-context
>
>  route-target export 2:101
>
>  route-target import 2:101
>
> !
>
> no ip domain lookup
>
> !
>
> !
>
> crypto keyring vrf1-1 vrf vrf1
>
>   pre-shared-key address 10.1.1.1 255.255.255.0 key vrf1-1
>
> crypto keyring vrf2-1 vrf vrf2
>
>   pre-shared-key address 10.1.2.1 255.255.255.0 key vrf2-1
>
> !
>
> !
>
> crypto isakmp policy 1
>
>  authentication pre-share
>
> !
>
> crypto isakmp policy 50
>
>  authentication pre-share
>
> crypto isakmp key global1-1 address 10.1.151.1
>
> crypto isakmp key global2-1 address 10.1.152.1
>
> crypto isakmp profile vrf1-1
>
>    keyring vrf1-1
>
>    match identity address 10.1.1.1 255.255.255.255 vrf1
>
> crypto isakmp profile vrf2-1
>
>    keyring vrf2-1
>
>    match identity address 10.1.2.1 255.255.255.255 vrf2
>
> !
>
> crypto ipsec security-association lifetime kilobytes 99000
>
> crypto ipsec security-association lifetime seconds 5000
>
> !
>
> crypto ipsec transform-set tset ah-sha-hmac esp-des esp-sha-hmac
>
> !
>
> crypto map global1-1 10 ipsec-isakmp
>
>  set peer 10.1.151.1
>
>  set transform-set tset
>
>  match address 151
>
> !
>
> crypto map global2-1 10 ipsec-isakmp
>
>  set peer 10.1.152.1
>
>  set transform-set tset
>
>  match address 152
>
> !
>
> crypto map vrf1-1 10 ipsec-isakmp
>
>  set peer 10.1.1.1
>
>  set transform-set tset
>
>  set isakmp-profile vrf1-1
>
>  match address 101
>
> !
>
> crypto map vrf2-1 10 ipsec-isakmp
>
>  set peer 10.1.2.1
>
>  set transform-set tset
>
>  set isakmp-profile vrf2-1
>
>  match address 102
>
> !
>
> !
>
> interface FastEthernet0/0
>
>  ip address 10.1.38.25 255.255.255.0
>
>  no ip mroute-cache
>
>  duplex auto
>
>  speed auto
>
> !
>
> interface Serial0/0
>
>  no ip address
>
>  shutdown
>
>  clock rate 2000000
>
> !
>
> interface FastEthernet0/1
>
>  no ip address
>
>  no ip mroute-cache
>
>  shutdown
>
>  duplex auto
>
>  speed auto
>
> !
>
> interface Serial0/1
>
>  no ip address
>
>  shutdown
>
>  clock rate 2000000
>
> !
>
> interface Serial1/0
>
>  no ip address
>
>  encapsulation frame-relay
>
>  no ip route-cache cef
>
>  no ip route-cache
>
>  no ip mroute-cache
>
>  no keepalive
>
>  serial restart-delay 0
>
>  clock rate 128000
>
>  no frame-relay inverse-arp
>
> !
>
> interface Serial1/0.1 point-to-point
>
>  ip vrf forwarding vrf1
>
>  ip address 10.3.1.1 255.255.255.0
>
>  no ip route-cache
>
>  frame-relay interface-dlci 21
>
> !
>
> interface Serial1/0.2 point-to-point
>
>  ip vrf forwarding vrf2
>
>  ip address 10.3.2.1 255.255.255.0
>
>  no ip route-cache
>
>  frame-relay interface-dlci 22
>
> !
>
> interface Serial1/0.151 point-to-point
>
>  ip address 10.7.151.1 255.255.255.0
>
>  no ip route-cache
>
>  frame-relay interface-dlci 151
>
> !
>
> interface Serial1/0.152 point-to-point
>
>  ip address 10.7.152.1 255.255.255.0
>
>  no ip route-cache
>
>  frame-relay interface-dlci 152
>
> !
>
> interface Serial1/1
>
>  no ip address
>
>  no ip mroute-cache
>
>  shutdown
>
>  serial restart-delay 0
>
> !
>
> interface Serial1/2
>
>  no ip address
>
>  encapsulation frame-relay
>
>  no ip route-cache cef
>
>  no ip route-cache
>
>  no ip mroute-cache
>
>  no keepalive
>
>  serial restart-delay 0
>
>  no frame-relay inverse-arp
>
> !
>
> interface Serial1/2.1 point-to-point
>
>  ip vrf forwarding vrf1
>
>  ip address 10.1.1.2 255.255.255.0
>
>  no ip route-cache
>
>  frame-relay interface-dlci 21
>
>  crypto map vrf1-1
>
> !
>
> interface Serial1/2.2 point-to-point
>
>  ip vrf forwarding vrf2
>
>  ip address 10.1.2.2 255.255.255.0
>
>  no ip route-cache
>
>  frame-relay interface-dlci 22
>
>  crypto map vrf2-1
>
> !
>
> interface Serial1/2.151 point-to-point
>
>  ip address 10.5.151.2 255.255.255.0
>
>  no ip route-cache
>
>  frame-relay interface-dlci 151
>
>  crypto map global1-1
>
> !
>
> interface Serial1/2.152 point-to-point
>
>  ip address 10.5.152.2 255.255.255.0
>
>  no ip route-cache
>
>  frame-relay interface-dlci 152
>
>  crypto map global2-1
>
> !
>
> interface Serial1/3
>
>  no ip address
>
>  no ip mroute-cache
>
>  shutdown
>
>  serial restart-delay 0
>
> !
>
> ip default-gateway 10.1.38.1
>
> ip classless
>
> ip route 10.1.1.6 255.255.255.255 10.1.151.1
>
> ip route 10.2.1.6 255.255.255.255 10.1.152.1
>
> ip route 10.6.2.1 255.255.255.255 10.7.151.2
>
> ip route 10.6.2.2 255.255.255.255 10.7.152.2
>
> ip route 172.19.216.110 255.255.255.255 FastEthernet0/0
>
> ip route vrf vrf1 10.20.1.1 255.255.255.255 10.1.1.1
>
> ip route vrf vrf1 10.22.1.1 255.255.255.255 10.30.1.1
>
> ip route vrf vrf2 10.20.2.1 255.255.255.255 10.1.2.1
>
> ip route vrf vrf2 10.22.2.1 255.255.255.255 10.30.1.2
>
> !
>
> !
>
> ip http server
>
> no ip http secure-server
>
> !
>
> ip access-list standard vrf-vrf1-context
>
> ip access-list standard vrf-vrf2-context
>
> !
>
> access-list 101 permit ip host 10.22.1.1 host 10.20.1.1
>
> access-list 102 permit ip host 10.22.2.1 host 10.20.2.1
>
> access-list 151 permit ip host 10.6.2.1 host 10.1.1.6
>
> access-list 152 permit ip host 10.6.2.2 host 10.2.1.6
>
> snmp-server group abc1 v2c context vrf-vrf1-context read view_vrf1 notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F access vrf-vrf1-context
>
> snmp-server group abc2 v2c context vrf-vrf2-context read view_vrf2 notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F access vrf-vrf2-context
>
> snmp-server view view_vrf1 iso included
>
> snmp-server view view_vrf2 iso included
>
> snmp-server community abc1 RW
>
> snmp-server community global1 RW
>
> snmp-server community abc2 RW
>
> snmp-server community global2 RW
>
> snmp-server enable traps tty
>
> snmp-server enable traps config
>
> snmp-server host 172.19.216.110 version 2c abc1
>
> snmp-server host 172.19.216.110 vrf vrf1 version 2c abc1 udp-port 2001  ipsec isakmp
>
> snmp-server host 172.19.216.110 version 2c abc2
>
> snmp-server host 172.19.216.110 vrf vrf2 version 2c abc2 udp-port 2002  ipsec isakmp
>
> snmp-server context vrf-vrf1-context
>
> snmp-server context vrf-vrf2-context
>
> !
>
> !
>
> snmp mib community-map  abc1 context vrf-vrf1-context
>
> snmp mib community-map  abc2 context vrf-vrf2-context
>
> !
>
> !
>
> control-plane
>
> !
>
> !
>
> line con 0
>
>  exec-timeout 0 0
>
> line aux 0
>
> line vty 0 4
>
>  login
>
> !
>
> !
>
> webvpn context Default_context
>
>  ssl authenticate verify all
>
>  !
>
>  no inservice
>
> !
>
> !
>
> end
>
>
>
>
> With regards
> Kings
>
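
Added example, not part of the original thread: a small Python check that reads an IOS configuration and reports how communities, groups and VRFs are tied to SNMP contexts, using only the commands that appear in the messages above. The sample configuration is constructed, and the function name and report keys are assumptions of this example.

```python
import re

# Constructed sample; it uses only commands that appear in the thread above.
SAMPLE = """\
ip vrf vrf1
 rd 1:101
 context vrf-vrf1-context
ip vrf vrf2
 rd 2:101
 context vrf-vrf2-context
snmp-server group abc1 v2c context vrf-vrf1-context read view_vrf1
snmp-server community abc1 RW
snmp-server community global1 RW
snmp-server community abc2 RW
snmp-server context vrf-vrf1-context
snmp mib community-map  abc1 context vrf-vrf1-context
snmp mib community-map  abc2 context vrf-vrf2-context
"""

def audit_snmp_contexts(config):
    """Report how VRFs, communities and groups are bound to SNMP contexts."""
    vrf_ctx, declared, mapped, grouped, communities = {}, set(), {}, {}, set()
    vrf = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends any "ip vrf" block
            m = re.match(r"ip vrf (\S+)$", line)
            vrf = m.group(1) if m else None
        if vrf and (m := re.match(r"context (\S+)$", line)):
            vrf_ctx[vrf] = m.group(1)          # context named under the VRF
        elif m := re.match(r"snmp-server context (\S+)$", line):
            declared.add(m.group(1))           # context declared to the agent
        elif m := re.match(r"snmp mib community-map\s+(\S+) context (\S+)", line):
            mapped[m.group(1)] = m.group(2)    # community -> context
        elif m := re.match(r"snmp-server group (\S+) .*?\bcontext (\S+)", line):
            grouped[m.group(1)] = m.group(2)   # group -> context
        elif m := re.match(r"snmp-server community (\S+)", line):
            communities.add(m.group(1))
    referenced = set(vrf_ctx.values()) | set(mapped.values()) | set(grouped.values())
    return {
        # referenced somewhere, but no matching "snmp-server context" line
        "undeclared_contexts": sorted(referenced - declared),
        # communities with no community-map entry, so not tied to any context
        "unmapped_communities": sorted(communities - set(mapped)),
        # which communities are mapped to each VRF's context
        "vrf_communities": {v: sorted(c for c, x in mapped.items() if x == ctx)
                            for v, ctx in vrf_ctx.items()},
    }

if __name__ == "__main__":
    print(audit_snmp_contexts(SAMPLE))
```
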