Browsing MACs in Catalyst using SNMPv3

Status
Not open for further replies.

dstaro

Programmer
Joined
May 17, 2006
Messages
1
Location
US
I am trying to use SNMPv3 to find out the MAC Address references known
to a Cisco Catalyst 3560 switch, as well as the interface associated with
those MACs. Although I am able to get all MACs for all VLANs using
community-string indexing in SNMPv2c, I could not find a similar mechanism
in SNMPv3. As a result of this, I always get the MACs for the default VLAN
in V3 queries.

The use of SNMPv3 is very important for me because of authentication and
privacy reasons.

=========================================================================

These are the results I get if I use SNMPv2c:

First check the entity MIB for the different agent instances (i.e. VLANs):

# snmpwalk -v2c -c public 172.16.2.73 iso.3.6.1.2.1.47.1.2.1.1

iso.3.6.1.2.1.47.1.2.1.1.2.1 = STRING: "vlan1"
iso.3.6.1.2.1.47.1.2.1.1.2.2 = STRING: "vlan1002"
iso.3.6.1.2.1.47.1.2.1.1.2.3 = STRING: "vlan1004"
iso.3.6.1.2.1.47.1.2.1.1.2.4 = STRING: "vlan1005"
iso.3.6.1.2.1.47.1.2.1.1.2.5 = STRING: "vlan1003"
iso.3.6.1.2.1.47.1.2.1.1.2.6 = STRING: "vlan75"
iso.3.6.1.2.1.47.1.2.1.1.3.1 = OID: iso.3.6.1.2.1.17
iso.3.6.1.2.1.47.1.2.1.1.3.2 = OID: iso.3.6.1.2.1.17
iso.3.6.1.2.1.47.1.2.1.1.3.3 = OID: iso.3.6.1.2.1.17
iso.3.6.1.2.1.47.1.2.1.1.3.4 = OID: iso.3.6.1.2.1.17
iso.3.6.1.2.1.47.1.2.1.1.3.5 = OID: iso.3.6.1.2.1.17
iso.3.6.1.2.1.47.1.2.1.1.3.6 = OID: iso.3.6.1.2.1.17
iso.3.6.1.2.1.47.1.2.1.1.4.1 = STRING: "public@1"
iso.3.6.1.2.1.47.1.2.1.1.4.2 = STRING: "public@1002"
iso.3.6.1.2.1.47.1.2.1.1.4.3 = STRING: "public@1004"
iso.3.6.1.2.1.47.1.2.1.1.4.4 = STRING: "public@1005"
iso.3.6.1.2.1.47.1.2.1.1.4.5 = STRING: "public@1003"
iso.3.6.1.2.1.47.1.2.1.1.4.6 = STRING: "public@75"
iso.3.6.1.2.1.47.1.2.1.1.5.1 = Hex-STRING: AC 10 02 49 00 A1
iso.3.6.1.2.1.47.1.2.1.1.5.2 = Hex-STRING: AC 10 02 49 00 A1
iso.3.6.1.2.1.47.1.2.1.1.5.3 = Hex-STRING: AC 10 02 49 00 A1
iso.3.6.1.2.1.47.1.2.1.1.5.4 = Hex-STRING: AC 10 02 49 00 A1
iso.3.6.1.2.1.47.1.2.1.1.5.5 = Hex-STRING: AC 10 02 49 00 A1
iso.3.6.1.2.1.47.1.2.1.1.5.6 = Hex-STRING: AC 10 02 49 00 A1
iso.3.6.1.2.1.47.1.2.1.1.6.1 = OID: iso.3.6.1.6.1.1
iso.3.6.1.2.1.47.1.2.1.1.6.2 = OID: iso.3.6.1.6.1.1
iso.3.6.1.2.1.47.1.2.1.1.6.3 = OID: iso.3.6.1.6.1.1
iso.3.6.1.2.1.47.1.2.1.1.6.4 = OID: iso.3.6.1.6.1.1
iso.3.6.1.2.1.47.1.2.1.1.6.5 = OID: iso.3.6.1.6.1.1
iso.3.6.1.2.1.47.1.2.1.1.6.6 = OID: iso.3.6.1.6.1.1
iso.3.6.1.2.1.47.1.2.1.1.7.1 = Hex-STRING: 12 34 56 78 90
iso.3.6.1.2.1.47.1.2.1.1.7.2 = Hex-STRING: 12 34 56 78 90
iso.3.6.1.2.1.47.1.2.1.1.7.3 = Hex-STRING: 12 34 56 78 90
iso.3.6.1.2.1.47.1.2.1.1.7.4 = Hex-STRING: 12 34 56 78 90
iso.3.6.1.2.1.47.1.2.1.1.7.5 = Hex-STRING: 12 34 56 78 90
iso.3.6.1.2.1.47.1.2.1.1.7.6 = Hex-STRING: 12 34 56 78 90
iso.3.6.1.2.1.47.1.2.1.1.8.1 = ""
iso.3.6.1.2.1.47.1.2.1.1.8.2 = ""
iso.3.6.1.2.1.47.1.2.1.1.8.3 = ""
iso.3.6.1.2.1.47.1.2.1.1.8.4 = ""
iso.3.6.1.2.1.47.1.2.1.1.8.5 = ""
iso.3.6.1.2.1.47.1.2.1.1.8.6 = ""

Suppose I am interested in VLANs 1 and 75 only; using community string indexing I will do:

For VLAN 1:

# snmpwalk -v2c -c public@1 172.16.2.73 iso.3.6.1.2.1.17.4.3.1.2

iso.3.6.1.2.1.17.4.3.1.2.0.4.35.190.111.75 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.7.233.3.236.13 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.7.233.84.222.234 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.8.161.22.174.124 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.12.241.214.189.253 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.13.86.235.68.20 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.13.86.235.86.234 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.13.86.250.139.60 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.14.12.8.112.37 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.15.31.93.117.134 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.15.31.200.185.205 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.18.30.160.60.230 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.18.63.148.36.40 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.18.63.246.73.103 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.19.70.104.84.192 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.19.70.104.85.0 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.20.34.186.215.19 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.20.34.188.127.113 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.144.71.0.173.253 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.144.251.2.253.99 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.160.248.102.211.130 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.160.248.113.80.16 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.160.248.205.238.183 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.192.159.148.205.174 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.192.168.129.70.114 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.192.168.137.144.96 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.208.183.196.110.67 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.224.129.33.164.31 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.224.129.35.5.57 = INTEGER: 26

For VLAN 75:

# snmpwalk -v2c -c public@75 172.16.2.73 iso.3.6.1.2.1.17.4.3.1.2

iso.3.6.1.2.1.17.4.3.1.2.0.4.35.16.11.152 = INTEGER: 4

Now, if I use SNMPv3, no matter what I do, I always get information
for VLAN1. I would expect different SnmpEngineIDs for each VLAN, but
I don't know where to get them. I tried the following v3 commands:

# snmpwalk -v3 -l authPriv -u myuser -a MD5 -A 12345678 -x DES -X 12345678 172.16.2.73 iso.3.6.1.2.1.17.4.3.1.2

and

# snmpwalk -v3 -l authPriv -u myuser -a MD5 -A 12345678 -x DES -X 12345678 -E 1234567890 172.16.2.73 iso.3.6.1.2.1.17.4.3.1.2

They gave me the same results as the V2c commands with the default
community or the VLAN1 community, i.e., they only returned me MAC Addresses
in the default VLAN. The question is:

----> What would be the equivalent, in V3, to using the public@75 community index in V2c,
in order to browse for VLAN 75's MAC addresses?

=======================================================================

This is my switch's version information:

Switch#sh ver
Cisco IOS Software, C3560 Software (C3560-I5K91-M), Version 12.2(25)SE, RELEASE SOFTWARE (fc)
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Wed 10-Nov-04 23:54 by yenanh

ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.1(19r)EA1b, RELEASE SOFTWARE (fc2)

Switch uptime is 2 weeks, 3 days, 2 hours, 46 minutes
System returned to ROM by power-on
System image file is "flash:/c3560-i5k91-mz.122-25.SE/c3560-i5k91-mz.122-25.SE.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C3560-24PS (PowerPC405) processor (revision H0) with 118784K/12280K bytes of memory.
Processor board ID CAT0843K022
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:12:7F:02:4D:80
Motherboard assembly number : 73-9299-02
Power supply part number : 341-0029-03
Motherboard serial number : CAT084305HW
Power supply serial number : LIT084108AY
Model revision number : H0
Motherboard revision number : A0
Model number : WS-C3560-24PS-E
System serial number : CAT0843K022
Top Assembly Part Number : 800-24814-02
Top Assembly Revision Number : B0
Version ID : N/A
Hardware Board Revision Number : 0x0A


Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C3560-24PS 12.2(25)SE C3560-I5K91-M


Configuration register is 0xF

===============================================================================

This is the switch's SNMP user configuration:

Switch#sh snmp user

User name: myuser
Engine ID: 1234567890
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: mygroup

===============================================================================

This is the switch's running configuration:


!
version 12.2
service config
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$TJ10$NruDleaiCog.ZEYgoHK8Z/
!
no aaa new-model
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
switchport access vlan 75
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 75
switchport mode access
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address dhcp
!
ip classless
ip http server
ip http secure-server
!
!
!
!
snmp-server engineID local 1234567890
snmp-server group mygroup v3 priv
snmp-server community public RO
snmp-server community private RW
!
control-plane
!
!
line con 0
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end
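
Added example, not part of the original post: a Python parser for the two snmpwalk outputs shown above. It pairs each logical entity (VLAN) with the community, context engine ID and context name the agent advertises, and decodes the MAC address carried in each dot1dTpFdbPort OID index. The function names are hypothetical; the sample lines are copied from the post.

```python
import re

# Sample input: a few lines copied from the walks in the post above.
ENT_WALK = '''\
iso.3.6.1.2.1.47.1.2.1.1.2.1 = STRING: "vlan1"
iso.3.6.1.2.1.47.1.2.1.1.2.6 = STRING: "vlan75"
iso.3.6.1.2.1.47.1.2.1.1.4.1 = STRING: "public@1"
iso.3.6.1.2.1.47.1.2.1.1.4.6 = STRING: "public@75"
iso.3.6.1.2.1.47.1.2.1.1.7.1 = Hex-STRING: 12 34 56 78 90
iso.3.6.1.2.1.47.1.2.1.1.7.6 = Hex-STRING: 12 34 56 78 90
iso.3.6.1.2.1.47.1.2.1.1.8.1 = ""
iso.3.6.1.2.1.47.1.2.1.1.8.6 = ""
'''
FDB_WALK = '''\
iso.3.6.1.2.1.17.4.3.1.2.0.4.35.190.111.75 = INTEGER: 26
iso.3.6.1.2.1.17.4.3.1.2.0.4.35.16.11.152 = INTEGER: 4
'''

ENT_BASE = "iso.3.6.1.2.1.47.1.2.1.1."   # entLogicalEntry (ENTITY-MIB)
FDB_BASE = "iso.3.6.1.2.1.17.4.3.1.2."   # dot1dTpFdbPort (BRIDGE-MIB)
# entLogicalDescr, entLogicalCommunity, entLogicalContextEngineID, entLogicalContextName
ENT_COLS = {"2": "descr", "4": "community", "7": "context_engine_id", "8": "context_name"}
LINE = re.compile(r'^(\S+) = (?:([\w-]+): )?(.*)$')

def _rows(walk, base):
    """Yield (index suffix, type, raw value) for walk lines under base."""
    for line in walk.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1).startswith(base):
            yield m.group(1)[len(base):], m.group(2), m.group(3)

def parse_logical_entities(walk):
    """Return {index: {column name: value}} for the entLogicalTable walk."""
    out = {}
    for suffix, vtype, raw in _rows(walk, ENT_BASE):
        col, _, idx = suffix.partition(".")
        if col in ENT_COLS and idx.isdigit():
            val = raw.replace(" ", "").lower() if vtype == "Hex-STRING" else raw.strip('"')
            out.setdefault(int(idx), {})[ENT_COLS[col]] = val
    return out

def parse_fdb(walk):
    """Return {mac: bridge port}; the MAC is the six-number OID index."""
    out = {}
    for suffix, vtype, raw in _rows(walk, FDB_BASE):
        octets = suffix.split(".")
        ok = len(octets) == 6 and all(o.isdigit() and int(o) < 256 for o in octets)
        if ok and vtype == "INTEGER" and raw.isdigit():
            out[":".join(f"{int(o):02x}" for o in octets)] = int(raw)
    return out
```

The integer returned for each MAC is a BRIDGE-MIB bridge port number, not an ifIndex; dot1dBasePortIfIndex in the same MIB maps one to the other.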
 