SNMP agent does not respond when configured with /confdConfig/snmpAgent/extraIpPorts (ConfD 8.0.6)

Hi,

I’m observing an issue with the SNMP agent configuration in ConfD 8.0.6, related to the extraIpPorts parameter under /confdConfig/snmpAgent.

Summary

I have a network topology with two hosts (A and B) and one Layer-3 switch.
The switch has two L3 interfaces and one loopback interface, all configured under the same VRF.
SNMP requests are sent from host A and are expected to be answered by host B, as illustrated in the diagram below:

When I configure the loopback as the SNMP agent’s listening interface and set the VRF under /confdConfig/snmpAgent/vrf, the SNMP agent starts correctly and responds to queries (e.g., snmpget and snmpwalk) as expected.

However, when I try to configure the listening socket using /confdConfig/snmpAgent/extraIpPorts, for example:
"0.0.0.0:161|vrf=<vrf.2>",
instead of setting the VRF under /confdConfig/snmpAgent/vrf, SNMP communication stops working.
The agent appears to receive the requests but does not send replies — I no longer see packets reaching host B.

The binding defined by extraIpPorts seems to be recognized by ConfD, since the path /confd-state/snmp/listen is successfully evaluated using maapi_xpath_eval_expr() with the expression:
udp[ip='0.0.0.0' and port='161' and vrf='vrf.2']/ip

However, communication still fails. It seems that the socket may not actually be opened or applied correctly by the SNMP process.

Some of the SNMP configuration:

snmp agent enabled
snmp agent version v2c
snmp agent version v3
snmp agent engine-id from-mac-address fo:ba:fo:00:00:00
snmp agent listen interface loopback-1
...
confdConfig snmpAgent enabled
confdConfig snmpAgent extraIpPorts [ "0.0.0.0:161|vrf=vrf.2" [::] ]
confdConfig snmpAgent mibs file [ SNMP-COMMUNITY-MIB.bin SNMP-FRAMEWORK-MIB.bin SNMP-NOTIFICATION-MIB.bin SNMP-TARGET-MIB.bin SNMP-USER-BASED-SM-MIB.bin SNMP-VIEW-BASED-ACM-MIB.bin ]
confdConfig snmpAgent mibs fromLoadPath true
confdConfig snmpAgent snmpVersions v1 false
confdConfig snmpAgent snmpEngine snmpEngineID fo:ba:fo:00:00:00
confdConfig snmpAgent system sysDescr "Bar foo"
confdConfig snmpAgent system sysObjectID 1.3.6.1.4.1.3709.1.2.137
confdConfig snmpAgent system sysServices 2

Questions

  1. Is this a known issue in ConfD 8.0.6 related to extraIpPorts with VRF?

  2. Was there a fix or change regarding SNMP multi-binding in later ConfD versions (e.g., 8.1 or 8.2)?

  3. Is there any workaround available for 8.0.6?

Thanks in advance.

Best regards,
Ittalo Santos

Little correction:

The binding is not recognized by ConfD when VRF is configured via /confdConfig/snmpAgent/extraIpPorts. Is there anything wrong with the expression being evaluated? Should the VRF be specified like that? How should it be?

Thanks.

Hi,

Is this the same configuration you had running in an earlier release? Or are you trying to build it up for the first time? From the User Guide:

/confdConfig/snmpAgent/vrf (string)
   The VRF interface name to which the listening socket should bind.

/confdConfig/snmpAgent/extraIpPorts (string)
   This parameter may be given multiple times.

   extraIpPorts is a leaf-list of pipe separated ip:port pairs, network namespace
   names, and VRF interface names; which the SNMP agent also listens to. For IPv6
   addresses, the syntax [ip]:port may be used. If the ':port' is omitted,
   /confdConfig/snmpAgent/port is used. If the 'netns' is omitted,
   /confdConfig/snmpAgent/netns is used. If the 'vrf' is omitted,
   /confdConfig/snmpAgent/vrf is used.

   Example:
     <extraIpPorts>192.168.15.3:4477|netns=ns1|vrf=vrf0</extraIpPorts>
     <extraIpPorts>127.0.0.1|vrf=vrf1</extraIpPorts>
     <extraIpPorts>:::88|netns=ns1</extraIpPorts>
     <extraIpPorts>[::]</extraIpPorts>

I don’t see the vrf in your configuration. Here is a piece of an example configuration that shows how it can work:

  <snmpAgent>
    <enabled>true</enabled>
    <ip>0.0.0.0</ip>
    <port>4000</port>
    <netns>/var/run/netns/east</netns>
    <vrf>veth-east</vrf>

    <extraIpPorts>192.168.15.3:4477|netns=east|vrf=veth-east</extraIpPorts>
  </snmpAgent>

Best,

Scott
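
The extraIpPorts syntax and fallback rules quoted from the User Guide above, worked through as an added example that is not part of the thread and is not ConfD's own parser. The names `Listener` and `parse_extra_ip_port` are hypothetical, and treating a token that is already a valid address as "no port given" is an assumption made here to separate `::1` from `:::88`.

```python
import ipaddress
from typing import NamedTuple, Optional


class Listener(NamedTuple):
    ip: str
    port: int
    netns: Optional[str]
    vrf: Optional[str]


def parse_extra_ip_port(entry, port, netns=None, vrf=None):
    """Resolve one extraIpPorts entry; port/netns/vrf are the snmpAgent-level values."""
    addr, *options = entry.strip().split("|")
    opts = {"netns": netns, "vrf": vrf}           # fallbacks when an option is omitted
    for opt in options:
        key, sep, value = opt.partition("=")
        if key not in opts or not sep or not value:
            raise ValueError(f"unsupported option {opt!r} in {entry!r}")
        opts[key] = value
    explicit = None
    if addr.startswith("["):                      # [ip]:port form for IPv6
        host, sep, rest = addr[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed address in {entry!r}")
        explicit = rest[1:] or None
    else:
        try:                                      # assumption: a valid bare address has no port
            ipaddress.ip_address(addr)
            host = addr
        except ValueError:                        # otherwise the last ':' starts the port
            host, _, explicit = addr.rpartition(":")
    host = str(ipaddress.ip_address(host))        # raises ValueError on a bad address
    number = port if explicit is None else int(explicit)
    if not 0 < number < 65536:
        raise ValueError(f"port out of range in {entry!r}")
    return Listener(host, number, opts["netns"], opts["vrf"])


# The two leaf-list entries from the configuration posted in this thread.
POSTED = ["0.0.0.0:161|vrf=vrf.2", "[::]"]

if __name__ == "__main__":
    # Base port 4000 is taken from the example configuration in the reply above;
    # the poster's own /confdConfig/snmpAgent/port is not shown in the thread.
    for entry in POSTED:
        print(entry, "->", parse_extra_ip_port(entry, port=4000))
```

Read this way, the posted `[::]` entry carries no VRF of its own, so with /confdConfig/snmpAgent/vrf unset it resolves to a listener with no VRF, while only the `0.0.0.0:161` entry is tied to vrf.2.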

Hi, Scott.

Thank you for answering me.

I am trying to use this VRF config from SNMP Agent for the first time.

Should I always set the path /confdConfig/snmpAgent/vrf?

I thought that the /confdConfig/snmpAgent/extraIpPorts was another alternative to set IP, port, VRF etc., since the doc says “If the ‘vrf’ is omitted, /confdConfig/snmpAgent/vrf is used.” Besides, what if I want to configure more than one listen interface from different VRFs? Which one should I set in the /confdConfig/snmpAgent/vrf path?

Thanks again,

Ittalo

Hi,

I don’t see support for expressions like you tried. It is the case that the is there as a default in case you don’t have it in the and you should be able to specify it multiple times as it says in the documentation. I would suggest that because this is the first time you are trying, you start with a basic configuration and work up from there. You are probably familiar enough to know that it is sometimes difficult to get the full desired configuration correct on the first try.

I hope this helps,

Scott

Hi,

Thank you for getting back to me.

About the expressions. I was mistaken, sorry. It is not necessary to add the VRF in the expression. The expression with IP and Port should work even when the snmpAgent config has VRF.

About the VRF config. When I set the /confdConfig/snmpAgent/vrf, it works. But if I set the …/extraIpPorts instead, it doesn’t work.

I wish to understand how to use the VRF in extraIpPorts because today I have an entire solution already working for multiple interfaces/VRFs. We are using a mechanism based on ‘iptables’. However, as the ConfD offered support to VRF in the snmpAgent, we want to use it instead.

Both methods (iptables and VRF config from ConfD) do not work together.

My doubt is:

From the ConfD side, should SNMP listen work for other VRFs specified in the extraIpPorts even when the default VRF is specified in the /confdConfig/snmpAgent/vrf?

Thanks.

Ittalo

I would start without the default vrf configured and build up to see if just using the configuration gives you what you need. This is a rather specialized piece of configuration so it might take official support work if you have difficulties.

Best,

Scott