Hi, guys. I found a problem: when I try to attach an ACL to an SNMP community, it returns an error notification, like this:
I'm sure that I have created ACL 5, but it didn't work. Do you have any clue?
By the way, I have four communities on this device, but only this one has a problem. Are there any characters that are not supported?
Did you use the "@" symbol or ":" in the SNMP community string? These characters are not supported, which would explain why only one of your communities is failing.
Of course. Based on the error message in the image, here is a detailed analysis and the most likely solution to your problem.
You are absolutely correct in your suspicion. The error message is very specific, and the issue is almost certainly related to the characters used in the SNMP community string name.
Root Cause Analysis
The error is:
Error: CLI DN creation failed substituting values. Path sys/snmp/inst/community-[use-ipv4acl5]/acl
Let's break this down:
· DN stands for "Distinguished Name." This is a concept from the LDAP/X.500 protocol used to uniquely identify an object within a hierarchical directory. In this context, the network device's configuration is internally structured like a tree, and each configuration element (like an SNMP community) needs a unique path or "DN."
· The device is trying to create this internal path for your new SNMP community. The intended path is:
sys/snmp/inst/community-[use-ipv4acl5]/acl
· The failure happens when the system tries to insert your community name, use-ipv4acl5, into the path. The presence of the hyphen (-) is the most probable cause of the problem.
While hyphens are often allowed in community strings for the SNMP protocol itself, some software implementations (especially newer NX-OS or IOS-XE that use a structured configuration model) have strict rules about which characters can be used in the object name within the configuration database. Characters like hyphens, spaces, or underscores can sometimes be interpreted as delimiters or have special meaning when building these internal paths, leading to this "DN creation failed" error.
Why Your Other Communities Work
This explains why your other three communities work fine. Their names likely consist of alphanumeric characters (letters a-z, A-Z, numbers 0-9) without any special characters like hyphens. The name use-ipv4acl5 is the only one containing a hyphen, making it the outlier.
Solution
The simplest and most effective solution is to recreate the ACL with a different SNMP community name that uses only alphanumeric characters.
1. Choose a new community name. For example, instead of use-ipv4acl5, use a name like use_ipv4acl5 (underscore), useipv4acl5, or useIPv4Acl5.
2. Reconfigure the SNMP community. Remove the old, problematic one and create the new one with the updated name, associating it with ACL 5.
(config) # no snmp-server community use-ipv4acl5
(config) # snmp-server community use_ipv4acl5 use ipv4acl5
(Note: The second command uses use_ipv4acl5 as the new community name and ipv4acl5 as the ACL name, assuming that's the name of your ACL number 5).
If your ACL is simply numbered (e.g., standard ACL 5), the command would be:
(config) # snmp-server community use_ipv4acl5 5
Verification
After making the change, use the following commands to verify the configuration is correct and active:
# Check if the SNMP community is correctly configured
show running-config | include snmp-server community
# Check if the ACL 5 exists and is properly configured
show access-lists 5
By avoiding the hyphen in the community name, you should be able to apply the ACL without any issues. This is a known constraint on certain platforms, and using alphanumeric names is the recommended best practice to avoid such parsing errors.
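Added example, not part of any post in this thread: a small audit of saved "show running-config" output that lists each SNMP community, whether an ACL is attached to it, and whether its name contains a character the replies above suspect ("@", ":" or "-"). The line syntax (snmp-server community NAME [group G] [use-ipv4acl ACL]) is an assumed NX-OS-style form, the suspect character set comes from the replies rather than vendor documentation, and the sample config is constructed.

```python
import re

# Characters the replies in this thread suspect; not a vendor-documented list.
SUSPECT_CHARS = "@:-"

# Assumed NX-OS-style line: snmp-server community NAME [group G] [use-ipv4acl ACL]
LINE_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)(.*)$")
ACL_RE = re.compile(r"\buse-(?:ipv4|ipv6)acl\s+(\S+)")

def audit_communities(config_text, suspect=SUSPECT_CHARS):
    """Map each community name to its attached ACL and suspect characters."""
    found = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, rest = m.groups()
        # A community can span several lines (group on one, ACL on another).
        entry = found.setdefault(
            name, {"acl": None, "suspect_chars": sorted(set(name) & set(suspect))}
        )
        acl = ACL_RE.search(rest)
        if acl:
            entry["acl"] = acl.group(1)
    return found

def report(found):
    """One human-readable line per community, in config order."""
    lines = []
    for name, entry in found.items():
        notes = []
        if entry["acl"] is None:
            notes.append("no ACL attached")
        if entry["suspect_chars"]:
            notes.append("name contains " + " ".join(entry["suspect_chars"]))
        lines.append(f"{name}: {', '.join(notes) or 'ok'}")
    return lines

# Constructed sample, not taken from the poster's device.
SAMPLE_CONFIG = """\
snmp-server community monitor1 group network-operator
snmp-server community monitor1 use-ipv4acl 5
snmp-server community nms@site2 group network-operator
snmp-server community use-ipv4acl5 group network-operator
"""

if __name__ == "__main__":
    print("\n".join(report(audit_communities(SAMPLE_CONFIG))))
```

A community reported with "no ACL attached" answers SNMP queries from any source that can reach the device, so that finding is worth reviewing regardless of the naming question.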