09-24-2024 02:03 AM - edited 09-24-2024 02:05 AM
Hello,
I am trying to configure SNMP access to NeDi on a Catalyst 9300 Switch. This is the current status:
Nedi:
Created the "nedimon" community string. (SNMP v2c)
C9300:
snmp-server community nedimon RO IPv4-RO-SNMP-LOCAL
Standard IP access list IPv4-RO-SNMP-LOCAL
10 permit 192.168.3.91
20 deny any log
...
This is the config part. In our switch, we have a few other ACLs too:
Standard IP access list IPv4-NTP-CLIENTS
10 permit X.X.X.X, wildcard bits 0.0.0.7 (37450 matches)
11 permit X.X.X.X, wildcard bits 0.0.0.15
12 permit X.X.X.X, wildcard bits 0.0.0.31
Standard IP access list IPv4-NTP-SERVER
10 permit X.X.X.X (293033 matches)
Standard IP access list IPv4-RO-SNMP-ACCESS
10 permit X.X.X.X, wildcard bits 0.0.0.15 (570214 matches)
20 permit X.X.X.X, wildcard bits 0.0.0.31 (2525698 matches)
30 permit X.X.X.X, wildcard bits 0.0.0.7 (615434 matches)
40 permit X.X.X.X, wildcard bits 0.0.0.15
50 permit X.X.X.X, wildcard bits 0.0.0.31 (30456294 matches)
60 permit X.X.X.X, wildcard bits 0.0.0.15
70 deny any log (1046 matches)
Standard IP access list IPv4-RO-SNMP-LOCAL
10 permit 192.168.3.91
20 deny any log
And if I run an SNMP discovery in Nedi, I get this error: SNMP Failed
And I also saw in C9300 logs: %SEC-6-IPACCESSLOGS: list IPv4-RO-SNMP-ACCESS denied 192.168.3.91 packets
This is the ACL above my new ACL. Of course it is denied, because the 192.168.3.91 entry is in a different ACL: IPv4-RO-SNMP-LOCAL
How is this possible? Maybe the ACL configured earlier, with the 70 deny any log entry, denies the new ACL's 192.168.3.91 entry too? But these are two different ACLs.
Thanks in advance!
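The question above turns on how a standard ACL is evaluated and which ACL the %SEC-6-IPACCESSLOGS message names. The following is an added example, not code from the original post or from NeDi or Cisco: a small Python evaluator that parses "show ip access-lists"-style output, applies IOS wildcard-mask matching (a 1 bit in the wildcard means "don't care") in sequence order with the implicit deny at the end, and checks a logged deny against the ACL it names. The addresses in the sample output are constructed stand-ins for the redacted X.X.X.X entries.

```python
import ipaddress
import re

# Constructed sample of "show ip access-lists" output. The 10.20.x.x ranges are
# made-up placeholders for the redacted entries in the post.
SHOW_ACL = """\
Standard IP access list IPv4-RO-SNMP-ACCESS
    10 permit 10.20.0.0, wildcard bits 0.0.0.15 (570214 matches)
    20 permit 10.20.1.0, wildcard bits 0.0.0.31 (2525698 matches)
    70 deny any log (1046 matches)
Standard IP access list IPv4-RO-SNMP-LOCAL
    10 permit 192.168.3.91
    20 deny any log
"""

HEADER_RE = re.compile(r"^Standard IP access list (?P<name>\S+)")
ENTRY_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<src>any|\d+\.\d+\.\d+\.\d+)"
    r"(?:,\s*wildcard bits\s+(?P<wc>\d+\.\d+\.\d+\.\d+))?"
)
# Shape of the IOS access-list logging message quoted in the post.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<verdict>denied|permitted) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_acls(text):
    """Return {acl_name: [(seq, action, source, wildcard), ...]}."""
    acls = {}
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name")
            acls[current] = []
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            # A host entry has no wildcard; IOS treats it as wildcard 0.0.0.0.
            acls[current].append((
                int(entry.group("seq")),
                entry.group("action"),
                entry.group("src"),
                entry.group("wc") or "0.0.0.0",
            ))
    return acls


def matches(ip, src, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    if src == "any":
        return True
    ip_i = int(ipaddress.IPv4Address(ip))
    src_i = int(ipaddress.IPv4Address(src))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (src_i & care)


def evaluate(acl, ip):
    """First matching entry wins; with no match the implicit deny applies."""
    for seq, action, src, wc in sorted(acl):
        if matches(ip, src, wc):
            return action, seq
    return "deny", None


def check_community(acls, acl_name, ip):
    """Verdict for a manager IP against the ACL bound to a community."""
    return evaluate(acls[acl_name], ip)


def explain_log(acls, log_line):
    """Re-evaluate a logged packet against the ACL the log message names."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    action, seq = evaluate(acls[m.group("acl")], m.group("ip"))
    return m.group("acl"), m.group("ip"), action, seq


if __name__ == "__main__":
    acls = parse_acls(SHOW_ACL)
    for name in acls:
        print(name, check_community(acls, name, "192.168.3.91"))
    print(explain_log(
        acls,
        "%SEC-6-IPACCESSLOGS: list IPv4-RO-SNMP-ACCESS denied 192.168.3.91 packets",
    ))
```

The useful check here is that the log message names the ACL that actually evaluated the packet: each community is bound to its own ACL, so a deny logged by IPv4-RO-SNMP-ACCESS means that particular request was checked against that list, not against IPv4-RO-SNMP-LOCAL. Running the manager's source address through both lists, as above, shows the expected verdict of each and makes it clear which community the device saw the request arrive with.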
09-24-2024 07:28 AM
- You should start with no ACLs and then, kind of debugging, check where your ACLs start failing,
M.
09-26-2024 12:51 AM
Hello,
Thanks for your feedback!
I've tried everything without luck, and finally I managed to find the problem. The problem was on the NeDi side. I need to run an SNMP v2c connection test, and after that it worked well... it has certainly not worked like that so far. It looks like a bug to me.
09-26-2024 01:09 AM
- If you think it is a bug on the Cisco device, then upgrade to the latest advisory software version and try again,
M.