While configuring a new Nexus 3K, I noticed some strange behavior I couldn't resolve regarding SNMP.
I set up communities, bound them to an access-list with certain permissions to query the equipment, and it works: only permitted hosts in the ACL are allowed to query the equipment.
This is available only when issuing the command snmp-server protocol enable.
The problem is that once this is enabled, the snmpd process opens incoming access to tcp/161 with no dependency whatsoever on the ACL.
NMAP from the world
[13:16]netmon~$ nmap <host>
Starting Nmap 4.20 ( http://insecure.org ) at 2015-03-02 13:18 IST
Interesting ports on <host> (ip)
Not shown: 1695 closed ports
PORT STATE SERVICE
161/tcp open snmp
Telnet from the world
[13:18]netmon~$ telnet <host> 161
Connected to <host>
Escape character is '^]'.
Connection closed by foreign host.
N7K-1-vdc1# sh processes | i snmpd
7996 S f6d914b2 1 - VL snmpd
N7K-1-vdc1# sh process stack 7996
PID: 7996, Cmdline: /isan/bin/snmpd -f -s udp:161 udp6:161 tcp:161 tcp6:161
Process Kernel Stack:
[<ffffffff802cabfa>] [<ffffffff802edc38>] [<ffffffff802ee046>] [<ffffffff802298e2>] [<ffffffffffffffff>]
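As an added example (not part of the original post, and not Cisco's code), here is a small config audit that flags the combination described above: a community bound to an ACL with use-acl together with snmp-server protocol enable, which opens the tcp/161 listener the ACL does not gate. The running-config excerpt and the community/ACL names are constructed for the example; only the command keywords are real NX-OS syntax.

```python
import re

# Constructed sample NX-OS running-config excerpt (names are made up).
SAMPLE_CONFIG = """\
ip access-list SNMP-MGMT
  10 permit ip 192.0.2.10/32 any
snmp-server community netmon-ro group network-operator
snmp-server community netmon-ro use-acl SNMP-MGMT
snmp-server protocol enable
"""

COMMUNITY_ACL_RE = re.compile(r"snmp-server community (\S+) use-acl (\S+)")
COMMUNITY_RE = re.compile(r"snmp-server community (\S+)")


def audit_snmp_config(config: str) -> dict:
    """Return SNMP exposure facts inferred from a running-config.

    The community ACL (use-acl) only limits which hosts may query with
    that community string.  'snmp-server protocol enable' additionally
    starts a TCP/161 listener that accepts connections regardless of the
    community ACL, so tcp/161 reachability has to be limited elsewhere
    (an interface or control-plane ACL in front of the device).
    """
    communities = {}          # community name -> ACL name or None
    tcp_listener = False
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_ACL_RE.match(line)
        if m:
            communities[m.group(1)] = m.group(2)
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            communities.setdefault(m.group(1), None)
            continue
        if line == "snmp-server protocol enable":
            tcp_listener = True

    findings = []
    if tcp_listener:
        findings.append("tcp/161 listener enabled; community ACLs do not gate TCP connects")
    for name, acl in communities.items():
        if acl is None:
            findings.append(f"community {name} has no use-acl binding")
    return {"communities": communities, "tcp_listener": tcp_listener, "findings": findings}
```

Run it against the output of show running-config on a device to get the same findings for real communities.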