05-05-2018 07:16 AM - edited 03-01-2019 06:34 PM
Hi all,
While configuring a new Nexus 3K, I noticed some strange behavior I couldn't resolve regarding SNMP.
I had set up communities bound to an access-list with certain permissions to query the equipment, and it works: only the hosts permitted in the ACL are allowed to query the equipment.
This is available only after issuing the command snmp-server protocol enable.
The problem is that once this is enabled, the snmpd process opens incoming access on tcp/161 with no dependency whatsoever on the ACL.
NMAP from the world
[13:16]netmon~$ nmap <host>
Starting Nmap 4.20 ( http://insecure.org ) at 2015-03-02 13:18 IST
Interesting ports on <host> (ip)
Not shown: 1695 closed ports
PORT STATE SERVICE
161/tcp open snmp
Telnet from the world
[13:18]netmon~$ telnet <host> 161
Trying (ip)...
Connected to <host>
Escape character is '^]'.
Connection closed by foreign host.
Process Outputs
N7K-1-vdc1# sh processes | i snmpd
7996 S f6d914b2 1 - VL snmpd
N7K-1-vdc1# sh process stack 7996
PID: 7996, Cmdline: /isan/bin/snmpd -f -s udp:161 udp6:161 tcp:161 tcp6:161
Process Kernel Stack:
[<ffffffff802cabfa>] [<ffffffff802edc38>] [<ffffffff802ee046>] [<ffffffff802298e2>] [<ffffffffffffffff>]
09-11-2021 10:27 AM
The problem is resolved by restricting the connection in CoPP System: I set pps to 0 for any SNMP coming from outside, and then it's closed.
05-05-2018 11:21 PM
- That is normal; the SNMP process has to be 'present'. The ACL still has effect once a real SNMP request is executed from a client.
M.
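A way to check the distinction made in the reply above (a completed TCP handshake on 161 versus an actual SNMP answer), as an added example that is not part of the thread: it hand-encodes a minimal SNMPv2c GET for sysDescr.0, sends it over UDP, and reports whether a reply came back, next to a plain TCP connect that reproduces what nmap and telnet saw. Run it once from a host inside the ACL and once from outside; the TCP probe should say "open" both times while the SNMP reply should only arrive from the permitted host. The host, community string and ACL membership are assumptions (the thread names none), and the encoder is a teaching implementation, not the switch's or any library's code.

```python
import socket

# Added example (not from the thread): minimal SNMPv2c GET encoder/decoder plus
# two probes, to separate "tcp/161 accepts a handshake" from "the agent answers".
# Host, community and which side of the ACL you run from are assumptions.

SYS_DESCR = "1.3.6.1.2.1.1.1.0"


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value):
    """Two's-complement INTEGER; the extra byte keeps positive values positive."""
    size = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128 with continuation bits."""
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def build_get(community, oid, request_id=1):
    """SNMPv2c GetRequest for one OID (version field 1 on the wire means v2c)."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")            # OID + NULL value
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(1) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos=0):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def response_request_id(packet):
    """Request-id echoed in a GetResponse, or None if the packet is not one."""
    tag, msg, _ = _read_tlv(packet)
    if tag != 0x30:
        return None
    _, _, pos = _read_tlv(msg)            # version
    _, _, pos = _read_tlv(msg, pos)       # community
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:                       # GetResponse
        return None
    _, rid, _ = _read_tlv(pdu)
    return int.from_bytes(rid, "big", signed=True)


def tcp_probe(host, port=161, timeout=3.0):
    """'open' if the handshake completes (what nmap/telnet saw), else 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"


def snmp_get(host, community, oid=SYS_DESCR, timeout=3.0):
    """One v2c GET over UDP; None means no matching reply, i.e. the request was dropped."""
    req = build_get(community, oid, request_id=42)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, 161))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return resp if response_request_id(resp) == 42 else None


if __name__ == "__main__":
    import sys
    host, community = sys.argv[1], sys.argv[2]   # assumed: run from inside and from outside the ACL
    print("tcp/161 handshake:", tcp_probe(host))
    print("snmp reply:", "yes" if snmp_get(host, community) else "none (dropped)")
```

A handshake that completes and is then closed, as in the telnet output above, shows only that snmpd has bound tcp:161; the ACL is consulted when the request is processed, so the meaningful test is whether a GET from a non-permitted address gets a reply. If it does, the community is not actually bound to the ACL.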