TrustSec - SNMP Block but still showing in the ports scan

Hi All,

I have TrustSec between two SGTs to deny SNMP 161 and 162. I see the SGACL hits and it's denied, but the SNMP port is still showing in the port scan.

Is this normal? It's just the ports showing in the scans ONLY. I can't get any SNMP query. I tried a brute force attack on the port and didn't get anywhere.

sh logging | in 10.XX.
Jun 8 10:46:08.634 CDT: %SEC-6-IPACCESSLOGP: list Deny_SNMP_Dst-01 denied udp 10.X.X.X(52586) -> 10.X.X.X(161), 1 packet
Jun 8 10:46:08.634 CDT: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/24' sgacl_name='Deny_SNMP_Dst-01' action='Deny' protocol='udp' src-vrf='def


show cts role-based permissions from 10002 to 10200
IPv4 Role-based permissions from group 10002:Network_Devices to group 10200:PLCs:
SNMP_Allow_Log-02
Permit IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE


show cts role-based permissions from 0 to 10200
IPv4 Role-based permissions from group Unknown to group 10200:PLCs:
Deny_SNMP_Dst-01
Deny_SNMP_Src-01
Permit IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

show ip access-lists Deny_SNMP_Dst-01
Role-based IP access list Deny_SNMP_Dst-01 (downloaded)
10 deny udp dst eq snmp log (2170 matches)
20 deny udp dst eq snmptrap log (110 matches)

show ip access-lists Deny_SNMP_Src-01
Role-based IP access list Deny_SNMP_Src-01 (downloaded)
10 deny udp src eq snmp log (472 matches)
20 deny udp src eq snmptrap log
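An added check, not from the post or from Cisco, that parses the two kinds of evidence shown above (the %SEC-6-IPACCESSLOGP syslog lines and the "show ip access-lists" hit counters) and reports denied SNMP packets per destination plus any SNMP flow that was permitted. The syslog sample is constructed; a UDP scanner that gets no reply to a dropped probe cannot tell that from an open port, so these counters, not the scan, are the evidence that the SGACL is working.

```python
import re
from collections import Counter
# Constructed sample lines in the %SEC-6-IPACCESSLOGP format seen in the post (made-up addresses).
SAMPLE_LOG = """\
Jun 8 10:46:08.634 CDT: %SEC-6-IPACCESSLOGP: list Deny_SNMP_Dst-01 denied udp 10.0.0.5(52586) -> 10.0.1.9(161), 1 packet
Jun 8 10:46:09.101 CDT: %SEC-6-IPACCESSLOGP: list Deny_SNMP_Dst-01 denied udp 10.0.0.5(52587) -> 10.0.1.9(162), 1 packet
Jun 8 10:46:10.220 CDT: %SEC-6-IPACCESSLOGP: list Deny_SNMP_Src-01 denied udp 10.0.1.9(161) -> 10.0.0.5(52588), 3 packets
Jun 8 10:46:11.003 CDT: %SEC-6-IPACCESSLOGP: list SNMP_Allow_Log-02 permitted udp 10.0.0.7(40000) -> 10.0.1.9(161), 1 packet
"""

# 'show ip access-lists' block copied from the post; the last ACE has no counter yet.
SAMPLE_SHOW = """\
Role-based IP access list Deny_SNMP_Src-01 (downloaded)
10 deny udp src eq snmp log (472 matches)
20 deny udp src eq snmptrap log
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
ACE_RE = re.compile(r"^\s*(?P<seq>\d+) (?P<ace>.+?)(?: \((?P<n>\d+) matches\))?$")

def parse_acl_log(text):
    """Yield one dict per IPACCESSLOGP line; unrelated syslog lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            for k in ("sport", "dport", "count"):
                e[k] = int(e[k])
            yield e

def snmp_deny_summary(text, ports=(161, 162)):
    """Sum denied packets per (acl, dst, dport) for UDP flows on an SNMP port; list permitted ones."""
    denied, permitted = Counter(), []
    for e in parse_acl_log(text):
        if e["proto"] != "udp" or not ({e["sport"], e["dport"]} & set(ports)):
            continue
        if e["action"] == "denied":
            denied[(e["acl"], e["dst"], e["dport"])] += e["count"]
        else:  # a permitted SNMP flow is the thing that would need explaining
            permitted.append((e["acl"], e["src"], e["dst"], e["dport"]))
    return denied, permitted

def ace_match_counts(show_output):
    """Map each ACE of a 'show ip access-lists' block to its hit counter (0 if none shown)."""
    return {m["ace"]: int(m["n"] or 0)
            for m in map(ACE_RE.match, show_output.splitlines()) if m}
```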
