10-22-2010 11:51 AM - edited 03-04-2019 10:12 AM
I created an ACL to allow SNMP traffic through. Once I applied it traffic does not pass. Should be pretty simple. Below is what I used. I am using SNMP v2.
ip access-list extended ABC-ACL
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
permit icmp X.X.0.0 0.0.255.255 host SERVER_IP
Additional permit statements omitted.
10-22-2010 01:29 PM
HMidkiff wrote:
I created an ACL to allow SNMP traffic through. Once I applied it traffic does not pass. Should be pretty simple. Below is what I used. I am using SNMP v2.
ip access-list extended ABC-ACL
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
permit icmp X.X.0.0 0.0.255.255 host SERVER_IP
Additional permit statements omitted.
Where is it applied: to a L3 switch vlan interface or a router interface, and in which direction, etc.?
Is the SNMP traffic from a specific device? You could add a permit log for that specific device to see what ports it is using.
Also, where is the SNMP coming from in your acl? If it is the x.x.0.0 network the acl should be -
permit udp x.x.0.0 0.0.255.255 eq snmp host SERVER_IP eq snmp
etc..
Jon
10-22-2010 02:05 PM
Thanks for replying. The ACL is applied on a router gig interface inbound. If I remove the ACL snmp works fine.
10-22-2010 02:15 PM
Where is the snmp coming from ie. from the x.x.0.0 network or from the server ?
Jon
10-22-2010 02:24 PM
Thanks again. The traffic is coming from nodes on the X.X.0.0 network which of course is the source.
10-22-2010 02:38 PM
HMidkiff wrote:
Thanks again. The traffic is coming from nodes on the X.X.0.0 network which of course is the source.
So the server is the SNMP manager? In which case, can you change your acl from -
ip access-list extended ABC-ACL
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
to
ip access-list extended ABC-ACL
permit udp X.X.0.0 0.0.255.255 eq snmp host SERVER_IP
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
snmptraps are sent to the server on port 162 so that line is correct. But the snmp line was wrong because the SNMP request is sent from the manager to destination port 161 on the x.x.0.0 device. Note that the source port is a random port.
When the device responds it sends the snmp response back to the server. The destination port is the random port and the source port is 161, so your original acl was wrong.
Give it a try and let me know.
Jon
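The port logic in Jon's reply can be checked mechanically. The following is an added example, not code from this thread or from Cisco: a small evaluator for extended ACL entries in the syntax used above (wildcard masks, `host`, `any`, `eq` with the `snmp`/`snmptrap` names), run against the three packets an inbound ACL on the router's LAN-facing interface would actually see. The addresses (a constructed 10.20.0.0/16 for the X.X.0.0 network, 192.0.2.10 for SERVER_IP) and the ephemeral ports are constructed placeholders.

```python
"""Toy first-match evaluator for Cisco-style extended ACL entries (added example)."""
import ipaddress

# Service names IOS accepts in 'eq' clauses; only the two used in the thread.
PORT_NAMES = {"snmp": 161, "snmptrap": 162}

# Constructed stand-ins for X.X.0.0 0.0.255.255 and SERVER_IP.
NETWORK = "10.20.0.0 0.0.255.255"
SERVER = "192.0.2.10"
AGENT = "10.20.5.7"          # one polled device inside the /16 (constructed)
EPHEMERAL = 50000            # random source port chosen by the manager (constructed)

ORIGINAL_ACL = [
    f"permit udp {NETWORK} host {SERVER} eq snmp",       # matches dst port 161
    f"permit udp {NETWORK} host {SERVER} eq snmptrap",   # matches dst port 162
]
FIXED_ACL = [
    f"permit udp {NETWORK} eq snmp host {SERVER}",       # matches SOURCE port 161
    f"permit udp {NETWORK} host {SERVER} eq snmptrap",
]


def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wild), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT' clause; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return PORT_NAMES.get(name, None) or int(name), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P]' into a dict."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return {"action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _addr_match(spec, ip):
    base, wild = spec
    if base == "any":
        return True
    # A 1 bit in the wildcard mask means "don't care"; compare only the 0 bits.
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def evaluate(acl_lines, pkt):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != pkt["proto"]:
            continue
        if not (_addr_match(ace["src"], pkt["src"]) and _addr_match(ace["dst"], pkt["dst"])):
            continue
        if ace["sport"] is not None and ace["sport"] != pkt["sport"]:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
            continue
        return ace["action"]
    return "deny"


# Packets entering the router on the interface facing the /16 (ACL applied inbound).
# The manager's request (dst port 161) travels the other way and is not evaluated here.
def snmp_response(agent=AGENT, manager=SERVER, ephemeral=EPHEMERAL):
    return {"proto": "udp", "src": agent, "sport": 161, "dst": manager, "dport": ephemeral}


def snmp_trap(agent=AGENT, manager=SERVER, ephemeral=EPHEMERAL + 1):
    return {"proto": "udp", "src": agent, "sport": ephemeral, "dst": manager, "dport": 162}


def compare():
    """Decision of each ACL for the response and the trap, keyed by ACL name."""
    return {
        "original": {"response": evaluate(ORIGINAL_ACL, snmp_response()),
                     "trap": evaluate(ORIGINAL_ACL, snmp_trap())},
        "fixed": {"response": evaluate(FIXED_ACL, snmp_response()),
                  "trap": evaluate(FIXED_ACL, snmp_trap())},
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)   # original: response denied; fixed: both permitted
```

Two points worth noting about the corrected line. The ACL is stateless, so `eq snmp` on the source side permits any UDP datagram from the /16 with source port 161 to the server on any destination port, not just replies to polls the server actually sent; that is the trade-off of matching replies by source port, and a stateful inspection feature is the way to tighten it if the risk matters. And because entries are evaluated top-down with an implicit deny at the end, a `permit ... log` entry as suggested earlier in the thread is the cheapest way to confirm which ports a device is really using before committing a change on a production interface.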
10-23-2010 09:14 AM
Thanks for replying. That fixed it! Thanks so much.
08-27-2014 11:00 AM
Hello,
I understand this is a very old post but I was hoping someone could advise on the same issue I am having. I run a snmp tester on my server and it cannot reach my switch, although they can both ping each other. There is NO router separating the devices, just a L3 core switch which has ACLs on it. I do not work with ACLs at all so I am scared to put commands in that could interfere with an active network. Here is what I want to do:
Server 10.3.76.46/22 needs to get snmptraps from the 10.11.10.0/24 network.
Server is on vlan100 and we have a management vlan10 which carries IP info for my switches.
And this is what I am being told by a corporate office representative regarding SNMP:
snmp-server community [community name] RO [Access List allowing IP of server]
snmp-server host [Monitoring server IP] version 2c [community name]
snmp-server trap-source [your network management VLAN #]
Any help would be greatly appreciated.
Thanks,
Tim