04-13-2021 01:43 PM - edited 04-13-2021 01:44 PM
Hi there,
We have accumulated many SNMP strings over the years, but I don't know the history of any of them. Is there any way I can check which SNMP strings are being used and which are not? Maybe in the logs? Then I can clean up the config. We are using Catalyst and Nexus switches. Any advice would be appreciated!! Thank you.
04-13-2021 02:29 PM
Hi there,
How about adding to each snmp-server community <value> RO line an ACL with just a permit ip any any log, e.g.:
! access-list 10 permit any log
! access-list 11 permit any log
!
snmp-server community FOO RO 10
snmp-server community BAR RO 11
!
If you already have ACLs attached to your SNMP statements (and you really should!), then prepend the log keyword to the end of any permit ACEs in them.
You will need to dial up your logging level to 6 (informational) to see the IPACCESSLOGP messages. These will show you which ACL is being hit and you can then cross reference that to the community string it is attached to. Keep in mind when those permit statements start getting hit with SNMP GET requests your logs will fill up quickly.
cheers,
Seb.
04-13-2021 01:50 PM - edited 04-13-2021 01:51 PM
Hi,
If you issue the command "sh snmp" you should be able to see the number of input and output packets SNMP is using. If there are no packets incrementing then that SNMP community is most likely not being used. See sample:
319694656 SNMP packets input
0 Bad SNMP version errors
1341201 Unknown community name
318342153 SNMP packets output
HTH
04-13-2021 01:56 PM
Hi Reza,
Thank you for the info. I did try it on a 3560. It doesn't tell which SNMP string is generating the input or output. The idea makes sense, but I'm not sure which SNMP string I'm looking at. Thanks.
04-13-2021 02:17 PM
Hi,
If you use "sh snmp community", you should be able to see the community names and the string each community is using.
HTH
04-14-2021 10:08 AM
Hi Seb,
You're amazing. Your logic totally makes sense. I don't have time to try it out today, i will try it out asap and see if it works. Thank you so much!!
04-15-2021 01:22 PM
Hi Seb,
You're correct. I can see which IP is using which string now.
BTW, for anyone else interested, the log didn't fill up too quickly (this may vary between versions and/or models). A log example is below.
%SEC-6-IPACCESSLOGS: list 5 permitted 10.x.x.x 309 packets
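Added example, not code from the thread: a small Python script that cross-references the snmp-server community lines from "show run | sec snmp" with the %SEC-6-IPACCESSLOGS lines that Seb's log-keyword approach produces, so the communities that actually get hits, the ones that never do in the log window, and the ones with no ACL at all fall out automatically. The config excerpt and syslog lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt (not from a real device).
RUNNING_CONFIG = """\
access-list 5 permit any log
access-list 10 permit any log
access-list 11 permit any log
snmp-server community FOO RO 10
snmp-server community BAR RO 11
snmp-server community OLDSTRING RO 5
snmp-server community LEGACY RO
"""

# Constructed syslog sample in the %SEC-6-IPACCESSLOGS format shown in the thread.
SYSLOG = """\
Apr 15 13:20:01 sw1 %SEC-6-IPACCESSLOGS: list 5 permitted 10.0.0.7 309 packets
Apr 15 13:21:11 sw1 %SEC-6-IPACCESSLOGS: list 10 permitted 10.0.0.9 12 packets
Apr 15 13:22:45 sw1 %SYS-5-CONFIG_I: Configured from console by admin
Apr 15 13:25:02 sw1 %SEC-6-IPACCESSLOGS: list 5 permitted 10.0.0.8 5 packets
"""

# "snmp-server community <string> RO|RW [<acl>]"; the ACL is optional.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (?:RO|RW)(?: (\S+))?", re.M)
# Standard-ACL log summary: "list <acl> permitted <src> <n> packet(s)".
ACCESSLOG_RE = re.compile(r"%SEC-6-IPACCESSLOGS: list (\S+) permitted (\S+) (\d+) packets?")

def parse_communities(config):
    """Map community string -> attached ACL (None when no ACL is configured)."""
    return {m.group(1): m.group(2) for m in COMMUNITY_RE.finditer(config)}

def parse_acl_hits(syslog):
    """Map ACL -> {source IP -> total packets} summed over all log lines."""
    hits = defaultdict(lambda: defaultdict(int))
    for m in ACCESSLOG_RE.finditer(syslog):
        hits[m.group(1)][m.group(2)] += int(m.group(3))
    return hits

def community_usage(config, syslog):
    """Return (in_use, unused, unprotected). 'unused' only means no hits in this log window."""
    communities = parse_communities(config)
    hits = parse_acl_hits(syslog)
    in_use = {c: dict(hits[acl]) for c, acl in communities.items() if acl in hits}
    unused = sorted(c for c, acl in communities.items() if acl is not None and acl not in hits)
    unprotected = sorted(c for c, acl in communities.items() if acl is None)
    return in_use, unused, unprotected

if __name__ == "__main__":
    in_use, unused, unprotected = community_usage(RUNNING_CONFIG, SYSLOG)
    for community, sources in in_use.items():
        print(f"{community}: used by {sources}")
    print(f"no hits in window (cleanup candidates): {unused}")
    print(f"no ACL attached (cannot be measured this way): {unprotected}")
```

Communities listed as unprotected need an ACL with the log keyword added first, as Seb describes, before the log can say anything about them.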
04-13-2021 07:15 PM
Hi,
What SNMP version are you using? Can you post a 'show run | sec snmp' output?
Maybe you can do it the other way, i.e. check from the NMS device setup.
In SolarWinds NPM, you can see what SNMP version and string are being used. There's also a button to test SNMP.
Alternatively, you can perform an SNMP walk on the device.