SNMP ACL permit agent and snmp host command

mahesh18
Level 6

Hi Everyone,

I read to use a standard ACL to permit only the IP addresses of your SNMP agent machines.

Does this mean that switches running SNMP?

Say here the switch has IP 192.168.10.3 as its management IP.

When I check the ACL on the switch it does not show the switch IP address under the ACL permit:

access-list 96 permit 192.168.10.3

But it shows these IPs:

access-list 96 permit 172.16.x.10

access-list 96 permit 172.16.x.9

So I need to know, are these the IPs of other switches and routers in the network?

Secondly, I read to use the snmp-server host command to identify the SNMP manager.

But in this config there is no snmp-server host command.

snmp-server community  RO 99

snmp-server community  RW 99

snmp-server community  RO 96

snmp-server location

snmp-server contact

snmp-server system-shutdown

snmp-server enable traps license

snmp ifmib ifalias long

snmp ifmib ifindex persist

When I do sh snmp host on the switch there is no output.

When I do sh acl it shows:

acl 96

    60 permit 172.16.x.10 (7783560 matches)
    70 permit 172.16.x.9 (7030820 matches)

acl 99

Standard IP access list 99

    20 permit 172.16.x.206 (4969692 matches)
    40 permit 172.16.x.5 (1261582 matches)
    30 permit 172.16.x.18 (692704 matches)
    50 permit 172.31.x.71 (81712 matches)
    60 deny   any log (4 matches)

So I need to know, is this device sending SNMP traps to some manager, as there is no host command in the SNMP config?

Thanks

mahesh


5 Replies

Gregory Snipes
Level 4

When you configure the command "snmp-server community test RO 96" this translates to mean only hosts permitted in access-list 96 will be able to use the community string "test" to connect to this device and that they will only be able to read from the device, not write to it.

The hosts that are permitted to read or write SNMP to a network device are typically network monitoring tools (servers) or the workstations of the network engineers who maintain the device. However just because the device is permitted to read from the device will not mean the device sends traps to it automatically. If you want the device to send traps to a device you would need to use the "snmp-server host" command to set where to send them to.

Hi Gregory,

In this case, as there is no snmp-server host command, does it mean that the switch is not sending any traps to any devices?

When I ran the sh snmp command:

11321490 SNMP packets input
    0 Bad SNMP version errors
    28 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    59228952 Number of requested variables
    2587 Number of altered variables
    8767194 Get-request PDUs
    1717520 Get-next PDUs
    2875 Set-request PDUs
    0 Input queue packet drops (Maximum queue size 1000)
11321462 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    910 No such name errors
    288 Bad values errors
    0 General errors
    11321462 Response PDUs
    0 Trap PDUs
SNMP global trap: disabled

SNMP logging: disabled
SNMP agent enabled

So the packets input and output, which type of packets are these?

Are these poll packets or trap packets?

Thanks

mahesh

Correct, it is not sending traps. However SNMP is not limited to traps as a way to pass traffic. The device can be polled for information by the other side. Based on this output it definitely appears that you have some type of host that is polling your network device. I would suspect this is some type of network monitoring device.

John Blakley
VIP Alumni

Mahesh,

The ACL restricts the device from being polled from non-authorized management agents. In your example, access-list 96 hosts are allowed read-only access to this switch (with whatever community is associated to it), and the access-list 99 hosts are allowed both RW (for whatever community) and RO (for whatever community). Anything that's not explicitly listed in the ACL is not allowed to poll this device with SNMP. A host doesn't need to be listed for a polling station to poll it. Another example would be something like Orion. Orion will connect to devices with their specified SNMP community string, but on devices you'd have an ACL only allowing the Orion server to poll it. You don't need a host for that.

HTH,
John

*** Please rate all useful posts ***

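As an added illustration of the two points made above (a community's ACL only controls who may poll, traps need snmp-server host, and the show snmp counters reveal which of the two is happening), here is a small Python checker that is not part of this thread or of Cisco IOS. It parses constructed copies of the show snmp, running-config and show access-lists output quoted above (the community names and the 172.16.0.x hosts are placeholders) and reports whether the agent is being polled, whether it is sending traps, how many requests used an unknown community, and which hosts can actually reach an RW community.

```python
import re
# Constructed samples, modelled on the "sh snmp", running-config and "sh acl" output in this thread
SHOW_SNMP = """\
11321490 SNMP packets input
    28 Unknown community name
    8767194 Get-request PDUs
    2875 Set-request PDUs
    0 Trap PDUs
"""
RUNNING_CONFIG = """\
snmp-server community public RO 96
snmp-server community private RW 99
"""
SHOW_ACL = """\
Standard IP access list 96
    60 permit 172.16.0.10 (7783560 matches)
Standard IP access list 99
    20 permit 172.16.0.206 (4969692 matches)
    60 deny   any log (4 matches)
"""
def snmp_counters(text):
    """Turn each '<count> <counter name>' line of 'show snmp' into a dict entry."""
    return {name: int(n) for n, name in re.findall(r"^\s*(\d+) (.+?)\s*$", text, re.M)}

def traffic_profile(counters):
    """Is the agent being polled (Get/Get-next/Set), written to, or sending traps?"""
    polls = ("Get-request PDUs", "Get-next PDUs", "Set-request PDUs")
    return {"polled": any(counters.get(k, 0) for k in polls),
            "writes": counters.get("Set-request PDUs", 0) > 0,
            "sends_traps": counters.get("Trap PDUs", 0) > 0,
            "bad_community_attempts": counters.get("Unknown community name", 0)}

def community_acls(config):
    """community string -> (RO|RW, acl number) from snmp-server community lines."""
    pat = r"^snmp-server community (\S+) (RO|RW) (\d+)"
    return {c: (mode, acl) for c, mode, acl in re.findall(pat, config, re.M)}

def acl_permits(text):
    """acl number -> permitted hosts; deny entries are skipped, so they never grant access."""
    acls, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"Standard IP access list (\d+)", line):
            cur = m.group(1); acls[cur] = []
        elif cur and (m := re.match(r"\s*\d+ permit (\S+)", line)):
            acls[cur].append(m.group(1))
    return acls

def who_can_write(config, acl_text):
    """Hosts that may issue SNMP Sets: the permits of every ACL bound to an RW community."""
    acls = acl_permits(acl_text)
    return sorted(h for m, a in community_acls(config).values() if m == "RW" for h in acls.get(a, []))
```

A non-zero "Unknown community name" count with zero Trap PDUs, as in the output above, is the signature of a device that is only being polled, and the unknown-community attempts are worth checking against the ACL permits to see which source is guessing.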

Hi John & Gregory,

Thanks for explaining the SNMP polling concept to me.

We do have some Windows and other boxes which send probes to network devices for monitoring purposes.

Regards

Mahesh
