5869
Views
15
Helpful
6
Replies
Beginner

SNMPv3 ACL on Nexus?

Is it possible to limit SNMPv3 access on the Nexus platform with an ACL like you can in IOS?  It seems the Nexus platform does not support this other than for SNMPv1 or SNMPv2c (with an ACL tied to the community string).  I have auth/priv enabled however would like to limit by access list who can poll the switch.

Configuration example.

snmp-server user ro_user network-operator auth md5 readpass priv aes-128 readpass

snmp-server user rw_user network-admin auth md5 rwpass priv aes-128 rwpass

snmp-server globalEnforcePriv

snmp-server host 10.1.1.1 version 3 priv ro_user

Thanks!

Frank

6 REPLIES 6
Cisco Employee

Hi Frank,

Currently there is no support for access-list with snmpv3, however an enhancement request has been submitted for the N7k:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn21553

This feature is targeted for the upcoming Freetown 6.2(2) release.

As a short-term solution you can use the following workarounds:

- Modify and utilize CoPP to restrict SNMP Polling

- Apply an ACL on the MGMT0 interface allowing SNMP polling from restricted hosts.

Kristof



I'm using a Nexus9K, and according to this document it's now possible to filter SNMPv3 requests via ACL?
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/system_management/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide/sm_9snmp.html#task_D3862190751F4B1A9F5353B015A888A7

I don't have the "snmp-server community name use-ipv4acl" or "snmp-server community name use-ipv6acl" commands on my device, even though the guide is for 6.x and I'm on 7.x, so it should be included. Here's the output from "show version":
Software
BIOS: version 07.34
NXOS: version 7.0(3)I2(4)
BIOS compile time: 08/11/2015
NXOS image file is: bootflash:///nxos.7.0.3.I2.4.bin
NXOS compile time: 9/13/2016 21:00:00 [09/13/2016 21:20:52]


Any ideas?


Just checked my 9Ks, I have them running the software below:


Hardware
  cisco Nexus9000 93180YC-EX chassis

Software
  BIOS: version 07.56
  NXOS: version 7.0(3)I5(2)


(config)# snmp-server community mark ?
  <CR>
  group        Group to which the community belongs
  ro           Read-only access with this community string
  rw           Read-write access with this community string
  use-ipv4acl  Specify IPv4 ACL, the ACL name specified after must be IPv4 ACL.
  use-ipv6acl  Specify IPv6 ACL, the ACL name specified after must be IPv6 ACL.


This worked for me:


snmp-server user <Our_User> network-admin auth md5 <Our_PW> priv aes-128 <Our_PW> localizedkey
snmp-server user <Our_User> use-ipv4acl SNMP_Access
!
!
ip access-list SNMP_Access
10 permit ip <Our_NMS_Host>/32 any


This is on an N3K-C36180YC-R.
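As an added example (not from this thread or from Cisco), here is a small Python audit that reads an NX-OS running-config and reports SNMPv3 users that are not bound to an IPv4 ACL, that reference an ACL which is never defined, or whose ACL permits a source wider than a single host. The sample config is constructed for the example; it assumes the `snmp-server user <name> use-ipv4acl <acl>` form and the `ip access-list` block layout shown in the reply above, and it does not evaluate `use-ipv6acl` or the `deny` entries of the ACL.

```python
from typing import Dict, List, Optional
# Constructed sample config (not a real device): one host-bound user, one unrestricted, one typo'd ACL name.
SAMPLE_CONFIG = """\
snmp-server user nms_user network-admin auth md5 0xDEADBEEF priv aes-128 0xDEADBEEF localizedkey
snmp-server user nms_user use-ipv4acl SNMP_Access
snmp-server user legacy_user network-operator auth md5 0xCAFE priv aes-128 0xCAFE localizedkey
snmp-server user typo_user network-operator auth md5 0xBEEF priv aes-128 0xBEEF localizedkey
snmp-server user typo_user use-ipv4acl SNMP_Acess
ip access-list SNMP_Access
  10 permit ip 192.0.2.10/32 any
  20 permit ip 192.0.2.0/24 any
"""

def parse_acls(config: str) -> Dict[str, List[str]]:
    """Map each 'ip access-list NAME' block to its indented entry lines."""
    acls, current = {}, None
    for line in config.splitlines():
        if line.startswith("ip access-list "):
            current = line.split()[2]
            acls[current] = []
        elif line.startswith(" ") and current is not None:
            acls[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return acls

def audit_snmpv3_acls(config: str) -> Dict[str, List[str]]:
    """Return {snmpv3_user: [problems]}; empty list = bound to a host-only ACL."""
    acls = parse_acls(config)
    bound: Dict[str, Optional[str]] = {}
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["snmp-server", "user"]:
            continue
        bound.setdefault(tokens[2], None)
        if "use-ipv4acl" in tokens:  # keyword placement as shown in the thread
            bound[tokens[2]] = tokens[tokens.index("use-ipv4acl") + 1]
    report: Dict[str, List[str]] = {}
    for user, acl in bound.items():
        problems = report.setdefault(user, [])
        if acl is None:
            problems.append("no use-ipv4acl: any source may poll this user")
        elif acl not in acls:
            problems.append(f"ACL {acl} is referenced but never defined")
        else:
            for entry in acls[acl]:
                seq, action, _proto, src = entry.split()[:4]
                if action == "permit" and src != "host" and not src.endswith("/32"):
                    problems.append(f"entry {seq} permits broad source {src}")
    return report
```

Feed it the output of `show running-config` saved to a file; a user with an empty problem list is the configuration the thread arrives at (a /32 NMS host permitted, everything else denied by the implicit deny).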

Beginner

I can second this for Nexus 5500.
