SNMPv3 ACL on Nexus?

frankemisak
Level 1

Is it possible to limite SNMPv3 access on the Nexus platform with an ACL like you can in IOS?  It seems the Nexus platform does not support this other than for SNMPv1 or SNMPv2c (with an ACL tied to the community string).  I have auth/priv enabled however would like to limit by access list who can poll the switch.

Configuration example.

snmp-server user ro_user network-operator auth md5 readpass priv aes-128 readpass
snmp-server user rw_user network-admin auth md5 rwpass priv aes-128 rwpass
snmp-server globalEnforcePriv
snmp-server host 10.1.1.1 version 3 priv ro_user

Thanks!

Frank

6 Replies

kdebrouw
Cisco Employee

Hi Frank,

Currently there is no support for access-list with SNMPv3, however an enhancement request has been submitted for the N7k:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn21553

This feature is targeted for the upcoming Freetown 6.2(2) release.

As a short-term solution you can use the following workarounds:

- Modify and utilize CoPP to restrict SNMP Polling

- Apply an ACL on the MGMT0 interface allowing SNMP polling from restricted hosts.

Kristof


I'm using a Nexus9K, and according to this document it's now possible to filter SNMPv3 requests via ACL?
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/system_management/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide/sm_9snmp.html#task_D3862190751F4B1A9F5353B015A888A7

I don't have the "snmp-server community name use-ipv4acl" or "snmp-server community name use-ipv6acl" commands on my device, even though the guide is for 6.x and I'm on 7.x, so it should be included. Here's the output from "show version":
Software
BIOS: version 07.34
NXOS: version 7.0(3)I2(4)
BIOS compile time: 08/11/2015
NXOS image file is: bootflash:///nxos.7.0.3.I2.4.bin
NXOS compile time: 9/13/2016 21:00:00 [09/13/2016 21:20:52]
Any ideas?

Just checked my 9Ks, I have them running the software below:

Hardware
  cisco Nexus9000 93180YC-EX chassis

Software
  BIOS: version 07.56
  NXOS: version 7.0(3)I5(2)

(config)# snmp-server community mark ?
  <CR>
  group        Group to which the community belongs
  ro           Read-only access with this community string
  rw           Read-write access with this community string
  use-ipv4acl  Specify IPv4 ACL, the ACL name specified after must be IPv4 ACL.
  use-ipv6acl  Specify IPv6 ACL, the ACL name specified after must be IPv6 ACL.

This worked for me:

snmp-server user <Our_User> network-admin auth md5 <Our_PW> priv aes-128 <Our_PW> localizedkey
snmp-server user <Our_User> use-ipv4acl SNMP_Access
!
!
ip access-list SNMP_Access
10 permit ip <Our_NMS_Host>/32 any

This is on an N3K-C36180YC-R.
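An added configuration audit, not code from the thread or from Cisco, that checks the pattern in the reply above on a saved NX-OS running-config: every `snmp-server user` should carry a `use-ipv4acl` binding, and the ACL it names should actually be defined. The sample config, user names and ACL names are constructed for the example.

```python
"""Audit an NX-OS running-config for SNMPv3 users without an IPv4 ACL binding."""
import re

# Constructed sample config (hypothetical names): one user correctly bound to a
# defined ACL, one user with no ACL binding at all, and one user bound to an
# ACL name that is never defined.
SAMPLE_CONFIG = """\
snmp-server user nms_ro network-operator auth sha nmspass priv aes-128 nmspass localizedkey
snmp-server user nms_ro use-ipv4acl SNMP_Access
snmp-server user backup_rw network-admin auth sha rwpass priv aes-128 rwpass localizedkey
snmp-server user legacy_ro network-operator auth md5 oldpass priv aes-128 oldpass
snmp-server user legacy_ro use-ipv4acl SNMP_Missing
snmp-server globalEnforcePriv
!
ip access-list SNMP_Access
  10 permit ip 10.1.1.1/32 any
  20 deny ip any any
"""

# 'snmp-server user NAME use-ipv4acl ACL' (or use-ipv6acl) binds a user to an ACL.
ACL_BIND_RE = re.compile(r"^snmp-server user (\S+) use-(ipv4|ipv6)acl (\S+)")
# Any other 'snmp-server user NAME ...' line declares the user itself.
USER_RE = re.compile(r"^snmp-server user (\S+)")
# 'ip access-list NAME' / 'ipv6 access-list NAME' opens an ACL definition.
ACL_DEF_RE = re.compile(r"^ip(v6)? access-list (\S+)")


def audit_snmp_acls(config: str) -> dict:
    """Return users with no ACL binding and ACLs referenced but never defined."""
    users, bindings, acls = set(), {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_BIND_RE.match(line):
            bindings.setdefault(m.group(1), []).append(m.group(3))
        elif m := USER_RE.match(line):
            users.add(m.group(1))
        elif m := ACL_DEF_RE.match(line):
            acls.add(m.group(2))
    unrestricted = sorted(u for u in users if u not in bindings)
    undefined = sorted({a for names in bindings.values() for a in names if a not in acls})
    return {"unrestricted_users": unrestricted, "undefined_acls": undefined}


if __name__ == "__main__":
    # Expected: backup_rw has no ACL, SNMP_Missing is referenced but not defined.
    print(audit_snmp_acls(SAMPLE_CONFIG))
```

Feed it the output of `show running-config` and treat either list being non-empty as a finding: an unbound user can be polled from any source that reaches the management interface, and a dangling ACL name is a binding that restricts nothing.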

Mathias Rufer
Level 1

I can second this for Nexus 5500.
