07-24-2013 07:40 AM - edited 03-07-2019 02:33 PM
Is it possible to limit SNMPv3 access on the Nexus platform with an ACL like you can in IOS? It seems the Nexus platform does not support this other than for SNMPv1 or SNMPv2c (with an ACL tied to the community string). I have auth/priv enabled; however, I would like to limit by access list who can poll the switch.
Configuration example.
snmp-server user ro_user network-operator auth md5 readpass priv aes-128 readpass
snmp-server user rw_user network-admin auth md5 rwpass priv aes-128 rwpass
snmp-server globalEnforcePriv
snmp-server host 10.1.1.1 version 3 priv ro_user
Thanks!
Frank
07-26-2013 12:42 AM
Hi Frank,
Currently there is no support for access-list with SNMPv3; however, an enhancement request has been submitted for the N7k:
This feature is targeted for the upcoming Freetown 6.2(2) release.
As a short-term solution you can use the following workarounds:
- Modify and utilize CoPP to restrict SNMP Polling
- Apply an ACL on the MGMT0 interface allowing SNMP polling from restricted hosts.
Kristof
10-12-2017 06:17 PM - edited 10-12-2017 06:20 PM
I'm using a Nexus9K, and according to this document it's now possible to filter SNMPv3 requests via ACL?
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/system_management/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide/sm_9snmp.html#task_D3862190751F4B1A9F5353B015A888A7
I don't have the "snmp-server community name use-ipv4acl" or "snmp-server community name use-ipv6acl" commands on my device, even though the guide is for 6.x and I'm on 7.x, so it should be included. Here's the output from "show version":
Software
BIOS: version 07.34
NXOS: version 7.0(3)I2(4)
BIOS compile time: 08/11/2015
NXOS image file is: bootflash:///nxos.7.0.3.I2.4.bin
NXOS compile time: 9/13/2016 21:00:00 [09/13/2016 21:20:52]
Any ideas?
10-13-2017 12:49 AM
Just checked my 9Ks; I have them running the software below:
Hardware
cisco Nexus9000 93180YC-EX chassis
Software
BIOS: version 07.56
NXOS: version 7.0(3)I5(2)
(config)# snmp-server community mark ?
<CR>
group Group to which the community belongs
ro Read-only access with this community string
rw Read-write access with this community string
use-ipv4acl Specify IPv4 ACL, the ACL name specified after must be IPv4 ACL.
use-ipv6acl Specify IPv6 ACL, the ACL name specified after must be IPv6 ACL.
06-04-2018 01:18 AM
This does not apply to SNMPv3, only v1 & v2c.
An ACL with an SNMPv3 user is not supported:
07-02-2018 08:59 PM
This worked for me:
snmp-server user <Our_User> network-admin auth md5 <Our_PW> priv aes-128 <Our_PW> localizedkey
snmp-server user <Our_User> use-ipv4acl SNMP_Access
!
!
ip access-list SNMP_Access
10 permit ip <Our_NMS_Host>/32 any
This is on an N3K-C36180YC-R.
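The thread shows two ways to confine SNMP on NX-OS: Kristof's interim workaround of an inbound ACL on mgmt0, and the later `snmp-server user <name> use-ipv4acl <acl>` binding that worked on the N3K. Both only help if every SNMPv3 user actually has a binding and the ACL it names exists. The following is an added audit script, not code from the thread or from Cisco: it parses a running-config in the same syntax the posts above use and reports users without an ACL binding, bindings to undefined ACLs, and a mgmt0 with no inbound ACL. The sample config embedded below is constructed for the example (hypothetical host addresses, user and ACL names).

```python
"""Audit an NX-OS running-config for unrestricted SNMPv3 users.

Added example. Assumes the NX-OS syntax shown in the thread:
  snmp-server user <name> use-ipv4acl <acl>   (or use-ipv6acl)
  interface mgmt0 / ip access-group <acl> in
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample running-config: addresses, users and ACL names are
# hypothetical. rw_user has no binding; unbound_user points at an ACL
# that is never defined; ro_user is bound correctly.
SAMPLE_CONFIG = """\
ip access-list SNMP_Access
  10 permit ip 192.0.2.10/32 any
ip access-list MGMT_IN
  10 permit udp 192.0.2.10/32 any eq snmp
  20 permit tcp 192.0.2.0/24 any eq 22
  30 deny ip any any log
snmp-server user ro_user network-operator auth md5 0x1234 priv aes-128 0x1234 localizedkey
snmp-server user ro_user use-ipv4acl SNMP_Access
snmp-server user rw_user network-admin auth md5 0x5678 priv aes-128 0x5678 localizedkey
snmp-server user unbound_user network-admin auth sha 0x9abc priv aes-128 0x9abc localizedkey
snmp-server user unbound_user use-ipv4acl MISSING_ACL
interface mgmt0
  ip address 192.0.2.1/24
  ip access-group MGMT_IN in
"""


@dataclass
class SnmpAudit:
    users: Dict[str, Optional[str]] = field(default_factory=dict)  # user -> bound ACL
    acls: Set[str] = field(default_factory=set)                      # defined ACL names
    mgmt0_in_acl: Optional[str] = None                               # ACL applied inbound on mgmt0


def parse_config(text: str) -> SnmpAudit:
    audit = SnmpAudit()
    in_mgmt0 = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        top_level = not raw.startswith(" ")
        # NX-OS indents the body of an interface or ACL block; any new
        # column-0 statement ends the current block.
        if top_level:
            in_mgmt0 = stripped == "interface mgmt0"
        m = re.match(r"ipv?6? access-list (\S+)$", stripped)
        if m and top_level:
            audit.acls.add(m.group(1))
            continue
        # Binding line must be checked before the generic user line,
        # since both start with "snmp-server user <name>".
        m = re.match(r"snmp-server user (\S+) use-ipv[46]acl (\S+)", stripped)
        if m:
            audit.users[m.group(1)] = m.group(2)
            continue
        m = re.match(r"snmp-server user (\S+) ", stripped)
        if m:
            audit.users.setdefault(m.group(1), None)  # keep an earlier binding if seen
            continue
        m = re.match(r"ip access-group (\S+) in$", stripped)
        if m and in_mgmt0:
            audit.mgmt0_in_acl = m.group(1)
    return audit


def audit_snmp(text: str) -> List[str]:
    """Return a list of findings; an empty list means every user is bound
    to a defined ACL and mgmt0 carries an inbound ACL."""
    a = parse_config(text)
    findings = []
    for user, acl in sorted(a.users.items()):
        if acl is None:
            findings.append(f"{user}: no use-ipv4acl/use-ipv6acl binding")
        elif acl not in a.acls:
            findings.append(f"{user}: bound ACL {acl} is not defined")
    if a.mgmt0_in_acl is None:
        findings.append("mgmt0: no inbound ACL applied")
    elif a.mgmt0_in_acl not in a.acls:
        findings.append(f"mgmt0: inbound ACL {a.mgmt0_in_acl} is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```

On the sample above the script reports `rw_user` (no binding) and `unbound_user` (binding to an ACL that does not exist) and stays silent about mgmt0, which has `MGMT_IN` applied. Feed it the output of `show running-config` from a real box to get the same check against a live configuration; the regexes only recognise the statements shown in this thread, so users restricted by other means (CoPP, for instance) will still be listed.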
06-26-2014 01:06 AM
I can second this for Nexus 5500.