SNMP v1/2 rw command

olsonc0510

I have some 3524XL switches that don't support SNMPv3. I want to include snmp v1/2 RW for Ciscoworks but it is failing. Commands look OK as does the output for show snmp users/groups. My command is below:

access-list 5 permit <csworks IP>

snmp-server community <name> rw 5

I double-checked the community name, but the "Management station to Device" test fails every time. This is all I need according to the Configuring SNMP Support document. What am I missing?

1 Accepted Solution


Try this on the switch in a telnet session:

- term mon

- debug snmp packet

Do you see the ip address that you have listed in the access-list?


11 Replies

olsonc0510

It has something to do with the access-list. It works without it but I want some additional security.

Are you doing any Network Address Translation?

Nope. Also, the access-list works on all the 3550's with SNMPv3.

I did do a packet capture. It's attached. How do you read those files?

You may use Ethereal to open up the files:

http://www.ethereal.com/download.html

I see two different community strings that are attempted here, one that starts with SB and one that starts with R3.

Which one is configured on the device?

The SB string is for RO access. The R3 is RW access. Both are configured on the device as shown:

ACCESS LIST

access-list 5 permit 192.168.168.xxx

SNMP

snmp-server engineID local 0000000902000009432XXXX

snmp-server community ******** RO

snmp-server community ******** RW 5

What does show access-list 5 return?

CSSINTSW2#sho access-list

Standard IP access list 5

permit 192.168.168.XX

Do I need to do an extended list indicating UDP and eq snmp?

I was hoping it would show if it denied anything.

I checked the packet. The only thing I can see is that the header checksum is not correct. Will this cause it to fail?

Internet Protocol, Src: 192.168.168.91 (192.168.168.91), Dst: 192.168.252.190 (192.168.252.190)

Version: 4

Header length: 20 bytes

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

Total Length: 72

Identification: 0xd569 (54633)

Flags: 0x00

Fragment offset: 0

Time to live: 128

Protocol: UDP (0x11)

Header checksum: 0x0000 [incorrect, should be 0x3ed0]

Source: 192.168.168.91 (192.168.168.91)

Destination: 192.168.252.190 (192.168.252.190)

User Datagram Protocol, Src Port: 3864 (3864), Dst Port: snmp (161)

Source port: 3864 (3864)

Destination port: snmp (161)

Length: 52

Checksum: 0x215f [correct]

Simple Network Management Protocol

Version: 1 (0)

Community: R3str1cted

PDU type: GET (0)

Request Id: 0x00000002

Error Status: NO ERROR (0)

Error Index: 0

Object identifier 1: 1.3.6.1.2.1.1.4.0 (SNMPv2-MIB::sysContact.0)

Value: NULL

Try this on the switch in a telnet session:

- term mon

- debug snmp packet

Do you see the ip address that you have listed in the access-list?

Thank you Nadin...and my apologies. You were right about the NAT issue. Unfortunately, I didn't dig deep enough on that.
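The check the thread ends on, as an added example that is not part of any poster's reply: evaluate the standard ACL bound to the RW community against the source address the switch actually reports, which under NAT differs from the management station's own address. The addresses, the community name and the `debug snmp packet` line format below are constructed assumptions, not values from the thread.

```python
import ipaddress
import re

def parse_standard_acl(config, number):
    """Return [(action, address_int, wildcard_int)] for one numbered standard ACL."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        action, rest = tok[2], tok[3:]
        if rest[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            addr, wild = rest[1], "0.0.0.0"
        else:  # "A.B.C.D [wildcard]"; no wildcard means a single host
            addr = rest[0]
            wild = rest[1] if len(rest) > 1 and rest[1] != "log" else "0.0.0.0"
        entries.append((action, int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild))))
    return entries

def acl_action(entries, source):
    """First match wins; a source that matches no entry hits the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (src & care) == (addr & care):
            return action
    return "deny"

def sources_in_debug(debug_text):
    """Source addresses from 'debug snmp packet' output (line format assumed)."""
    return re.findall(r"SNMP: Packet received via UDP from (\d+\.\d+\.\d+\.\d+)", debug_text)

# Constructed sample using documentation address ranges.
CONFIG = "access-list 5 permit 192.0.2.10\nsnmp-server community EXAMPLE-RW RW 5"
DEBUG = "SNMP: Packet received via UDP from 198.51.100.7 on VLAN1"
CONFIGURED_STATION = "192.0.2.10"  # address the admin put in the ACL

def report():
    acl = parse_standard_acl(CONFIG, 5)
    seen = [CONFIGURED_STATION] + sources_in_debug(DEBUG)
    return {src: acl_action(acl, src) for src in seen}

if __name__ == "__main__":
    for src, action in report().items():
        print(src, action)
```

A `deny` for the address in the debug output alongside a `permit` for the configured station address means the ACL is matching on a translated source, so the entry has to name the address the switch sees.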
