Cisco Support Community
New Member

SNMP v1/2 rw command

I have some 3524XL switches that don't support SNMPv3. I want to include snmp v1/2 RW for Ciscoworks but it is failing. Commands look OK as does the output for show snmp users/groups. My command is below:

access-list 5 permit <csworks IP>

snmp-server community <name> rw 5

I double-checked community name but "Management station to Device" test fails every time. This is all I need according to Configuring SNMP Support document. What am I missing?

1 ACCEPTED SOLUTION
Red

Re: SNMP v1/2 rw command

Try this on the switch in a telnet session:

- term mon

- debug snmp packet

Do you see the ip address that you have listed in the access-list?

11 REPLIES
New Member

Re: SNMP v1/2 rw command

It has something to do with the access-list. It works without it but I want some additional security.

Red

Re: SNMP v1/2 rw command

Are you doing any Network Address Translation?

New Member

Re: SNMP v1/2 rw command

Nope. Also, the access-list works on all the 3550s with SNMPv3.

I did do a packet capture. It's attached. How do you read those files?

Red

Re: SNMP v1/2 rw command

You may use Ethereal to open up the files:

http://www.ethereal.com/download.html

I see two different community strings that are attempted here, one that starts with SB and one that starts with R3.

Which one is configured on the device?

New Member

Re: SNMP v1/2 rw command

The SB string is for RO access. The R3 is RW access. Both are configured on the device as shown:

ACCESS LIST

access-list 5 permit 192.168.168.xxx

SNMP

snmp-server engineID local 0000000902000009432XXXX

snmp-server community ******** RO

snmp-server community ******** RW 5

Red

Re: SNMP v1/2 rw command

What does show access-list 5 return?

New Member

Re: SNMP v1/2 rw command

CSSINTSW2#sho access-list

Standard IP access list 5

permit 192.168.168.XX

Do I need to do an extended list indicating UDP and eq snmp?

Red

Re: SNMP v1/2 rw command

I was hoping it would show if it denied anything.

New Member

Re: SNMP v1/2 rw command

I checked the packet. The only thing I can see is that the header checksum is not correct. Will this cause it to fail?

Internet Protocol, Src: 192.168.168.91 (192.168.168.91), Dst: 192.168.252.190 (192.168.252.190)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 72
    Identification: 0xd569 (54633)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x0000 [incorrect, should be 0x3ed0]
    Source: 192.168.168.91 (192.168.168.91)
    Destination: 192.168.252.190 (192.168.252.190)
User Datagram Protocol, Src Port: 3864 (3864), Dst Port: snmp (161)
    Source port: 3864 (3864)
    Destination port: snmp (161)
    Length: 52
    Checksum: 0x215f [correct]
Simple Network Management Protocol
    Version: 1 (0)
    Community: R3str1cted
    PDU type: GET (0)
    Request Id: 0x00000002
    Error Status: NO ERROR (0)
    Error Index: 0
    Object identifier 1: 1.3.6.1.2.1.1.4.0 (SNMPv2-MIB::sysContact.0)
    Value: NULL

New Member

Re: SNMP v1/2 rw command

Thank you Nadin...and my apologies. You were right about the NAT issue. Unfortunately, I didn't dig deep enough on that.
