ACL to allow SNMP traffic

HMidkiff
Level 1

I created an ACL to allow SNMP traffic through.  Once I applied it traffic does not pass.  Should be pretty simple.  Below is what I used.  I am using SNMP v2.

ip access-list extended ABC-ACL
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
permit icmp X.X.0.0 0.0.255.255 host SERVER_IP

Additional permit statements omitted.


Jon Marshall
Hall of Fame

HMidkiff wrote:

I created an ACL to allow SNMP traffic through.  Once I applied it traffic does not pass.  Should be pretty simple.  Below is what I used.  I am using SNMP v2.

ip access-list extended ABC-ACL
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
permit icmp X.X.0.0 0.0.255.255 host SERVER_IP

Additional permit statements omitted.

Where is it applied: to a L3 switch vlan interface or a router interface, and in which direction, etc.?

Is the SNMP traffic from a specific device? You could add a permit log for that specific device to see what ports it is using.

Also, where is the SNMP coming from in your acl? If it is the x.x.0.0 network the acl should be -

permit udp x.x.0.0 0.0.255.255 eq snmp host SERVER_IP eq snmp

etc..

Jon

Thanks for replying. The ACL is applied on a router gig interface inbound. If I remove the ACL snmp works fine.

Where is the snmp coming from, i.e. from the x.x.0.0 network or from the server?

Jon

Thanks again. The traffic is coming from nodes on the X.X.0.0 network which of course is the source.

HMidkiff wrote:

Thanks again. The traffic is coming from nodes on the X.X.0.0 network which of course is the source.

So the server is the SNMP manager? In which case, can you change your acl from -

ip access-list extended ABC-ACL
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap

to

ip access-list extended ABC-ACL
permit udp X.X.0.0 0.0.255.255 eq snmp host SERVER_IP
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap

SNMP traps are sent to the server on port 162, so that line is correct. But the snmp line was wrong, because the SNMP request is sent from the manager to destination port 161 on the x.x.0.0 device. Note that the source port is a random port.

When the device responds it sends the snmp response back to the server. The destination port is the random port and the source port is 161, so your original acl was wrong.

Give it a try and let me know.

Jon
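To see why the original ACL drops the SNMP replies while the corrected one passes them, here is a small IOS-style ACE evaluator, added as an illustration and not part of Jon's or Cisco's code. It assumes a constructed server address 10.0.0.5 and a constructed monitored network 172.16.0.0/16 in place of SERVER_IP and X.X.0.0, and evaluates the packets that arrive inbound on the router interface facing that network.

```python
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"snmp": 161, "snmptrap": 162}  # IOS keywords used in the thread


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr_match(t, i, ip):
    """Consume one IOS address spec (host X | any | net wildcard) at t[i]."""
    if t[i] == "host":
        return ip == t[i + 1], i + 2
    if t[i] == "any":
        return True, i + 1
    net, wild = int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1]))
    # Wildcard mask: a 1 bit means "don't care", so compare only the 0 bits.
    return (int(ipaddress.ip_address(ip)) & ~wild) == (net & ~wild), i + 2


def _port_match(t, i, port):
    """Consume an optional 'eq <port>' at t[i]; no qualifier matches any port."""
    if i < len(t) and t[i] == "eq":
        want = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
        return port == want, i + 2
    return True, i


def ace_matches(ace: str, pkt: Packet) -> bool:
    """'permit <proto> <src> [eq p] <dst> [eq p]': the first 'eq' binds to the source."""
    t = ace.split()
    if t[1] != pkt.proto:
        return False
    ok_s, i = _addr_match(t, 2, pkt.src)
    ok_sp, i = _port_match(t, i, pkt.sport)
    ok_d, i = _addr_match(t, i, pkt.dst)
    ok_dp, i = _port_match(t, i, pkt.dport)
    return ok_s and ok_sp and ok_d and ok_dp


def acl_permits(acl: list, pkt: Packet) -> bool:
    """First matching entry wins; an implicit deny sits at the end, as on IOS."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.split()[0] == "permit"
    return False


# Constructed stand-ins for SERVER_IP and the X.X.0.0/16 monitored network.
ORIGINAL_ACL = ["permit udp 172.16.0.0 0.0.255.255 host 10.0.0.5 eq snmp",
                "permit udp 172.16.0.0 0.0.255.255 host 10.0.0.5 eq snmptrap"]
FIXED_ACL = ["permit udp 172.16.0.0 0.0.255.255 eq snmp host 10.0.0.5",
             "permit udp 172.16.0.0 0.0.255.255 host 10.0.0.5 eq snmptrap"]
# Packets seen inbound on the interface facing 172.16.0.0/16 (constructed):
RESPONSE = Packet("udp", "172.16.4.20", 161, "10.0.0.5", 51234)  # agent reply, sport 161
TRAP = Packet("udp", "172.16.4.20", 49152, "10.0.0.5", 162)      # trap to manager, dport 162
```

Running `acl_permits` on the two packets shows the original ACL permitting only the trap (the reply's destination port is the manager's random port, not 161), while the corrected ACL permits both.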

Thanks for replying. That fixed it! Thanks so much.

tf4string
Level 1

Hello,

I understand this is a very old post, but I was hoping someone could advise on the same issue I am having. I run an snmp tester on my server and it cannot reach my switch, although they can both ping each other. There is NO router separating the devices, just a L3 core switch which has ACLs on it. I do not work with ACLs at all, so I am scared to put in commands that could interfere with an active network. Here is what I want to do:

Server 10.3.76.46/22 needs to get snmptraps from the 10.11.10.0/24 network.

Server is on vlan100 and we have a management vlan10 which carries IP info for my switches.

And this is what I am being told by a corporate office representative regarding SNMP:

snmp-server community [community name] RO [Access List allowing IP of server]
snmp-server host [Monitoring server IP] version 2c [community name]
snmp-server trap-source [your network management VLAN #]

Any help would be greatly appreciated. 

Thanks,

Tim
