[c-nsp] Cisco Snmp failed-community question
Ryan Pavely
paradox at nac.net
Tue Aug 2 12:07:50 EDT 2011
We are hitting the SNMP limit on a few Cisco devices. Show Snmp shows a
large, and increasing, volume of Failed Community requests. Before I go
and find/limit the valid requests, I want to lock down these failed
community requests.
I was unable to obtain anything useful from "debug snmp (headers,
packets, requests, sessions)". I am assuming what I see in "debug snmp
packets" are only the packets that passed the ACL and security filters.
Any suggestions how we can trap/trace these?
> %SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full
> #show snmp
> 21662 Unknown community name
We have an access-list applied to SNMP:
> snmp-server engineID local 80000009030000D0032BAC00
> snmp-server community {community} RO 69
> snmp-server community {community} RW 70
> snmp-server ifindex persist
> snmp-server trap-source Loopback0
> access-list 69 permit {ip address}
> access-list 69 permit {ip address}
> access-list 69 permit {ip address}
> access-list 69 deny any log
--
Ryan Pavely
Director Research And Development
Net Access Corporation
http://www.nac.net/
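
Added example, not part of the original post: one way to attribute the failing requests is to capture UDP/161 traffic off the device and decode the community field of each SNMPv1/v2c packet per source address. The off-box capture, the function names, the sample addresses and the community values are all assumptions constructed for illustration.

```python
from collections import Counter

def _read_tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of packet")
    return tag, buf[pos:pos + length], pos + length

def snmp_community(payload):
    """Return (version, community) from an SNMPv1/v2c UDP payload."""
    tag, body, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02 or ver not in (b"\x00", b"\x01"):  # 0 = v1, 1 = v2c
        raise ValueError("not a community-based SNMP version")
    tag, comm, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    return ver[0], comm

def tally_unknown(packets, valid):
    """Count (source, reason) for packets that would not match `valid`."""
    bad = Counter()
    for src, payload in packets:
        try:
            reason = None if snmp_community(payload)[1] in valid else "unknown-community"
        except ValueError:
            reason = "malformed"
        if reason:
            bad[(src, reason)] += 1
    return bad

def sample_packet(version, community):  # constructed GetRequest, empty varbinds
    pdu = bytes.fromhex("a00b0201010201000201003000")
    body = bytes([0x02, 0x01, version, 0x04, len(community)]) + community + pdu
    return bytes([0x30, len(body)]) + body

SAMPLES = [  # constructed (source IP, UDP payload) pairs, not real traffic
    ("192.0.2.10", sample_packet(1, b"example-ro")), ("198.51.100.7", sample_packet(1, b"guess-a")),
    ("198.51.100.7", sample_packet(0, b"guess-b")), ("203.0.113.5", b"\x30\x05junk"),
]
```

Calling tally_unknown(SAMPLES, {b"example-ro"}) gives a per-source count that can be turned into ACL or upstream filter entries.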