[c-nsp] Cisco Snmp failed-community question
Peter Rathlev
peter at rathlev.dk
Tue Aug 2 12:33:33 EDT 2011
On Tue, 2011-08-02 at 12:07 -0400, Ryan Pavely wrote:
> We are hitting the snmp limit on a few cisco devices. Show Snmp shows
> a large, and increasing, volume of Failed Community requests. Before
> I go and find/limit the valid requests, I want to lock down these
> failed community requests.
>
> I was unable to obtain anything useful from "debug snmp (headers,
> packets, requests, sessions)". I am assuming what I see in "debug
> snmp packets" are only the packets that passed the ACL and security
> filters.
On a 3560G running 12.2(53)SE, it does seem to log packets with a wrong
SNMPv2 community when "debug snmp packets" is active. Something like:

003733: Aug 2 18:28:41.598 CEST: SNMP: Packet received via UDP from 192.0.2.10 on Vlan50

It doesn't specify the community used though. I think you would need a
sniffer to get that. What platform do you use? Some devices (e.g. ISR,
6500/7600) can capture traffic locally.

Otherwise you could try an inbound interface ACL to log the packets,
instead of the SNMP control-plane ACL.
--
Peter
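As Peter notes, "debug snmp packets" output shows the source address and ingress interface of each SNMP request but not the community string, so the most you can do from that output alone is triage by source before reaching for a sniffer or an interface ACL with logging. The following is an added example (not code from the thread or from Cisco) that parses debug lines of the format quoted above, counts requests per source and interface, and flags sources that are not in an assumed allow-list of known pollers. The sample log lines, the addresses in them and the KNOWN_POLLERS set are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of "debug snmp packets" output, modelled on the line
# format quoted in the thread. Addresses and interface names are made up;
# the last line is a non-SNMP log message included to show it is ignored.
SAMPLE_DEBUG = """\
003733: Aug 2 18:28:41.598 CEST: SNMP: Packet received via UDP from 192.0.2.10 on Vlan50
003734: Aug 2 18:28:41.612 CEST: SNMP: Packet received via UDP from 192.0.2.10 on Vlan50
003735: Aug 2 18:28:42.004 CEST: SNMP: Packet received via UDP from 198.51.100.7 on Vlan50
003736: Aug 2 18:28:42.391 CEST: SNMP: Packet received via UDP from 192.0.2.10 on Vlan50
003737: Aug 2 18:28:43.120 CEST: SNMP: Packet received via UDP from 203.0.113.44 on GigabitEthernet0/1
003738: Aug 2 18:28:43.121 CEST: SNMP: Packet received via UDP from 203.0.113.44 on GigabitEthernet0/1
003739: Aug 2 18:28:44.007 CEST: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Assumed allow-list of NMS/poller addresses that are expected to query the
# device. In practice this comes from your own inventory, not from the debug.
KNOWN_POLLERS = {"192.0.2.10"}

# Matches the payload of an IOS "debug snmp packets" receive line; the
# community string is not present in this output, so it cannot be captured here.
PACKET_RE = re.compile(
    r"SNMP: Packet received via UDP from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) on (?P<intf>\S+)"
)


def parse_snmp_debug(text):
    """Yield (source_ip, interface) for each 'Packet received' line, skipping others."""
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            yield m.group("src"), m.group("intf")


def summarize(text, known_pollers=KNOWN_POLLERS):
    """Count SNMP requests per source and per (source, interface), and list
    sources that are not in the known-poller allow-list."""
    per_pair = Counter(parse_snmp_debug(text))
    per_source = Counter()
    for (src, _intf), n in per_pair.items():
        per_source[src] += n
    unknown = sorted(src for src in per_source if src not in known_pollers)
    return {
        "by_source": dict(per_source),
        "by_source_interface": dict(per_pair),
        "unknown_sources": unknown,
    }


def unknown_by_volume(summary):
    """Unknown sources ordered by request count, busiest first: these are the
    candidates to inspect with a sniffer or to match in a logging ACL entry."""
    counts = summary["by_source"]
    return sorted(
        ((src, counts[src]) for src in summary["unknown_sources"]),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_DEBUG)
    print("Requests per source/interface:")
    for (src, intf), n in sorted(s["by_source_interface"].items()):
        print(f"  {src:<16} {intf:<20} {n}")
    print("Unknown sources (busiest first):")
    for src, n in unknown_by_volume(s):
        print(f"  {src:<16} {n}")
```

Feed it the captured debug output (for example via `summarize(open("snmp-debug.txt").read())`) and the unknown-source list tells you which addresses to look at next; it does not tell you which community they used, which is exactly the gap Peter's sniffer and ACL-logging suggestions fill.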