[c-nsp] Cisco Snmp failed-community question
Andriy Bilous
andriy.bilous at gmail.com
Tue Aug 2 14:07:01 EDT 2011
Funnily enough there is an authenticationFailure trap which contains
the address of misbehaving poller (no varbind with community though).
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800a9405.shtml
On Tue, Aug 2, 2011 at 6:07 PM, Ryan Pavely <paradox at nac.net> wrote:
> We are hitting the snmp limit on a few cisco devices. Show Snmp shows a
> large, and increasing, volume of Failed Community requests. Before I go and
> find/limit the valid requests, I want to lock down these failed community
> requests.
>
> I was unable to obtain anything useful from "debug snmp (headers, packets,
> requests, sessions)". I am assuming what I see in "debug snmp packets" are
> only the packets that passed the ACL and security filters.
>
> Any suggestions how we can trap/trace these?
>
>> %SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full
>
>> #show snmp
>> 21662 Unknown community name
>
> We have an access-list applied to snmp..
>
>> snmp-server engineID local 80000009030000D0032BAC00
>> snmp-server community {community} RO 69
>> snmp-server community {community} RW 70
>> snmp-server ifindex persist
>> snmp-server trap-source Loopback0
>> access-list 69 permit {ip address}
>> access-list 69 permit {ip address}
>> access-list 69 permit {ip address}
>> access-list 69 deny any log
>
> --
>
> Ryan Pavely
> Director Research And Development
> Net Access Corporation
> http://www.nac.net/
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
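Andriy's pointer to the authenticationFailure trap is the practical hook here, so as an added example (not code from this thread or from Cisco) here is a small SNMPv1 trap decoder that shows where the poller's address actually lives: the Trap-PDU's agent-addr field is the router that sent the trap, and the rejected poller's IP arrives only as a varbind. The sample traps are constructed in-process; the varbind OID 1.3.6.1.4.1.9.2.1.5.0 (taken to be OLD-CISCO-SYS-MIB authAddr) and the addresses 10.0.0.1 and 192.0.2.77 are assumptions, not values from the thread.

```python
# Added example (not from the thread, not Cisco code): decode an SNMPv1 trap
# (BER, RFC 1157) and pull out the addresses an authenticationFailure trap
# carries. Samples are constructed; OID 1.3.6.1.4.1.9.2.1.5.0 is ASSUMED to be
# the OLD-CISCO-SYS-MIB authAddr varbind (the failing poller's address).
INTEGER, OCTET_STRING, OID, SEQUENCE = 0x02, 0x04, 0x06, 0x30      # BER tags
IPADDRESS, TIMETICKS, TRAP_PDU = 0x40, 0x43, 0xA4
GENERIC_TRAPS = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
                 4: "authenticationFailure", 5: "egpNeighborLoss", 6: "enterpriseSpecific"}
AUTH_ADDR_OID = "1.3.6.1.4.1.9.2.1.5.0"                       # assumption, see above

# --- minimal BER encoder, used only to build the constructed samples --------
def tlv(tag: int, body: bytes) -> bytes:       # short-form length only (< 128 bytes)
    return bytes([tag, len(body)]) + body

def enc_int(tag: int, value: int) -> bytes:    # minimal two's-complement encoding
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def enc_oid(dotted: str) -> bytes:             # base-128 sub-identifiers, MSB first
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))

def enc_ip(addr: str) -> bytes:
    return tlv(IPADDRESS, bytes(int(o) for o in addr.split(".")))

def make_trap(generic_trap: int, poller: str = None) -> bytes:
    """SNMPv1 trap from router 10.0.0.1; `poller` adds the Cisco-style authAddr
    varbind naming the host whose community string was rejected."""
    vbl = b"" if poller is None else tlv(SEQUENCE, enc_oid(AUTH_ADDR_OID) + enc_ip(poller))
    pdu = (enc_oid("1.3.6.1.4.1.9") + enc_ip("10.0.0.1")           # enterprise, agent-addr
           + enc_int(INTEGER, generic_trap) + enc_int(INTEGER, 0)  # generic-, specific-trap
           + enc_int(TIMETICKS, 300) + tlv(SEQUENCE, vbl))         # time-stamp, varbinds
    return tlv(SEQUENCE, enc_int(INTEGER, 0) + tlv(OCTET_STRING, b"public")  # version 0 = v1
               + tlv(TRAP_PDU, pdu))

SAMPLE_TRAP = make_trap(4, "192.0.2.77")      # constructed authenticationFailure trap

# --- decoder ----------------------------------------------------------------
def read_tlv(buf: bytes, pos: int):            # -> (tag, body, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def walk(body: bytes):                         # (tag, body) of each child element
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

def dec_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def dec_value(tag: int, body: bytes):
    if tag in (INTEGER, TIMETICKS):
        return int.from_bytes(body, "big", signed=(tag == INTEGER))
    if tag == IPADDRESS:
        return ".".join(map(str, body))
    return dec_oid(body) if tag == OID else body   # OCTET STRING and unknown tags

def decode_trap(msg: bytes) -> dict:
    tag, body, _ = read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    (_, ver), (_, comm), (ptag, pdu) = list(walk(body))
    if dec_value(INTEGER, ver) != 0 or ptag != TRAP_PDU:
        raise ValueError("not an SNMPv1 Trap-PDU")
    ent, agent, gen, spec, ticks, vbl = [b for _, b in walk(pdu)]
    varbinds = []
    for _, vb in walk(vbl):                    # each VarBind is SEQUENCE {OID, value}
        (_, oid), (vtag, val) = list(walk(vb))
        varbinds.append((dec_oid(oid), vtag, dec_value(vtag, val)))
    generic = dec_value(INTEGER, gen)
    return {"community": comm.decode("ascii", "replace"), "enterprise": dec_oid(ent),
            "agent_addr": dec_value(IPADDRESS, agent), "generic_trap": generic,
            "generic_name": GENERIC_TRAPS.get(generic, "unknown"),
            "specific_trap": dec_value(INTEGER, spec),
            "uptime": dec_value(TIMETICKS, ticks), "varbinds": varbinds}

def failed_poller_addresses(msg: bytes) -> list:
    """IpAddress varbinds of an authenticationFailure trap (agent-addr is the sender, not the poller)."""
    t = decode_trap(msg)
    return [v for _, vt, v in t["varbinds"] if vt == IPADDRESS] if t["generic_trap"] == 4 else []

if __name__ == "__main__":
    t = decode_trap(SAMPLE_TRAP)
    print(t["generic_name"], "from", t["agent_addr"], "- pollers:", failed_poller_addresses(SAMPLE_TRAP))
```

Feed `decode_trap` the UDP payload of any SNMPv1 trap (port 162) and `failed_poller_addresses` returns the IpAddress varbinds only when generic-trap is 4, so linkUp and other traps produce an empty list rather than a false hit. As Andriy notes, the community string the poller tried is not in the trap, only its address, which is exactly what is needed to extend the access-list or find the misconfigured poller.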