[c-nsp] Cisco Snmp failed-community question

Peter Rathlev peter at rathlev.dk
Tue Aug 2 16:03:50 EDT 2011


On Tue, 2011-08-02 at 14:36 -0400, Ryan Pavely wrote:
> Looking at my 15min the only ips/vlans that are sending packets are my
> two 'expected' hosts.  Neither would be sending an invalid community.
> We were going to run 'debug snmp packets' for a longer period of time
> to get a good snapshot of data.

If you only see your "trusted" hosts, it could be that they're sending
something with a wrong community. This could be an invalid context when
searching e.g. BRIDGE-MIB. (I.e.: To search VLAN 2 you would use
"SomeCommunity@2" as the community; you can see all valid communities
and contexts with "show snmp community".)

> Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), 
> Version 12.2(33)SXI, RELEASE SOFTWARE (fc2)

Then you have a sniffer already. :-) Try a configuration like this:

ip access-list extended Capture-ACL
 deny   ip host 10.0.0.1 any
 deny   ip host 10.0.0.2 any
 permit udp any any eq snmp
!
monitor session 1 type capture
 filter access-group Capture-ACL
 source interface Gi2/40 rx
!

The two hosts in the ACL would be your normal management stations, which
you might not care about. You need to know the inbound interface, but
you can specify more than one.

With the above configuration you can start the capture from exec mode
with e.g. "monitor capture start for 100 packets" and get a dump of the
packets with "show monitor capture buffer dump".

-- 
Peter
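An added Python example, not part of this thread or of anything from Cisco: once you have the captured packets, decode the source address and community string of each SNMPv1/v2c request and check it against the communities and VLAN contexts you expect (the ones "show snmp community" lists), so a "community@context" with a typo or an unknown VLAN stands out. The packet builder and the 10.0.0.x addresses are constructed test input.

```python
import struct
from ipaddress import ip_address

def ber_tlv(buf, off=0):
    """Decode one BER TLV at buf[off:]; returns (tag, value, offset after it)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def snmp_community(ip_packet):
    """Return (src_ip, snmp_version, community) from a raw IPv4/UDP SNMPv1/v2c packet."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if ip_packet[9] != 17:
        raise ValueError("not UDP")
    src = str(ip_address(ip_packet[12:16]))
    udp = ip_packet[ihl:]
    if struct.unpack("!H", udp[2:4])[0] != 161:
        raise ValueError("not SNMP (udp/161)")
    tag, msg, _ = ber_tlv(udp[8:])          # outer SEQUENCE { version, community, pdu }
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, off = ber_tlv(msg)              # INTEGER version (0 = v1, 1 = v2c)
    _, comm, _ = ber_tlv(msg, off)          # OCTET STRING community
    return src, int.from_bytes(ver, "big"), comm.decode("ascii", "replace")

def classify(community, known_communities, known_vlans):
    """Split 'community@context' the way IOS does and say why it would be rejected."""
    base, _, ctx = community.partition("@")
    if base not in known_communities:
        return "unknown community"
    if ctx and ctx not in known_vlans:
        return "unknown vlan context"
    return "ok"

def build_sample(src, community, version=1):
    """Constructed test input: a minimal GetRequest in IPv4/UDP (checksums left zero)."""
    assert len(community) < 128             # keep short-form BER lengths
    pdu = bytes.fromhex("a00b020101020100020100" "3000")   # GetRequest, empty varbind list
    body = bytes([2, 1, version, 4, len(community)]) + community.encode() + pdu
    snmp = bytes([0x30, len(body)]) + body
    udp = struct.pack("!HHHH", 50000, 161, 8 + len(snmp), 0) + snmp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_address(src).packed, ip_address("10.0.0.254").packed)
    return ip + udp

if __name__ == "__main__":
    src, ver, comm = snmp_community(build_sample("10.0.0.1", "SomeCommunity@99"))
    print(src, ver, comm, classify(comm, {"SomeCommunity"}, {"1", "2"}))
```

Feed it the packets from the capture buffer instead of build_sample() and the output tells you which host used which community and why the box rejected it.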
