1

I have an N3K-C3064PQ-10GX and here is my SNMP configuration:

Community    Group / Access      context    acl_filter
_________    ______________      _______    __________
X            network-operator               ACL mapped: switch-input


IP access list switch-input
        10 permit ip 172.17.x.x/29 any
        20 deny ip any any

but when I tried to check open ports with nmap it shows SNMP is open from everywhere. What's wrong? Thank you.

2
  • 1
    I'm confused by how you would "check open ports with nmap". SNMP is essentially always UDP. Nmap would have no ability to detect whether the switch is listening on UDP/161, since the switch will silently discard invalid packets. Commented Nov 16, 2022 at 17:18
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer. Commented Nov 19, 2022 at 23:27

1 Answer 1

0

I have no Nexus I can test this on, but this similar forum post:

https://community.cisco.com/t5/switching/snmp-acl-on-nexus/td-p/3335165

says to try including source, destination and protocol.

The Cisco docs also say to include source, destination and port/protocol, see:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/system_management/b_Cisco_Nexus_5000_Series_NX-OS_System_Management_Configuration_Guide/Cisco_Nexus_5000_Series_NX-OS_System_Management_Configuration_Guide_chapter9.html#task_D3862190751F4B1A9F5353B015A888A7

Even though these are different Nexus types, you could give it a shot.

3
  • I have many SVIs so I need a general way Commented Oct 26, 2020 at 15:29
  • Could you maybe include your private networks that need access to the switch? Then I can try to help you create a more general ACL. It might be enough to include the destination IP and eq SNMP Commented Oct 26, 2020 at 15:33
  • 2
    @blackmetal: That's where loopback interfaces help. Use an existing one or create one, and make sure its IP address is reachable/routable from where you want to access it (you might want to add its address to the dynamic routing protocol you are running). This brings down your SNMP ACL to just a single destination IP. Commented Oct 26, 2020 at 17:17
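The shape the answer and the loopback comment describe, written out as an added NX-OS example (not the asker's configuration and not copied from the linked Cisco pages): the ACL names both endpoints and the UDP/SNMP port, and a loopback gives the ACL a single destination address regardless of how many SVIs the switch has. The loopback address 10.255.0.1/32 and the ACL name snmp-in are placeholders, the 172.17.x.x/29 source is left as the question wrote it, and the use-ipv4acl binding keyword is assumed for current NX-OS releases (older releases use use-acl).

```text
! Single management address for SNMP, advertised in your IGP so
! the poller can reach it from any routed segment.
interface loopback0
  ip address 10.255.0.1/32

! ACL with source, destination and protocol/port, as the answer suggests.
ip access-list snmp-in
  10 permit udp 172.17.x.x/29 host 10.255.0.1 eq snmp
  20 deny ip any any

! Bind the ACL to the community (use-acl on older NX-OS releases).
snmp-server community X group network-operator
snmp-server community X use-ipv4acl snmp-in
```

Verify the binding with `show snmp community` (the acl_filter column should show the new ACL) and confirm from a host outside 172.17.x.x/29 that an SNMP GET to 10.255.0.1 times out while one from inside the subnet answers.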
