Viewing SNMP ACL Policy counters, is it possible?

  • Updated 2 years ago
  • Answered
Is it possible to see the counters in an SNMP policy?

I have a policy that looks like this:
entry e1 { if { source-address 172.16.5.211/32; } then { permit; count prtg; }}
entry e2 { if { source-address 10.22.0.49/32; } then { permit; count rocnms; }}
entry e3 { if { source-address 10.21.12.49/32; } then { permit; count bsanms; }}
entry e4 { if { source-address 172.16.5.226/32; } then { permit; count nmslinux; }}
entry denyall { if { } then { deny; count denyall; }}
Pretty simple, but if I do a 'show access-list counter process snmp' I get this:
================================================================================
Access-list                                Permit Packets          Deny Packets
================================================================================
================================================================================
Total Rules : 0
The policy is working as expected, but I can't see the counters.  There was one thread from two years ago that said this may be expected behavior, but no alternative was given to seeing the counters.  I'd really like to know if anything else is trying to probe my cores via SNMP.
Ron Prague

Posted 2 years ago

Edward Tsui, Employee

I am going to demonstrate using telnet access-profile, snmp should be the same.

1. create dynamic ACL

create access-list telnet_acl " source-address 192.168.100.101/32 ; destination-address 10.67.72.85/32 ; protocol tcp ; destination-port 23 ;" " permit  ;" application "Cli"

2. Add ACL to telnet access-profile

configure telnet access-profile add "telnet_acl" first

3. You should see the hit count when permit/deny

* X460-24t.35 # show access-list counter process telnet
================================================================================
Access-list                                Permit Packets          Deny Packets
================================================================================
telnet_acl                                              1                     0
================================================================================
Total Rules : 1


SNMP should be the same using snmp access-profile
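The counter table above is only populated for dynamic ACLs that have been added to an access-profile, which is why the policy-file setup in the question shows an empty table. Once the SNMP access-profile is in place, the practical next step is to read the "show access-list counters process snmp" output periodically and notice when a deny counter moves, since that is exactly what tells you something unexpected is probing the switch over SNMP. The following Python is an added example written for this thread; it is not code from the original posters or from Extreme Networks. It parses the table format shown on this page, checks that the row count agrees with the "Total Rules" trailer, and reports which ACLs saw their deny counter grow between two samples. The two sample outputs, the prompt string, and the ACL names (prtg_acl, nms_denyall) are constructed for the example and assumed to follow the layout shown above.

```python
"""Parse ExtremeXOS 'show access-list counters process <app>' output and
flag ACLs whose deny counter increased between two samples.

Added example for this thread; the sample outputs below are constructed
to match the table layout shown on the page, not captured from a switch.
"""
import re
from typing import Dict, Tuple

# One data row: "<acl name>  <permit packets>  <deny packets>".
# Header, separator, prompt and "Total Rules" lines never match because
# they do not end in two integer columns.
ROW_RE = re.compile(r"^(?P<name>\S+)\s+(?P<permit>\d+)\s+(?P<deny>\d+)\s*$")
TOTAL_RE = re.compile(r"Total Rules\s*:\s*(\d+)")

Counters = Dict[str, Tuple[int, int]]


def parse_counters(text: str) -> Counters:
    """Return {acl_name: (permit_packets, deny_packets)} from CLI output.

    An empty table (separators plus 'Total Rules : 0', which is what a
    policy-file ACL produces) yields an empty dict rather than an error.
    """
    counters: Counters = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            counters[m.group("name")] = (int(m.group("permit")), int(m.group("deny")))
    return counters


def total_rules(text: str) -> int:
    """Rule count from the 'Total Rules : N' trailer, or -1 if it is absent."""
    m = TOTAL_RE.search(text)
    return int(m.group(1)) if m else -1


def consistent(text: str) -> bool:
    """True when the number of parsed rows equals the trailer's rule count,
    i.e. the parser did not silently drop or duplicate a row."""
    return len(parse_counters(text)) == total_rules(text)


def deny_deltas(before: Counters, after: Counters) -> Dict[str, int]:
    """Deny-packet increase per ACL between two samples.

    ACLs that only exist in 'after' are counted from zero; ACLs whose deny
    counter did not grow are omitted so the result is empty when all is quiet.
    """
    deltas: Dict[str, int] = {}
    for name, (_permit, deny_after) in after.items():
        deny_before = before.get(name, (0, 0))[1]
        if deny_after > deny_before:
            deltas[name] = deny_after - deny_before
    return deltas


# --- constructed sample data (hypothetical prompt and ACL names) -------------
EMPTY_TABLE = """\
* switch.1 # show access-list counters process snmp
================================================================================
Access-list                                Permit Packets          Deny Packets
================================================================================
================================================================================
Total Rules : 0
"""

SAMPLE_T0 = """\
* switch.1 # show access-list counters process snmp
================================================================================
Access-list                                Permit Packets          Deny Packets
================================================================================
prtg_acl                                              12                     0
nms_denyall                                            0                     3
================================================================================
Total Rules : 2
"""

SAMPLE_T1 = """\
* switch.1 # show access-list counters process snmp
================================================================================
Access-list                                Permit Packets          Deny Packets
================================================================================
prtg_acl                                              15                     0
nms_denyall                                            0                     7
================================================================================
Total Rules : 2
"""


if __name__ == "__main__":
    grew = deny_deltas(parse_counters(SAMPLE_T0), parse_counters(SAMPLE_T1))
    for acl, n in grew.items():
        print(f"{acl}: {n} new denied SNMP packet(s) since last sample")
    if not grew:
        print("no new denies")
```

In practice the two samples would come from the switch CLI (or an expect-style session) a few minutes apart; any non-empty result from deny_deltas for the catch-all rule is the signal the questioner was after, and consistent() guards against a changed output format quietly producing zero rows.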


Managing ACL Rules for SNMP

Before you can assign an ACL rule to SNMP, you must create a dynamic ACL rule as described in ACLs.

• To add or delete a rule for SNMP access, use the following command:
configure snmp access-profile [ access_profile {readonly | readwrite} | [[add rule ] [first | [[before | after] previous_rule]]] | delete rule | none ]
• To display the access-list permit and deny statistics for an application, use the following command:
show access-list counters process [snmp | telnet | ssh2 | http]