Extreme Networks

Viewing SNMP ACL Policy counters, is it possible?

Is it possible to see the counters in an SNMP policy?

I have a policy that looks like this:
    entry e1 { if { source-address; } then { permit; count prtg; }}
    entry e2 { if { source-address; } then { permit; count rocnms; }}
    entry e3 { if { source-address; } then { permit; count bsanms; }}
    entry e4 { if { source-address; } then { permit; count nmslinux; }}
    entry denyall { if { } then { deny; count denyall; }}

Pretty simple, but if I do a 'show access-list counter process snmp' I get this:

    ================================================================================
    Access-list                     Permit Packets       Deny Packets
    Total Rules : 0

The policy is working as expected, but I can't see the counters. There was one thread from two years ago that said this may be expected behavior, but no alternative was given for seeing the counters. I'd really like to know if anything else is trying to probe my cores via SNMP.


I am going to demonstrate using the telnet access-profile; SNMP should be the same.

1. create dynamic ACL

    create access-list telnet_acl " source-address ; destination-address ; protocol tcp ; destination-port 23 ;" " permit ;" application "Cli"

2. Add ACL to telnet access-profile

    configure telnet access-profile add "telnet_acl" first

3. You should see the hit count on permit/deny:

    * X460-24t.35 # show access-list counter process telnet
    ================================================================================
    Access-list                     Permit Packets       Deny Packets
    telnet_acl                                   1                  0
    Total Rules : 1

SNMP should be the same using the snmp access-profile. From the EXOS documentation:

Managing ACL Rules for SNMP

Before you can assign an ACL rule to SNMP, you must create a dynamic ACL rule as described in ACLs.

• To add or delete a rule for SNMP access, use the following command:

    configure snmp access-profile [ access_profile {readonly | readwrite} | [[add rule ] [first | [[before | after] previous_rule]]] | delete rule | none ]

• To display the access-list permit and deny statistics for an application, use the following command:

    show access-list counters process [snmp | telnet | ssh2 | http]
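Once the counters appear, the original poster's real goal is noticing when something unexpected hits the deny rule. The following is an added example, not code from the thread or from Extreme Networks: a small parser for the `show access-list counter process <app>` table in the format shown in the answer above (a rule of `=` characters, an `Access-list / Permit Packets / Deny Packets` column line, one row per rule, a trailing `Total Rules : N` line), plus a helper that compares two polls and reports rules whose deny counter grew. The sample output, rule names and counter values are constructed; the real switch output would be collected over SSH or a console session.

```python
"""Parse EXOS 'show access-list counter process <app>' output and report
rules whose deny counter has grown since the previous poll.

Added example (not from the original thread or the EXOS documentation).
The table layout is taken from the answer above; the sample values are
constructed.
"""
import re
from typing import Dict, Tuple

# Constructed sample: what the SNMP access-profile counters might look
# like once the dynamic ACLs are attached. Rule names echo the thread's
# policy entries; the packet counts are invented.
SAMPLE_OUTPUT = """\
* X460-24t.35 # show access-list counter process snmp
================================================================================
Access-list                     Permit Packets       Deny Packets
prtg                                   1203                  0
rocnms                                  418                  0
denyall                                   0                  7
Total Rules : 3
"""

# One counter row: <rule name> <permit count> <deny count>
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")
# Trailing summary line
TOTAL_RE = re.compile(r"^Total Rules\s*:\s*(\d+)$")

Counters = Dict[str, Tuple[int, int]]


def parse_counters(text: str) -> Counters:
    """Return {rule_name: (permit_packets, deny_packets)}.

    Raises ValueError when the 'Total Rules' line disagrees with the
    number of rows parsed, which usually means the capture was truncated.
    """
    counters: Counters = {}
    total = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the CLI prompt echo, the '=' rule and the column header.
        if not line or line.startswith("=") or line.startswith("Access-list"):
            continue
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    if total is not None and total != len(counters):
        raise ValueError(f"Total Rules says {total}, parsed {len(counters)} rows")
    return counters


def deny_increments(previous: Counters, current: Counters) -> Dict[str, int]:
    """Rules whose deny counter grew between two polls, with the delta.

    A rule absent from the previous poll is treated as having started at 0.
    """
    deltas = {}
    for name, (_permit, deny) in current.items():
        old_deny = previous.get(name, (0, 0))[1]
        if deny > old_deny:
            deltas[name] = deny - old_deny
    return deltas


if __name__ == "__main__":
    # Pretend the last poll saw two denies on the catch-all rule.
    last_poll = {"prtg": (1100, 0), "rocnms": (400, 0), "denyall": (0, 2)}
    now = parse_counters(SAMPLE_OUTPUT)
    for rule, delta in deny_increments(last_poll, now).items():
        print(f"{rule}: {delta} new denied SNMP packet(s) since last poll")
```

Polling this on an interval and alerting on a non-zero `denyall` delta tells you that some host outside the permitted NMS addresses tried SNMP against the core; the counter alone does not identify the source, so pair it with the switch's syslog or a packet capture on the management VLAN if you need the address.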