Access lists using IPv4 and IPv6 for SNMPv2 queries

So I’ve been using standard access lists for IPv4 filtering of my SNMP queries to various routers using the code below:

ip access-list standard allowed-SNMP-IPv4
 permit 1.2.3.4
 deny any log
snmp-server community public RO allowed-SNMP-IPv4

This has worked for some time for me; however, whenever I try to make an IPv6 access list and apply it, it removes the ‘snmp-server’ entry for IPv4:

ipv6 access-list allowed-SNMP-IPv6
 permit ipv6 host 2604:21C0::CAFE:ABBA any
 deny ipv6 any any log
snmp-server community public RO ipv6 allowed-SNMP-IPv6

When I’m done, the IPv4 RO is missing… am I doing this the wrong way or is there something else going on? I don’t want different community strings (my monitors use both IPv4 and IPv6 with IPv4 being the fallback protocol). Suggestions? Other methods?

Hello Marcos

It turns out that there is a little trick you must employ in order to have both IPv4 and IPv6 support. This Cisco IOS command reference documentation states:

The snmp-server community command can be used to specify only an IPv6 named access list, only an IPv4 access list, or both. For you to configure both IPv4 and IPv6 access lists, the IPv6 access list must appear first in the command statement.

I hope this has been helpful!

Laz
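
An added example, not part of the thread or of Cisco's documentation: a Python check that an automation pipeline could run over a candidate configuration to confirm that each `snmp-server community` line binds both ACLs in the order quoted above (IPv6 first). The function name and sample configurations are constructed, and the regex covers only the command forms shown in this thread plus an optional `view`.

```python
import re

# snmp-server community <string> [view <name>] [ro|rw] [ipv6 <acl6>] [<acl4>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?(?: (?:ro|rw))?"
    r"(?: ipv6 (?P<acl6>\S+))?(?: (?P<acl4>\S+))?\s*$",
    re.IGNORECASE,
)
ACL4_RE = re.compile(r"^(?:ip access-list (?:standard|extended)|access-list) (\S+)")
ACL6_RE = re.compile(r"^ipv6 access-list (\S+)")

def audit_snmp_communities(config: str) -> list[str]:
    """Flag community lines not restricted by both an IPv6 and an IPv4 ACL."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    defined4 = {m.group(1) for ln in lines if (m := ACL4_RE.match(ln))}
    defined6 = {m.group(1) for ln in lines if (m := ACL6_RE.match(ln))}
    findings = []
    for ln in lines:
        if not ln.startswith("snmp-server community "):
            continue
        m = COMMUNITY_RE.match(ln)
        if m is None:  # e.g. the IPv4 ACL written before the "ipv6 <acl>" pair
            findings.append(f"unrecognized form (expected [ipv6 <acl>] [<ipv4 acl>]): {ln}")
            continue
        for family, acl, defined in (("IPv6", m["acl6"], defined6), ("IPv4", m["acl4"], defined4)):
            if acl is None:
                findings.append(f"{m['name']}: no {family} ACL bound: {ln}")
            elif acl not in defined:
                findings.append(f"{m['name']}: {family} ACL {acl} is not defined")
    return findings

# Constructed sample configs built from the ACL names used in the thread.
ACLS = """\
ip access-list standard allowed-SNMP-IPv4
 permit 1.2.3.4
 deny any log
ipv6 access-list allowed-SNMP-IPv6
 permit ipv6 host 2604:21C0::CAFE:ABBA any
 deny ipv6 any any log
"""
SEPARATE = ACLS + (  # the two separate commands from the question
    "snmp-server community public RO allowed-SNMP-IPv4\n"
    "snmp-server community public RO ipv6 allowed-SNMP-IPv6\n"
)
# Single command, IPv6 ACL first, as the quoted reference requires.
COMBINED = ACLS + "snmp-server community public RO ipv6 allowed-SNMP-IPv6 allowed-SNMP-IPv4\n"

if __name__ == "__main__":
    for label, cfg in (("separate", SEPARATE), ("combined", COMBINED)):
        print(label, audit_snmp_communities(cfg) or "OK")
```

Running the same check against the device's running configuration after a push confirms that neither ACL binding was dropped.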

Ok, that was a rather esoteric statement from Cisco. I’ll give it a try. Going to have to do some reconfiguration of my Ansible scripting as I have most of it set up to do IPv4 work prior to IPv6 work. I’ll lab it up first before embarking on radical changes across the board :)

Marcos
