So I’ve been using standard access lists for IPv4 filtering of my snmp queries to various routers using the code below:
```
ip access-list standard allowed-SNMP-IPv4
 permit 1.2.3.4
 deny any log
snmp-server community public RO allowed-SNMP-IPv4
```
This has worked for me for some time; however, whenever I try to make an IPv6 access list and apply it, it removes the ‘snmp-server’ entry for IPv4:
```
ipv6 access-list allowed-SNMP-IPv6
 permit ipv6 host 2604:21C0::CAFE:ABBA any
 deny ipv6 any any log
snmp-server community public RO ipv6 allowed-SNMP-IPv6
```
When I’m done, the IPv4 RO is missing… am I doing this the wrong way or is there something else going on? I don’t want different community strings (my monitors use both IPv4 and IPv6 with IPv4 being the fallback protocol). Suggestions? Other methods?
The snmp-server community command can be used to specify only an IPv6 named access list, only an IPv4 access list, or both. For you to configure both IPv4 and IPv6 access lists, the IPv6 access list must appear first in the command statement.
Ok, that was a rather esoteric statement from Cisco. I’ll give it a try. Going to have to do some reconfiguration of my Ansible scripting as I have most of it set up to do IPv4 work prior to IPv6 work. I’ll lab it up first before embarking on radical changes across the board.
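An added example, not code from any poster in this thread: a small Python audit that could run against saved running-configs (for instance from an Ansible backup task) to catch the situation described above, where a community string ends up with only one address family's ACL attached. The function name `audit_snmp_acls` and the sample configs are constructed for illustration; the parser assumes the command order quoted in the reply (the `ipv6` ACL first, then the IPv4 ACL).

```python
import re

# Syntax assumed from the IOS command reference:
#   snmp-server community <string> [view <name>] [ro|rw] [ipv6 <nacl>] [<ipv4-acl>]
COMMUNITY = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>ro|rw))?(?: ipv6 (?P<v6>\S+))?(?: (?P<v4>\S+))?\s*$",
    re.IGNORECASE,
)
V4_DEF = re.compile(r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+) )", re.I)
V6_DEF = re.compile(r"^ipv6 access-list (\S+)", re.I)


def audit_snmp_acls(config: str) -> list[str]:
    """Flag community strings that lack an IPv4 or IPv6 ACL, or name an undefined one."""
    lines = [line.strip() for line in config.splitlines()]
    v4_defined = {m.group(1) or m.group(2) for l in lines if (m := V4_DEF.match(l))}
    v6_defined = {m.group(1) for l in lines if (m := V6_DEF.match(l))}
    findings = []
    for line in lines:
        m = COMMUNITY.match(line)
        if not m:
            continue
        for family, acl, defined in (("IPv4", m["v4"], v4_defined),
                                     ("IPv6", m["v6"], v6_defined)):
            if acl is None:
                findings.append(f"{m['name']}: no {family} ACL attached")
            elif acl not in defined:
                findings.append(f"{m['name']}: {family} ACL {acl} is not defined")
    return findings


# Constructed sample configs, built from the ACLs posted in the thread.
ACLS = """\
ip access-list standard allowed-SNMP-IPv4
 permit 1.2.3.4
 deny any log
ipv6 access-list allowed-SNMP-IPv6
 permit ipv6 host 2604:21C0::CAFE:ABBA any
 deny ipv6 any any log
"""
V6_ONLY = ACLS + "snmp-server community public RO ipv6 allowed-SNMP-IPv6\n"
COMBINED = ACLS + "snmp-server community public RO ipv6 allowed-SNMP-IPv6 allowed-SNMP-IPv4\n"

if __name__ == "__main__":
    for label, cfg in (("ipv6 only", V6_ONLY), ("combined", COMBINED)):
        print(label, "->", audit_snmp_acls(cfg) or "ok")
```

Run as a post-change check, the audit returns a finding for the IPv6-only line and none for the combined line, so a push that silently replaced the IPv4 ACL shows up before the change is rolled out further.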