DMS Fails to Manage the Network of the NE20E Because SNMP ACL Rules of the NE20E Do Not Specify a VPN Instance

Publication Date: 2012-07-27
Issue Description
After an ACL is applied to the SNMP read/write community names, ping to the device succeeds, but the DMS cannot manage the NE20E and the NE20E cannot be added to the DMS. When the ACL is removed from the SNMP read/write community names, the DMS regains management of the NE20E.
The IP address of the DMS server is 10.52.135.40.
acl number 2000
rule 0 permit source 10.52.135.40 0
rule 10 deny
snmp-agent community read public acl 2000
snmp-agent community write >evf;rf acl 2000 
 
Alarm Information
debug snmp-agent displays "Login through SNMP failed":
<NE20-NN>deb snmp-agent head
<NE20-NN>deb snmp-agent pack
<NE20-NN>deb snmp-agent proc
<NE20-NN>deb snmp-agent trap
<NE20-NN>t d
Info:Current terminal debugging is on
<NE20-NN>
Apr 9 2008 21:26:22 NE20-NN %%01SNMP/4/SNMP_FAIL(l): Login through SNMP failed(ip=10.52.135.40 times=1).
*0.447064816 NE20-NN SNMP/7/V12HEADERS:
Incoming SNMPv2c packet
community name:public
*0.447064816 NE20-NN SNMP/7/PACKETS_SRC:Packet received from 10.52.135.40<nms> via UDP
*0.447064816 NE20-NN SNMP/7/PACKETS:
get request
reqid:1172,errstat:0,erridx:0
*0.447064816 NE20-NN SNMP/7/VBLIST:
sysName.0 =
Apr 9 2008 21:26:27 NE20-NN %%01SNMP/4/SNMP_FAIL(l): Login through SNMP failed(ip=10.52.135.40 times=2).
*0.447069800 NE20-NN SNMP/7/V12HEADERS:
Incoming SNMPv2c packet
community name:public
*0.447069800 NE20-NN SNMP/7/PACKETS_SRC:Packet received from 10.52.135.40<nms> via UDP
*0.447069800 NE20-NN SNMP/7/PACKETS:
get request
reqid:1172,errstat:0,erridx:0
*0.447069800 NE20-NN SNMP/7/VBLIST:
sysName.0 =
Apr 9 2008 21:26:32 NE20-NN %%01SNMP/4/SNMP_FAIL(l): Login through SNMP failed(ip=10.52.135.40 times=3).
*0.447074816 NE20-NN SNMP/7/V12HEADERS:
Incoming SNMPv2c packet
community name:public
*0.447074816 NE20-NN SNMP/7/PACKETS_SRC:Packet received from 10.52.135.40<nms> via UDP
*0.447074816 NE20-NN SNMP/7/PACKETS:
get request
reqid:1172,errstat:0,erridx:0
*0.447074816 NE20-NN SNMP/7/VBLIST:
sysName.0 =
Apr 9 2008 21:26:37 NE20-NN %%01SNMP/4/SNMP_FAIL(l): Login through SNMP failed(ip=10.52.135.40 times=4).
*0.447079816 NE20-NN SNMP/7/V12HEADERS:
Incoming SNMPv2c packet
community name:public
*0.447079816 NE20-NN SNMP/7/PACKETS_SRC:Packet received from 10.52.135.40<nms> via UDP
*0.447079816 NE20-NN SNMP/7/PACKETS:
get request
reqid:1172,errstat:0,erridx:0
*0.447079816 NE20-NN SNMP/7/VBLIST:
sysName.0 = 
 
Handling Process
Modify the ACL rule to add the vpn-instance field. After the corresponding VPN instance is specified for packet filtering, the DMS can manage the NE20E normally.
acl number 2000
rule 0 permit vpn-instance nms source 10.52.135.40 0
rule 10 deny 
 
Root Cause
The server at 10.52.135.40 communicates with the device through the following interface, which is bound to a VPN instance.
interface GigabitEthernet0/0/1.135
vlan-type dot1q 135
description ***MaintenanceVLAN
ip binding vpn-instance nms
ip address 10.52.135.61 255.255.255.224
traffic-policy assign_mpls_exp_nms inbound
When no VPN instance is specified, an ACL rule matches only public-network packets. The original rule therefore permits only public-network packets with source address 10.52.135.40. However, the NMS packets from 10.52.135.40 reach the NE20 through the VPN instance nms, so they do not match the permit rule.
After a VPN instance is specified, packets are filtered according to the VPN instance name. Therefore, only packets with source address 10.52.135.40 in the VPN instance nms are allowed to pass; public-network packets and packets of other VPN instances are not.
 
Suggestions
When configuring ACL rules for the SNMP read/write community, check whether the DMS server reaches the device through a VPN instance.
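
One way to run this check against a saved configuration, as an added example that is not part of the original article or any vendor tool: the Python function below reports host permit rules in SNMP community ACLs whose source address lies on the subnet of a VPN-bound interface while the rule names no (or a different) VPN instance. The function name `audit` and the sample configuration, assembled from the fragments on this page, are assumptions; only the command forms shown on this page are parsed.

```python
import ipaddress
import re

# Constructed sample: the original (failing) configuration from this page.
SAMPLE_CONFIG = """\
acl number 2000
 rule 0 permit source 10.52.135.40 0
 rule 10 deny
snmp-agent community read public acl 2000
interface GigabitEthernet0/0/1.135
 ip binding vpn-instance nms
 ip address 10.52.135.61 255.255.255.224
"""

RULE_RE = re.compile(r"rule \d+ permit(?: vpn-instance (\S+))? source (\S+) (\S+)")

def audit(config):
    """Return (acl, source, expected_vpn) for each SNMP ACL host permit rule whose
    source is behind a VPN-bound interface but whose rule lacks that VPN instance."""
    acls, vpn_nets, snmp_acls = {}, [], set()
    acl = vpn = None  # section state: current ACL number / current interface VPN
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"acl number (\d+)", line):
            acl, vpn = m.group(1), None
        elif line.startswith("interface "):
            acl = vpn = None
        elif m := re.match(r"ip binding vpn-instance (\S+)", line):
            vpn = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and vpn:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            vpn_nets.append((net, vpn))
        elif (m := RULE_RE.match(line)) and acl:
            acls.setdefault(acl, []).append(m.groups())
        elif m := re.match(r"snmp-agent community (?:read|write) \S+ acl (\d+)", line):
            snmp_acls.add(m.group(1))
    findings = []
    for number in sorted(snmp_acls):
        for rule_vpn, src, wildcard in acls.get(number, []):
            if wildcard != "0":  # only host rules (wildcard 0) are checked here
                continue
            for net, if_vpn in vpn_nets:
                if ipaddress.ip_address(src) in net and rule_vpn != if_vpn:
                    findings.append((number, src, if_vpn))
    return findings
```

On the sample it returns one finding naming ACL 2000, source 10.52.135.40 and VPN instance nms; with the corrected rule from the Handling Process section it returns an empty list.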
