SNMP ACL (after community check?!)

Not my usual kind of post of "how to do ...blah" but something I'd come across yesterday that was a little interesting/annoying/silly.

Best practice dictates you apply an ACL to your SNMP config so only configured hosts can poll a router/switch even if the community is known. Seems like a good idea

Although after taking over some 6500s after an acquisition and tidying up the config it seems this ACL doesnt quite do what I thought it did. From my testing the ACL is only looked at AFTER the correct community string is used to poll the device.  This is the opposite way round from my expected behavior. I would have expected requests to pass the ACL then to have its community validated.

It does seem to be the case that on both Cisco and Junos device that the community is always checked before the ACL is applied! If you check the ACL used against the SNMP config an explicit "deny any" wont show any hits until the correct community is used. The device will also send traps for failed authentication for all SNMP access attempts even if the IPs trying to poll are configured to be blocked with an ACL!

This was tested with the following config:

Cisco IOS:

snmp-server community lalalala 10

access-list 10 permit 10.10.10.10
access-list 10 deny any log

Junos:

community lalalala {
authorization read-only;
clients {
10.10.10.10;
}
}

If anyone could explain the rational behind having the ACL processed this way round rather than the other way it would be quite interesting to hear :)

m00nie