Wired Intelligent Edge

  • 1.  Help with ACL on Procurve J8697A Switch 5406zl

    Posted Feb 03, 2015 03:15 PM

    After converting my network from a layer 2 flat network to layer 3, I noticed my inventory software (Track-IT) and my printer polling via SNMP stopped polling devices on the new VLANs.

    I have a general understanding of ACLs: that if I add an ACL to a VLAN, it changes from permit all to deny all besides what is defined by a rule. I have an ACL set up now for my public VLAN, albeit I'm sure it's not perfect, but it seems to work "mostly".

    However, now I want SNMP to work across all my private VLANs, but I don't want to open up everything else or deny any broadcasts that are denied now by default. Can someone help me along the right path?

    Current situation: with my current setup everything works A-OK. Clients can get to all their apps and servers on different VLANs. The only issue is no SNMP.

    Here is my ACL for Public:

    ip access-list extended "109"
    10 permit ip 10.99.0.0 0.0.255.255 10.1.1.198 0.0.0.0 log
    11 permit ip 10.99.0.0 0.0.255.255 10.1.1.199 0.0.0.0 log
    20 deny ip 10.99.0.0 0.0.255.255 10.0.0.0 0.255.255.255 log
    30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
    exit

     

    Here is a snippet of some of the other configuration:

    vlan 11
    name "Test"
    ip helper-address 10.1.1.101
    ip address 10.79.3.1 255.255.0.0
    tagged D19,D24
    exit
    vlan 12
    name "Test2"
    ip helper-address 10.1.1.101
    ip address 10.32.3.1 255.255.0.0
    tagged D19,D24
    exit
    vlan 99
    name "Public"
    ip helper-address 10.99.0.1
    ip address 10.99.3.1 255.255.0.0
    tagged A5,A12,B3-B4,D19,D21-D24,Trk1-Trk2
    ip access-group "109" in
    ip access-group "109" out
    exit


    #ACLs


  • 2.  RE: Help with ACL on Procurve J8697A Switch 5406zl

    Posted Feb 03, 2015 06:30 PM

    Could you please spell out the source & destination ip addresses for each of the two polling functions.


    Your ACL looks fine, but you should remove it from the VLAN interface in the "out" direction.

    This "out" will be doing nothing. 

    ("out" on VLAN99 means from other VLANs to VLAN99)



  • 3.  RE: Help with ACL on Procurve J8697A Switch 5406zl

    Posted Feb 04, 2015 08:42 AM

    I want to create an ACL that will allow SNMP to traverse across VLANs 1, 11, and 12. So my polling would be coming from 10.1.x.x, polling via SNMP something on 10.79.6.x or 10.32.6.x.

    1.  Wanted some clarity on how to create the ACL to just allow SNMP.

    2.  Should I do permit any so that it doesn't break anything that's working today?

    3.  Since the default rule for no ACL is to permit any, why does SNMP not work by default?

    vlan 11
    name "Test"
    ip helper-address 10.1.1.101
    ip address 10.79.3.1 255.255.0.0
    tagged D19,D24
    exit
    vlan 12
    name "Test2"
    ip helper-address 10.1.1.101
    ip address 10.32.3.1 255.255.0.0
    tagged D19,D24
    exit
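The two ACL questions raised so far, the direction point in reply 2 (an "out" ACL on VLAN 99 sees only packets routed into 10.99.0.0/16) and the SNMP-only ACL asked for in reply 3, are easiest to see by evaluating sample packets against the ACEs. The following is an added example written for this page, not code from the thread or from HP/Aruba: a small stateless evaluator for ACEs written in the same style as the poster's ACL "109". ACL_109 is copied from the first post; the "snmp-only" ACL, the `packet`/`matches`/`evaluate` helpers and every sample packet are assumptions made for illustration.

```python
"""Stateless ProCurve-style extended ACL evaluator (added example, not from
the thread or the vendor). Shows why ACL 109 applied "out" on VLAN 99 filters
nothing (reply 2) and what an SNMP-only ACL would do (reply 3). SNMP_ONLY and
every sample packet are constructed assumptions; only ACL_109 is copied."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def matches(addr, base, wildcard):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse e.g. '20 deny ip 10.99.0.0 0.0.255.255 10.0.0.0 0.255.255.255 log'
    or '10 permit udp 10.1.0.0 0.0.255.255 10.79.0.0 0.0.255.255 eq 161'. Only
    the syntax used on this page plus 'any' and a destination 'eq <port>' is
    handled; a trailing 'log' is accepted and ignored."""
    tok = line.split()
    seq, action, proto, rest = int(tok[0]), tok[1], tok[2], tok[3:]

    def take_addr():
        if rest[0] == "any":
            rest.pop(0)
            return ANY
        return rest.pop(0), rest.pop(0)

    src, dst, dport = take_addr(), take_addr(), None
    if rest and rest[0] == "eq":
        dport = int(rest[1])
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}

def parse_acl(text):
    """Keep numbered ACE lines; 'ip access-list ...' and 'exit' are skipped."""
    return [parse_ace(l) for l in text.splitlines() if l.strip()[:1].isdigit()]

def evaluate(acl, pkt):
    """First matching ACE wins; no match means the implicit deny at the end."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not matches(pkt["src"], *ace["src"]):
            continue
        if not matches(pkt["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"], ace["seq"]
    return "deny", None

# Copied from the first post in the thread.
ACL_109 = parse_acl("""
ip access-list extended "109"
10 permit ip 10.99.0.0 0.0.255.255 10.1.1.198 0.0.0.0 log
11 permit ip 10.99.0.0 0.0.255.255 10.1.1.199 0.0.0.0 log
20 deny ip 10.99.0.0 0.0.255.255 10.0.0.0 0.255.255.255 log
30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
exit
""")

# Assumed SNMP-only ACL answering reply 3: pollers on 10.1.0.0/16 may reach
# UDP/161 on the Test VLANs; anything else routed into them is dropped. Meant
# to be applied "out" on VLAN 11 and 12, i.e. on packets routed into them.
SNMP_ONLY = parse_acl("""
ip access-list extended "snmp-only"
10 permit udp 10.1.0.0 0.0.255.255 10.79.0.0 0.0.255.255 eq 161
20 permit udp 10.1.0.0 0.0.255.255 10.32.0.0 0.0.255.255 eq 161
30 deny ip any any log
exit
""")

def packet(proto, src, dst, dport):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}

def acl109_out_on_vlan99():
    """Constructed packets routed from other VLANs into VLAN 99: none has a
    10.99.x.x source, so every one falls through to ACE 30 (permit any)."""
    return [evaluate(ACL_109, p) for p in (
        packet("udp", "10.1.1.198", "10.99.3.50", 161),  # SNMP poll of a Public host
        packet("tcp", "10.79.6.20", "10.99.3.50", 445),  # Test VLAN host to Public
    )]

def acl109_in_on_vlan99():
    """Constructed packets sent by VLAN 99 hosts: here ACEs 10-20 actually bite."""
    return [evaluate(ACL_109, p) for p in (
        packet("tcp", "10.99.3.50", "10.1.1.198", 445),  # explicitly allowed server
        packet("tcp", "10.99.3.50", "10.5.5.5", 445),    # other internal host
        packet("udp", "10.99.3.50", "8.8.8.8", 53),      # outside 10/8
    )]

def snmp_only_out_on_vlan11():
    """Constructed packets routed into VLAN 11 under the assumed SNMP-only ACL."""
    return [evaluate(SNMP_ONLY, p) for p in (
        packet("udp", "10.1.1.198", "10.79.6.20", 161),  # poller -> printer, SNMP
        packet("tcp", "10.1.1.198", "10.79.6.20", 80),   # poller -> printer, HTTP
        packet("udp", "10.99.3.50", "10.79.6.20", 161),  # Public host, SNMP
    )]
```

Running `acl109_out_on_vlan99()` returns `("permit", 30)` for every packet, which is the "doing nothing" from reply 2 in concrete terms: the only ACEs that could deny never match a packet whose source is outside 10.99.0.0/16. Two caveats for the SNMP-only variant: these ACLs are stateless, so the printer's reply (UDP source port 161 back to 10.1.x.x) leaves VLAN 11 in the "in" direction and must be permitted by whatever ACL is applied there; and ending the list with `permit ip any any`, as reply 3 asks, keeps everything working but means the ACL denies nothing that is not explicitly denied above it. The `eq` placement follows the ProCurve extended-ACL syntax; confirm it against the ACL guide for your firmware before pasting it in.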



  • 4.  RE: Help with ACL on Procurve J8697A Switch 5406zl

    Posted Feb 04, 2015 04:35 PM

    If SNMP isn't working without any ACL, then you're not going to be able to fix it by adding any kind of ACL.


    Assuming the devices are otherwise reachable, you need to review their SNMP configuration to fix it.



  • 5.  RE: Help with ACL on Procurve J8697A Switch 5406zl

    Posted Feb 05, 2015 03:33 PM

    Please assist me if my understanding is incorrect:

    I believe this is what my issue was:

    SNMP is a broadcast protocol when configured to discover devices on the "domain". All of the clients in question were part of the domain, just on different VLANs.

    So the discovery would find everything on VLAN 1 but find nothing on the other VLANs, because broadcast is limited to the local VLAN.

    However, when manually entering the host range of the devices I wanted to discover (on another VLAN), it would find them.

    So can I assume that SNMP's discovery, unless configured to hunt an IP range, is a broadcast protocol which would be blocked by the nature of VLANs?



  • 6.  RE: Help with ACL on Procurve J8697A Switch 5406zl

    Posted Feb 05, 2015 05:36 PM

    I don't believe that SNMP is a broadcast protocol. It can only discover devices if you identify them by IP or identify their subnets so it can scan through each IP looking for responses.