diff --git a/Changes b/Changes
index 30fc6d9f..f9679fe7 100644
--- a/Changes
+++ b/Changes
@@ -5,6 +5,7 @@
 * #319 better fix for acceping ACL names or values in check_acl_*
 * #311 added duplicate devices report with option to delete
 * #263 discover neighbors advertising ipv6 management addresses
+ * #286 support only/no ACLs for snmp_auth stanza, update docs
 [BUG FIXES]
diff --git a/lib/App/Netdisco/Manual/Configuration.pod b/lib/App/Netdisco/Manual/Configuration.pod
index e69aaad8..a563780a 100644
--- a/lib/App/Netdisco/Manual/Configuration.pod
+++ b/lib/App/Netdisco/Manual/Configuration.pod
@@ -762,6 +762,7 @@ simply a friendly name used by Netdisco when referring to the configuration. only: - 192.0.2.0/30 - 172.20.10.0/24 + no: '172.20.10.1' - tag: v2aclexample community: s3kr1t read: false
@@ -773,14 +774,16 @@ global C/C setting, this is not a list but a single item. That is, to configure multiple community strings, have one stanza per community, as in the examples above and below.
-You can add C and/or C restrictions, and an IP restriction using
-C (see L. Giving the stanza a C name is
-optional, but recommended.
+For any version of SNMP you can add C and/or C booleans to
+control operations for that stanza, and IP restrictions using C and
+C (see L for what you can use here).
-For SNMPv3 the C and C keys are required. You can add C
-and/or C restrictions, and an IP restriction using C. Providing
-an C section enables the authentication security level. Providing a
-C section enables the message encryption security level.
+For SNMPv3 the C and C keys are required. Providing an C
+section enables the authentication security level, providing a C section
+enables the message encryption security level. When configuring multiple
+SNMPv3 stanza please use C and/or C ACLs for each, otherwise only
+the first stanza is ever used (this is a limitation in the underlying L
+library).
 The default SNMPv3 authentication security method is MD5, and the default encryption protocol is DES, with AES or AES256 being common alternatives. Note
@@ -793,7 +796,7 @@ key to a stanza to override this default. Netdisco caches both the successful SNMPv2 read and write community strings, as well as the C names if available. This allows for faster operations
-once a connection has previously been made to a device.
+once a connection has previously been made to a device. Tags are recommended.
 If you have SNMP connect failures, or notice that devices are not appearing in Netdisco, take a look at the "SNMP Connect Failures" Admin Report, and also
diff --git a/lib/App/Netdisco/Manual/Troubleshooting.pod b/lib/App/Netdisco/Manual/Troubleshooting.pod
index 6c336bea..1af16b63 100644
--- a/lib/App/Netdisco/Manual/Troubleshooting.pod
+++ b/lib/App/Netdisco/Manual/Troubleshooting.pod
@@ -117,9 +117,9 @@ example:
 ~netdisco/bin/netdisco-do discover -d 192.0.2.1 -DIQ
-You will see that SNMPv2 community strings are hidden by default, to make the
-output safe for sending to Netdisco developers. To show the community string,
-set the C environment variable:
+You will see that SNMP community strings and users are hidden by default, to
+make the output safe for sending to Netdisco developers. To show the community
+string and SNMPv3 protocols, set the C environment variable:
 SHOW_COMMUNITY=1 ~netdisco/bin/netdisco-do discover -d 192.0.2.1 -DIQ
diff --git a/lib/App/Netdisco/Util/SNMP.pm b/lib/App/Netdisco/Util/SNMP.pm
index 8caaeddd..c75a522d 100644
--- a/lib/App/Netdisco/Util/SNMP.pm
+++ b/lib/App/Netdisco/Util/SNMP.pm
@@ -136,9 +136,13 @@ sub _snmp_connect_generic {
 sub _try_connect {
 my ($device, $class, $comm, $mode, $snmp_args, $reclass) = @_;
 my %comm_args = _mk_info_commargs($comm);
- my $debug_comm = ( $comm->{community}
- ? $ENV{SHOW_COMMUNITY} ? $comm->{community} : ''
- : "v3user:$comm->{user}" );
+ my $debug_comm = '';
+ if ($ENV{SHOW_COMMUNITY}) {
+ $debug_comm = ($comm->{community} ||
+ (sprintf 'v3:%s:%s/%s', ($comm->{user},
+ ($comm->{auth}->{proto} || 'noAuth'),
+ ($comm->{priv}->{proto} || 'noPriv'))) );
+ }
 my $info = undef;
 try {
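Review bot: Reading `$comm->{auth}->{proto}` (and `$comm->{priv}->{proto}`) on the new sprintf lines autovivifies `$comm->{auth}` / `$comm->{priv}` as empty hashrefs when the stanza has no such section, and this only happens on debug runs with SHOW_COMMUNITY set. Because `$comm` is passed in and `_mk_info_commargs($comm)` has already consumed it, any later truthiness test on those keys (presumably how "providing an auth section enables the authentication security level" is decided — confirm in `_mk_info_commargs`) would then see sections that were never configured, so debug output could change which SecLevel is requested on a subsequent attempt with the same stanza hashref. Guard the dereference instead: `(($comm->{auth} && $comm->{auth}->{proto}) || 'noAuth'),` and `(($comm->{priv} && $comm->{priv}->{proto}) || 'noPriv'))) );`. The `||` on `$comm->{community}` also treats a community string of `0` as absent and would print the v3 form for it; `defined $comm->{community} ? $comm->{community} : sprintf ...` (or `//` if the file's minimum Perl allows) avoids that. `_try_connect` continues past the end of the hunk.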
@@ -293,14 +297,17 @@ sub _build_communities {
 $stanza->{tag} ||= $tag;
 ++$seen_tags->{ $stanza->{tag} };
 $stanza->{read} = 1 if !exists $stanza->{read};
+ $stanza->{no} ||= [];
 $stanza->{only} ||= ['any'];
+ $stanza->{no} = [$stanza->{no}] if ref '' eq ref $stanza->{no};
 $stanza->{only} = [$stanza->{only}] if ref '' eq ref $stanza->{only};
 die "error: config: snmpv3 stanza in snmp_auth must have a tag\n" if not $stanza->{tag} and !exists $stanza->{community};
- if ($stanza->{$mode} and check_acl_only($device, $stanza->{only})) {
+ if ($stanza->{$mode} and check_acl_only($device, $stanza->{only})
+ and not check_acl_no($device, $stanza->{no})) {
 if ($device->in_storage and $stored_tag and $stored_tag eq $stanza->{tag}) {
 # last known-good by tag
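Review bot: The new `no` normalisation copies the `only` normalisation line for line with no comment saying why a bare scalar is wrapped, so the next reader has to work out that a YAML `no: '172.20.10.1'` arrives as a string while `check_acl_no` wants a list. I would add `# only/no may be a single string in config; normalise to a list for check_acl_*` above the defaults and fold the two wrap lines into one loop: `for my $acl (qw(only no)) {` / `$stanza->{$acl} = [$stanza->{$acl}] if ref '' eq ref $stanza->{$acl};` / `}`. The defaults differ deliberately (`['any']` versus `[]`), so a one-line `# empty no-list means nothing is excluded` next to `$stanza->{no} ||= [];` would stop someone "fixing" it to match. Also worth a test: the documented key is the bare word `no`, which some YAML 1.1 loaders read as a boolean rather than the string `no` — if the config loader in use does that, the stanza key would never match this code; I cannot tell from the hunk which loader is used. `_build_communities` starts and ends outside the hunk.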