ACL bocking snmp question

Unanswered Question
Feb 15th, 2008

Hi,

I would like to block the snmp traffic generated from to PC and coming into my interface ATM PVC on my router.

the ip addresses are 10.10.10.202 10.10.10.123.

What is the best ACL that I can applie?

Thnaks

Regards

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
royalblues Fri, 02/15/2008 - 06:55

Do u mean to say the PC 10.10.10.202 and 10.10.10.123 should only be able to poll via SNMP?

for this you can do something like this

access-list 1 10.10.10.202 0.0.0.0

access-list 1 10.10.10.123 0.0.0.0

snmp-server community RO 1 --- the number 1 references the access-list and permits only those IPs for SNMP access

HTH

Narayan

Richard Burts Fri, 02/15/2008 - 08:05

Leonardo

I interpret your question a bit differently. Where Narayan things that you want to enable SNMP from these 2 addresses I believe that you want to block SNMP from these addresses. For that I would suggest an access list something like this:

access-list 101 deny udp host 10.10.10.123 any eq snmp

access-list 101 deny udp host 10.10.10.202 any eq snmp

access-list 101 permit ip any any

apply this access list inbound on the interface where the hosts are connected. The 2 deny statements will deny any snmp traffic sourced from these addresses. The permit any any will allow all other traffic. If there is already an existing access list then you would add these statements to the existing list.

HTH

Rick

vaisharm Mon, 02/18/2008 - 02:29

You would probably have to deny snmp traps as well.

access-list 101 deny udp host 10.10.10.123 any eq snmp

access-list 101 deny udp host 10.10.10.123 any eq snmptrap

access-list 101 deny udp host 10.10.10.202 any eq snmp

access-list 101 deny udp host 10.10.10.202 any eq snmptrap

access-list 101 permit ip any any

Actions

This Discussion