ACL blocking snmp question

Feb 15th, 2008

Hi,

I would like to block the SNMP traffic generated from two PCs and coming into my interface ATM PVC on my router.

The IP addresses are 10.10.10.202 and 10.10.10.123.

What is the best ACL that I can apply?

Thanks

Regards

royalblues Fri, 02/15/2008 - 06:55

Do you mean to say the PCs 10.10.10.202 and 10.10.10.123 should only be able to poll via SNMP?


For this you can do something like this:


access-list 1 permit 10.10.10.202 0.0.0.0

access-list 1 permit 10.10.10.123 0.0.0.0


! the number 1 references the access-list and permits only those IPs for SNMP access
snmp-server community <community-string> RO 1


HTH

Narayan

Richard Burts Fri, 02/15/2008 - 08:05

Leonardo


I interpret your question a bit differently. Where Narayan thinks that you want to enable SNMP from these 2 addresses, I believe that you want to block SNMP from these addresses. For that I would suggest an access list something like this:

access-list 101 deny udp host 10.10.10.123 any eq snmp

access-list 101 deny udp host 10.10.10.202 any eq snmp

access-list 101 permit ip any any

Apply this access list inbound on the interface where the hosts are connected. The 2 deny statements will deny any SNMP traffic sourced from these addresses. The permit any any will allow all other traffic. If there is already an existing access list then you would add these statements to the existing list.


HTH


Rick

vaisharm Mon, 02/18/2008 - 02:29

You would probably have to deny snmp traps as well.


access-list 101 deny udp host 10.10.10.123 any eq snmp

access-list 101 deny udp host 10.10.10.123 any eq snmptrap

access-list 101 deny udp host 10.10.10.202 any eq snmp

access-list 101 deny udp host 10.10.10.202 any eq snmptrap

access-list 101 permit ip any any
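
The following is an added example, not part of the thread and not Cisco code: a small model of first-match evaluation for the access list in the last reply, so the effect of the snmptrap lines and of the final permit can be checked against constructed packets. It assumes eq matches the UDP destination port and handles only the host/any forms used above; the function names and the 192.0.2.10 destination in the usage are made up for illustration.

```python
# Added example: minimal first-match evaluator for the extended ACL lines in this thread.
import ipaddress

PORTS = {"snmp": 161, "snmptrap": 162}  # IOS port keywords used in the thread

ACL_101 = """\
access-list 101 deny udp host 10.10.10.123 any eq snmp
access-list 101 deny udp host 10.10.10.123 any eq snmptrap
access-list 101 deny udp host 10.10.10.202 any eq snmp
access-list 101 deny udp host 10.10.10.202 any eq snmptrap
access-list 101 permit ip any any
"""

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the token list and return a network."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError("only 'any' and 'host' are handled in this sketch")

def parse(text):
    """Turn 'access-list N action proto src dst [eq port]' lines into rule tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        tokens = tokens[2:]  # drop "access-list <number>"
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        port = PORTS[tokens[1]] if tokens[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first matching entry; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if s in r_src and d in r_dst and r_port in (None, dport):
            return action
    return "deny"
```

For instance, evaluate(parse(ACL_101), "udp", "10.10.10.202", "192.0.2.10", 161) returns "deny", while the same packet from 10.10.10.50 returns "permit".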
