Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
554
Views
4
Helpful
7
Replies

Allowing SNMP traffic to establish a flow through CSS

csbowser
Level 1
Level 1

‎02-09-2004 05:36 AM

One of my 'inside' customers needs to query and receive SNMP traps to systems outside the network. Inside customers have private IPs.

According to docs, the CSS (11506, ver 7.20) does not setup a flow for UDP 161/162. Therefore, the traffic won't get NAT'ed, and the traffic will die at the edge of the network.

Any suggestions on a work-around or fix for this?

Labels:
0 Helpful
7 Replies 7

Gilles Dufour
Cisco Employee
Cisco Employee

‎02-09-2004 08:46 AM

With version 6.10 a command called 'flow-state' was created to override this restriction.

But it does not apply to CSS 115xx.

So, unfortunately, if you have a CSS11506 there is no workaround. You have to find a way to bypass the CSS to send this traffic.

Gilles.

0 Helpful

seilsz
Level 4
Level 4
In response to Gilles Dufour

‎02-09-2004 09:15 PM

Gilles,

Can you explain why snmp queries (udp 161) could not be configured with a source group to make this work?

In addition, would a normal udp content rule not work for the snmp traps (udp 162)?

Thanks,

Zach

0 Helpful

csbowser
Level 1
Level 1
In response to seilsz

‎02-11-2004 04:09 AM

Zach,

This is the problem! The CSS will not build a flow for several things:

67, /* BOOTP server */

68, /* BOOTP client */

137, /* NETBIOS name service */

138, /* NETBIOS datagram service */

161, /* SNMP */

162, /* SNMP traps */

520, /* RIP */

8089,/* Inktomi UDP only */

This means it will switch the data, but not apply it to a content rule - thus no NAT'ing takes place. One guess is, that it would be too hard to try and NAT the protocols listed - plus the vulnerabilities for some would be too great.

0 Helpful

seilsz
Level 4
Level 4
In response to csbowser

‎02-11-2004 05:05 AM

Chad,

Can you point me to where this is documented?

Thanks,

Zach

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to seilsz

‎02-11-2004 08:20 AM

You can check this document which is quite good to understand UDP traffic on the CSS

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a00801e05ee.shtml

For the non-flow traffic, check the following url:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_qanda_item09186a008009851a.shtml

Regards,

Gilles.

0 Helpful

seilsz
Level 4
Level 4
In response to Gilles Dufour

‎02-11-2004 11:23 AM

Ok, so FCB's are created for DNS by default but not for the ports listed in the second link. However, the behavior with the ports listed in the second link can be overridden with the 'flow-state' command, but only on the 110xx series switches?

When will the 'flow-state' command be available on the 115xx series switches?

Thanks,

Zach

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to seilsz

‎02-12-2004 01:57 AM

Zach,

This command is on the roadmap for the next 11500 Webns release - so July/August.

Gilles.

Customers Also Viewed These Support Documents