There is no snmp-server enable traps configured. The show snmp confirms that snmp global trap and snmp logging are disabled. The only command configured is snmp-server community XX. Why, when I run a scan tool, does it show that port udp 162 (snmptrap) is open?
How can I disable this port? This behavior happens in switch 2950, 3550 and 3750. Not in switch 2924.
If you just want to turn off SNMP completely, then you can do a no snmp-server on the CLI. Then a show snmp would show %SNMP agent not enabled to verify this. Or you can also apply an extended ACL to deny protocol UDP, port 161 and 162, at the interface level such that SNMP access to the device is allowed only from the network management workstations.
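As an added illustration of the ACL approach described in the reply above (example configuration, not from the original thread; the NMS address 192.0.2.10, the ACL names and the Vlan1 management interface are assumptions):

```cisco
! Standard ACL so the read-only community answers only the NMS
! (constrains the agent on UDP 161). Addresses are constructed examples.
ip access-list standard NMS-ONLY
 permit host 192.0.2.10
 deny   any
!
snmp-server community XX RO NMS-ONLY
!
! Extended ACL on the management-facing interface: let the NMS reach
! the agent (161), drop everything else aimed at 161 and at the trap
! listener (162) that the scan reported, and pass all other traffic.
ip access-list extended BLOCK-SNMP
 permit udp host 192.0.2.10 any eq snmp
 deny   udp any any eq snmp log
 deny   udp any any eq snmptrap log
 permit ip any any
!
interface Vlan1
 ip access-group BLOCK-SNMP in
!
! If SNMP is not needed at all, disable the agent instead:
!   no snmp-server
!   show snmp      (expect "%SNMP agent not enabled")
```

Denied packets are logged, so repeated hits on the snmptrap entry give you a record of who is probing UDP 162 without leaving the listener reachable.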
In fact, I'd like to understand why this port is open if I did not enable traps. I understood that there are only two options to enable traps:
using the commands snmp-server enable traps or snmp-server host X.
In this case, neither of the commands are enabled.
It seems that on those switches (3750, 2950, 3550) even when you enable only snmp-server community X both ports udp 161 and 162 are open.
It seems that the udp 162 stays open but it's not being used because no traps or informs are enabled to be sent. So in this case, there is no problem in having this port open. I'd like to confirm this, or is there any way to close this port but still have port 161 open (the NMS needs only 161 enabled)?
The switches do not need to be listening for snmp traps and they were not configured to be. This is the question: why does this port appear?
My conjecture would be that the software is not built from the ground up with a strong security model in mind. Modules or code sections opening ports may be implemented separately from the services on the box that use those modules. Historically the default model for IOS/CatOS has not been "deny all and allow only that which is explicitly allowed" (e.g., a strong approach to security) but rather a platform for services in what used to be a much more benign environment.