
SNMP packets deny

Hello all!

I'm wondering if there is any other possibility than an ACL to drop SNMP traffic on an interface (something like passive mode in OSPF, which ignores packets).

I've tried to find it but no success until now. Maybe the ACL is the only one, but I thought it is better to ask.

Thank you and have a nice day!

Br,

Calin

ACCEPTED SOLUTION
Cisco Employee

Re: SNMP packets deny

Depending on your IOS version, you could use control plane policing to drop SNMP packets bound for the device. This would not affect packet switching, and would not hinder performance like an interface ACL. Here is an example:

! ACL 113 selects SNMP (UDP/161) addressed to the device. Under a class with a
! 'drop' action, the 'permit' lines are the traffic that gets dropped and the
! 'deny' lines are the exemptions. A single source address needs 'host' (or a
! 0.0.0.0 wildcard) before the destination.
access-list 113 deny udp host 10.1.1.1 any eq 161
access-list 113 permit udp any any eq 161
! access-list 114 is defined but not referenced by the policy below.
access-list 114 deny ip any any
!
class-map match-all matchsnmp
 match access-group 113
!
policy-map dropsnmp
 class matchsnmp
  drop
!
control-plane
 service-policy input dropsnmp

This would allow SNMP from 10.1.1.1, but deny it from any other host. Other traffic bound for this device would be permitted.
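The point that most often trips people up with this pattern is that the ACL is inverted compared with an interface ACL: under a class whose action is `drop`, the entries the ACL *permits* are the packets that get dropped, and the `deny` entry for 10.1.1.1 is what exempts the management station. The following is an added example written for this page, not code from the thread or from Cisco. It models IOS extended-ACL evaluation (wildcard masks, first match wins, implicit deny) and the control-plane classification for the policy above, using constructed addresses (192.0.2.1 stands for the router's own interface) so it runs offline.

```python
"""Model of how the CoPP policy in the accepted answer classifies packets.

Added example for this page, not code from the thread or from Cisco. It
emulates IOS extended-ACL evaluation (wildcard masks, first-match wins,
implicit deny at the end) and the CoPP rule that matters here: under a
class with a 'drop' action, the ACL's 'permit' entries are the traffic
that is dropped and its 'deny' entries are the exemptions. All addresses
and packets below are constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

ANY = ("0.0.0.0", "255.255.255.255")   # IOS 'any' as address + wildcard


@dataclass(frozen=True)
class Packet:
    """A packet already determined to be destined to the router itself;
    transit traffic never reaches the control-plane policy."""
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "ip" (ip matches any protocol)
    src: str               # source address
    src_wild: str          # source wildcard ("0.0.0.0" is what 'host' expands to)
    dst: str
    dst_wild: str
    dport: Optional[int]   # destination port for 'eq N'; None means any port


def wild_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_lookup(acl: List[AclEntry], pkt: Packet) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wild_match(pkt.src, e.src, e.src_wild):
            continue
        if not wild_match(pkt.dst, e.dst, e.dst_wild):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# access-list 113 deny   udp host 10.1.1.1 any eq 161
# access-list 113 permit udp any any eq 161
ACL_113 = [
    AclEntry("deny", "udp", "10.1.1.1", "0.0.0.0", *ANY, 161),
    AclEntry("permit", "udp", *ANY, *ANY, 161),
]


def copp_verdict(pkt: Packet) -> str:
    """policy-map dropsnmp / class matchsnmp (match access-group 113) / drop.

    A packet the ACL 'permits' is classified into matchsnmp and dropped.
    A 'deny' (explicit or implicit) means no match, so the packet falls to
    class-default, which has no action configured and is transmitted.
    """
    return "drop" if acl_lookup(ACL_113, pkt) == "permit" else "transmit"


if __name__ == "__main__":
    ROUTER = "192.0.2.1"   # constructed address of the device's own interface
    samples = [
        Packet("udp", "10.1.1.1", ROUTER, 161),   # the permitted NMS
        Packet("udp", "10.9.9.9", ROUTER, 161),   # any other SNMP poller
        Packet("udp", "10.9.9.9", ROUTER, 162),   # trap port: not in the ACL
        Packet("tcp", "10.9.9.9", ROUTER, 22),    # SSH: untouched by this policy
    ]
    for p in samples:
        print(f"{p.proto} {p.src} -> {p.dst}:{p.dport}: {copp_verdict(p)}")
```

Writing ACL 113 the interface-ACL way (permit the trusted host, deny everyone else) would invert the result: the management station's polls would be the only SNMP dropped and every other poller would be exempted. After applying the policy on a real device, confirm the classification with `show policy-map control-plane` and check that the `matchsnmp` counters climb only when an untrusted host polls.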

2 REPLIES
Re: SNMP packets deny

Thanks jclarke!

One or two hours after this post I found this: http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080740975.html

which is exactly what you explained above.

Thanks once more for your time!

Br,

Calin
