02-18-2008 06:31 AM
Hello all!
I'm wondering if there is any possibility other than an ACL to drop SNMP traffic on an interface (something like passive mode in OSPF, which ignores packets).
I've tried to find one but with no success so far. Maybe the ACL is the only way, but I thought it better to ask.
Thank you and have a nice day!
Br,
Calin
02-18-2008 07:11 AM
Depending on your IOS version, you could use control plane policing to drop SNMP packets bound for the device. This would not affect packet switching, and would not hinder performance like an interface ACL. Here is an example:
! ACL used as the class match criterion. In a class-map, a "deny" ACE
! excludes the packet from the class (it is NOT dropped); only packets
! that hit a "permit" ACE are matched by the class and acted on.
access-list 113 deny udp host 10.1.1.1 any eq 161
access-list 113 permit udp any any eq 161
!
class-map match-all matchsnmp
 match access-group 113
!
policy-map dropsnmp
 class matchsnmp
  drop
!
control-plane
 service-policy input dropsnmp
This would allow SNMP from 10.1.1.1, but deny it from any other host. Other traffic bound for this device would be permitted.
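The point that trips people up in the answer above is that the ACL's "deny" line is what lets 10.1.1.1 through: in a class-map, a deny ACE means "not in this class", so the packet falls to class-default and is permitted, while a permit ACE means "in this class" and gets the drop action. The following is an added example, not code from the original thread or from Cisco: a small Python model of first-match extended-ACL evaluation and of the CoPP class/drop decision, run against packets constructed here. The router address (192.0.2.1), the second ACL with a /24 management wildcard, and all packet values are assumptions for illustration; the model goes a little beyond the post by handling wildcard masks as well as the host keyword.

```python
"""Model of how a Cisco IOS CoPP class built from an ACL treats packets.

Added example, not from the original thread. It reproduces the logic of
the posted configuration: extended ACL 113 is the match criterion of
class-map "matchsnmp", and policy-map "dropsnmp" drops whatever that
class matches. A "deny" ACE in an ACL used by "match access-group" does
not drop anything; it excludes the packet from the class, so the packet
falls through to class-default and is permitted.
All addresses and packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp" or "ip" (ip matches any protocol)
    src: str              # "host 10.1.1.1", "10.1.1.0 0.0.0.255" or "any"
    dst: str
    dport: Optional[int]  # destination port from "eq N", None if absent


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_matches(spec: str, addr: str) -> bool:
    """Evaluate an IOS address spec (any / host X / X wildcard) against addr."""
    if spec == "any":
        return True
    parts = spec.split()
    ip = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host" or len(parts) == 1:
        # "host X" and a bare address both mean wildcard 0.0.0.0
        return ip == int(ipaddress.IPv4Address(parts[-1]))
    base, wildcard = (int(ipaddress.IPv4Address(p)) for p in parts)
    # Wildcard bits set to 1 are "don't care"; compare only the zero bits
    care = ~wildcard & 0xFFFFFFFF
    return (ip & care) == (base & care)


def acl_lookup(acl: List[Ace], pkt: Packet) -> str:
    """First-match ACL evaluation with IOS's implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not _addr_matches(ace.src, pkt.src) or not _addr_matches(ace.dst, pkt.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


def copp_action(acl: List[Ace], pkt: Packet) -> str:
    """Class 'matchsnmp' (ACL permit) -> drop; everything else -> class-default, permitted."""
    return "drop" if acl_lookup(acl, pkt) == "permit" else "permit"


# The ACL from the thread: exempt one NMS host, catch all other SNMP polls.
ACL_113 = [
    Ace("deny", "udp", "host 10.1.1.1", "any", 161),
    Ace("permit", "udp", "any", "any", 161),
]

# Assumed variant exempting a whole management /24 via a wildcard mask.
ACL_MGMT_SUBNET = [
    Ace("deny", "udp", "10.1.1.0 0.0.0.255", "any", 161),
    Ace("permit", "udp", "any", "any", 161),
]

ROUTER = "192.0.2.1"  # constructed address of the device's own interface


if __name__ == "__main__":
    samples = [
        Packet("10.1.1.1", ROUTER, "udp", 161),   # the allowed NMS
        Packet("10.1.1.2", ROUTER, "udp", 161),   # any other SNMP poller
        Packet("10.1.1.2", ROUTER, "tcp", 22),    # SSH, not in the class
        Packet("10.1.1.2", ROUTER, "udp", 162),   # port 162 is not covered
    ]
    for p in samples:
        print(f"{p.src:>10} {p.proto}/{p.dport:<4} acl={acl_lookup(ACL_113, p):6} "
              f"copp={copp_action(ACL_113, p)}")
```

Run as a script it prints the per-packet ACL result next to the resulting control-plane action, which makes the inversion visible: the one line that reads "deny" produces "permit". Note that the posted ACL only describes UDP/161, so nothing here says anything about SNMP reaching the device on any other port.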
02-18-2008 10:13 AM
Thanks jclarke!
An hour or two after this post I found this: http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080740975.html
which is exactly what you explained above.
Thanks once more for your time!
Br,
Calin