
New Member

How To Block a Protocol at the Router?

I am a little new to Cisco routers and need some assistance. I would like to know if it is possible, and how, to block SNMP at the router. If possible, please step me through the actions I will need to perform.

Thanks in advance!

5 REPLIES
Bronze

Re: How To Block a Protocol at the Router?

You block SNMP or any other IP traffic at the interface level by port number. SNMP is UDP port 161, so the command to block all SNMP traffic would be

! SNMP queries arrive with destination UDP port 161 and an arbitrary source port
access-list 101 deny udp any any eq snmp

access-list 101 permit ip any any

You then apply this to the interfaces with the following command

ip access-group 101 in

See the following URL for more information on access lists

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/scacls.htm

New Member

Re: How To Block a Protocol at the Router?

I am using a 2620 router.

I am in configure, then I enter the command "ip access-group 101 in" and get an error invalid input at... referencing group.

Any suggestions?

Bronze

Re: How To Block a Protocol at the Router?

Hello,

Where are you in the command modes? I think you are trying from GLOBAL configuration mode. Try it from INTERFACE configuration mode. You can reach that, let's assume for "Serial 0", as follows:

1. conf t

2. int s0

3. ip access-group 101 in

Regards...

--Ashok.

New Member

Re: How To Block a Protocol at the Router?

Ashok, if we just remove the SNMP communities, then is it enough?

New Member

Re: How To Block a Protocol at the Router?

Do you need to block SNMP from a single interface or all interfaces? Here is the command sequence:

Router>EN

Router#config t

Router(config)#ip access-list extended 101

Router(config-ext-nacl)#deny udp any any eq snmp

Router(config-ext-nacl)#deny udp any any eq snmptrap

Router(config-ext-nacl)#permit ip any any

Now do a CTRL+Z

You should now be at this prompt: Router#

Now verify your access list: show ip access-lists

You should see your access list

---now to apply it to an interface----

Router#config t

Router(config)#int f1 ---or whatever interface, e.g. s0/0, e0/0, etc.

Router(config-if)#ip access-group 101 in --inbound to the interface; out is also an option if you do not want to broadcast these packets to the network segment of the attached interface.

Now do a CTRL+Z

you should now be at the Router# prompt

now type:

Router#copy run start

Destination filename [startup-config]? (just hit enter)

Building configuration...

[OK]

Now you are done; you can repeat applying the list to any other interface.

JD
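
Added example (not part of any post in this thread): a small first-match evaluator for the kind of extended ACL entries discussed above, reporting per interface whether an inbound SNMP query (UDP destination port 161, ephemeral source port) would be denied. The sample configuration, the function names and the restriction to `any` addresses are assumptions made for illustration.

```python
import re

# Constructed sample config: ACL 101 matches on destination port only,
# ACL 102 requires source AND destination port to be snmp.
SAMPLE_CONFIG = """\
access-list 101 deny udp any any eq snmp
access-list 101 permit ip any any
access-list 102 deny udp any eq snmp any eq snmp
access-list 102 permit ip any any
interface Serial0
 ip access-group 101 in
interface FastEthernet0/0
 ip access-group 102 in
interface FastEthernet0/1
"""

PORTS = {"snmp": 161, "snmptrap": 162}
ACE = re.compile(r"access-list (\d+) (deny|permit) (ip|udp|tcp) any"
                 r"(?: eq (\S+))? any(?: eq (\S+))?$")

def port(tok):
    return None if tok is None else PORTS.get(tok) or int(tok)

def parse(config):
    """Return ({acl: [(action, proto, sport, dport)]}, {interface: inbound acl})."""
    acls, applied, iface = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        m = ACE.match(line)
        if m:
            acls.setdefault(m[1], []).append((m[2], m[3], port(m[4]), port(m[5])))
        elif line.startswith("interface "):
            iface = line.split()[1]
            applied[iface] = None
        elif (g := re.match(r"ip access-group (\d+) in$", line)) and iface:
            applied[iface] = g[1]
    return acls, applied

def verdict(entries, proto, sport, dport):
    """First matching entry wins; a non-empty ACL ends with an implicit deny."""
    for action, p, sp, dp in entries:
        if p in ("ip", proto) and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"

def snmp_exposure(config, sport=49152):
    """Per interface: fate of an inbound SNMP query sent from source port `sport`."""
    acls, applied = parse(config)
    # Interfaces without an inbound list (or with no entries defined) are unfiltered.
    return {i: verdict(acls[a], "udp", sport, 161) if a in acls else "permit (no ACL)"
            for i, a in applied.items()}
```

Calling `snmp_exposure(SAMPLE_CONFIG)` shows that the destination-port entry denies the query, while the entry that also pins the source port to 161 lets it fall through to `permit ip any any`.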
