Cisco Support Community
New Member

VACL for blocking SNMP read/write

Hello,

Because of security, we have to allow SNMP requests only from the MGT VLANs.

This is how I want to handle it:

ip access-list extended SECURE-SNMP
 remark *** mgt vlans ***

 deny udp 172.16.21.0 0.0.0.255 any eq snmp
 deny udp any eq snmp 172.16.21.0 0.0.0.255
 deny udp 172.16.200.0 0.0.0.255 any eq snmp
 deny udp any eq snmp 172.16.200.0 0.0.0.255

ip access-list extended SECURE-PERMIT-IP-ANY
 permit ip any any

vlan access-map SECURE-MGT 10
 action drop log
 match ip address SECURE-SNMP

vlan access-map SECURE-MGT 50
 action forward
 match ip address SECURE-PERMIT-IP-ANY

vlan filter SECURE-MGT vlan-list 110
 

Is this the correct way of handling it?

1 ACCEPTED SOLUTION


Hello

Looks okay, just one thing: by default the VACL action on a stanza is action forward, so you don't need to have the any-other-traffic entry to allow it.

vlan access-map SECURE-MGT 10
 action drop log
 match ip address SECURE-SNMP

vlan access-map SECURE-MGT 50
 

vlan filter SECURE-MGT vlan-list 110

 

res

Paul

 

Please don't forget to rate any posts that have been helpful. Thanks.
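Added illustration, not part of this thread and not Cisco's code: a small Python model of how a Catalyst VLAN map classifies packets, run over the question's configuration, over the accepted answer's shortened form, and over a variant with one extra permit ACE. The rule it models is the documented one for VACLs: a map entry matches a packet only when the ACL in its match clause permits it; a deny ACE, or the ACL's implicit deny, means the packet falls through to the next entry, and an entry without a match clause (as in the accepted answer) matches everything that reached it. The sample packets, the 172.16.110.0/24 addressing for VLAN 110 and the 10.9.8.7 "rogue" poller are constructed for the demo.

```python
"""Added model of Catalyst VLAN access-map (VACL) matching; illustrative, not Cisco code.
Rule: a map entry matches only when its ACL *permits* the packet; a deny ACE means "try the next entry"."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")

# The configuration from the question (typo 'andy' corrected) ...
POSTED = """
ip access-list extended SECURE-SNMP
 remark *** mgt vlans ***
 deny udp 172.16.21.0 0.0.0.255 any eq snmp
 deny udp any eq snmp 172.16.21.0 0.0.0.255
 deny udp 172.16.200.0 0.0.0.255 any eq snmp
 deny udp any eq snmp 172.16.200.0 0.0.0.255
ip access-list extended SECURE-PERMIT-IP-ANY
 permit ip any any
vlan access-map SECURE-MGT 10
 action drop log
 match ip address SECURE-SNMP
vlan access-map SECURE-MGT 50
 action forward
 match ip address SECURE-PERMIT-IP-ANY
vlan filter SECURE-MGT vlan-list 110
"""
# ... a variant with one extra permit ACE so non-management SNMP matches entry 10 ...
CORRECTED = POSTED.replace(
    " deny udp any eq snmp 172.16.200.0 0.0.0.255\n",
    " deny udp any eq snmp 172.16.200.0 0.0.0.255\n permit udp any any eq snmp\n")
# ... and the accepted answer's form: entry 50 with no action/match, default action forward.
SHORTENED = CORRECTED.replace(" action forward\n match ip address SECURE-PERMIT-IP-ANY\n", "")

def _in_block(ip, addr, wildcard):
    """Cisco wildcard-mask test: 0 bits must match, 1 bits are don't-care."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & mask) == (int(ipaddress.IPv4Address(addr)) & mask)

def _parse_endpoint(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tokens[0] == "any":
        addr, wc, rest = "0.0.0.0", "255.255.255.255", tokens[1:]
    elif tokens[0] == "host":
        addr, wc, rest = tokens[1], "0.0.0.0", tokens[2:]
    else:
        addr, wc, rest = tokens[0], tokens[1], tokens[2:]
    port = None
    if rest[:1] == ["eq"]:
        port, rest = (161 if rest[1] == "snmp" else int(rest[1])), rest[2:]
    return (addr, wc, port), rest

def parse_config(text):
    """Return ({acl: [(verdict, proto, src, dst)]}, {map: [{seq, action, acl}]})."""
    acls, maps, cur_acl, cur_map = {}, {}, None, None
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[:3] == ["ip", "access-list", "extended"]:
            cur_acl, cur_map = tok[3], None
            acls[cur_acl] = []
        elif tok[:2] == ["vlan", "access-map"]:
            cur_acl, cur_map = None, tok[2]
            maps.setdefault(cur_map, []).append({"seq": int(tok[3]), "action": "forward", "acl": None})
        elif cur_acl and tok[0] in ("permit", "deny"):
            src, rest = _parse_endpoint(tok[2:])
            dst, _ = _parse_endpoint(rest)
            acls[cur_acl].append((tok[0], tok[1], src, dst))
        elif cur_map and tok[0] == "action":
            maps[cur_map][-1]["action"] = tok[1]  # 'drop log' -> 'drop'
        elif cur_map and tok[:3] == ["match", "ip", "address"]:
            maps[cur_map][-1]["acl"] = tok[3]
    return acls, maps  # 'remark' and 'vlan filter' lines carry no match logic and are skipped

def acl_result(acl, pkt):
    """Ordinary first-match ACL evaluation with the implicit deny at the end."""
    for verdict, proto, (saddr, swc, sport), (daddr, dwc, dport) in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if not (_in_block(pkt.src, saddr, swc) and _in_block(pkt.dst, daddr, dwc)):
            continue
        if sport not in (None, pkt.sport) or dport not in (None, pkt.dport):
            continue
        return verdict
    return "deny"

def vacl_action(acls, maps, map_name, pkt):
    """Walk the map in sequence order; an entry without a match clause matches everything."""
    for entry in sorted(maps[map_name], key=lambda e: e["seq"]):
        if entry["acl"] is None or acl_result(acls[entry["acl"]], pkt) == "permit":
            return entry["action"]
    return "drop"  # no entry matched: the VLAN map's own implicit deny

# Constructed sample traffic on VLAN 110 (all addresses made up for the demo).
PACKETS = {
    "mgt_poll": Packet("172.16.21.5", "172.16.110.20", "udp", 50000, 161),
    "mgt_reply": Packet("172.16.110.20", "172.16.21.5", "udp", 161, 50000),
    "rogue_poll": Packet("10.9.8.7", "172.16.110.20", "udp", 50000, 161),
    "ssh": Packet("10.9.8.7", "172.16.110.20", "tcp", 50000, 22),
}

def evaluate(config_text, map_name="SECURE-MGT"):
    acls, maps = parse_config(config_text)
    return {n: vacl_action(acls, maps, map_name, p) for n, p in PACKETS.items()}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("corrected", CORRECTED), ("shortened", SHORTENED)):
        print(f"{label:>9}: {evaluate(cfg)}")
```

Run it and the point of the model shows up in the "rogue_poll" row: with the deny-only SECURE-SNMP ACL, entry 10 never matches any packet (every packet is either denied by an ACE or by the implicit deny), so SNMP from 10.9.8.7 falls through to entry 50 and is forwarded; nothing is dropped. Appending `permit udp any any eq snmp` after the four deny ACEs makes entry 10 match exactly the SNMP that did not come from or go to the management networks, which is then dropped, while management polls, their replies and non-SNMP traffic are still forwarded. The shortened map from the accepted answer behaves the same as the corrected long form. On the switch, `show vlan access-map` and `show vlan filter` confirm what was applied, and the `log` keyword on entry 10 is the quickest way to see whether the drop entry is actually matching.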
4 REPLIES

New Member

Thanks for your reply Paul, this is working fine for us.

Why not just apply an ACL to SNMP?

access-list 10 permit host 10.10.10.10

snmp-server community SoMeCoMmUnItY RO 10

And/or restrict on the management plane?

http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html#wp1054074

New Member

Hello Collin,

Thanks for your reply.

We use that for Cisco equipment, but we have to block SNMP to other systems as well.

 
