topic SOLVED: Nexus ACL to limit SNMP between VLANS in Network Management

SOLVED: Nexus ACL to limit SNMP between VLANS

ApjHouston — Thu, 10 Sep 2020 01:51:50 GMT

I'm not sure if I'm overthinking this but I'm not sure where to make the ACL for the following purpose...

We have a WiFi controller bridging VLANS directly into a Nexus switch, there has been SNMP traffic going to VLAN 5 from 50 but I only want VLANS 5 and 6 to have SNMP traffic.

I have previously worked with implementations where the traffic is passed into a Fortigate or Sophos and policies would be created to allow or block the traffic between VLAN networks. I have just started with this network and am having trouble working out how to utilize the Nexus properly for this configuration.

I initially went the route of trying an ip acl and found it's not going to work for the VLANs, I was reading about VACLs yesterday but also see some configuration for access-list copp.

For this purpose should I be looking to create a VACL or adjusting the copp acl with the VLAN 5 and 6 networks being allowed.

Thank you for any guidance.

Re: Nexus ACL to limit SNMP between VLANS

ApjHouston — Tue, 01 Sep 2020 06:44:51 GMT

I wasn't able to find an answer to this today, I used a test network with the configuration below but nothing is allowed through. When I try to use a sequence number for an access-map I get "ERROR: Mutltiple access-maps not supported". I was trying to think of a way to have the access-list only match the snmp part, allow the rest and I would just apply it to the VLAN I don't want sending SNMP.

Configuration I used that blocked everything;

ip access-list snmp-drop
10 permit udp any any eq snmp
11 permit udp any any eq snmptrap
exi
!
ip access-list permit-any
20 deny ip any any
exi
!
vlan access-map acl-snmp-drop
match ip address snmp-drop
match ip address permit-any
action drop
exi
vlan filter acl-snmp-drop vlan-list 51

I'll watch some videos tonight to try wrap my head around it but I'm open to suggestions.

Thanks again.

Re: Nexus ACL to limit SNMP between VLANS

ApjHouston — Thu, 10 Sep 2020 01:50:21 GMT

The Nexus does not support multiple access-maps, I had tested it working with multiple access-maps on a 2960 but I'm not sure which of my notes was the correct one so won't put it in here.

I had a ticket open with Cisco and Jason gave me a solution as below;
ip access-list BLOCK_SNMP_ACL
10 deny udp any any eq snmp
11 deny udp any any eq snmptrap
20 permit ip any any
!
vlan access-map BLOCK_SNMP
match ip address BLOCK_SNMP_ACL
action forward
stat
!
vlan filter BLOCK_SNMP vlan-list 50

I have tested it working with my MIB walk being blocked when applied and my HTTPS and ICMP tested still going through.

Re: Nexus ACL to limit SNMP between VLANS

Jason Leschnik — Wed, 23 Sep 2020 05:18:48 GMT

It was a pleasure working with you Apj!

Regards,

Jason.