
CSS11000 (Arrowpoint)

kefah
Level 1

Dear gurus,

Can anybody tell me how to securely implement SNMP on the CSS11000 (formerly known as Arrowpoint)? I want to allow only one IP address to receive SNMP information. Please help if you can.

Like what you do through an access list in routers.

Thanks

4 Replies

pknoops
Level 3

I can't really speak on how to do this on the router, but on the CSS you can configure the CSS to only allow it to receive a request to its circuit VLAN for an SNMP request from a specific workstation.

For example

SNMP workstation polling the CSS - 10.1.1.1

CSS circuit ip address and on VLAN1 - 172.1.1.1

You could use ACLs on the CSS, with this one in particular, to only allow a request from this workstation on port 161:

acl 25

clause 10 permit any 10.1.1.1 255.255.255.255 destination 172.1.1.1 255.255.255.255 eq 161

clause permit any any dest any

apply circuit-(VLAN1)

10.1.1.1 255.255.255.255 - only allows that host. You can play with the mask if you want more hosts in that subnet to SNMP into the CSS.

172.1.1.1 255.255.255.255 - same thing here: the specific host IP address for the circuit VLAN of the CSS.

Apply it to circuit VLAN1 to analyze the incoming traffic to VLAN1. Add necessary VLANs as needed.

Regards

Pete Knoops

Cisco Systems

p.kodzis
Level 1

acl enable

acl 1

clause 11 permit udp [the one ip] destination [css ip] eq 161

clause 41 deny udp any destination [css ip] eq 161

clause 50 permit any any destination any

apply circuit-(VLAN1)

Perfect!! You've got the idea here!!

Pete..

Got it!

Thank you so much all of you!

Regards,
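
The two ACLs posted in this thread, compared in a small first-match evaluator (an added example, not part of the original posts and not CSS code). It assumes clauses are checked in ascending clause-number order with the first match deciding; the clause number 20, the substituted example addresses, and the test packets are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Model assumption (not taken from CSS documentation on this page): clauses are
# checked in ascending clause-number order and the first match decides.
ANY = ip_network("0.0.0.0/0")
MGMT = ip_network("10.1.1.1/32")   # SNMP workstation from the thread's example
CSS = ip_network("172.1.1.1/32")   # CSS circuit address from the thread's example

# (clause number, action, protocol, source, destination, destination port)
ACL_PERMIT_ONLY = [  # first reply; its unnumbered clause is given number 20 here
    (10, "permit", "any", MGMT, CSS, 161),
    (20, "permit", "any", ANY, ANY, None),
]
ACL_WITH_DENY = [    # second reply, placeholders filled with the example addresses
    (11, "permit", "udp", MGMT, CSS, 161),
    (41, "deny", "udp", ANY, CSS, 161),
    (50, "permit", "any", ANY, ANY, None),
]

def evaluate(acl, proto, src, dst, dport):
    """Return (clause number, action) of the first clause matching the packet."""
    for num, action, c_proto, c_src, c_dst, c_port in sorted(acl, key=lambda c: c[0]):
        if c_proto not in ("any", proto):
            continue
        if ip_address(src) not in c_src or ip_address(dst) not in c_dst:
            continue
        if c_port is not None and c_port != dport:
            continue
        return num, action
    return None, "deny"  # assumed implicit deny when nothing matches

def audit(acl, packets):
    """Map each test packet label to the decision the ACL makes for it."""
    return {label: evaluate(acl, *pkt) for label, pkt in packets.items()}

# Constructed test packets: (protocol, source, destination, destination port)
PACKETS = {
    "snmp from workstation": ("udp", "10.1.1.1", "172.1.1.1", 161),
    "snmp from other host": ("udp", "10.1.1.99", "172.1.1.1", 161),
    "web to other address": ("tcp", "10.1.1.99", "172.1.1.80", 80),
}

if __name__ == "__main__":
    for name, acl in (("permit-only", ACL_PERMIT_ONLY), ("with deny", ACL_WITH_DENY)):
        for label, decision in audit(acl, PACKETS).items():
            print(f"{name:12} {label:24} -> clause {decision[0]} {decision[1]}")
```

Under this model, SNMP from any other host falls through to the trailing permit in the first ACL, while clause 41 in the second ACL stops it before clause 50 is reached.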
