10-27-2002 12:50 AM
Dear gurus,
Can anybody tell me how to securely implement SNMP on CSS11000 (formerly known as Arrowpoint)? I want to allow only one IP address to receive SNMP information. Please help if you can.
Like what you do through an access-list in routers.
Thanks
10-29-2002 04:48 AM
I can't really speak on how to do this on the router, but on the CSS you can configure the CSS to only allow an SNMP request to its circuit VLAN from a specific workstation.
For example
SNMP workstation polling the CSS - 10.1.1.1
CSS circuit ip address and on VLAN1 - 172.1.1.1
You could use ACLs on the CSS, with this one in particular, to only allow a request from this workstation on port 161:
acl 25
clause 10 permit any 10.1.1.1 255.255.255.255 destination 172.1.1.1 255.255.255.255 eq 161
clause 20 permit any any destination any
apply circuit-(VLAN1)
10.1.1.1 255.255.255.255 - only allows that host. You can play with the mask if you want more hosts in that subnet to SNMP into the CSS.
172.1.1.1 255.255.255.255 - same thing here. Specific host IP address for the circuit VLAN of the CSS.
Apply it to circuit VLAN1 to analyze the incoming traffic to VLAN1. Add necessary VLANs as needed.
Regards
Pete Knoops
Cisco Systems
10-31-2002 02:41 AM
acl enable
acl 1
clause 11 permit udp [the one ip] destination [css ip] eq 161
clause 41 deny udp any destination [css ip] eq 161
clause 50 permit any any destination any
apply circuit-(VLAN1)
10-31-2002 04:39 AM
Perfect!! You've got the idea here!!
Pete..
11-03-2002 03:34 AM
Got it!
Thank you so much all of you!
Regards,
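Added example (not code from any poster or from Cisco): a small Python model of the two ACLs posted in this thread, showing which sources each one lets reach UDP/161 on the CSS circuit address and why the explicit deny clause matters. It assumes lowest-numbered-match-wins evaluation with an implicit deny; the probe addresses other than 10.1.1.1 are constructed, and clause number 20 in the first ACL is an assumed value.

```python
import ipaddress
from typing import NamedTuple, Optional

class Clause(NamedTuple):
    num: int
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp" or "any"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None means any port

def _ip_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def evaluate(acl, proto, src, dst, dport):
    """Action of the lowest-numbered matching clause (assumed first-match model)."""
    for c in sorted(acl, key=lambda c: c.num):
        if (c.proto in ("any", proto) and _ip_match(c.src, src)
                and _ip_match(c.dst, dst) and c.dport in (None, dport)):
            return c.action
    return "deny"  # assumed implicit deny when nothing matches

# Addresses from the thread's example
NMS, CSS = "10.1.1.1", "172.1.1.1"

# First ACL from the thread (its second clause number is assumed to be 20)
ACL_25 = [
    Clause(10, "permit", "any", NMS + "/32", CSS + "/32", 161),
    Clause(20, "permit", "any", "any", "any", None),
]

# Second ACL from the thread, placeholders filled with the example addresses
ACL_1 = [
    Clause(11, "permit", "udp", NMS + "/32", CSS + "/32", 161),
    Clause(41, "deny", "udp", "any", CSS + "/32", 161),
    Clause(50, "permit", "any", "any", "any", None),
]

# Constructed probe sources: the NMS, a neighbour in its subnet, an outside host
PROBES = [NMS, "10.1.1.50", "192.0.2.7"]

def allowed_snmp_sources(acl, sources):
    """Sources whose UDP/161 request to the CSS circuit address is permitted."""
    return [s for s in sources if evaluate(acl, "udp", s, CSS, 161) == "permit"]

if __name__ == "__main__":
    print("acl 25:", allowed_snmp_sources(ACL_25, PROBES))
    print("acl 1: ", allowed_snmp_sources(ACL_1, PROBES))
```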