03-23-2020 11:17 AM - edited 03-23-2020 11:18 AM
Hello we have a cisco 3750X-48P in stack with multiple VLAN and ip routing enable
We have a device 192.168.10.139 on VLAN10 that have SNMP enable and we can turn if off because it's an old device
How can we deny snmp to this device for any vlan ?
Also how we could allow SNMP for just one ip address ( the server that monitor device)
I never really use access-list
Thanks for your help
03-23-2020 12:46 PM - edited 03-24-2020 01:26 AM
here is ACL example :
access-list 10 deny udp any 192.168.10.139 0.0.0.0 eq snmp
!
int vlan X
ip access-group 10 in
EDIT :
@Richard Burts you may be right, i may have gnored last bit of the orginal post - he looking to allow also for the specific device.
So let me re-review this, what is this device ? do you have any control on the device to allow only required device to query SNMP - if possible do it at device level.
- quick fix is, just change the coomunity string so only known SNMP device can query.
- or as suggested we can suggest for extended access list to allow only 1 IP address to query to that device.
03-23-2020 02:29 PM
I find several things about the original post confusing which makes it difficult to give good suggestions. But a couple of things were clear, there is a host in vlan 10 with address 192.168.10.139 and they want to deny SNMP for that device. Based on what is clear I would suggest that there are several possibilities which could achieve the objective of deny SNMP for that host (note that to deny SNMP for that host we can either deny SNMP from that host to a server, or we can deny SNMP from a server to that host):
1) an access list which would deny SNMP to that host. This access list would be applied outbound on interface vlan 10.
2) an access list which would deny SNMP from that host. This access list would be applied inbound on interface vlan 10.
3) an access list which would deny SNMP from that host. This access list would be applied outbound on the interface where the SNMP server is connected. This would be the most complicated solution and I do not recommend it.
The solution suggested by @balaji.bandi appears to be an implementation of 1). But there are several issues with this suggestion.
- The access list to accomplish this needs to be an extended access list. But access list 10 is a standard access list and not extended.
- The access list denying SNMP to the host needs to be applied outbound and this suggestion applies it inbound.
03-24-2020 05:35 AM
The device is an old device that was made back in 2013 so there is not a lot of control i can do. The manufacturer recommanded me to do this at the switch level. So i think that #1 would be the best option for me. Can you tell me what would be the best command
Thanks for your help !
03-24-2020 01:42 PM
If you can help us understand better what it is that you want to achieve then we can make better suggestions. The first part of the question may be easier to understand. You ask "How can we deny snmp to this device for any vlan". I can see 3 alternatives about this:
1) prevent that device from sending any SNMP to any other device on a remote network.
2) prevent any device on a remote network from sending any SNMP to that device.
3) prevent both sending and receiving SNMP by that device.
If you can help us understand which it is that you want we can suggest how to do it.
You also ask something else that I am not clear about.
"how we could allow SNMP for just one ip address ( the server that monitor device)"
Is this making an exception to the requirement in the first question? Or is this something separate?
03-25-2020 05:52 AM - edited 03-25-2020 05:53 AM
I would like that any device on all vlan on the network cannot send any SNMP packets except 2 ip address in vlan10 (192.168.10.xx and 192.168.10.yy)
192.168.10.xx is the server that monitor device on the network and yy is my pc for testing
We have multiple vlan (80-81-82-83-84-85-86-87-88....etc)
Thanks !
03-25-2020 07:40 AM
I believe that we have a better understanding of what you are trying to do. It can be addressed in 2 parts. The first part is about devices in other vlans not being able to send SNMP to this host 192.168.10.139. The previous suggestion from @balaji.bandi can be modified and could achieve the control that you want. If you make the access list into an extended access list (perhaps access-list 100 rather than access-list 10) with the same deny any 192.168.10.139 0.0.0.0 eq SNMP it would prevent snmp from remote vlans. Note that to allow traffic to other devices in the vlan that you need a second line in access-list 100 permit ip any any. Then apply the access list out rather than apply it in.
The second part is to allow 2 devices in the same vlan to send snmp to the host. The good news is that this is enabled by default. Any device within the same vlan (same subnet) can send to this host and since it does not need to go through the switch to reach the destination then the access list has no impact on it.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide