Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1983
Views
0
Helpful
4
Replies

deny SNMP access on WAN

Michael Bartholomæussen
Level 1
Level 1

‎10-27-2016 12:16 AM

Hi,

This is a low-tech question, but recently I've been getting numerous community string errors on our WAN switch.

The ACL on our WAN interface has an ACE with "deny udp any any eq snmp"  - inbound - but I'm still getting the errors?

What am I missing here?

Regards,

Michael

Labels:
0 Helpful
4 Replies 4

Milos Megis
Level 3
Level 3

‎10-28-2016 12:27 AM

I am not sure but try this:
(config)#snmp-server community COMMUNITY ro ?
<1-99> Std IP accesslist allowing access with this community string
<1300-1999> Expanded IP accesslist allowing access with this community
string
WORD Access-list name
ipv6 Specify IPv6 Named Access-List

And except of question mark put name or number of ACL

Maybe you can create standard ACL:
Permit IP_address wildcard_mask and use this ACL

IP address range will be your private network and all other traffic will be denied by implicit deny any on the end of ACL

0 Helpful

Michael Bartholomæussen
Level 1
Level 1
In response to Milos Megis

‎10-31-2016 11:26 AM

I've already put an ACL on SNMP access with "permit udp any "IP OF SERVER" eq snmp", and the ACL i've mentioned above, I have applied to all external interfaces.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Michael Bartholomæussen

‎11-01-2016 12:56 PM

You have to call out the ACL in the snmp-server line explicitly.

Applying it to the interface only affects traffic through the box - not traffic to the box.

An alternative / additional technique you can use is Management Plane Protection (MPP). Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html#wp1061312

0 Helpful

Michael Bartholomæussen
Level 1
Level 1
In response to Marvin Rhoads

‎11-03-2016 04:17 AM

Hi Marvin,

I've looked into MPP, and our Cat4506e doesn't seem to support it - please correct me if i'm wrong.

SNMP access is only allowed from our 99 network. Here is the ACL:

Standard IP access list 1
10 permit 192.168.99.0, wildcard bits 0.0.0.255

SNMP server i configured like this:

snmp-server group NORMAL v3 priv read NORMAL write NORMAL access 1

We are using HP iMC as NMS, and every now and then I'm receiving an SNMP traps like this one:

1.3.6.1.4.1.9.9.412.1.1.2.0 94.102.48.193

lookup from Cisco object Navigator:

"This contains the address of the host from which
snmp-agent has received a SNMP message that is not
authentic."

I'm thinking about wiresharking all ingress traffic on our WAN interface, but It could result i a hugh capture since the traps can be hours apart - any idea how to handle this?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents