There is no snmp-server enable traps configured. The output of show snmp confirms that SNMP global trap and SNMP logging are disabled. The only command configured is snmp-server community XX. Why, when I run a scan tool, does it show that port udp 162 (snmptrap) is open?
How can I disable this port? This behavior happens on switches 2950, 3550 and 3750, but not on switch 2924.
Thanks in advance for your attention,
If you just want to turn off SNMP completely, then you can do a no snmp-server on the CLI. Then a show snmp would show %SNMP agent not enabled to verify this. Or you can also apply an extended ACL to deny protocol UDP, ports 161 and 162, at the interface level such that SNMP access to the device is allowed only from the network management workstations.
In fact, I'd like to understand why this port is open if I did not enable traps. I understood that there are only two options to enable traps:
using the commands snmp-server enable traps or snmp-server host X.
In this case, neither of the commands are enabled.
It seems that on those switches (3750, 2950, 3550), even when you enable only snmp-server community X, both ports udp 161 and 162 are open.
It seems that udp 162 stays open but is not being used, because no traps or informs are enabled to be sent. So in this case there is no problem in having this port open. I'd like to confirm this, or whether there is any way to close this port but still keep port 161 open (the NMS needs only 161 enabled)?
The switches do not need to be listening for snmp traps and they were not configured to be. This is the question, why this port appears?
Thanks in advance,
My conjecture would be that the software is not built from the ground up with a strong security model in mind. Modules or code sections opening ports may be implemented separately from the services on the box that use those modules. Historically the default model for IOS/CatOS has not been "deny all and allow only that which is explicitly allowed" (e.g., a strong approach to security) but rather a platform for services in what used to be a much more benign environment.
Hope this helps, please rate helpful posts.
The only way I can think of to disable it, and I haven't tested this, would be the following:
snmp-server community XX 100
access-list 100 deny udp any any eq 162
access-list 100 permit udp host (NMS IP) any eq 161
access-list 100 deny ip any any
This should block any packets coming in on port 162, and only allow your NMS to poll it on port 161.
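As an added worked example (not configuration posted by anyone in this thread), the following IOS configuration combines the two suggestions made above: a standard ACL bound to the community so that only the NMS may use the community string, and an extended ACL on the management SVI that permits SNMP polls (UDP 161) from the NMS only and drops anything sent to the trap port (UDP 162). The NMS address 192.0.2.10, the ACL names and numbers, and the Vlan1 management interface are all constructed for the example; substitute your own. The port keywords snmp and snmptrap are the IOS names for UDP 161 and 162.

```cisco
! --- Restrict who may use the community string (standard ACL, source only) ---
! Constructed NMS address; replace with the real management station
access-list 10 permit host 192.0.2.10
snmp-server community XX RO 10
!
! --- Filter SNMP at the interface level (extended ACL on the management SVI) ---
ip access-list extended MGMT-IN
 ! Allow the NMS to poll the agent on UDP 161
 permit udp host 192.0.2.10 any eq snmp
 ! Drop anything aimed at the trap listener on UDP 162, from any source
 deny   udp any any eq snmptrap
 ! Drop SNMP polls from every other source
 deny   udp any any eq snmp
 ! Leave all other management traffic (SSH, Telnet, etc.) unaffected
 permit ip any any
!
interface Vlan1
 ip access-group MGMT-IN in
!
! --- Verification ---
! show ip access-lists MGMT-IN   (hit counters on the deny lines confirm filtering)
! show snmp                       (agent still enabled; traps still not sent)
```

Two caveats for this platform family: the router ACL on an SVI is honoured on the 3550 and 3750, whereas on a 2950 ACLs are applied inbound on physical ports instead, so place the access-group accordingly. Also, an ACL filters packets but does not stop the agent from listening, so a scan from a host other than the NMS will report 162 (and 161) as filtered rather than closed; a scan from the NMS itself will still see 161 open, which is the intended result.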
Thank you all for the attention and replies.
It really seems that the SNMP agent enables/opens this port unnecessarily. I wanted to disable/close the port but it seems I only have the option to filter the access.