03-29-2006 04:40 AM
Sirs,
There is no snmp-server enable traps configured. The show snmp confirms that snmp global trap and snmp logging are disabled. The only command configured is snmp-server community XX. Why, when I run a scan tool, does it show that port udp 162 (snmptrap) is open?
How can I disable this port? This behavior happens in switch 2950, 3550 and 3750. Not in switch 2924.
Thanks in advance for your attention,
Marcelle.
03-29-2006 11:14 AM
If you just want to turn off SNMP completely, then you can do a no snmp-server on the CLI. Then a show snmp would show %SNMP agent not enabled to verify this. Or you can also apply an extended ACL to deny protocol UDP, port 161 and 162, at the interface level such that SNMP access to the device is allowed only from the network management workstations.
03-29-2006 11:55 AM
But why does a router/switch need to be listening for SNMP traps?
03-30-2006 10:37 AM
In fact, I'd like to understand why this port is open if I did not enable traps. I understood that there are only two options to enable traps:
using the commands snmp-server enable traps or snmp-server host X.
In this case, neither of the commands are enabled.
It seems that on those switches (3750, 2950, 3550), even when you enable only snmp-server community X, both ports udp 161 and 162 are open.
It seems that the udp 162 stays open but it's not being used because no traps or informs are enabled to be sent. So in this case, there is no problem in having this port open. I'd like to confirm this, or is there any way to close this port but still have port 161 open? The NMS needs only 161 enabled.
The switches do not need to be listening for snmp traps and they were not configured to be. This is the question: why does this port appear?
Thanks in advance,
03-30-2006 12:38 PM
My conjecture would be that the software is not built from the ground up with a strong security model in mind. Modules or code sections opening ports may be implemented separately from the services on the box that use those modules. Historically the default model for IOS/CatOS has not been "deny all and allow only that which is explicitly allowed" (e.g., a strong approach to security) but rather a platform for services in what used to be a much more benign environment.
Hope this helps, please rate helpful posts.
03-30-2006 01:25 PM
The only way I can think of to disable it, and I haven't tested this, would be the following:
snmp-server community XX 100
access-list 100 deny udp any any eq 162
access-list 100 permit udp host (NMS IP) any eq 161
access-list 100 deny ip any any
This should block any packets coming in on port 162, and only allow your NMS to poll it on port 161.
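As an added illustration (not part of any post in this thread, and not Cisco's code), the following Python script is a minimal first-match evaluator for IOS-style extended ACL lines. It runs the three-line ACL from the post above, with the permit line written as "host NMS any eq 161", against constructed sample packets, and also shows why "eq 161" placed before the destination is a source-port match that would never match a normal poll, whose source port is ephemeral. The NMS and switch addresses are made up for the example. Two caveats a practitioner will want: an ACL attached to snmp-server community only filters the source address of requests to the agent, so a port-based filter like this one belongs on an interface as the earlier reply suggests; and applied to an interface, the final deny ip any any also drops every other inbound protocol, so further permit lines are needed there.

```python
"""Constructed example: first-match evaluation of IOS-style extended ACL lines
against sample packets. Not real IOS code; the addresses are made up."""
import ipaddress
from dataclasses import dataclass

NMS = "10.1.1.5"        # assumed management station address
SWITCH = "10.1.1.1"     # assumed switch SVI address

# The ACL from the thread, with the permit line in valid 'src dst eq port' order.
SNMP_ACL = [
    "access-list 100 deny udp any any eq 162",
    f"access-list 100 permit udp host {NMS} any eq 161",
    "access-list 100 deny ip any any",
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp", "tcp", ...
    sport: int
    dport: int


def _parse_addr(tokens, i):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network((addr, str(netmask)), strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq N'; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"unsupported ACL line: {line}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)       # 'eq' here applies to the SOURCE port
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)       # 'eq' here applies to the DESTINATION port
    if i != len(t):
        raise ValueError(f"trailing tokens in ACL line: {line}")
    return action, proto, src, sport, dst, dport


def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for the first matching entry; implicit deny at the end."""
    for line in acl_lines:
        action, proto, src, sport, dst, dport = parse_ace(line)
        if proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in src:
            continue
        if ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


def thread_results():
    """Run the thread's scenario: NMS poll, poll from another host, packet to udp/162."""
    poll = Packet(NMS, SWITCH, "udp", 40001, 161)           # ephemeral source port
    other_poll = Packet("10.9.9.9", SWITCH, "udp", 40002, 161)
    to_trap_port = Packet("10.9.9.9", SWITCH, "udp", 40003, 162)
    # 'eq 161' before the destination matches the source port, so the NMS poll misses it.
    sport_mistake_acl = [f"access-list 100 permit udp host {NMS} eq 161 any"]
    return {
        "nms_poll": evaluate(SNMP_ACL, poll),
        "other_host_poll": evaluate(SNMP_ACL, other_poll),
        "to_udp_162": evaluate(SNMP_ACL, to_trap_port),
        "eq_in_source_position": evaluate(sport_mistake_acl, poll),
    }


if __name__ == "__main__":
    for name, verdict in thread_results().items():
        print(f"{name}: {verdict}")
```

Running it prints permit for the NMS poll and deny for the other three cases, which is the behaviour the post is after for udp/161 and udp/162 from the perspective of an inbound interface ACL.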
03-31-2006 04:23 AM
Thank you all for the attention and replies.
It really seems that the snmp agent enables/opens this port unnecessarily. I wanted to disable/close the port but it seems I only have the option to filter the access.
05-18-2018 10:31 AM
But if I check with the command show sockets connections, is the port still open or closed?