How to disable port udp 162 ( snmptrap)?

mmadruga
Level 1

Sirs,

There is no snmp-server enable traps configured. The show snmp output confirms that SNMP global traps and SNMP logging are disabled. The only command configured is snmp-server community XX. Why, when I run a scan tool, does it show that port UDP 162 (snmptrap) is open?

How can I disable this port? This behavior happens on the 2950, 3550 and 3750 switches, but not on the 2924.

Thanks in advance for your attention,

Marcelle.

7 Replies

rmushtaq
Level 8

If you just want to turn off SNMP completely, then you can do a no snmp-server on the CLI. Then a show snmp would show %SNMP agent not enabled to verify this. Or you can also apply an extended ACL to deny protocol UDP, ports 161 and 162, at the interface level such that SNMP access to the device is allowed only from the network management workstations.

But why does a router/switch need to be listening for SNMP traps?

In fact, I'd like to understand why this port is open if I did not enable traps. I understood that there are only two options to enable traps:

using the commands snmp-server enable traps or snmp-server host X.

In this case, neither of the commands is enabled.

It seems that on those switches (3750, 2950, 3550), even when you enable only snmp-server community X, both ports UDP 161 and 162 are open.

It seems that UDP 162 stays open but is not being used, because no traps or informs are enabled to be sent. So in this case there is no problem in having this port open. I'd like to confirm this, or is there any way to close this port but still have port 161 open? The NMS needs only 161 enabled.

The switches do not need to be listening for SNMP traps and they were not configured to. This is the question: why does this port appear?

Thanks in advance,

My conjecture would be that the software is not built from the ground up with a strong security model in mind. Modules or code sections opening ports may be implemented separately from the services on the box that use those modules. Historically the default model for IOS/CatOS has not been "deny all and allow only that which is explicitly allowed" (e.g., a strong approach to security) but rather a platform for services in what used to be a much more benign environment.

Hope this helps, please rate helpful posts.

vettrock
Level 1

The only way I can think of to disable it, and I haven't tested this, would be the following:

snmp-server community XX 100
access-list 100 remark Drop anything aimed at the trap port, let only the NMS poll on 161
access-list 100 deny udp any any eq 162
access-list 100 permit udp (NMS IP) 0.0.0.0 any eq 161
access-list 100 deny ip any any

(In an extended ACL the port operator that follows the source address is the source port; the destination port goes after the destination address, so the permit line needs the any before eq 161.)

This should block any packets coming in on port 162, and only allow your NMS to poll it on port 161.
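To see what an ACL like the one above actually matches, here is an added Python example (not from this thread or from Cisco) that parses numbered extended ACEs and evaluates sample packets first-match, the way IOS does for an ACL applied inbound on an interface. It assumes 10.0.0.5 as the NMS address and 192.0.2.1 as the switch, and it also shows that an eq placed right after the source address is a source port, not a destination port.

```python
import ipaddress

# Constructed copy of the extended ACL suggested above; 10.0.0.5 is an
# assumed NMS address standing in for the "(NMS IP)" placeholder.
ACL_100 = [
    "access-list 100 deny udp any any eq 162",
    "access-list 100 permit udp host 10.0.0.5 any eq 161",
    "access-list 100 deny ip any any",
]

def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A Cisco wildcard mask sets 1 bits for "don't care"; invert it to a
    # netmask (contiguous wildcards only, which covers this thread's ACL).
    mask = ".".join(str(255 - int(o)) for o in tokens[1].split("."))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def _parse_port(tokens):
    """Consume an optional 'eq N' port operator (the only operator handled here)."""
    if tokens[:1] == ["eq"]:
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse a numbered extended ACE. An 'eq' right after the source address
    is a SOURCE port; the destination port comes after the destination address."""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _parse_addr(t[4:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, _ = _parse_port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def evaluate(acl, proto, src_ip, sport, dst_ip, dport):
    """First-match evaluation, ending in IOS's implicit 'deny ip any any'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto) or src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["action"]
    return "deny"

if __name__ == "__main__":
    for pkt in [("udp", "10.0.0.5", 40000, "192.0.2.1", 161),   # NMS poll
                ("udp", "10.0.0.5", 40000, "192.0.2.1", 162),   # NMS to trap port
                ("udp", "10.0.0.9", 40000, "192.0.2.1", 161)]:  # other host poll
        print(pkt, "->", evaluate(ACL_100, *pkt))
```

Cisco documents the access list bound to snmp-server community as a standard (source-address) list, so the port-based deny on 162 only takes effect when the ACL is applied inbound on an interface, as rmushtaq suggests.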

Thank you all for the attention and replies.

It really seems that the SNMP agent enables/opens this port unnecessarily. I wanted to disable/close the port, but it seems I only have the option to filter the access.

But if I check with the command show sockets connections, will the port still show as open or closed?
