show snmp stats hosts shows a large number of external IPs

ahassiotis1
Level 1

EX-RO01#show snmp stats hosts
Request Count   Last Timestamp   Address
          661   00:00:00 ago     119.147.192.2
         1301   00:00:00 ago     119.147.192.78
          425   00:00:00 ago     119.147.192.73
          752   00:00:00 ago     119.147.192.131
          513   00:00:00 ago     119.147.192.161
          145   00:00:00 ago     119.147.192.69
          163   00:00:00 ago     119.147.192.118
          220   00:00:00 ago     119.147.192.125
          782   00:00:00 ago     119.147.192.134
          152   00:00:00 ago     119.147.192.1
           15   00:00:00 ago     119.147.192.106
         3808   00:00:00 ago     119.147.192.120

 

I can't seem to find a way to block these IPs from hitting my router.

snmp-server group mysnmpgroup v3 priv access 61

groupname: mysnmpgroup security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active access-list: 61

snmp-server community mycommunity RO 61

ip access-list standard 61
10 permit 172.16.4.30

7 Replies

balaji.bandi
Hall of Fame

What device model and what IOS code are you running?

I have the config below on IOS and IOS XE and it works as expected.

snmp-server group testsnmp_v3 v3 priv access My_ACL_IN
ip access-list standard My_ACL_IN
10 permit 192.168.100.1

 

If there is still an issue, post the show run config; you can also try an ACL on the interface.

BB
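As an added illustration of the "ACL on the interface" suggestion above (this is added example configuration, not config from the thread or from Cisco documentation): an inbound ACL on the Internet-facing interface that drops SNMP addressed to the router before the SNMP agent or the zone-based firewall ever sees it, while leaving everything else to the existing inspection policy. The interface name GigabitEthernet0/0/1, the router's public address 203.0.113.1 and the ACL name EXTERNAL_IN are assumptions.

```cisco
! Added example, not the original poster's configuration.
! Assumptions: Internet-facing interface is GigabitEthernet0/0/1 and the
! router's own public address on it is 203.0.113.1.
! An inbound interface ACL is evaluated before ZBFW and before the SNMP
! agent, so polls from outside are discarded at the interface and never
! reach the snmp-server community/group ACL at all.
ip access-list extended EXTERNAL_IN
 remark SNMP (161) and SNMP traps (162) to the router itself are never
 remark accepted from the outside; the NMS polls over the inside interface
 10 deny udp any host 203.0.113.1 eq snmp
 20 deny udp any host 203.0.113.1 eq snmptrap
 remark everything else is still subject to the zone-based firewall
 30 permit ip any any
!
interface GigabitEthernet0/0/1
 ip access-group EXTERNAL_IN in
```

To verify, watch the hit counters with `show ip access-lists EXTERNAL_IN` and confirm that the request counts in `show snmp stats hosts` for the outside addresses stop increasing. Avoid adding `log` to the deny entries at the request rates shown in the thread; logging every dropped poll costs far more CPU than the polls themselves. The ACL on the snmp-server group and community is still worth keeping, since it also covers SNMP arriving on any other interface.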


ahassiotis1
Level 1

It's C8300-1N1S-6T 

Cisco IOS XE Software, Version 17.09.04a

I use zones for securing the external interface, no ACL.

interface GigabitEthernet0/0/1
 zone-member security external

class-map type inspect match-all internet_in_map
 match access-group name internet_in

policy-map type inspect internet_in_policy
 class type inspect internet_in_map
  inspect

service-policy type inspect internet_in_policy

ip access-list extended internet_in
10 deny ip 0.0.0.0 0.255.255.255 any
20 deny icmp any any timestamp-request
30 deny icmp any any timestamp-reply
40 permit icmp any any
50 deny ip 10.0.0.0 0.255.255.255 any
60 deny ip 100.64.0.0 0.63.255.255 any
70 deny ip 127.0.0.0 0.255.255.255 any
80 deny ip 169.254.0.0 0.0.255.255 any
90 deny ip 172.16.0.0 0.15.255.255 any
100 deny ip 192.0.2.0 0.0.0.255 any
110 deny ip 192.168.0.0 0.0.255.255 any
120 deny ip 198.18.0.0 0.1.255.255 any
130 deny ip 198.51.100.0 0.0.0.255 any
140 deny ip 203.0.113.0 0.0.0.255 any
150 deny ip 240.0.0.0 15.255.255.255 any
151 remark deny snmp attack
152 deny udp 119.147.192.0 0.0.0.255 any

....

and since I haven't made any change, it's still an issue.

What zone pair do you use?

MHM

ahassiotis1
Level 1

Usual config:

zone-pair security in_out source internal destination external
zone-pair security out_in source external destination internal

You need more zone pairs:

Zone pair out to self

Zone pair self to out

Add an ACL for SNMP (allowing traffic from the specific server) to the class map and policy map with the action pass.

Then check

MHM

Or try @balaji.bandi's suggestion if you don't need to add more zone pairs.

A zone pair in to out OR out to in does not prevent traffic toward the router itself.

MHM

Thanks for pointing that out. I need to make it work though, as when applying the external-to-self and self-to-external pairs, it's dropping my BGP sessions.
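An added worked configuration for the external-to-self and self-to-external zone pairs recommended above, including the part that keeps BGP alive; this is example configuration, not the poster's config. The deny entries added to internet_in only affect the external-to-internal pair, because that pair governs traffic routed through the router, not traffic addressed to it. As soon as any zone pair touches the self zone, traffic between that zone and the router that matches no class falls into class-default and is dropped, which is the usual reason BGP sessions fail the moment those pairs are applied: BGP, ICMP and anything else the router itself must exchange with the outside then needs an explicit pass in both directions. The zone name external is taken from the thread; the BGP peer 203.0.113.2 and the ACL, class-map, policy-map and zone-pair names are assumptions. The NMS at 172.16.4.30 reaches the router from the internal side, so these pairs do not touch it, and SNMP is deliberately left out of the external-to-self class so that nothing on the Internet can poll the router.

```cisco
! Added example, not the original poster's configuration.
! Assumptions: BGP peer is 203.0.113.2; the NMS (172.16.4.30) polls the
! router over the internal zone, so it is not affected by these pairs.
! "pass" is stateless, so a TCP session must be permitted in both
! directions and for both possible initiators (router or peer).

ip access-list extended EXT_TO_SELF
 remark BGP: peer-initiated session (dst 179) and replies to a router-initiated one (src 179)
 10 permit tcp host 203.0.113.2 any eq bgp
 11 permit tcp host 203.0.113.2 eq bgp any
 remark minimal ICMP so path MTU discovery and traceroute keep working
 20 permit icmp any any echo
 21 permit icmp any any echo-reply
 22 permit icmp any any unreachable
 23 permit icmp any any time-exceeded
 remark SNMP is intentionally absent: external pollers fall into class-default and are dropped

ip access-list extended SELF_TO_EXT
 remark BGP: router-initiated session (dst 179) and replies to a peer-initiated one (src 179)
 10 permit tcp any host 203.0.113.2 eq bgp
 11 permit tcp any eq bgp host 203.0.113.2
 20 permit icmp any any

class-map type inspect match-all EXT_TO_SELF_CLASS
 match access-group name EXT_TO_SELF
class-map type inspect match-all SELF_TO_EXT_CLASS
 match access-group name SELF_TO_EXT

policy-map type inspect EXT_TO_SELF_POLICY
 class type inspect EXT_TO_SELF_CLASS
  pass
 class class-default
  drop
policy-map type inspect SELF_TO_EXT_POLICY
 class type inspect SELF_TO_EXT_CLASS
  pass
 class class-default
  drop

zone-pair security ext_self source external destination self
 service-policy type inspect EXT_TO_SELF_POLICY
zone-pair security self_ext source self destination external
 service-policy type inspect SELF_TO_EXT_POLICY
```

Before applying this, list every protocol the router itself terminates on the external interface (a second BGP peer, IKE/ESP for VPNs, NTP or DNS toward Internet servers, BFD) and add it to both ACLs; anything omitted is dropped, not merely logged. Afterwards, `show policy-map type inspect zone-pair ext_self` shows the pass and drop counters per class, the class-default drop count should track the SNMP request volume seen earlier, and `show ip bgp summary` confirms the session stays Established.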
