SOLVED: Nexus ACL to limit SNMP between VLANS

ApjHouston
Level 1

I'm not sure if I'm overthinking this, but I'm not sure where to make the ACL for the following purpose...

We have a WiFi controller bridging VLANs directly into a Nexus switch. There has been SNMP traffic going to VLAN 5 from VLAN 50, but I only want VLANs 5 and 6 to have SNMP traffic.

I have previously worked with implementations where the traffic is passed into a FortiGate or Sophos and policies would be created to allow or block the traffic between VLAN networks. I have just started with this network and am having trouble working out how to utilize the Nexus properly for this configuration.

I initially went the route of trying an IP ACL and found it's not going to work for the VLANs. I was reading about VACLs yesterday, but I also see some configuration for access-list copp.

For this purpose, should I be looking to create a VACL, or to adjust the CoPP ACL so that the VLAN 5 and 6 networks are allowed?

Thank you for any guidance.


3 Replies

ApjHouston
Level 1

I wasn't able to find an answer to this today. I used a test network with the configuration below, but nothing is allowed through. When I try to use a sequence number for an access-map I get "ERROR: Mutltiple access-maps not supported". I was trying to think of a way to have the access-list only match the SNMP part and allow the rest, and I would just apply it to the VLAN I don't want sending SNMP.

Configuration I used that blocked everything:

ip access-list snmp-drop
10 permit udp any any eq snmp
11 permit udp any any eq snmptrap
exit
!
ip access-list permit-any
20 deny ip any any
exit
!
vlan access-map acl-snmp-drop
match ip address snmp-drop
match ip address permit-any
action drop
exit
vlan filter acl-snmp-drop vlan-list 51

I'll watch some videos tonight to try to wrap my head around it, but I'm open to suggestions.

Thanks again.

ApjHouston
Level 1

The Nexus does not support multiple access-maps. I had tested it working with multiple access-maps on a 2960, but I'm not sure which of my notes was the correct one, so I won't put it in here.

I had a ticket open with Cisco and Jason gave me a solution as below:
ip access-list BLOCK_SNMP_ACL
10 deny udp any any eq snmp
11 deny udp any any eq snmptrap
20 permit ip any any
!
vlan access-map BLOCK_SNMP
match ip address BLOCK_SNMP_ACL
action forward
stat
!
vlan filter BLOCK_SNMP vlan-list 50

I have tested it working with my MIB walk being blocked when applied and my HTTPS and ICMP tested still going through.

It was a pleasure working with you Apj!

Regards,

Jason.
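The accepted configuration filters VLAN 50 only, so any other VLAN the controller bridges onto the Nexus can still poll the VLAN 5 devices. The following is an added example, not Jason's configuration and not from the original thread, that uses the same VACL pattern (deny entries for the traffic to stop, a final permit so everything else is forwarded) but attaches it to VLAN 5, where the SNMP agents live, and permits SNMP polling only from the VLAN 5 and VLAN 6 subnets. The subnets 10.5.0.0/24 and 10.6.0.0/24 and the object name SNMP_ONLY_FROM_5_6 are assumptions for illustration; the show commands at the end are the standard NX-OS VACL verification commands.

```text
! Added example, not from the thread. Assumed addressing (hypothetical):
!   VLAN 5 = 10.5.0.0/24 (SNMP agents), VLAN 6 = 10.6.0.0/24 (permitted pollers)
! Same pattern as the working BLOCK_SNMP_ACL: deny entries drop the matching
! SNMP packets, the final permit forwards everything else.
ip access-list SNMP_ONLY_FROM_5_6
  10 permit udp 10.5.0.0/24 any eq snmp
  20 permit udp 10.6.0.0/24 any eq snmp
  30 deny udp any any eq snmp
  40 permit ip any any
!
vlan access-map SNMP_ONLY_FROM_5_6
  match ip address SNMP_ONLY_FROM_5_6
  action forward
  statistics per-entry
!
! Attach the filter to the VLAN holding the agents, not to each client VLAN.
! VACLs see traffic bridged within the VLAN and traffic routed into it, so a
! poll from 10.50.x.x arriving in VLAN 5 hits entry 30 and is dropped.
vlan filter SNMP_ONLY_FROM_5_6 vlan-list 5
!
! Verification: run an snmpwalk from a VLAN 50 host (should time out) and one
! from a VLAN 6 host (should answer), then check that the filter is attached
! and that entry 30 counted the VLAN 50 attempt.
!   show vlan filter
!   show vlan access-map SNMP_ONLY_FROM_5_6
!   show vlan access-list SNMP_ONLY_FROM_5_6
!   clear vlan access-list counters
```

Two caveats. The ACL matches the destination port only, so SNMP traps (UDP 162) sent by the VLAN 5 agents toward a collector in another VLAN still pass entry 40; add `deny udp any any eq snmptrap` ahead of the final permit, as in the accepted ACL, if those should stop as well. And the CoPP ACL mentioned in the question is not an alternative: CoPP classifies traffic destined to the switch's own supervisor (SNMP polls of the Nexus itself, for example) and has no effect on transit traffic between VLANs, so editing it would not have changed what VLAN 50 can send to VLAN 5.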