Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11362
Views
6
Helpful
4
Replies

How to disable SNMP or udp port 161 on my Internet gateway router

Go to solution
Mohammad Babjani
Level 1
Level 1

‎01-23-2020 06:42 PM

Hi Everyone,

 

We have an Internet gateway router(#CiscoASR) on which we have snmp configuration for monitoring purpose and we have secured it with ACL as well. But now our infosec team is saying that they are able to see the router as vulnerable for SNMP threats when they have done a vulnerability scan from internet, though we have secured it by using ACL's. Please suggest how to fix this.

 

Thanks,

Babjani.

1 person had this problem
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
johnd2310
Level 8
Level 8
In response to Mohammad Babjani

‎01-24-2020 05:42 PM

Hi,

You need to use both snmp access-list and interface access-list. The snmp access-list specifies which devices can access snmp using the specified string. Therefore, the router will process snmp and reject or accept based on access-list and string. You, therefore, will need an access-list on the outside interface to block all snmp packets from the Internet.

There should be no impact on the router from having an access-list on the outside interface as long as you do not have excessive logging enabled on the access-list.

 

Thanks

John

**Please rate posts you find helpful**

View solution in original post

Go to solution
Mohammad Babjani
Level 1
Level 1
In response to Mohammad Babjani

‎01-24-2020 10:45 PM

Hi John/Everyone,

 

Thanks John for your time over this discussion.

We have applied an extended ACL over the Internet link interface deny snmp, snmptraps ntp traffic and permitting rest of the traffic. Hence the issue resolved.

 

 

Thanks,

Babjani.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
johnd2310
Level 8
Level 8

‎01-23-2020 08:42 PM

Hi,

What type of access-list are you using? Interface access-list, SNMP access-list.

 

Thanks

John

**Please rate posts you find helpful**
0 Helpful

Go to solution
Mohammad Babjani
Level 1
Level 1
In response to johnd2310

‎01-23-2020 10:19 PM - edited ‎01-23-2020 11:30 PM

Hi John,

 

We are using only standard ACL for SNMP as of now. In case if we use can use interface ACL, if we used interface ACL and it is the entry point to our organization and it is a 1Gig link. Will their be toll on cpu ? Please let me know.

 

 

Thanks,

Babjani.

0 Helpful

Go to solution
johnd2310
Level 8
Level 8
In response to Mohammad Babjani

‎01-24-2020 05:42 PM

Hi,

You need to use both snmp access-list and interface access-list. The snmp access-list specifies which devices can access snmp using the specified string. Therefore, the router will process snmp and reject or accept based on access-list and string. You, therefore, will need an access-list on the outside interface to block all snmp packets from the Internet.

There should be no impact on the router from having an access-list on the outside interface as long as you do not have excessive logging enabled on the access-list.

 

Thanks

John

**Please rate posts you find helpful**

Go to solution
Mohammad Babjani
Level 1
Level 1
In response to Mohammad Babjani

‎01-24-2020 10:45 PM

Hi John/Everyone,

 

Thanks John for your time over this discussion.

We have applied an extended ACL over the Internet link interface deny snmp, snmptraps ntp traffic and permitting rest of the traffic. Hence the issue resolved.

 

 

Thanks,

Babjani.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card