08-15-2023 12:43 PM - edited 08-15-2023 12:44 PM
So I have a few routers that need to disable SNMP on the internet-facing port. Is there a command to accomplish this?
Or am I just doing an ACL?
08-15-2023 01:01 PM - edited 08-15-2023 01:04 PM
Might need to use an ACL, but not 100% positive.
What's the device and the IOS running on it?
BTW, a good ACL to start with is one that blocks all traffic to the interface's IP.
08-15-2023 01:19 PM
Hello @DKershner12,
Agree with @Joseph W. Doherty.
If you only want to disable SNMP on specific interfaces, using ACLs is a more granular and controlled method.
08-15-2023 02:12 PM
Agreed with the ACL option; the guide below will help you:
08-17-2023 06:45 AM
Thanks. It's been a long minute since I did an ACL, and Cisco's descriptions are so bad.
ip access-list extended SNMP_deny
 ! x.x.x.x is the address of the internet-facing port
 deny udp any host x.x.x.x eq snmp
 deny tcp any host x.x.x.x eq 161
 permit ip any any
That's what I was basically thinking, where x.x.x.x is the IP of the port.
08-17-2023 07:24 AM
I would limit it all to the required IP and deny the rest. Example:
ip access-list standard 10
 permit 192.168.x.x
 ! ACL 10 attached to the community: only that source address may query it
snmp-server community Mycomunity RO 10
or
! snmp-server host defines the receiver the router sends traps/informs to
snmp-server host 192.168.x.x mycommunity
08-17-2023 09:51 AM
I'm not entirely sure what you are trying to do.
All I want to do is block SNMP requests on internet-facing ports from coming in. SNMP is already working internally. I just need to make sure a hacker doesn't use the latest SNMP vulnerability and enter our network through the internet-facing port.
08-18-2023 09:34 AM
ip access-list standard 10
 permit 192.168.x.x
 ! this is the IP address of your NMS server; everything else is denied by the implicit deny
snmp-server community Mycomunity RO 10
08-18-2023 10:59 AM
OK. This is not about allowing SNMP through the internet-facing port. RFC 1918 IPs are not routable on the internet.
This is only trying to keep external bad actors from using SNMP to gain access from EXTERNAL networks.
SNMP is done via the LAN, not the WAN.
SNMP must be blocked at the port facing the internet.
08-20-2023 12:10 AM
What I suggested was that only that IP can do the SNMP walk, since we set up an ACL for SNMP.
SNMP must be blocked at the port facing the internet.
If you would like to do this, add an ACL blocking SNMP on the internet interface, for example:
! an extended ACL (100-199) is needed; a standard ACL (1-99) cannot match a protocol or port
access-list 110 deny udp any any eq snmp
! without this permit the implicit deny at the end of the ACL would drop all other inbound traffic
access-list 110 permit ip any any
interface gig x/x
 ip access-group 110 in
08-21-2023 04:37 AM
OK. Thanks. I have:
ip access-list extended SNMP_deny
 ! drop inbound SNMP (UDP/161) from any source
 deny udp any any eq snmp
 ! keep everything else flowing; the ACL ends in an implicit deny
 permit ip any any
interface GigabitEthernet0/0/0
 ip access-group SNMP_deny in
08-22-2023 12:42 AM
Yes, in that context it should be good.
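Once the interface ACL above is in place, the check a practitioner wants is to prove, from the internet side, that UDP/161 on the WAN address is actually dropped. The script below is an added example written for this thread, not code posted by any participant or shipped by Cisco: it hand-builds a minimal SNMPv2c GetRequest for sysDescr.0 (so no pysnmp install is needed), sends it to the target, and reports whether the agent answered. The target address 203.0.113.1 (TEST-NET-3) and the community string "public" are placeholders to be replaced with the router's WAN address and the site's real community.

```python
"""Probe UDP/161 on a router from an outside vantage point (added example,
not from the thread).  Hand-builds a minimal SNMPv2c GetRequest for
sysDescr.0, sends it, and reports whether the agent answered.
"""
import socket

SYSDESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # SNMPv2-MIB::sysDescr.0


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v):
    """INTEGER, minimal two's-complement (non-negative values here)."""
    return ber_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    out = bytearray([40 * oid[0] + oid[1]])
    for sub in oid[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(out))


def build_get(community, oid=SYSDESCR_OID, request_id=1):
    """SNMPv2c message: SEQ { version=1, community, GetRequest-PDU [A0] }."""
    varbind = ber_tlv(0x30, ber_oid(oid) + ber_tlv(0x05, b""))  # OID + NULL value
    pdu = ber_tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_int(1) + ber_tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(packet):
    """Return (error_status, value bytes of the first varbind) from a GetResponse."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = read_tlv(msg, 0)
    _, _community, pos = read_tlv(msg, pos)
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0xA2:  # GetResponse-PDU
        raise ValueError("unexpected PDU type 0x%02x" % tag)
    _, _request_id, pos = read_tlv(pdu, 0)
    _, err, pos = read_tlv(pdu, pos)
    _, _err_index, pos = read_tlv(pdu, pos)
    _, vblist, _ = read_tlv(pdu, pos)
    _, varbind, _ = read_tlv(vblist, 0)
    _, _oid, pos = read_tlv(varbind, 0)
    _, value, _ = read_tlv(varbind, pos)
    return int.from_bytes(err, "big", signed=True), value


def probe(host, community="public", timeout=3.0):
    """One GET to host:161 -> ("answered", value) or ("no-answer", None).

    "no-answer" means the ACL dropped it, nothing listens, or the community is
    wrong (a v2c agent silently discards unknown communities); confirm the ACL
    by repeating the same probe from a host the ACL permits.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get(community), (host, 161))
        data, _ = sock.recvfrom(2048)
    except OSError:  # socket.timeout, or an ICMP unreachable from the router
        return "no-answer", None
    finally:
        sock.close()
    _, value = parse_get_response(data)
    return "answered", value


if __name__ == "__main__":
    # 203.0.113.1 (TEST-NET-3) is a placeholder for the router's WAN address.
    print(probe("203.0.113.1"))
```

Run it from a host outside the perimeter: "answered" means the inbound ACL is not doing its job (or is on the wrong interface). Then run the same probe from the NMS on the LAN to confirm that legitimate polling still works, which also exercises the community ACL suggested earlier in the thread.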