Data Plane filter SNMP traffic

WiKiD
Level 1
Hello everyone,
Scenario:
Router 1 (Edge IP 1.1.1.1)
is connected to ISP Router 2 (IP 2.2.2.2) via BGP,
and via Tunnel to Internal Router (IP 3.3.3.3)
It's now that transit traffic to SNMP ports 161 and 162 hits the Internal Router, meaning malicious traffic
(port scans / whatever).
My question is:
How would a transit ACL for the Data Plane look to filter/block these attempts, and how is it applied to the Control Plane? Or would an interface ACL inbound on Router 1 (Edge) do the job? Some helpful advice would be great. Thank you all.

 


Accepted Solutions

Cristian Matei
VIP Alumni

Hi,

It's recommended to filter that kind of traffic inbound on your Edge router, before it hits the Internal router; this would be a regular ACL to deny traffic destined to UDP 161 and UDP 162 and allow other traffic that you want/need.

At the same time, if you want to offer better protection to your internal router, which may be "attacked" from the inside network, in addition to what I stated above, you should configure control-plane protection on your Internal router and restrict which management protocols you allow, and from which IPs.

https://tools.cisco.com/security/center/resources/copp_best_practices

Regards,

Cristian Matei.
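
The two controls described in the answer above, sketched as Cisco IOS configuration. This is an added example, not part of the original post: the interface name, the ACL, class-map and policy-map names, the management station address 192.0.2.10 and the police rate are all assumptions to be replaced with your own values.

```cisco
! ===== Router 1 (Edge, 1.1.1.1): interface ACL on the ISP-facing link =====
! Drops SNMP (UDP 161) and SNMP traps (UDP 162) before they can transit
! toward the Internal Router (3.3.3.3) through the tunnel.
ip access-list extended EDGE-IN
 remark Block SNMP and SNMP trap traffic arriving from the ISP side
 deny   udp any any eq snmp log
 deny   udp any any eq snmptrap log
 remark Assumption: everything else is allowed; tighten to what you need
 permit ip any any
!
! Assumption: GigabitEthernet0/0 is the interface facing ISP Router 2 (2.2.2.2)
interface GigabitEthernet0/0
 ip access-group EDGE-IN in
!
! ===== Internal Router (3.3.3.3): control-plane policing (CoPP) =====
! SNMP from the trusted management station is rate-limited and accepted;
! SNMP from any other source, including the inside network, is dropped
! before it reaches the route processor.
ip access-list extended COPP-SNMP-TRUSTED
 permit udp host 192.0.2.10 any eq snmp
ip access-list extended COPP-SNMP-OTHER
 permit udp any any eq snmp
!
class-map match-all COPP-SNMP-TRUSTED
 match access-group name COPP-SNMP-TRUSTED
class-map match-all COPP-SNMP-OTHER
 match access-group name COPP-SNMP-OTHER
!
! Class order matters: the trusted class must be evaluated first
policy-map COPP-POLICY
 class COPP-SNMP-TRUSTED
  police 64000 conform-action transmit exceed-action drop
 class COPP-SNMP-OTHER
  drop
!
control-plane
 service-policy input COPP-POLICY
```

`show ip access-lists EDGE-IN` on the edge router and `show policy-map control-plane` on the Internal Router display the hit counters, which confirm whether the unwanted SNMP traffic is being matched and dropped where expected.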


2 Replies


Thank you Cristian,

that sounds good.