03-18-2020 04:55 AM - edited 03-18-2020 04:57 AM
Hello everyone,
Scenario: Router 1 (Edge, IP 1.1.1.1) is connected to ISP Router 2 (IP 2.2.2.2) via BGP, and via a tunnel to the Internal Router (IP 3.3.3.3). Now transit traffic to SNMP ports 161 and 162 hits the Internal Router, meaning malicious traffic (port scans / whatever).
My question is: How would a transit ACL for the Data Plane look to filter/block these attempts, and how is it applied to the Control Plane? Or would an interface ACL inbound on Router 1 (Edge) do the job? Some helpful advice would be great. Thank you all.
03-18-2020 06:21 AM
Hi,
It's recommended to filter that kind of traffic inbound on your Edge router, before it hits the Internal router; this would be a regular ACL to deny traffic destined to UDP 161 and UDP 162 and allow other traffic that you want/need.
At the same time, if you want to offer better protection to your internal router, which may be "attacked" from the inside network, additionally to what I stated above, you should configure control-plane protection on your Internal router and restrict which management protocols you allow, and from which IPs.
https://tools.cisco.com/security/center/resources/copp_best_practices
Regards,
Cristian Matei.
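As an added illustration of the two measures in the answer above (not part of the original thread, and not Cisco's own example configuration): an inbound interface ACL on Router 1 that drops SNMP (UDP 161) and SNMP trap (UDP 162) traffic arriving from the ISP, and a CoPP policy on the Internal Router that lets SNMP reach the control plane only from a management subnet. The interface name, the 10.0.100.0/24 management subnet and the policer rates are assumptions; adjust them to your network.

```cisco
! ---- Router 1 (Edge, 1.1.1.1): data-plane filtering on the ISP-facing interface ----
! Assumed interface name; "eq snmp" = UDP 161, "eq snmptrap" = UDP 162 in IOS.
ip access-list extended TRANSIT-IN
 remark Drop SNMP polling and traps coming in from the ISP; log hits for detection
 deny   udp any any eq snmp log
 deny   udp any any eq snmptrap log
 remark Everything else passes here; tighten according to your own policy
 permit ip any any
!
interface GigabitEthernet0/0
 description Link to ISP Router 2 (2.2.2.2)
 ip access-group TRANSIT-IN in
!
! ---- Internal Router (3.3.3.3): control-plane protection with CoPP ----
! Assumed management subnet 10.0.100.0/24 is the only source allowed to poll SNMP.
ip access-list extended COPP-SNMP-TRUSTED
 permit udp 10.0.100.0 0.0.0.255 any eq snmp
ip access-list extended COPP-SNMP-UNTRUSTED
 permit udp any any eq snmp
 permit udp any any eq snmptrap
!
class-map match-all COPP-SNMP-TRUSTED
 match access-group name COPP-SNMP-TRUSTED
class-map match-all COPP-SNMP-UNTRUSTED
 match access-group name COPP-SNMP-UNTRUSTED
!
! Trusted class is evaluated first; anything else matching SNMP is dropped outright.
policy-map COPP-POLICY
 class COPP-SNMP-TRUSTED
  police 128000 8000 conform-action transmit exceed-action drop
 class COPP-SNMP-UNTRUSTED
  police 8000 1500 conform-action drop exceed-action drop
 class class-default
  police 256000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```

Verify with `show ip access-lists TRANSIT-IN` on the edge and `show policy-map control-plane` on the internal router; a rising drop counter in COPP-SNMP-UNTRUSTED shows SNMP attempts from sources other than the management subnet.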
03-24-2020 08:49 AM
Thank you Cristian,
that sounds good.