Access list problem block snmp
09-13-2020 01:10 AM
Hi All
I have a problem with an extended access list. I'm trying to block SNMP traffic to a host. All traffic falls into the permit entry.
CISCO1921/K9 c1900-universalk9-mz.SPA.152-4.M5.bin
rxxx#sh ip access-lists ACL
Extended IP access list ACL
10 deny udp any host 10.209.102.111 range snmp 163
11 deny udp any host 10.209.102.82 range snmp 163
20 permit ip any any (9888 matches)
interface GigabitEthernet0/1
ip address 10.209.2.253 255.255.255.0 secondary
ip address 10.209.102.253 255.255.255.0 secondary
ip address 10.209.2.254 255.255.255.0
ip flow ingress
ip flow egress
duplex auto
speed auto
ip access-group ACL in
rxxx#sh arp | i 10.209.102.111
Internet 10.209.102.111 3 b4b5.2ff8.c00b ARPA GigabitEthernet0/1
I also tried creating an access list on the switch and applying it to the port where the host is connected. The problem is the same.
09-13-2020 04:55 AM
Since we are not sure how the devices are connected, we believe G0/1 ingress is where you would like to block SNMP (hope you are not testing from the device itself). This ACL works when the traffic transits the device.
deny udp any host 10.209.102.111 range 161 <<- see if that works to test for 161 port
if that works add
deny udp any host 10.209.102.111 range 161 163

09-13-2020 05:16 AM
Hello,
turn on access list debugging and check which traffic is actually sent to which port. To be able to debug the access list, you need to change the named ACL you have to a numbered ACL:
access-list 101 deny udp any host 10.209.102.111 eq snmp
access-list 101 deny udp any host 10.209.102.82 eq snmp
access-list 101 permit ip any any
debug ip packet 101
09-13-2020 05:57 AM - edited 09-13-2020 05:58 AM
Hello
As you wish to deny SNMP to the management plane of that router, you could apply a simple MPP policy and allow just the protocols you wish to have access to a certain interface; no need for an access list to deny SNMP then.
conf t
control-plane host
management-interface x/x allow ssh telnet http etc...
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
09-13-2020 09:25 AM
We have several interesting suggestions. But none address the fundamental problem of the original post. The access list seems to be valid,
10 deny udp any host 10.209.102.111 range snmp 163
11 deny udp any host 10.209.102.82 range snmp 163
20 permit ip any any (9888 matches)
but is not applied correctly. It is applied "in". When applied in then 10.209.102.111 would be the source and the acl specifies it as destination. If the configuration is changed so that the acl is applied out then I believe that it will work.
Rick
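An added Python model (not code from the thread or from Cisco) of how an interface ACL is consulted per direction, using the ACL from the first post. The poller address 10.50.0.9 and the Gi0/0 ingress interface are assumptions; it shows why the ACL applied "in" on Gi0/1 never sees a poll destined for 10.209.102.111, while "out" does, and why the host's replies land on the permit entry.

```python
# Added model (not code from the thread): how IOS consults an interface ACL,
# and why "ip access-group ACL in" on Gi0/1 cannot stop SNMP polls sent *to*
# 10.209.102.111, a host that lives on the Gi0/1 segment.
SNMP = 161  # what the IOS keyword "snmp" expands to in "range snmp 163"
# ACL entries as (action, proto, dst_host or None for any, low_port, high_port),
# transcribed from the first post: seq 10, 11 and the catch-all 20.
ACL = [
    ("deny", "udp", "10.209.102.111", SNMP, 163),
    ("deny", "udp", "10.209.102.82", SNMP, 163),
    ("permit", "ip", None, 0, 65535),
]

def ace_matches(ace, proto, dst, dport):
    action, ace_proto, dst_host, lo, hi = ace
    if ace_proto != "ip" and ace_proto != proto:
        return False
    if dst_host is not None and dst != dst_host:
        return False
    return lo <= dport <= hi

def evaluate(acl, proto, dst, dport):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, proto, dst, dport):
            return ace[0]
    return "deny"

def forward(proto, dst, dport, ingress, egress, acl_if, direction):
    """The ACL is only consulted when the packet crosses acl_if in that direction."""
    if (direction == "in" and ingress == acl_if) or (direction == "out" and egress == acl_if):
        return evaluate(ACL, proto, dst, dport)
    return "permit"  # the packet never passes the ACL on this path

# Constructed scenario: a poller at 10.50.0.9 (assumed, not in the thread) enters
# on Gi0/0; the router forwards it out Gi0/1 towards 10.209.102.111.
GI0 = "GigabitEthernet0/0"
GI1 = "GigabitEthernet0/1"

def poll_result(direction):
    """Fate of an SNMP GET to 10.209.102.111 with the ACL on Gi0/1 in/out."""
    return forward("udp", "10.209.102.111", SNMP, GI0, GI1, GI1, direction)
def reply_result(direction):
    """Fate of the host's reply (src .111, high dst port) back to 10.50.0.9; source is 'any' in the ACL."""
    return forward("udp", "10.50.0.9", 40000, GI1, GI0, GI1, direction)

if __name__ == "__main__":
    print("poll, ACL in :", poll_result("in"))    # permit: ACL not consulted
    print("poll, ACL out:", poll_result("out"))   # deny: seq 10 matches
    print("reply, ACL in:", reply_result("in"))   # permit: seq 20, the counter that grows
```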
