Access list problem: block SNMP

psi2338_1 (Level 1)

Hi all,

I have a problem with an extended access list. I'm trying to block SNMP traffic to a host. All traffic falls into the permit entry.

CISCO1921/K9 c1900-universalk9-mz.SPA.152-4.M5.bin

 

rxxx#sh ip access-lists ACL
Extended IP access list ACL
10 deny udp any host 10.209.102.111 range snmp 163
11 deny udp any host 10.209.102.82 range snmp 163
20 permit ip any any (9888 matches)

 

interface GigabitEthernet0/1

ip address 10.209.2.253 255.255.255.0 secondary
ip address 10.209.102.253 255.255.255.0 secondary
ip address 10.209.2.254 255.255.255.0
ip flow ingress
ip flow egress
duplex auto
speed auto
ip access-group ACL in

rxxx#sh arp | i 10.209.102.111
Internet 10.209.102.111 3 b4b5.2ff8.c00b ARPA GigabitEthernet0/1

 

I also tried creating the access list on the switch and applying it to the port where the host is connected. The problem is the same.
4 Replies

balaji.bandi (Hall of Fame)

Since we are not sure how the devices are connected, we believe G0/1 ingress is where you want to block SNMP (hopefully you are not testing from the device itself). This ACL only works when the traffic transits the device.

 

deny udp any host 10.209.102.111 eq 161   <<- see if that works to test for port 161 (a single port takes "eq"; "range" needs a start and an end port)

If that works, add:

deny udp any host 10.209.102.111 range 161 163

BB


Hello,

 

Turn on access list debugging and check which traffic is actually sent on which port. In order to be able to debug the access list, you need to change the named ACL you have to a numbered ACL:

 

access-list 101 deny udp any host 10.209.102.111 eq snmp
access-list 101 deny udp any host 10.209.102.82 eq snmp
access-list 101 permit ip any any

 

debug ip packet 101

Hello
Since you wish to deny SNMP to the management plane of that router, you could apply a simple MPP policy and allow just the protocols you want on a certain interface; there is then no need for an access list to deny SNMP:


conf t
control-plane host
management-interface x/x allow ssh telnet http etc...



Kind Regards
Paul

Richard Burts (Hall of Fame)

We have several interesting suggestions. But none address the fundamental problem of the original post. The access list seems to be valid,

10 deny udp any host 10.209.102.111 range snmp 163
11 deny udp any host 10.209.102.82 range snmp 163
20 permit ip any any (9888 matches)

but it is not applied correctly. It is applied "in". When applied in, 10.209.102.111 would be the source, but the ACL specifies it as the destination. If the configuration is changed so that the ACL is applied out, I believe it will work.

HTH

Rick
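To make the direction point from this thread concrete, here is an added Python model (not code from the thread, from the poster's router, or from Cisco) that parses the ACL exactly as `show ip access-lists ACL` printed it and then decides which packets an ACL bound "in" versus "out" on GigabitEthernet0/1 is ever consulted for. The second interface GigabitEthernet0/0 with subnet 10.209.1.0/24 and the NMS address 10.209.1.50 are assumptions made for the demo; the ACL entries and the G0/1 subnets come from the original post.

```python
"""Model of how a Cisco IOS extended ACL is evaluated, and which packets an
ACL bound "in" or "out" on an interface is ever consulted for.

Added example, not from the thread. GigabitEthernet0/0 (10.209.1.0/24) and
the NMS address 10.209.1.50 are assumptions; the ACL text and the G0/1
subnets are taken from the original post.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Service names IOS substitutes for port numbers in "show ip access-lists".
PORT_NAMES = {"snmp": 161, "snmptrap": 162, "ssh": 22, "telnet": 23, "domain": 53}

# The ACL exactly as the original poster's router printed it.
ACL_TEXT = """\
Extended IP access list ACL
10 deny udp any host 10.209.102.111 range snmp 163
11 deny udp any host 10.209.102.82 range snmp 163
20 permit ip any any (9888 matches)
"""


@dataclass
class Packet:
    proto: str  # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    seq: int
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Address]  # None means "any"
    sport: Optional[tuple]                # inclusive (lo, hi); None = unconstrained
    dst: Optional[ipaddress.IPv4Address]
    dport: Optional[tuple]


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _take_addr(toks: list) -> Optional[ipaddress.IPv4Address]:
    """Consume an address spec ('any' or 'host A.B.C.D') from the front of toks."""
    kw = toks.pop(0)
    if kw == "any":
        return None
    if kw == "host":
        return ipaddress.IPv4Address(toks.pop(0))
    raise ValueError(f"unsupported address spec: {kw}")


def _take_ports(toks: list) -> Optional[tuple]:
    """Consume an optional port operator; only 'eq' and 'range' are modelled."""
    if not toks or toks[0] not in ("eq", "range"):
        return None
    op = toks.pop(0)
    lo = _port(toks.pop(0))
    hi = _port(toks.pop(0)) if op == "range" else lo
    return (lo, hi)


def parse_acl(text: str) -> list:
    """Parse 'show ip access-lists' output into ordered Rule objects."""
    rules = []
    for line in text.splitlines():
        line = re.sub(r"\s*\(\d+ matches\)\s*$", "", line).strip()  # drop hit counters
        if not line or not line[0].isdigit():
            continue  # the "Extended IP access list ..." header
        toks = line.split()
        seq, action, proto, rest = int(toks[0]), toks[1], toks[2], toks[3:]
        src, sport = _take_addr(rest), _take_ports(rest)
        dst, dport = _take_addr(rest), _take_ports(rest)
        rules.append(Rule(seq, action, proto, src, sport, dst, dport))
    return sorted(rules, key=lambda r: r.seq)


def _in_range(port: int, rng: Optional[tuple]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and rule.src != ipaddress.IPv4Address(pkt.src):
        return False
    if rule.dst is not None and rule.dst != ipaddress.IPv4Address(pkt.dst):
        return False
    return _in_range(pkt.sport, rule.sport) and _in_range(pkt.dport, rule.dport)


def evaluate(rules: list, pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action
    return "deny"


# Interface -> connected subnets. G0/1 is from the post; G0/0 is assumed.
INTERFACES = {
    "GigabitEthernet0/0": [ipaddress.ip_network("10.209.1.0/24")],
    "GigabitEthernet0/1": [ipaddress.ip_network("10.209.2.0/24"),
                           ipaddress.ip_network("10.209.102.0/24")],
}


def iface_for(addr: str) -> Optional[str]:
    a = ipaddress.IPv4Address(addr)
    for name, nets in INTERFACES.items():
        if any(a in n for n in nets):
            return name
    return None


def forward(pkt: Packet, acl: list, iface: str, direction: str) -> str:
    """Fate of a transit packet on a router with `acl` bound to `iface` `direction`.

    An inbound ACL is consulted only for packets ARRIVING on that interface; an
    outbound ACL only for packets the router is about to SEND out of it.
    """
    consulted = (direction == "in" and iface_for(pkt.src) == iface) or \
                (direction == "out" and iface_for(pkt.dst) == iface)
    if not consulted:
        return "forwarded (ACL not consulted)"
    return "forwarded" if evaluate(acl, pkt) == "permit" else "dropped"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    poll = Packet("udp", "10.209.1.50", "10.209.102.111", sport=50000, dport=161)
    for d in ("in", "out"):
        print(f"SNMP poll from NMS, ACL applied {d:3} on G0/1:",
              forward(poll, acl, "GigabitEthernet0/1", d))
```

Run stand-alone, the script shows the poster's symptom: an SNMP poll arriving from the NMS on another interface never enters the router through G0/1, so the inbound ACL is never consulted and only the `permit ip any any` counter grows; bound `out` on G0/1 the same poll is dropped. A source on the 10.209.2.0/24 secondary is the one case the inbound ACL does catch, because that traffic enters and leaves on G0/1. Two caveats the model makes visible: `range snmp 163` is 161-163 inclusive (UDP 164 passes), and hosts on 10.209.102.0/24 reach .111 through the switch without crossing the router at all, so no router ACL in either direction can see that traffic.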