Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
959
Views
0
Helpful
4
Replies

Access list problem bloch snmp

psi2338_1
Level 1
Level 1

‎09-13-2020 01:10 AM

Hi All

I have problem with extended access list. I'm trying to block snmp traffic to a host. All traffic falls into permit

 

"CISCO1921/K9 c1900-universalk9-mz.SPA.152-4.M5.bin

 

rxxx#sh ip access-lists ACL
Extended IP access list ACL
10 deny udp any host 10.209.102.111 range snmp 163
11 deny udp any host 10.209.102.82 range snmp 163
20 permit ip any any (9888 matches)

 

interface GigabitEthernet0/1

ip address 10.209.2.253 255.255.255.0 secondary
ip address 10.209.102.253 255.255.255.0 secondary
ip address 10.209.2.254 255.255.255.0
ip flow ingress
ip flow egress
duplex auto
speed auto
ip access-group ACL in

rxxx#sh arp | i 10.209.102.111
Internet 10.209.102.111 3 b4b5.2ff8.c00b ARPA GigabitEthernet0/1

 

also i try create access list on switch and pin to port wher is conect host. Problem the same

 

 

 

 

 

 

 

 

Labels:
0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎09-13-2020 04:55 AM

since we are not sure how the devices connected, we believe that G0/1 ingress you like to block for SNMP  ( Hope you are not testing from device to test) this ACL works when the traffic transit using the device.

 

deny udp any host 10.209.102.111 range 161  <<- see if that works to test for 161 port

if that works add

 

deny udp any host 10.209.102.111 range 161 163

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Georg Pauwen
VIP
VIP

‎09-13-2020 05:16 AM

Hello,

 

turn on access list debugging and check which traffic is actually sent on which port. In order to be able to debug the access list, you need to change the named ACL you have to a numbered ACL:

 

access-list 101 deny udp any host 10.209.102.111 eq snmp
access-list 101 deny udp any host 10.209.102.82 eq snmp
access-list 101 permit ip any any

 

debug ip packet 101

0 Helpful

paul driver
VIP
VIP

‎09-13-2020 05:57 AM - edited ‎09-13-2020 05:58 AM

Hello
As you wish to deny snmp to the management plane of that rtr you could append a simple MPP policy and allow just the protocols you wish access to a certain interface no need for an access-list to deny snmp then


conf t
control-plane host
management-interface x/x allow ssh telnet http etc...


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Richard Burts
Hall of Fame
Hall of Fame

‎09-13-2020 09:25 AM

We have several interesting suggestions. But none address the fundamental problem of the original post. The access list seems to be valid,

10 deny udp any host 10.209.102.111 range snmp 163
11 deny udp any host 10.209.102.82 range snmp 163
20 permit ip any any (9888 matches)

but is not applied correctly. It is applied "in". When applied in then 10.209.102.111 would be the source and the acl specifies it as destination. If the configuration is changed so that the acl is applied out then I believe that it will work.

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents