ACL Help

dcanady55
Level 3

Hello,

I have the following subnet 10.73.23.0/24

printers are in the 20-100 range for IP's and I want to create an ACL to lock down SNMP from a few managers only to those printers. Is there a way to do this without putting in 80 lines of ACL's using the specific hosts IP? 

Thanks,

2 Accepted Solutions


When it's about actually using a subnet (assigning IPs from it to devices), indeed you cannot use .20 or .23 from 10.73.23.20/30 (well, it's actually possible for /31 on point-to-point links, even on Ethernet).  But when it comes to ACLs, an entry containing 10.73.23.20/30 will match anything from .20 to .23 (an ACL can't verify devices' netmasks, it doesn't care which subnet the IP it verifies comes from, it just checks if that IP fits an entry or not).

I just tried to cover the .20-.100 range with as few blocks like .B-of-length-2^x as possible, where B is a multiple of 2^x (for example, .32/27 and .64/27, even though consecutive, cannot be written as .32/26).


This config allows those four 10.73.23. subnets to send UDP packets with destination IP 10.73.100.7 and destination port 161 (SNMP), then drops any UDP packets entering interface Fa0/0.3 with destination port 161, then permits everything.  Basically it allows those subnets to query 10.73.100.7 by SNMP (which I don't think is what you intended), and under this config all devices that have SNMP enabled (not just .70) should respond to SNMP queries from everywhere.

If you need to allow 10.73.100.7 to query 10.73.23.24/29 by SNMP you can

a) either use "ip access-group XXX in"

permit udp 10.73.23.24 0.0.0.7 eq snmp host 10.73.100.7

deny udp any eq snmp any

permit ip any any

(which filters the devices' responses to SNMP queries from outside - notice the position of "eq snmp", meaning "source port snmp")

b) or use "ip access-group XXX out"

permit udp host 10.73.100.7 10.73.23.24 0.0.0.7 eq snmp

deny udp any any eq snmp

permit ip any any

(which filters SNMP queries from outside - this is preferred, since it prevents unwanted traffic to reach the devices)

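An added Python example (not code from the thread) that evaluates the ACL entries above against constructed packets, to show why an inbound ACL on the printer VLAN sees only the printers' replies and why the position of "eq snmp" decides what gets blocked; the scanner address 10.73.50.9 is assumed.

```python
import ipaddress
def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (matcher, next i)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        return (lambda ip, h=_ip(t[i + 1]): ip == h), i + 2
    n, w = _ip(t[i]), _ip(t[i + 1])  # 1-bits in the wildcard are "don't care"
    return (lambda ip: (ip | w) == (n | w)), i + 2

def _port(t, i):
    """Optional 'eq <port>' at t[i]; None means any port."""
    if i < len(t) and t[i] == "eq":
        return (161 if t[i + 1] == "snmp" else int(t[i + 1])), i + 2
    return None, i

def parse_ace(line):
    t = line.split()  # action proto src [eq p] dst [eq p]
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    return t[0], t[1], src, sport, dst, _port(t, i)[0]

def evaluate(acl, pkt):
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port); first match wins, implicit deny."""
    proto, sip, sp, dip, dp = pkt
    for action, ap, src, sport, dst, dport in map(parse_ace, acl):
        if (ap in ("ip", proto) and src(_ip(sip)) and dst(_ip(dip))
                and sport in (None, sp) and dport in (None, dp)):
            return action
    return "deny"

# Constructed traffic (scanner 10.73.50.9 is assumed): query to printer .70, reply from port 161.
QUERY = ("udp", "10.73.50.9", 50123, "10.73.23.70", 161)
REPLY = ("udp", "10.73.23.70", 161, "10.73.50.9", 50123)
POSTED_IN = ["permit udp 10.73.23.64 0.0.0.31 host 10.73.100.7 eq snmp",
             "deny udp any any eq snmp", "permit ip any any"]
FIXED_IN = ["permit udp 10.73.23.64 0.0.0.31 eq snmp host 10.73.100.7",
            "deny udp any eq snmp any", "permit ip any any"]
FIXED_OUT = ["permit udp host 10.73.100.7 10.73.23.64 0.0.0.31 eq snmp",
             "deny udp any any eq snmp", "permit ip any any"]

def verdicts():
    # "in" on the printer VLAN interface sees the REPLY; "out" sees the QUERY.
    return {"posted_in": evaluate(POSTED_IN, REPLY),  # slips through
            "fixed_in": evaluate(FIXED_IN, REPLY),
            "fixed_out": evaluate(FIXED_OUT, QUERY)}
```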

18 Replies

Iulian Vaideanu
Level 4

Well, you could cover the 20-100 range with six lines (which I guess will get multiplied by the number of (ranges of) managers), like this:

- 20-23 (/30)

- 24-31 (/29)

- 32-63 (/27)

- 64-95 (/27)

- 96-99 (/30)

- 100 (/32 (host))

If it's relatively easy to give up 100 and relocate 96-99 to 16-19 then you'll only have three (/28, /27, /27).

Hi Iulian,

Could you help me understand how you came up with that? My subnetting experience so far has revolved around 5 questions basically.

How many subnets does the chosen subnet mask produce?

Which equals 2^x  where X is the number of bits turned on in the subnet mask

How many hosts per subnet? 2^y-2 where y is the number of host bits or 0s in the subnet mask

What are the valid subnets? 256-subnet mask=Block size

What's the broadcast address for each subnet? The broadcast address is always the number right before for the next subnet.

If I take 10.73.23.20/30 the .20 is my subnet and I cannot use that. I'm sure I'm missing something basic here from my studies.

Thanks for your time. 

Edited - just noticed Iulian has replied.

Jon


Maybe you could help explain the following behavior. To test my ACL I have a scanner that uses SNMP and when I scan my range it comes back and says a device at .70 which should be blocked responded. What am I missing? I thought line 60 says deny udp traffic from any source going to any destination using SNMP port 161?

On that ACL I created:

30 permit udp 10.73.23.64 0.0.0.31 host 10.73.100.7 eq snmp log
40 permit udp 10.73.23.96 0.0.0.3 host 10.73.100.7 eq snmp log
50 permit udp host 10.73.23.100 host 10.73.100.7 eq snmp log
60 deny udp any any eq snmp log
70 permit ip any any (94856

Are those the only lines of the ACL?  What does the config of the interface it's applied on look like?

interface FastEthernet0/0.3
description Data
encapsulation dot1Q 73
ip address 10.73.23.1 255.255.255.0
ip access-group SNMP-Filter in
no cdp enable

ip access-list extended SNMP-Filter
permit udp 10.73.23.24 0.0.0.7 host 10.73.100.7 eq snmp log
permit udp 10.73.23.32 0.0.0.31 host 10.73.100.7 eq snmp log
permit udp 10.73.23.64 0.0.0.31 host 10.73.100.7 eq snmp log
permit udp 10.73.23.96 0.0.0.3 host 10.73.100.7 eq snmp log
permit udp host 10.73.22.100 host 10.73.100.7 eq snmp log
deny udp any any eq snmp log
permit ip any any

What IP address is the scanner?

If it is on a different IP subnet can you add this line before your permit ip any any line -

"deny udp any any eq 162"

note if that works you need to modify your entire acl.

Jon

Yes, the scanner sits on a different subnet but for now I'm just testing using my own PC and a program I found online. I also am on a different subnet but I edited the interface to include my ACL in the out direction as well and it worked. My test scan received no reply from any printer. I just don't understand why my first config with ACL of the IN direction didn't resolve it. I'm simply trying to lock down all the printers in that range so they only can talk to the one server 10.73.100.7 via SNMP but all other traffic to those printers can flow.

SNMP uses two port numbers.

The manager sends SNMP messages using port 161 which equates to snmp in your acl.

The agents (printers) respond using port 162 which I believe is snmp-trap in an acl.

Your acl was applied inbound so it filtered traffic coming from the printers not going to the printers.

So the scanner sent an SNMP message using port 161 to the printer and the acl has no effect here.

The printers responded on port 162 but your acl is not blocking that port, i.e., the match for that packet is made on the "permit ip any any" line which is why it was allowed through.

Edit - please ignore the above, as pointed out by Iulian it is completely wrong :)

Jon

Maybe I'm missing something but to me the line in my acl that reads

deny udp any any eq snmp

means that any udp traffic from any source going to any destination using SNMP port 161 should be blocked and since I applied this to the interface in the IN direction my laptop which is sending snmp requests on port 161 should have never been allowed through...correct?

Edited due to a mistake by me, see previous post in thread.

Jon

Hello Jon,

Are you saying that when I "snmpwalk" a device, the IP packets containing the device's response come back with port source 162 (or port destination 162)?  I'm looking at a tcpdump on a Cacti server, and I'm only seeing traffic with <polled-device>.161 and <cacti-server>.nnnnn...  I believe port 162 is for SNMP traps (when an event happens on a device - like an interface going down - the device informs the configured trap server about it, so that the trap server can do stuff (like sending an e-mail or an SMS) based on that event).

Hi Iulian

Yes you may well be right on that one and I made a mistake.

Thanks for clarifying and apologies to Derek for the misleading information.

I can see why I confused you :)

Jon