ACL Help

dcanady55
Level 3

Hello,

I have the following subnet 10.73.23.0/24

Printers are in the 20-100 range for IPs and I want to create an ACL to lock down SNMP from a few managers only to those printers. Is there a way to do this without putting in 80 lines of ACLs using the specific host IPs?

Thanks,

18 Replies

Just to add, if that does work there are two different ways to do your ACL and it depends on exactly what you want to achieve.

Jon

This config allows those four 10.73.23. subnets to send UDP packets with destination IP 10.73.100.7 and destination port 161 (SNMP), then drops any UDP packets entering interface Fa0/0.3 with destination port 161, then permits everything.  Basically it allows those subnets to query 10.73.100.7 by SNMP (which I don't think is what you intended), and under this config all devices that have SNMP enabled (not just .70) should respond to SNMP queries from everywhere.

If you need to allow 10.73.100.7 to query 10.73.23.24/29 by SNMP you can

a) either use "ip access-group XXX in"

permit udp 10.73.23.24 0.0.0.7 eq snmp host 10.73.100.7

deny udp any eq snmp any

permit ip any any

(which filters the devices' responses to SNMP queries from outside - notice the position of "eq snmp", meaning "source port snmp")

b) or use "ip access-group XXX out"

permit udp host 10.73.100.7 10.73.23.24 0.0.0.7 eq snmp

deny udp any any eq snmp

permit ip any any

(which filters SNMP queries from outside - this is preferred, since it prevents unwanted traffic to reach the devices)

Sorry, didn't see this post before Jon's last post. My intention is to allow all the hosts (in this case printers) in those 4 subnets to talk to 10.73.100.7 via UDP using port 161 (SNMP) and just block SNMP requests coming from any other source except 10.73.100.7. Does that help?
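For the original question (printers at .20 through .100 without one ACL line per host), the wildcard-mask trick from option b) can be generalised: split the range into the fewest aligned blocks and write one entry per block. The script below is an added example, not something posted in this thread or Cisco's own tooling; the manager address 10.73.100.7 and the printer range 10.73.23.20-10.73.23.100 are taken from the thread, and the interface-level check function is an assumption used only to verify coverage offline.

```python
"""
Cover a contiguous IPv4 host range with the fewest Cisco wildcard-mask blocks
and emit an outbound SNMP-restricting ACL in the style of option b) above.
Added example; not code from the forum thread.
"""
import ipaddress
from typing import List, Set, Tuple


def range_to_wildcard_blocks(first: str, last: str) -> List[Tuple[str, str]]:
    """Return (base_address, wildcard_mask) pairs covering first..last inclusive.

    ipaddress.summarize_address_range yields the minimal list of aligned CIDR
    networks; a network's hostmask is exactly the Cisco wildcard mask.
    """
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    return [(str(net.network_address), str(net.hostmask))
            for net in ipaddress.summarize_address_range(start, end)]


def build_snmp_acl(manager: str, first: str, last: str) -> List[str]:
    """Emit an ACL for 'ip access-group ... out' on the printer VLAN interface.

    Only the SNMP manager may send UDP/161 to the printer range; every other
    SNMP query is dropped and all remaining traffic is permitted.
    """
    lines = []
    for base, wildcard in range_to_wildcard_blocks(first, last):
        if wildcard == "0.0.0.0":              # single address: use 'host' keyword
            lines.append(f"permit udp host {manager} host {base} eq snmp")
        else:
            lines.append(f"permit udp host {manager} {base} {wildcard} eq snmp")
    lines.append("deny udp any any eq snmp")
    lines.append("permit ip any any")
    return lines


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def matched_hosts(blocks: List[Tuple[str, str]], subnet: str) -> Set[str]:
    """Hosts in subnet hit by at least one block (hypothetical coverage check)."""
    return {str(h) for h in ipaddress.IPv4Network(subnet).hosts()
            if any(wildcard_match(str(h), b, w) for b, w in blocks)}


if __name__ == "__main__":
    acl = build_snmp_acl("10.73.100.7", "10.73.23.20", "10.73.23.100")
    print("\n".join(acl))
    blocks = range_to_wildcard_blocks("10.73.23.20", "10.73.23.100")
    covered = matched_hosts(blocks, "10.73.23.0/24")
    print(f"{len(blocks)} permit entries cover {len(covered)} hosts")
```

Running it shows the 81 printer addresses collapse into six permit entries (.20/0.0.0.3, .24/0.0.0.7, .32/0.0.0.31, .64/0.0.0.31, .96/0.0.0.3 and host .100), and the coverage check confirms nothing outside .20-.100 is matched. Applying the list outbound on the printer VLAN interface keeps stray SNMP queries off the printers entirely, which is the reason option b) was preferred above.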

dcanady55
Level 3

Guys thanks a lot for the assistance as I understand now how I got mixed up.