04-06-2025 10:28 PM
Hello,
I tried to block SNMP queries from the Internet to my WAN interface. I have an ASR 1002 with system image: asr1000rp1-advipservicesk9.03.16.10.S.155-3.S10-ext.b"
What did I do? I created an access list like below:
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
access-list 100 permit ip any any
and applied this ACL to my WAN interface using this command:
ip access-group 100 in
But a popular network scanner like shodan.io still shows that my device is reachable through SNMP (161 UDP) and reports, for example, the real "uptime" of my router.
How do I definitively block these queries?
04-06-2025 10:49 PM
Hello @Gonzo_fernando
Even though you've applied an ACL to the WAN interface, SNMP responses from the router itself may bypass interface ACLs because they're considered control plane traffic.
So, look at using CoPP. Control Plane Policing ensures that traffic destined to the router itself (like SNMP queries) is filtered.
--
class-map match-any BLOCK-SNMP
 match protocol snmp
policy-map CONTROL-PLANE-INBOUND
 class BLOCK-SNMP
  drop
 class class-default
  pass
control-plane
 service-policy input CONTROL-PLANE-INBOUND
04-06-2025 11:51 PM
Hello @Gonzo_fernando ,
You can use an ACL to define what hosts and subnets can make queries to your device. The exact syntax depends on what version of SNMP you have enabled on your device. Assuming you have SNMP v2c, when you define the read-only community you can specify an ACL to describe the allowed hosts.
The configuration suggested by M02@rt37 does not allow any SNMP query, including those coming from internal networks.
If you still want to use SNMP queries sourced from one or more internal subnets, you need to use an ACL either with the SNMP RO community definition for SNMP v2c or with the SNMP view / SNMP user creation for SNMP version 3.
Hope to help
Giuseppe
04-07-2025 12:08 AM
I have additional configuration like below:
snmp-server community MYPASSWORD RO 95
snmp-server drop unknown-user
In access-list 95 I defined the host which should communicate with my router via SNMP:
access-list 95 permit MYHOST
access-list 95 deny any
but this does not resolve my problem and Shodan still shows my router uptime.
One interesting thing is that shodan.io shows SNMP version 3, which I don't use. I don't know what that means, but regardless of all that, the uptime is correct anyway:
SNMP: Versions: 3
Engineid Format: mac
Engine Boots: 11
Engineid Data: 58:97:bd:1a:d3:00
Enterprise: 9
Engine Time: 428 days, 7:51:43
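As an added illustration, not part of any post in this thread: the "Versions: 3 / Engine Boots / Engine Time" lines above are the fields of an SNMPv3 engine discovery exchange (RFC 3414, section 4). A scanner sends a v3 message with an empty msgAuthoritativeEngineID and an empty user name; the agent answers with a Report PDU (usmStatsUnknownEngineIDs) that carries its real engineID, engineBoots and engineTime. The Report is produced at the engine-ID check (RFC 3414 section 3.2, step 3), before any user name is looked up, so a community ACL such as access-list 95 or `snmp-server drop unknown-user` never comes into play, and engineTime, counted in seconds since the last boot, is the "uptime" the scanner prints. The script below simulates both sides in-process with a hand-rolled BER encoder (no pysnmp), using the engine values from the Shodan output above as constructed agent state; it is example code written for this page, not anything from the thread's participants or from Cisco.

```python
# SNMPv3 engine discovery (RFC 3414 sec. 4): the unauthenticated exchange that
# yields the "Engine Boots" / "Engine Time" lines shown above. Both sides are
# simulated in-process; agent state is constructed from the Shodan output.

# ---- minimal BER encoder/decoder: just enough for SNMPv3 ----

def ber_len(n):
    """Encode a TLV length (short form < 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(v):
    """INTEGER, minimal two's-complement encoding."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_octets(b):
    return tlv(0x04, b)

def ber_read(buf, pos=0):
    """Return (tag, content, position after this TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def ber_children(content):
    """Split the body of a SEQUENCE/PDU into [(tag, content), ...]."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = ber_read(content, pos)
        out.append((tag, body))
    return out

def ber_to_int(b):
    return int.from_bytes(b, "big", signed=True)

# ---- SNMPv3 message pieces (RFC 3412 message, RFC 3414 USM parameters) ----

USM_UNKNOWN_ENGINEIDS = bytes.fromhex("2b060106030f01010400")   # OID 1.3.6.1.6.3.15.1.1.4.0
ENGINEID_FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}  # RFC 3411

def usm_params(engine_id, boots, engine_time, user=b""):
    inner = (ber_octets(engine_id) + ber_int(boots) + ber_int(engine_time)
             + ber_octets(user) + ber_octets(b"") + ber_octets(b""))
    return ber_octets(tlv(0x30, inner))

def v3_message(msg_id, flags, engine_id, boots, engine_time, pdu):
    header = tlv(0x30, ber_int(msg_id) + ber_int(65507) + ber_octets(flags) + ber_int(3))
    scoped = tlv(0x30, ber_octets(engine_id) + ber_octets(b"") + pdu)
    return tlv(0x30, ber_int(3) + header + usm_params(engine_id, boots, engine_time) + scoped)

def build_discovery_request(msg_id=0x1234):
    """Scanner side: empty engineID, empty user, flags=0x04 (reportable, noAuthNoPriv)."""
    get = tlv(0xA0, ber_int(msg_id) + ber_int(0) + ber_int(0) + tlv(0x30, b""))
    return v3_message(msg_id, b"\x04", b"", 0, 0, get)

def agent_handle(request, engine_id, boots, engine_time):
    """Agent side. An empty msgAuthoritativeEngineID triggers a usmStatsUnknownEngineIDs
    Report (RFC 3414 sec. 3.2 step 3) carrying the real engineID/boots/time. This is
    decided before the user name is looked up, so no community ACL or user check applies."""
    _, body, _ = ber_read(request)
    version, header, secparams, _scoped = ber_children(body)
    if ber_to_int(version[1]) != 3:
        raise ValueError("not SNMPv3")
    msg_id = ber_to_int(ber_children(header[1])[0][1])
    _, usm, _ = ber_read(secparams[1])
    if ber_children(usm)[0][1] != b"":
        raise ValueError("engineID present: would continue into USM user processing")
    varbind = tlv(0x30, tlv(0x06, USM_UNKNOWN_ENGINEIDS) + tlv(0x41, b"\x01"))  # Counter32 = 1
    report = tlv(0xA8, ber_int(msg_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return v3_message(msg_id, b"\x00", engine_id, boots, engine_time, report)

def parse_report(response):
    """Scanner side: pull engineID/boots/time out of the Report and label them like Shodan."""
    _, body, _ = ber_read(response)
    _, _, secparams, scoped = ber_children(body)
    _, usm, _ = ber_read(secparams[1])
    fields = ber_children(usm)
    engine_id, boots, t = fields[0][1], ber_to_int(fields[1][1]), ber_to_int(fields[2][1])
    if ber_children(scoped[1])[2][0] != 0xA8:
        raise ValueError("expected a Report PDU")
    days, rem = divmod(t, 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return {
        "versions": 3,
        "engineid_format": ENGINEID_FORMATS.get(engine_id[4], "unknown"),
        "engine_boots": boots,
        "engineid_data": ":".join(f"{b:02x}" for b in engine_id[5:]),
        "enterprise": int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF,  # high bit = RFC 3411 format
        "engine_time": t,
        "uptime": f"{days} days, {h}:{m:02d}:{s:02d}",
    }

def demo():
    # Constructed agent state reproducing the Shodan output in this thread:
    # enterprise 9 (Cisco), format 3 (MAC), boots 11, time = 428 days 7:51:43 in seconds.
    engine_id = bytes.fromhex("80000009" "03" "5897bd1ad300")
    request = build_discovery_request()
    response = agent_handle(request, engine_id, boots=11, engine_time=37007503)
    return parse_report(response)

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` prints the same six fields Shodan shows, decoded from a Report the agent sent without consulting any community, ACL or user. The practical consequence is that the filter has to sit at a layer that stops the datagram before it reaches the SNMP engine (an interface ACL or a CoPP class on UDP/161 from untrusted sources), not on the community or user definition.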