06-30-2014 06:50 AM - edited 03-04-2019 11:15 PM
Hello,
Because of security we have to allow SNMP requests only from MGT VLANs.
This is how I want to handle it:
ip access-list extended SECURE-SNMP
remark *** mgt vlans ***
deny udp 172.16.21.0 0.0.0.255 any eq snmp
deny udp any eq snmp 172.16.21.0 0.0.0.255
deny udp 172.16.200.0 0.0.0.255 any eq snmp
deny udp any eq snmp 172.16.200.0 0.0.0.255
ip access-list extended SECURE-PERMIT-IP-ANY
permit ip any any
vlan access-map SECURE-MGT 10
action drop log
match ip address SECURE-SNMP
vlan access-map SECURE-MGT 50
action forward
match ip address SECURE-PERMIT-IP-ANY
vlan filter SECURE-MGT vlan-list 110
Is this the correct way of handling?
06-30-2014 07:12 AM
Hello
Looks okay, just one thing: by default the VACL action on a stanza is action forward, so you don't need to have the any-other-traffic match to allow it.
vlan access-map SECURE-MGT 10
action drop log
match ip address SECURE-SNMP
vlan access-map SECURE-MGT 50
vlan filter SECURE-MGT vlan-list 110
res
Paul
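As an added illustration (not code from the thread), the Python below models how a VLAN access map evaluates its ACL: a permit ACE means the packet matches the sequence and its action applies, while a deny ACE, including the implicit deny at the end of the ACL, means no match and the next sequence is tried. Because the posted SECURE-SNMP ACL contains only deny lines, the model also runs it with an assumed trailing `permit udp any any eq snmp` (not in the thread) so that non-management SNMP actually reaches sequence 10; the hosts, ports and packets are constructed.

```python
import ipaddress

SNMP_PORT = 161  # what IOS resolves "eq snmp" to
ANY = "0.0.0.0/0"

def ace(action, src, dst, sport=None, dport=None):
    """One ACE of an extended ACL (only UDP flows are modelled here)."""
    return {"action": action, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "sport": sport, "dport": dport}

def acl_lookup(acl, pkt):
    """First-match lookup with the implicit deny at the end of every ACL."""
    for e in acl:
        if (pkt["src"] in e["src"] and pkt["dst"] in e["dst"]
                and e["sport"] in (None, pkt["sport"])
                and e["dport"] in (None, pkt["dport"])):
            return e["action"]
    return "deny"

def vacl_action(access_map, pkt):
    """VLAN access-map semantics: an ACL 'permit' means the sequence matches
    and its action applies; 'deny' (or the implicit deny) means no match, so
    the next sequence is tried.  A packet that no sequence matches is dropped."""
    for seq in access_map:
        if seq["acl"] is None or acl_lookup(seq["acl"], pkt) == "permit":
            return seq["action"]
    return "drop"

# The thread's SECURE-SNMP ACL: SNMP to/from the management VLANs is excluded.
MGT_VLANS = ["172.16.21.0/24", "172.16.200.0/24"]
SECURE_SNMP_AS_POSTED = []
for net in MGT_VLANS:
    SECURE_SNMP_AS_POSTED += [ace("deny", net, ANY, dport=SNMP_PORT),
                              ace("deny", ANY, net, sport=SNMP_PORT)]
# Assumed addition, not in the thread: a permit ACE that matches SNMP from
# everywhere else, so that sequence 10 has something to drop.
SECURE_SNMP_WITH_PERMIT = SECURE_SNMP_AS_POSTED + [ace("permit", ANY, ANY, dport=SNMP_PORT)]

def access_map(snmp_acl):
    """SECURE-MGT as Paul trimmed it: seq 50 has no match clause and forwards the rest."""
    return [{"seq": 10, "action": "drop", "acl": snmp_acl},
            {"seq": 50, "action": "forward", "acl": None}]

def check(snmp_acl, src, dst, sport, dport):
    """Action the VACL on VLAN 110 takes for one constructed UDP packet."""
    pkt = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
           "sport": sport, "dport": dport}
    return vacl_action(access_map(snmp_acl), pkt)

if __name__ == "__main__":
    for name, acl in (("as posted", SECURE_SNMP_AS_POSTED), ("with permit", SECURE_SNMP_WITH_PERMIT)):
        print(name, "mgmt poll:", check(acl, "172.16.21.5", "10.1.110.7", 50000, 161),
              "| non-mgmt poll:", check(acl, "10.1.110.9", "10.1.110.7", 40000, 161))
```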
07-03-2014 12:52 AM
Thanks for your reply Paul, this is working fine for us.
07-02-2014 07:32 PM
Why not just apply an ACL to SNMP?
access-list 10 permit host 10.10.10.10
snmp-server community SoMeCoMmUnItY RO 10
And/or restrict on the management plane?
http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html#wp1054074
07-03-2014 12:51 AM
Hello Collin,
Thanks for your reply.
We use that for Cisco equipment, but we have to block snmp to other systems as well.