VACL for blocking SNMP read/write

Hello,

For security reasons we have to allow SNMP requests only from the MGT VLANs.

This is how I want to handle it:

ip access-list extended SECURE-SNMP
 remark *** mgt vlans: deny = exempt from the VACL drop ***
 deny udp 172.16.21.0 0.0.0.255 any eq snmp
 deny udp any eq snmp 172.16.21.0 0.0.0.255
 deny udp 172.16.200.0 0.0.0.255 any eq snmp
 deny udp any eq snmp 172.16.200.0 0.0.0.255
 remark *** permit = match: selects the remaining SNMP for the drop action ***
 permit udp any any eq snmp
 permit udp any eq snmp any

ip access-list extended SECURE-PERMIT-IP-ANY
 permit ip any any

vlan access-map SECURE-MGT 10
 action drop log
 match ip address SECURE-SNMP

vlan access-map SECURE-MGT 50
 action forward
 match ip address SECURE-PERMIT-IP-ANY

vlan filter SECURE-MGT vlan-list 110
 

Is this the correct way of handling it?
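To see how a VLAN access-map actually evaluates an ACL like SECURE-SNMP, here is an added Python model (not from the original post and not Cisco code) of the matching rules Cisco documents for VACLs: a permit ACE in the matched ACL selects the packet for that sequence's action, a deny ACE (or the ACL's implicit deny at the end) means "not this sequence" and evaluation moves on, a sequence without a match clause matches everything, a sequence without an action forwards, and a packet that matches no sequence is dropped. The sample packets, the hosts in 172.16.110.0/24 and the port numbers are constructed for the example. It runs a management-exempt list made only of deny ACEs, which selects nothing and therefore blocks nothing, beside the same list closed with permit ACEs for SNMP, which is what hands non-management SNMP to the drop action.

```python
"""Model of Cisco VACL matching (added example; not Cisco's code or the poster's).
Rules modelled, from Cisco's VLAN access-map documentation: a permit ACE in the
matched ACL selects the packet for the sequence's action; a deny ACE (or the ACL's
implicit deny) means "not this sequence"; no match clause matches everything,
no action clause forwards; a packet matching no sequence is dropped."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"snmp": 161, "snmptrap": 162}  # IOS port keywords used here

Packet = namedtuple("Packet", "proto src sport dst dport")  # proto: "udp" or "tcp"

@dataclass(frozen=True)
class Ace:
    verdict: str                          # "permit" or "deny"
    proto: str                            # "ip", "udp" or "tcp"
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]

def _addr(toks: List[str], i: int) -> Tuple[Optional[ipaddress.IPv4Network], int]:
    # 'any', 'host A.B.C.D' or 'network wildcard', starting at toks[i]
    if toks[i] == "any":
        return None, i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(toks[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{toks[i]}/{mask}", strict=False), i + 2

def _port(toks: List[str], i: int) -> Tuple[Optional[int], int]:
    # optional 'eq <port|keyword>' starting at toks[i]
    if i < len(toks) and toks[i] == "eq":
        name = toks[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse one extended-ACL entry in IOS syntax (only the forms used here)."""
    toks = line.split()
    src, i = _addr(toks, 2)
    sport, i = _port(toks, i)
    dst, i = _addr(toks, i)
    dport, i = _port(toks, i)
    return Ace(toks[0], toks[1], src, sport, dst, dport)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src is not None and ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ace.dst is not None and ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.sport in (None, pkt.sport) and ace.dport in (None, pkt.dport)

def acl_selects(acl: List[str], pkt: Packet) -> bool:
    """True only when the packet hits a permit ACE; a deny ACE or the implicit
    deny at the end of the ACL means this sequence does not apply."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt):
            return ace.verdict == "permit"
    return False

def vacl_action(access_map, pkt: Packet) -> str:
    """access_map: ordered list of (match ACL or None, action or None) sequences."""
    for acl, action in access_map:
        if acl is None or acl_selects(acl, pkt):
            return action or "forward"  # missing action clause defaults to forward
    return "drop"                       # implicit deny at the end of the map

# Management-VLAN exemptions only: every ACE is a deny, so the drop sequence
# never selects anything and nothing is blocked.
MGMT_EXEMPT_ONLY = [
    "deny udp 172.16.21.0 0.0.0.255 any eq snmp",
    "deny udp any eq snmp 172.16.21.0 0.0.0.255",
    "deny udp 172.16.200.0 0.0.0.255 any eq snmp",
    "deny udp any eq snmp 172.16.200.0 0.0.0.255",
]
# The same exemptions closed with permit ACEs that select all remaining SNMP.
SECURE_SNMP = MGMT_EXEMPT_ONLY + ["permit udp any any eq snmp", "permit udp any eq snmp any"]

# Constructed sample traffic on the filtered VLAN (addresses are invented).
SAMPLE = [
    Packet("udp", "172.16.21.5", 50000, "172.16.110.10", 161),    # poll from the MGT VLAN
    Packet("udp", "172.16.110.20", 40000, "172.16.110.10", 161),  # poll from a non-MGT host
    Packet("udp", "172.16.110.10", 161, "172.16.21.5", 50000),    # reply back to the MGT VLAN
    Packet("tcp", "172.16.110.20", 40001, "172.16.110.10", 22),   # unrelated SSH
]

def evaluate(snmp_acl: List[str], packets=SAMPLE) -> List[str]:
    """SECURE-MGT map: seq 10 drops what snmp_acl selects, seq 50 (permit ip any any) forwards the rest."""
    access_map = [(snmp_acl, "drop"), (["permit ip any any"], "forward")]
    return [vacl_action(access_map, p) for p in packets]

if __name__ == "__main__":
    print("deny-only   ", evaluate(MGMT_EXEMPT_ONLY))  # forwards all four, including the non-MGT poll
    print("with permits", evaluate(SECURE_SNMP))       # drops only the non-MGT poll
</test>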

Accepted Solution

Hello

Looks okay, just one thing: by default the VACL action on a stanza is action forward, so you don't need to have the 'any other traffic' entry to allow it.

vlan access-map SECURE-MGT 10
 action drop log
 match ip address SECURE-SNMP

vlan access-map SECURE-MGT 50
 

vlan filter SECURE-MGT vlan-list 110

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


Thanks for your reply Paul, this is working fine for us.

Collin Clark
VIP Alumni

Why not just apply an ACL to SNMP?

access-list 10 permit host 10.10.10.10

snmp-server community SoMeCoMmUnItY RO 10

And/or restrict on the management plane?

http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html#wp1054074

Hello Collin,

Thanks for your reply.

We use that for Cisco equipment, but we have to block SNMP to other systems as well.
