01-21-2009 12:21 PM
Howdy Folks, how do I limit SNMP queries from hosts other than the host needed for management? The security team is kicking my butt on this one. Help
Cisco 9513 v3.2 and 9506s
all the best,
01-21-2009 12:46 PM
If the SNMP queries are sent via UDP, you can create an access list to deny UDP from any host, then permit TCP from any host. Once created, apply this access list to inbound packets on the mgmt 0 interface. FM and DM use SNMP over TCP to access the MDS, and sometimes they also use telnet or SSH under the covers to obtain info from the MDS CLI.
Here is a quick example:
pod4-9222i-98(config)# ip access-list nosnmp deny udp any any
pod4-9222i-98(config)# ip access-list nosnmp permit tcp any any
pod4-9222i-98(config)# int mgmt 0
pod4-9222i-98(config-if)# ip access-group nosnmp in
With this access list in place, you will not be able to use TFTP to load files...only FTP or SFTP.
Hope this helps,
Mike
01-21-2009 01:28 PM
Thanks Mike,
The second I followed this list, I lost SNMP to DM. In addition, I'm using the mgmt software ECC and EMC Smarts, and they are listening on port 161.
M
01-22-2009 06:57 AM
Hmmm...I thought that as of 3.x all SNMP for FM and DM used TCP. Not sure about ECC. If you put in an access list to only permit SNMP from certain hosts, that would prevent SNMP from any host not in the list. The problem there is that only the hosts in the list can use FM/DM to manage the MDS. You could work with your security guys and come up with the desired access list to limit which hosts can access the MDS via SNMP.
An access list on the mgmt 0 interface is the only way I know of to lock down the MDS for SNMP queries.
Thanks,
Mike
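The per-host variant Mike describes above, written out as an added example (it is not from the thread): SNMP over UDP/161 is accepted only from the ECC, Smarts and Fabric/Device Manager hosts, all other UDP is dropped, and TCP stays open so SSH, FTP/SFTP and FM/DM's TCP sessions keep working. The list name and the 192.0.2.x addresses are placeholders; the one-line `ip access-list` form matches the SAN-OS 3.x syntax shown earlier in the thread, and `!` lines are comments.

```cisco
! Added example, not the thread's own config: lock SNMP on mgmt0 to named hosts.
! Form: ip access-list <name> <permit|deny> <proto> <src> <src-wildcard> <dst> <dst-wildcard> [eq <port>]
! 192.0.2.10/20/30 are placeholder addresses; replace with your management hosts.
!
! SNMP (UDP/161) only from the ECC, EMC Smarts and FM/DM stations
ip access-list mgmt-snmp permit udp 192.0.2.10 0.0.0.0 any eq 161
ip access-list mgmt-snmp permit udp 192.0.2.20 0.0.0.0 any eq 161
ip access-list mgmt-snmp permit udp 192.0.2.30 0.0.0.0 any eq 161
!
! Every other UDP source (SNMP from anywhere else, TFTP) is dropped
ip access-list mgmt-snmp deny udp any any
!
! Keep TCP open for SSH, FTP/SFTP and the TCP side of FM/DM
ip access-list mgmt-snmp permit tcp any any
!
! Optional: keep ping working; without it ICMP falls into the implicit deny
ip access-list mgmt-snmp permit icmp any any
!
! Anything not matched above is dropped by the implicit deny at the end of the list
interface mgmt 0
 ip access-group mgmt-snmp in
```

Because the list is applied inbound only, traps the switch sends out are unaffected; confirm the entries and their order with `show ip access-list mgmt-snmp` before handing the change to the security team.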
01-22-2009 09:30 AM
Thanks Mike! I'll give it a try today.