divadko
Beginner

Block SNMP and NTP

Hi all,

How can I block SNMP and NTP ports on my public L3 switch Cat 4506e?

I have multiple interfaces as router interfaces and on all of them these ports are open.

How can I block them from the public internet and allow only from my local networks' IP range?

Thank you

dave

5 REPLIES
paul driver
VIP Mentor

Hello
Applying management plane policing (MPP) can do it:

example:

control-plane host
management-interface x/x allow ssh snmp

or

access-list 10 permit 172.16.1.0 0.0.0.255
access-list 20 permit 192.168.100.1

snmp-server community snmp-ro RO 10
snmp-server community snmp-rw RW 20

 

crypto key generate rsa label local general-keys modulus 2048
ip ssh time-out 60
ip ssh authentication-retries 2

line vty 0 4
 transport input ssh
 access-class x in



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

Hello, I used an access list to permit my local network, like

access-list 98 permit 10.20.30.0 0.0.0.255

snmp-server community public ro 98

but the ports are still open.

From the moment I put my L3 switch on public IPs the CLI is a bit laggy.

I want to close these ports from outside of my network.

About NTP, I don't want to run an NTP server on the hw, just an NTP client. I used the command "no ntp master".

But port 123 is also open.

The CLI is protected like this:

access-list 99 permit 10.20.30.0 0.0.0.255

line vty 0 4
 access-class 99 in
 password xxxxxxxx
 login

This looks OK because I don't have any more open telnet ports from the internet.

 

BR

Dave

How are you scanning and confirming that the ports are open? From an outside network?

Can you post an example output for us to understand?



BB


*** Rate All Helpful Responses ***

Hi, I tried it with nmap from a mobile internet connection... from a different IP source, and it shows open ports.

johnd2310
Collaborator

Hi,

 

To disable NTP on interfaces, use the interface command "ntp disable". You would use this command on all your Internet-facing interfaces and leave NTP enabled on your LAN-facing interfaces.

 

Thanks

John

**Please rate posts you find helpful**
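
An added example, not code from any poster in this thread: a small Python check that reads an IOS-style running-config and flags the three controls the replies above rely on (an ACL on each SNMP community, an inbound access-class on every vty line, and "ntp disable" on internet-facing interfaces). The sample config, the interface names and the set of public interfaces are constructed assumptions, and only numbered ACLs and the simple "community NAME ro|rw [ACL]" form are parsed.

```python
import re

# Constructed sample config (not from the thread); ACL 98 is deliberately undefined.
SAMPLE_CONFIG = """\
access-list 99 permit 10.20.30.0 0.0.0.255
snmp-server community public ro 98
snmp-server community monitor ro
interface GigabitEthernet1/1
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet1/2
 ip address 198.51.100.2 255.255.255.252
 ntp disable
interface Vlan30
 ip address 10.20.30.1 255.255.255.0
line vty 0 4
 access-class 99 in
line vty 5 15
 login
"""

def split_blocks(config):
    """Map each top-level command to the indented sub-commands under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line[:1].isspace() and current is not None:
            blocks[current].append(line.strip())
        elif line.strip() not in ("", "!"):
            current = line.strip()
            blocks[current] = []
    return blocks

def audit(config, public_interfaces):
    """Check SNMP community ACLs, vty access-class and per-interface NTP."""
    blocks, findings = split_blocks(config), []
    acls = {h.split()[1] for h in blocks if h.startswith("access-list ")}
    for head, body in blocks.items():
        m = re.match(r"snmp-server community (\S+) (?:ro|rw)(?: (\S+))?$", head, re.I)
        if m and m.group(2) is None:
            findings.append(f"snmp community {m.group(1)}: no ACL")
        elif m and m.group(2) not in acls:
            findings.append(f"snmp community {m.group(1)}: ACL {m.group(2)} undefined")
        if head.startswith("line vty") and not any(
                re.match(r"access-class \S+ in", c) for c in body):
            findings.append(f"{head}: no inbound access-class")
        if head.startswith("interface ") and head.split()[1] in public_interfaces \
                and "ntp disable" not in body:
            findings.append(f"{head.split()[1]}: public but no 'ntp disable'")
    return findings

print("\n".join(audit(SAMPLE_CONFIG, {"GigabitEthernet1/1", "GigabitEthernet1/2"})))
```

Run it against a saved copy of the running-config and pass the names of the interfaces that carry public addresses as the second argument.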