
Block SNMP and NTP

divadko
Level 1

Hi all,

How can I block the SNMP and NTP ports on my public L3 switch, a Cat 4506E?

I have multiple interfaces configured as routed interfaces, and on all of them these ports are open.

How can I block them from the public internet and allow them only from my local network's IP range?

Thank you

dave


Hello,
Applying management plane policing (MPP) can do it.

example:

control-plane host
management-interface x/x allow ssh snmp

or

access-list 10 permit 172.16.1.0 0.0.0.255
access-list 20 permit 192.168.100.1

snmp-server community snmp-ro RO 10
snmp-server community snmp-rw RW 20

 

crypto key generate rsa label local general-keys modulus 2048
ip ssh time-out 60
ip ssh authentication-retries 2

line vty 0 4
transport input ssh
access-class x in



Kind Regards
Paul

Hello, I used an access list to permit my local network, like this:

access-list 98 permit 10.20.30.0 0.0.0.255

snmp-server community public RO 98

 

But the ports are still open.

From the moment I put my L3 switch on public IPs, the CLI is a bit laggy.

I want to close these ports from outside my network.

About NTP, I don't want to run an NTP server on the hardware, just an NTP client. I used the command "no ntp master".

But port 123 is also open.

 

The CLI is protected like this:

 

access-list 99 permit 10.20.30.0 0.0.0.255

 

line vty 0 4
access-class 99 in
password xxxxxxxx
login

 

This looks OK because I don't have any more open telnet ports from the internet.

 

BR

Dave

How are you scanning and confirming that the ports are open? From outside the network?

Can you post example output for us to understand?

 

 

BB


Hi, I tried it with nmap from a mobile internet connection, from a different source IP, and it shows open ports.

johnd2310
Level 8

Hi,

 

To disable NTP on interfaces, use the interface command "ntp disable". You would use this command on all your Internet-facing interfaces and leave NTP enabled on your LAN-facing interfaces.

 

Thanks

John

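Pulling together Paul's SNMP/vty ACLs and John's "ntp disable", the configuration below is an added example written for this page (not code posted in the thread, and not tested on the poster's switch) for the situation Dave describes: a Catalyst 4500 with routed Internet-facing interfaces, a LAN in 10.20.30.0/24, SNMP polled only from the LAN, and the switch acting only as an NTP client. It covers two points the replies leave implicit. First, the ACL on "snmp-server community" only decides whether the SNMP agent answers; the packets are still delivered to the CPU, so the device is still a reachable SNMP target and a scanner has nothing conclusive to report. An inbound ACL on the public interfaces drops them before the agent sees them, and the 4500 applies ingress ACLs in hardware, which also keeps them off the control plane. Second, "no ntp master" only stops the switch from claiming to be an authoritative source while unsynchronized; an IOS device that is synchronized to a server still answers NTP queries from anyone unless "ntp access-group" or "ntp disable" says otherwise. Interface names, the public addresses 198.51.100.1 and 198.51.100.129, the internal NTP server 10.20.30.5, and the community string placeholder are all assumptions for the example.

```cisco
! Added example, not from the thread. Addresses and interface names are assumed.
! Public routed interfaces: GigabitEthernet1/1 = 198.51.100.1, GigabitEthernet1/2 = 198.51.100.129
! LAN 10.20.30.0/24 behind Vlan10; internal NTP server 10.20.30.5 on the LAN (assumed).
!
! 1. Drop SNMP and NTP aimed at the switch itself on the public interfaces.
!    Matching the switch's own addresses (both of them, on both interfaces) leaves
!    transit traffic to LAN hosts untouched. If the switch took time from an Internet
!    NTP server instead, add, above the deny lines, a permit for that server:
!      permit udp host <server> eq ntp host 198.51.100.1 eq ntp
!    and do not put "ntp disable" on the interface that reaches it.
ip access-list extended PUBLIC-IN
 remark -- management protocols directed at the switch --
 deny   udp any host 198.51.100.1 eq snmp
 deny   udp any host 198.51.100.1 eq snmptrap
 deny   udp any host 198.51.100.1 eq ntp
 deny   udp any host 198.51.100.129 eq snmp
 deny   udp any host 198.51.100.129 eq snmptrap
 deny   udp any host 198.51.100.129 eq ntp
 remark -- everything else stays as it was; without this line the list ends in an implicit deny --
 permit ip any any
!
interface GigabitEthernet1/1
 ip access-group PUBLIC-IN in
 ntp disable
!
interface GigabitEthernet1/2
 ip access-group PUBLIC-IN in
 ntp disable
!
! 2. SNMP: keep the agent restricted to the LAN as well, and retire the default community name.
access-list 98 permit 10.20.30.0 0.0.0.255
no snmp-server community public
snmp-server community <community-string> RO 98
!
! 3. NTP: client only. Once any ntp access-group is configured, NTP packets from a
!    source not matched by a peer/serve/serve-only/query-only group are discarded,
!    so only the configured server can talk NTP to the switch.
access-list 97 permit host 10.20.30.5
ntp server 10.20.30.5
ntp access-group peer 97
!
! 4. CLI: Dave's access-class, with telnet removed in favour of SSH.
access-list 99 permit 10.20.30.0 0.0.0.255
line vty 0 4
 access-class 99 in
 transport input ssh
```

After applying it, repeat the check Dave did from outside (for example nmap -sU -p 123,161,162 198.51.100.1): ports the switch no longer answers on are reported as open|filtered or filtered rather than open, because a UDP scanner can only call a port open when something replies. Then confirm with show ntp status and show ntp associations that the switch still synchronizes to 10.20.30.5, and poll it with SNMP from a LAN host to confirm the agent still answers there.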