Blocking SNMP from Internet

Toothless
Level 1

I have a Cisco border router (CAT9K_IOSXE) that connects to the Internet and inside the network. Per Shodan.io, I have hits on SNMP which are SVI IPs on the border router. So basically, anyone from the Internet can SNMP scan using an SVI IP. I would like to block that. There is a firewall on the inside that takes care of SNMP, but my main goal is to prevent the border router from responding to SNMP scans from the Internet.

The easier solution would be an ACL on the outside interface, but we have a lot of servers that are doing SNMP to the outside system, which goes through the border router. An ACL will complicate things as I will have to audit and maintain the ACL for any new or removed server.

The second option is to block the SVI IPs using SNMP in an ACL and permit all else on the outside interface. The issue is we have a lot of SVIs, and it also adds overhead on the outside interface.

The third option, which I am not sure will work, is to apply an ACL on the SVIs (L3 VLANs, inbound) and block all SNMP. This should block the SVIs from responding to SNMP requests.

The last option is what Cisco TAC suggested but did not provide a great deal of details. The config is:

(config)#snmp-server drop unknown-user
(config)#snmp-server drop report access ACL# (This ACL has IPs of legit monitoring SNMP hosts and denies all at the end)

I checked online and I am not sure if this will work. The first line seems to be blocking SNMP traffic with an unknown SNMPv3 user name. The issue here is, per my research, the border router would need all user names/SNMP strings that all hosts on my inside network are using to talk to the outside system. I would then need to add all of these into the border router's config. If I miss one, that legit traffic will be affected.

Is anyone more familiar with these configs and knows whether they will work for this case? Any other suggestions or feedback?
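For reference, an added illustrative configuration (not the thread author's running config and not TAC's exact wording; host addresses, group/user names and credentials are placeholders) that combines the two TAC commands with a source ACL bound to the SNMPv3 group. All of these settings act only on requests addressed to the router's own SNMP agent; SNMP that merely transits the router between inside servers and external systems is forwarded in the data plane and is not affected:

```cisco
! Added example, not the original poster's config. Addresses and secrets are placeholders.
!
! 1. Source ACL: only the legitimate monitoring hosts may query THIS router's agent.
!    Transit SNMP from inside servers to outside systems never hits this ACL.
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
access-list 10 deny   any log
!
! 2. Bind the ACL to every SNMPv3 group (and to any v2c community still in use).
!    The check is on the packet's source address, so it applies regardless of
!    which interface or SVI address the request arrived on.
snmp-server group MON-GRP v3 priv access 10
snmp-server user monuser MON-GRP v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER
!
! 3. The two TAC lines from the thread: discard requests for user names the router
!    does not know, and send SNMPv3 REPORT PDUs (the engineID/time-sync replies a
!    scanner treats as "host is alive") only to sources permitted by ACL 10.
snmp-server drop unknown-user
snmp-server drop report access 10
!
! 4. Verification (run from privileged EXEC):
!    show snmp group          -> each group should list access-list 10
!    show snmp user
!    show access-lists 10     -> the deny counter increments when an Internet host probes
```

Because the ACL is tied to the agent rather than to an interface, no per-SVI or outside-interface ACL maintenance is needed as servers are added or removed.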

15 Replies

Hi,

we have exactly the same problem - our Cisco routers are answering SNMPv3 requests on the outside interface... which is kind of ridiculous, as we do have a mgmt interface (VRF) in place, and Cisco TAC couldn't provide me any legit answer why the routers would even listen for management traffic (SNMP) on these interfaces (or why I can't just configure it to ignore them without affecting productive traffic).

I got the same answer from TAC months ago for a workaround, which is basically disabling SNMP(v3) on the router for me:
snmp-server drop unknown-user
snmp-server drop report access #ACL

I was wondering if there has been any fix or better workaround for this problem in the meantime?
Obviously, many routers are affected by it?
