
C9300 - Close SNMP Port with ACL

sidney123
Level 1

Hi,

We have multiple C9300s with public IP addresses.

They are running SNMPv3 for monitoring, which works, but when you scan from the internet/outside with nmap, Censys, Shodan, etc., UDP port 161 (SNMP) responds.

We want to make this port accessible only from selected IP addresses. How can I create an ACL and apply it to the SNMP server directly, so that the port actually closes?

The goal is to really close the port so external scanners can not find it anymore.

I do not want to put an access list on the WAN interfaces, as this would generate a lot of overhead and additional configuration.

As an example, I was able to close the SSH port to the public by applying an ip access-list on the vty lines. Is there something similar for SNMP?

3 Replies

Torbjørn
VIP

You can either apply an ACL to your WAN interface (recommended) or do it with CPPr (not recommended). There is currently no method to apply an ACL to the SNMP server process only.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

marce1000
Hall of Fame


 - FYI: https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/20370-snmpsecurity-20370.html

 For IOS-XE you may need an extended access list, for instance:

 conf t
  ! Drop SNMP (UDP 161) and SNMP trap (UDP 162) traffic arriving on the
  ! interface, let everything else through
  ip access-list extended BLOCK_SNMPv3
   deny udp any any eq 161
   deny udp any any eq 162
   permit ip any any
  exit
  interface <your_management_interface>
   ip access-group BLOCK_SNMPv3 in
 exit

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Jens Albrecht
Level 4

Hi @sidney123,

it is possible to protect SNMPv3 with a standard access-list that is applied to the snmp-server group.

A basic example may look like this:

! Sources allowed to reach the SNMP agent (standard ACL: wildcard mask, not subnet mask)
ip access-list standard RESTRICT_SNMP
    permit 10.20.30.0 0.0.0.255
    deny any
!
! Read-only view over the whole MIB tree, used by the group below
snmp-server view ALL_ACCESS iso included
! The ACL is bound to the v3 group with the "access" keyword
snmp-server group GROUP_READ v3 priv read ALL_ACCESS access RESTRICT_SNMP

This will limit SNMP access to hosts in the 10.20.30.0/24 network.

HTH!
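Putting the pieces of this thread together, here is an added, complete SNMPv3 read-only setup restricted by a source ACL, in the form a practitioner would paste into an IOS-XE device. It is not configuration from the thread or from Cisco documentation; the ACL name, group name, user name, monitoring addresses and secrets are placeholders chosen for the example and must be replaced.

```cisco
! --- Added example: SNMPv3 read-only access restricted by source ACL ---
! All names, addresses and secrets below are placeholders (assumptions).
!
! 1. Standard ACL listing the monitoring hosts. Standard ACLs take a wildcard
!    (inverse) mask: 0.0.0.255 covers a /24, the "host" keyword a single address.
!    "log" on the final deny makes rejected sources visible in the log.
ip access-list standard SNMP_MONITORING
 permit host 203.0.113.10
 permit 10.20.30.0 0.0.0.255
 deny any log
!
! 2. Read-only view over the full MIB tree.
snmp-server view RO_VIEW iso included
!
! 3. The v3 group enforces authentication and encryption ("priv") and is
!    bound to the ACL, so only the listed sources are served.
snmp-server group MONITORING_RO v3 priv read RO_VIEW access SNMP_MONITORING
!
! 4. A user in that group. CHANGE_ME_* are placeholders; use long, unique
!    secrets. IOS-XE does not echo snmp-server user lines in the running config.
snmp-server user monitor MONITORING_RO v3 auth sha CHANGE_ME_AUTH priv aes 128 CHANGE_ME_PRIV
!
! 5. Checks (exec mode):
!    show snmp group                    -> groups, security model, bound ACL
!    show snmp user                     -> users, auth/priv protocols, group
!    show snmp community                -> any leftover v1/v2c communities
!    show access-lists SNMP_MONITORING  -> per-entry hit counters
```

Two things to check after applying it. First, the ACL only protects this group: any other snmp-server group or a leftover v1/v2c community string configured without its own ACL is still reachable from anywhere, so review "show snmp group" and "show snmp community" for entries without an access list. Second, verify from a host that is not in the ACL by scanning before and after ("nmap -sU -p 161 <device>") and confirm the reason for the change with the hit counter on the "deny any log" entry. If the device is also managed over IPv6, the group accepts a separate IPv6 ACL via "access ipv6 <acl-name>", and the same review applies there.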