Solved: How to disable SNMP on a Specific Interface?

brian.emil.harris · ‎02-14-2018

In the context of an ISR4431, how do I disable SNMP access on a specific interface?

I have an ISR4431 at my Internet edge - ISP is plugged into one of the Gi interfaces, and I want to disable/block udp/161 access to that interface from Internet traffic.

Rob Ingram · ‎02-14-2018

Hi, An ACL applied to snmp should give you what you want. Just permit access from the internal SNMP server(s). Example:

ip access-list standard ACL_SNMP
permit host 192.168.10.5
deny any log

snmp-server group SNMP_GRP v3 auth
snmp-server user SNMPUSER SNMP_GRP v3 auth sha PASSWORD priv aes 256 PASSWORD access ACL_SNMP

View solution in original post

Rob Ingram · ‎02-14-2018

Hi, An ACL applied to snmp should give you what you want. Just permit access from the internal SNMP server(s). Example:

ip access-list standard ACL_SNMP
permit host 192.168.10.5
deny any log

snmp-server group SNMP_GRP v3 auth
snmp-server user SNMPUSER SNMP_GRP v3 auth sha PASSWORD priv aes 256 PASSWORD access ACL_SNMP

Dennis Mink · ‎02-14-2018

Alternatively, if you put an ACL on the actual interface facing your provider and allow only what you want to allow and block all else, which would include port 161 (which is probably a slighty more impractical option than just dping an ACL on snmp)

Please remember to rate useful posts, by clicking on the stars below.

brian.emil.harris · ‎02-14-2018

So, I do have an SNMP ACL, but a recent vulnerability test indicates that udp/161 is open on our edge routers.

I'm not so much afraid of someone getting "in" via that, as my SNMP ACL is suitably restrictive, but would like to just "block" that from being visible via whatever scan detected this.