02-14-2018 10:14 AM - edited 03-08-2019 01:51 PM
In the context of an ISR4431, how do I disable SNMP access on a specific interface?
I have an ISR4431 at my Internet edge - ISP is plugged into one of the Gi interfaces, and I want to disable/block udp/161 access to that interface from Internet traffic.
02-14-2018 12:06 PM - edited 02-14-2018 12:06 PM
Hi, an ACL applied to SNMP should give you what you want. Just permit access from the internal SNMP server(s). Example:
ip access-list standard ACL_SNMP
permit host 192.168.10.5
deny any log
snmp-server group SNMP_GRP v3 auth
snmp-server user SNMPUSER SNMP_GRP v3 auth sha PASSWORD priv aes 256 PASSWORD access ACL_SNMP
02-14-2018 02:48 PM
Alternatively, you could put an ACL on the actual interface facing your provider, allow only what you want to allow and block all else, which would include port 161 (which is probably a slightly more impractical option than just doing an ACL on SNMP).
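Added example of the interface-ACL option described above (not config from this thread): an ingress ACL on the ISP-facing interface that drops udp/161 sent to the router's own uplink address before the SNMP process ever sees it, so an Internet scan no longer finds the port responding. The interface name GigabitEthernet0/0/0 and the address 203.0.113.2 are assumed placeholders; substitute your real uplink interface and address.

```cisco
! Added example, not from the thread. Assumes the ISP uplink is
! GigabitEthernet0/0/0 with the placeholder address 203.0.113.2.
ip access-list extended ACL_EDGE_IN
 remark Drop SNMP (udp/161) aimed at this router from the Internet side
 deny   udp any host 203.0.113.2 eq snmp log
 remark Replace this line with the traffic you actually want to allow in
 permit ip any any
!
interface GigabitEthernet0/0/0
 description ISP uplink
 ip access-group ACL_EDGE_IN in
```

The snmp-server ACL from the earlier reply still applies and should stay in place; this interface ACL just stops the packet at the edge, which is what makes the difference to an external scan.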
02-14-2018 02:54 PM
So, I do have an SNMP ACL, but a recent vulnerability test indicates that udp/161 is open on our edge routers.
I'm not so much afraid of someone getting "in" via that, as my SNMP ACL is suitably restrictive, but would like to just "block" that from being visible via whatever scan detected this.