[c-nsp] snmp access list
Phil Mayers
p.mayers at imperial.ac.uk
Sat May 3 11:36:19 EDT 2008
Jeff Fitzwater wrote:
> Does anybody know how a numbered standard ACL that is applied to snmp
> traffic via commands shown below, actually works?
> Does the SNMP process still get touched when a DENY is hit?
Yes. If you think about it, it has to - the combination that's permitted is:
(community AND ACL)
...so the SNMP process has to run at least as far as parsing the first
bits of the SNMP packet to extract the community string.
This means that actual IP ACLs (or CoPP, on supporting platforms) should
also be used to drop SNMP (and other management traffic) in hardware/CEF
before the process is invoked, for complete security.
>
> snmp-server community xxxx RO 99
> snmp-server community xxxx RW 99
>
> Thanks for any info.
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
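The processing order Phil describes, as an added example that is not part of the original thread: a small Python model that parses the community string out of a constructed SNMPv2c GetRequest (BER, short-form lengths only) and then runs the two checks a router performs. The interface ACL / CoPP stage, the ACL numbers, the community name and the sample source addresses are all assumptions made for the model; the point it shows is that without a pre-filter every packet, including those the community ACL will deny, still reaches the SNMP parser.

```python
import ipaddress
from dataclasses import dataclass


def build_snmp_v2c_get(community: bytes) -> bytes:
    """Constructed sample: a minimal SNMPv2c GetRequest with an empty varbind list."""
    pdu_body = (b"\x02\x01\x01"   # request-id INTEGER 1
                b"\x02\x01\x00"   # error-status noError
                b"\x02\x01\x00"   # error-index 0
                b"\x30\x00")      # empty VarBindList
    pdu = b"\xa0" + bytes([len(pdu_body)]) + pdu_body      # GetRequest-PDU [0] IMPLICIT
    body = (b"\x02\x01\x01"                                  # version INTEGER 1 = v2c
            + b"\x04" + bytes([len(community)]) + community  # community OCTET STRING
            + pdu)
    return b"\x30" + bytes([len(body)]) + body               # outer Message SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not handled in this example")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[start:end], end


def parse_community(packet: bytes) -> str:
    """The work the SNMP process must do before it can apply any community ACL."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02 or version not in (b"\x00", b"\x01"):
        raise ValueError("not an SNMPv1/v2c message")
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community must be an OCTET STRING")
    return community.decode("ascii", errors="replace")


@dataclass
class Counters:
    dropped_in_hardware: int = 0
    reached_snmp_process: int = 0
    accepted: int = 0


def acl_permits(acl, src: str) -> bool:
    """Standard ACL model: permit if the source matches any entry, else implicit deny."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)


def handle_snmp(src, packet, communities, community_acl, counters, interface_acl=None):
    # Stage 1 (assumed hardware path): an interface ACL or CoPP policy drops the
    # packet before any process is scheduled. Absent when interface_acl is None.
    if interface_acl is not None and not acl_permits(interface_acl, src):
        counters.dropped_in_hardware += 1
        return "dropped-in-hardware"
    # Stage 2: the SNMP process. It has to parse the packet to learn the community
    # before it can know which ACL (e.g. "99") applies. Check order here is assumed.
    counters.reached_snmp_process += 1
    try:
        community = parse_community(packet)
    except ValueError:
        return "malformed"
    if community not in communities:
        return "bad-community"
    if not acl_permits(community_acl, src):
        return "acl-deny"            # denied, but the parsing work was already done
    counters.accepted += 1
    return "accepted"


MGMT_NET = [ipaddress.ip_network("192.0.2.0/24")]   # constructed: what "ACL 99" permits
COMMUNITIES = {"public"}                             # constructed community name
SAMPLE_TRAFFIC = [                                   # constructed (source, community) pairs
    ("192.0.2.10", b"public"),
    ("198.51.100.7", b"public"),
    ("198.51.100.7", b"wrong"),
    ("203.0.113.9", b"public"),
]


def simulate(with_interface_acl: bool):
    """Run the sample traffic with or without the hardware pre-filter in place."""
    counters, results = Counters(), []
    for src, comm in SAMPLE_TRAFFIC:
        pkt = build_snmp_v2c_get(comm)
        results.append(handle_snmp(src, pkt, COMMUNITIES, MGMT_NET, counters,
                                   interface_acl=MGMT_NET if with_interface_acl else None))
    return counters, results


if __name__ == "__main__":
    for flag in (False, True):
        c, r = simulate(flag)
        print(f"interface ACL present={flag}: {c} {r}")
```

Running it shows the two configurations side by side: with only the community ACL, all four sample packets reach the SNMP process and three are rejected there; with the same network also applied as an interface ACL, the three unauthorised packets never reach the process at all.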