[c-nsp] snmp access list

[Tassos Chatzithomaoglou]

The debug shows that the snmp packet is received by the SNMP process, although it's dropped afterwards:

May  3 19:53:45.341: SNMP: Packet received via UDP from x.x.x.x on FastEthernet0
May  3 19:55:29: %SEC-6-IPACCESSLOGS: list 99 denied x.x.x.x 1 packet


I believe the acl check could be done first, before it even touches the snmp process.
After that, snmp packet data could be checked.

What's the meaning of checking inside the snmp data, if the packet is to be dropped eventually?

--
Tassos


Phil Mayers wrote on 3/5/2008 6:36 μμ:
> Jeff Fitzwater wrote:
>> Does anybody know how a numbered standard ACL that is applied to snmp  
>> traffic via commands shown below, actually works?
>> Does the SNMP process still get touched when a DENY is hit?
> 
> Yes. If you think about it, it has to - the combination that's permitted is:
> 
> (community AND ACL)
> 
> ...so the SNMP process has to run at least as far as parsing the first 
> bits of the SNMP packet to extract the community string.
> 
> This means that actual IP ACLs (or CoPP, on supporting platforms) should 
> also be used to drop SNMP (and other management traffic) in hardware/CEF 
> before the process is invoked, for complete security
> 
>>
>> snmp-server community xxxx RO 99
>> snmp-server community xxxx RW 99
>>
>>
>>
>> Thanks for any info.
>>
>>
>>
>> Jeff Fitzwater
>> OIT Network Systems
>> Princeton University
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>