[c-nsp] snmp access list

Phil Bedard philxor at gmail.com
Sat May 3 14:19:54 EDT 2008


That's what ingress packet ACLs or CoPP is for. Having the SNMP
process ACL there as a last resort is probably a good idea in case
someone screws up the first layer of security, but I wouldn't rely on
it alone.

Phil


On May 3, 2008, at 12:59 PM, Tassos Chatzithomaoglou wrote:

>
> The debug shows that the snmp packet is received by the SNMP  
> process, although it's dropped afterwards:
>
> May  3 19:53:45.341: SNMP: Packet received via UDP from x.x.x.x on  
> FastEthernet0
> May  3 19:55:29: %SEC-6-IPACCESSLOGS: list 99 denied x.x.x.x 1 packet
>
>
> I believe the acl check could be done first, before it even touches  
> the snmp process.
> After that, snmp packet data could be checked.
>
> What's the meaning of checking inside the snmp data, if the packet  
> is to be dropped eventually?
>
> --
> Tassos
>
>
> Phil Mayers wrote on 3/5/2008 6:36 PM:
>> Jeff Fitzwater wrote:
>>> Does anybody know how a numbered standard ACL that is applied to
>>> snmp traffic via commands shown below, actually works?
>>> Does the SNMP process still get touched when a DENY is hit?
>>
>> Yes. If you think about it, it has to - the combination that's  
>> permitted is:
>>
>> (community AND ACL)
>>
>> ...so the SNMP process has to run at least as far as parsing the
>> first bits of the SNMP packet to extract the community string.
>>
>> This means that actual IP ACLs (or CoPP, on supporting platforms)
>> should also be used to drop SNMP (and other management traffic) in
>> hardware/CEF before the process is invoked, for complete security.
>>
>>>
>>> snmp-server community xxxx RO 99
>>> snmp-server community xxxx RW 99
>>>
>>>
>>>
>>> Thanks for any info.
>>>
>>>
>>>
>>> Jeff Fitzwater
>>> OIT Network Systems
>>> Princeton University
>>>
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
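The layered setup the thread recommends, written out as an added IOS configuration example (this is not configuration posted by anyone in the thread). It assumes a single management host, 192.0.2.10, a numbered standard ACL 99 as in Jeff's original commands, and made-up names for the extended ACLs, class-map and policy-map; the community string is a placeholder. The point of the example is ordering: the interface ACL and the CoPP policy discard unwanted SNMP in the forwarding path before the SNMP process ever sees the packet, and the process-level ACL on the snmp-server community line remains only as the last-resort check Phil describes.

```cisco
! --- Layer 1: ingress packet ACL on the interface facing untrusted hosts.
! Evaluated in hardware/CEF; unwanted SNMP never reaches the control plane.
ip access-list extended EDGE-IN
 remark allow SNMP only from the management host (assumed: 192.0.2.10)
 permit udp host 192.0.2.10 any eq snmp
 deny   udp any any eq snmp log
 permit ip any any
!
interface FastEthernet0
 ip access-group EDGE-IN in
!
! --- Layer 2: Control Plane Policing, for platforms that support it.
! Catches SNMP arriving on any interface without an ingress ACL.
ip access-list extended COPP-SNMP-UNWANTED
 remark exclude the management host, match everything else sent to snmp
 deny   udp host 192.0.2.10 any eq snmp
 permit udp any any eq snmp
!
class-map match-all COPP-SNMP-UNWANTED
 match access-group name COPP-SNMP-UNWANTED
!
policy-map COPP
 class COPP-SNMP-UNWANTED
  drop
!
control-plane
 service-policy input COPP
!
! --- Layer 3: the process-level ACL from the original question.
! Only consulted after the SNMP process has parsed the community string,
! so it is the backstop, not the primary control.
access-list 99 remark hosts allowed to poll SNMP
access-list 99 permit 192.0.2.10
access-list 99 deny   any log
!
snmp-server community COMMUNITY-PLACEHOLDER RO 99
```

With all three layers in place, a probe from an unauthorised source is dropped by EDGE-IN (or, if it arrives elsewhere, by CoPP), and the "%SEC-6-IPACCESSLOGS: list 99 denied" message Tassos observed is only logged when the outer layers have been misconfigured or removed. Verify each layer independently with `show ip access-lists` (interface and CoPP ACL hit counts) and `show policy-map control-plane` (CoPP drop counters); if list 99 is still accumulating denies, the outer layers are not doing their job.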


