[c-nsp] snmp access list

Dale W. Carder dwcarder at wisc.edu
Sat May 3 19:40:56 EDT 2008


...... Original Message .......
On Fri, 02 May 2008 17:05:50 -0400 "Jeff Fitzwater" <jfitz at Princeton.EDU> 
wrote:
>Does anybody know how a numbered standard ACL that is applied to snmp  
>traffic via commands shown below, actually works?
>Does the SNMP process still get touched when a DENY is hit?

Yes.  You probably want to use CoPP to have the effect I think you want. 

We had a host mistakenly pounding the SNMP process on one of our 6500s.  
While the ACL "stopped" the traffic, the CPU was pegged.  SNMP is a lower 
priority process and this didn't have much or any impact on production 
traffic, but impeded our ability to manage the box.  We turned on CoPP to 
block SNMP from all but our NMS systems and to also police it to a low rate.

Dale
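
The following is an added example, not part of the original message and not the poster's configuration: an IOS sketch of the community-string ACL the question describes next to a CoPP policy of the kind the reply describes. The NMS address (192.0.2.10), the object names, the `<COMMUNITY>` placeholder and the police rates are all constructed assumptions, and exact `police` syntax and minimum rates vary by platform and release.

```cisco
! --- Before: standard ACL bound to the community string ---
! Packets from other hosts are denied, but only after they have been
! punted to the route processor and handed to the SNMP process, so a
! flood from an unauthorized host still costs CPU.
access-list 10 permit 192.0.2.10
snmp-server community <COMMUNITY> RO 10
!
! --- After: keep the above and add CoPP in front of it ---
! Needed on the 6500 for CoPP to be enforced in hardware.
mls qos
!
! SNMP from the NMS (constructed address).
ip access-list extended COPP-SNMP-NMS
 permit udp host 192.0.2.10 any eq snmp
! SNMP from anyone else.
ip access-list extended COPP-SNMP-OTHER
 permit udp any any eq snmp
!
class-map match-all COPP-SNMP-NMS
 match access-group name COPP-SNMP-NMS
class-map match-all COPP-SNMP-OTHER
 match access-group name COPP-SNMP-OTHER
!
! Classes are evaluated in order: the NMS is matched first and policed
! to a low rate; all remaining SNMP is dropped whether or not it
! conforms. Rates are illustrative only.
policy-map COPP-IN
 class COPP-SNMP-NMS
  police 64000 8000 conform-action transmit exceed-action drop
 class COPP-SNMP-OTHER
  police 32000 1500 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP-IN
```

`show policy-map control-plane` shows per-class conform and exceed counters, which is where a host hammering SNMP shows up after the policy is applied.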


