[c-nsp] snmp access list

Андрей Сластенов slastenov at corbina.net
Sun May 4 06:24:41 EDT 2008



SNMP uses UDP. So someone (if they know the community, of course) may spoof the IP source
address of an SNMP request.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dale W. Carder
Sent: Sunday, May 04, 2008 3:41 AM
To: Jeff Fitzwater
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] snmp access list


...... Original Message .......
On Fri, 02 May 2008 17:05:50 -0400 "Jeff Fitzwater" <jfitz at Princeton.EDU> 
wrote:
>Does anybody know how a numbered standard ACL that is applied to SNMP
>traffic via the commands shown below actually works?
>Does the SNMP process still get touched when a DENY is hit?

Yes.  You probably want to use CoPP to have the effect I think you want. 

We had a host mistakenly pounding the SNMP process on one of our 6500s.
While the ACL "stopped" the traffic, the CPU was pegged.  SNMP is a lower-priority
process and this didn't have much or any impact on production
traffic, but it impeded our ability to manage the box.  We turned on CoPP to
block SNMP from all but our NMS systems and also to police it to a low rate.

Dale
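The CoPP approach Dale describes, written out as an added example (this is not configuration from the thread or from any of its posters). It assumes IOS 12.x-style MQC syntax, two placeholder NMS hosts in the 192.0.2.0/24 documentation range, and a placeholder community string; adjust the rates to your own polling load. The point the two replies make together is also reflected in it: the source-address ACL on the community string still punts denied packets to the CPU, and a source address is not authenticated on UDP, so the policer is the part that actually protects the box.

```cisco
! Added example, not from the cisco-nsp thread. NMS addresses and the
! community string are placeholders.
!
! 1. The usual source-IP ACL on the community. Denied packets are still
!    punted and touched by the SNMP process; this alone does not save the CPU.
ip access-list standard SNMP-NMS-HOSTS
 permit 192.0.2.10
 permit 192.0.2.11
snmp-server community <RO-COMMUNITY-PLACEHOLDER> RO SNMP-NMS-HOSTS
!
! 2. Classify SNMP arriving at the control plane: known NMS hosts first,
!    everything else second (classes are evaluated in order in the policy-map).
ip access-list extended COPP-SNMP-NMS
 remark SNMP polls from our management stations
 permit udp host 192.0.2.10 any eq snmp
 permit udp host 192.0.2.11 any eq snmp
ip access-list extended COPP-SNMP-OTHER
 remark any other SNMP packet that reaches the CPU
 permit udp any any eq snmp
!
class-map match-all COPP-SNMP-NMS
 match access-group name COPP-SNMP-NMS
class-map match-all COPP-SNMP-OTHER
 match access-group name COPP-SNMP-OTHER
!
! 3. Police both classes. The NMS class gets a ceiling too: a runaway poller,
!    or a packet whose UDP source was forged to look like the NMS, is held to
!    that rate instead of pegging the CPU. Unknown sources are dropped outright.
policy-map COPP
 class COPP-SNMP-NMS
  police 256000 8000 conform-action transmit exceed-action drop
 class COPP-SNMP-OTHER
  police 8000 1500 conform-action drop exceed-action drop
 class class-default
  police 1000000 50000 conform-action transmit exceed-action drop
!
! 4. Attach it to the control plane (input = traffic destined for the CPU).
control-plane
 service-policy input COPP
```

To confirm it is doing work, watch the per-class conform/exceed counters with `show policy-map control-plane`; a growing exceed count in COPP-SNMP-OTHER is the signature of the scenario in the thread, and a climbing exceed count in COPP-SNMP-NMS means one of your own pollers (or something claiming its address) is above the rate you chose.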

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/