[c-nsp] snmp access list
Phil Mayers
p.mayers at imperial.ac.uk
Sun May 4 07:23:59 EDT 2008
Tassos Chatzithomaoglou wrote:
>
> The debug shows that the snmp packet is received by the SNMP process,
> although it's dropped afterwards:
>
> May 3 19:53:45.341: SNMP: Packet received via UDP from x.x.x.x on
> FastEthernet0
> May 3 19:55:29: %SEC-6-IPACCESSLOGS: list 99 denied x.x.x.x 1 packet
>
>
> I believe the acl check could be done first, before it even touches the
> snmp process.
I think that could be quite complicated in the fully general case. The
SNMP server would have to merge the ACLs for *all* the community
strings, and those ACLs could have conflicting permit/deny statements so
you'd have to merge e.g. all the permits and append a "deny any" and
*then* re-apply the original ACL after you'd decoded the community string.
Much simpler is to use CoPP or ACLs for router interface addresses at
the border. This is best practice anyway.
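As an added example (not part of the original thread) of the CoPP approach recommended above, the IOS fragment below drops SNMP from everything except one management station on the control plane, so the packet is discarded before the SNMP process decodes the community string; the community ACL stays in place as a second check. All names, the NMS address 192.0.2.10 and the community string are assumed placeholders, and CoPP policing syntax varies by platform and release.

```cisco
! Community ACL as in the thread: this is checked inside the SNMP process
! after the community string has been decoded. Only the NMS is permitted;
! everything else is denied and logged (%SEC-6-IPACCESSLOGS).
access-list 99 permit 192.0.2.10
access-list 99 deny   any log
snmp-server community EXAMPLE-RO RO 99
!
! Extended ACL that matches SNMP traffic the router should NOT process:
! the trusted NMS is excluded, any other source toward UDP/161 matches.
ip access-list extended COPP-SNMP-UNTRUSTED
 deny   udp host 192.0.2.10 any eq snmp
 permit udp any any eq snmp
!
class-map match-all COPP-SNMP-UNTRUSTED
 match access-group name COPP-SNMP-UNTRUSTED
!
! Police both conforming and exceeding traffic to drop, so untrusted SNMP
! never reaches the SNMP process regardless of the community it carries.
! Other control-plane traffic falls into class-default and is untouched.
policy-map COPP
 class COPP-SNMP-UNTRUSTED
  police 8000 1500 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
```

Drop counters for the class are visible with `show policy-map control-plane`; a matching debug should then show no "Packet received via UDP" line for untrusted sources, while the ACL 99 log message remains for anything that still reaches the process.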