[c-nsp] How to disable ILMI/SNMP CSCvs33325
Gert Doering
gert at greenie.muc.de
Wed Sep 21 06:37:11 EDT 2022
Hi,
so, more on this...
- on ASR9k, SNMPv3 is subject to regular control plane ACLs, so
unless an SNMPv3 sender shows up in

    control-plane
     management-plane
      inband
       interface all
        allow all peer
         address ipv4 1.2.3.4/32
        !
        allow SNMP peer
         address ipv4 3.4.5.6/32

the ASR9k will not reply (I assume that's generic IOS XR). Good.
- on IOS XE, I found something that "seems to do the right thing", as
in, block all SNMPv3 packets, including discovery, while still permitting
SNMPv2
asr920(config)#access-list 99 deny any log
asr920(config)#snmp-server drop report access 99
asr920(config)#do term mon
asr920(config)#
Sep 21 12:25:07: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.27.20 1 packet
Sep 21 12:25:11: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.0.18 1 packet
Sep 21 12:31:03: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.27.20 5 packets
Sep 21 12:31:03: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.0.18 5 packets
(these are the two test hosts that could do SNMP v3 discovery before)
- since we're not using SNMPv3 anywhere, that is good enough for us.
This is on IOS XE 16.06.10.
Older IOS XE and IOS versions have "snmp-server drop unknown-user", but
that still permits discovery.
So maybe the "snmp-server drop report" will at least help Hank... :-)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de
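An added example, not part of Gert's post: a small Python parser that aggregates the %SEC-6-IPACCESSLOGS lines produced by the "snmp-server drop report access 99" setup above per source address, so the hosts still sending SNMPv3 discovery at the box can be spotted and compared against a list of expected pollers. The sample lines are constructed from the ones quoted above plus one unrelated syslog message, and the known_pollers list is a placeholder.

```python
import re
from collections import Counter

# Constructed sample: the four denied lines quoted in the post, plus one
# unrelated syslog message that the parser must ignore.
SAMPLE_LOG = """\
Sep 21 12:25:07: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.27.20 1 packet
Sep 21 12:25:11: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.0.18 1 packet
Sep 21 12:31:03: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.27.20 5 packets
Sep 21 12:31:03: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.0.18 5 packets
Sep 21 12:32:00: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Matches the IOS/IOS XE access-list logging format shown in the post.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): %SEC-6-IPACCESSLOGS: "
    r"list (?P<acl>\S+) denied (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"(?P<count>\d+) packets?$"
)


def parse_acl_denies(text, acl="99"):
    """Return (timestamp, source, packet count) tuples for ACL `acl`."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m.group("acl") == acl:
            hits.append((m.group("ts"), m.group("src"), int(m.group("count"))))
    return hits


def denied_packets_by_source(text, acl="99"):
    """Sum denied packets per source; IOS batches repeats ("5 packets")."""
    totals = Counter()
    for _, src, count in parse_acl_denies(text, acl):
        totals[src] += count
    return dict(totals)


def unexpected_sources(text, known_pollers, acl="99"):
    """Sources hitting the drop-report ACL that are not known SNMP pollers."""
    return sorted(set(denied_packets_by_source(text, acl)) - set(known_pollers))


if __name__ == "__main__":
    # Placeholder poller list: substitute the real management hosts.
    print(denied_packets_by_source(SAMPLE_LOG))
    print(unexpected_sources(SAMPLE_LOG, known_pollers=["1.1.27.20"]))
```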