November 17, 2019, 11:17:47 AM

Author Topic: Anyone have a solution to block SNMP ver. 1 & 2 so it does not even process?  (Read 606 times)


Offline oldNortelguy

  • Jr. Member
  • Posts: 32
Our security group has ramped up their tool-set intensity the past few years. One thing that has begun happening, because the 8600s function as a core with many VLANs for different floors, many IPs for each VLAN, and a VRRP address, is that they will be hitting 20-30 IPs on the same switch at the same time testing SNMP. It will stress the CPU and cause it to switch to the standby processor. Instead of processing the SNMP query and failing the login attempt based on the password, I would like to set up an access policy so that if the query is not coming from a specific IP (our SolarWinds Orion server and a few JDM stations), it will ignore/deny/drop the SNMP query. Anyone have a similar setup, I assume in the access policy config?


Offline MatzeKS

  • Sr. Member
  • Posts: 311
    • matzeks
    • Controlware GmbH - Germany
Are you referring to the ERS-8600 and/or VSP-8600?
------------------------------------------------------
ACE-Fx #00050

Offline oldNortelguy

  • Jr. Member
  • Posts: 32
Sorry, ERS-8600.

Offline TankII

  • Hero Member
  • Posts: 556
The ERS and ES series edge switches use IPMGR. Very easy.
In the 8600, you can build an access policy.
Quick snag from an old config:

access-policy 1 mode deny
access-policy 1 rlogin snmpv3 tftp
access-policy 5 name "SNMP Server" mode deny network 10.X.X.X 32 username ""
access-policy 5 ssh telnet tftp
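Once an access policy like the one above is in place, the thing worth checking from a host that is not in the allowed network is that an SNMPv1/v2c query gets no answer at all (dropped before the agent touches it) rather than a reply that rejects the community, since the original poster's goal is to spare the CPU the processing, not just the login. The script below is an added example, not code from the thread or from the switch vendor: it hand-builds a minimal BER-encoded SNMP GetRequest for sysDescr.0 using only the Python standard library, sends it, and classifies the outcome as reply, silent, or port unreachable. The target address and community string in the main block are placeholders (assumptions), and the loopback self-check is a local stand-in for a switch, included so the two outcomes can be seen offline.

```python
#!/usr/bin/env python3
"""Probe whether a switch still answers SNMPv1/v2c from this host.

Added example (not from the forum thread or any vendor). Standard library only.
Builds a minimal SNMP GetRequest for sysDescr.0 and reports whether the target
replied (agent processed the query, even if only to reject the community),
stayed silent (dropped or filtered upstream), or returned ICMP port unreachable
(nothing listening). Target and community below are placeholders.
"""
import socket
import threading

SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # MIB-II sysDescr.0
SNMP_V1, SNMP_V2C = 0, 1                    # version field values (RFC 1157 / RFC 1901)


def _ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _integer(v: int) -> bytes:
    """BER INTEGER for non-negative values, minimal two's-complement bytes."""
    assert v >= 0
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _oid(arcs) -> bytes:
    """BER OBJECT IDENTIFIER: first two arcs packed, rest base-128 with continuation bits."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid=SYS_DESCR_0, version=SNMP_V2C, request_id=1) -> bytes:
    """SNMPv1/v2c message: SEQUENCE { version, community, GetRequest-PDU }."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")   # { name, NULL }
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(version) + _tlv(0x04, community.encode()) + pdu)


def probe(host: str, port=161, community="public", version=SNMP_V2C, timeout=2.0):
    """Send one GetRequest; return ('reply', data), ('silent', None) or ('unreachable', None)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community, version=version), (host, port))
        data, _ = sock.recvfrom(65535)
        return ("reply", data)
    except socket.timeout:
        return ("silent", None)          # the outcome an access policy should produce
    except ConnectionRefusedError:
        return ("unreachable", None)     # kernel surfaced ICMP port unreachable
    finally:
        sock.close()


def loopback_selfcheck(answer: bool, timeout=0.3) -> str:
    """Local stand-in for a switch: a UDP listener that either echoes or stays mute."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(timeout * 2)
    port = srv.getsockname()[1]

    def serve():
        try:
            data, peer = srv.recvfrom(65535)
            if answer:
                srv.sendto(data, peer)   # any datagram back means "agent processed it"
        except socket.timeout:
            pass
        finally:
            srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    status, _ = probe("127.0.0.1", port=port, timeout=timeout)
    t.join()
    return status


if __name__ == "__main__":
    # Placeholder target (TEST-NET-1) and community; use a VLAN or VRRP address of the switch.
    print(probe("192.0.2.1", community="public", version=SNMP_V1))
    print(loopback_selfcheck(answer=True), loopback_selfcheck(answer=False))
```

Run it once from the SolarWinds host (expect "reply") and once from a host outside the allowed network (expect "silent"); a "reply" from the second host, even an authentication failure, means the query still reached the SNMP agent and the policy is not doing what was intended. Probe each VLAN IP and the VRRP address separately, since the original complaint is that scanners hit all of them at once.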