ACL to deny SNMP

Question, updated 4 years ago
Hello!

Can you please give me an example of an ACL that denies SNMP on Extreme switches?

Thank you!
Alexandr P, Ambassador

Posted 4 years ago
Sumit Tokle, Alum

Alexandr P, Ambassador
Hello, Sumit!

Yes, the issue is dropping SNMP requests.

But when I try to scan open ports on the switch, the scanner shows that the SNMP port (161) is open.
How can I close this port?

    entry snmp {
        if {
            protocol udp;
            destination-address 161;
        } then {
            deny;
        }
    }

This policy doesn't deny the port scanner.

Thank you!
Sumit Tokle, Alum
    entry test {
        if {
            protocol udp;
            destination-port 161;
        } then {
            deny;
        }
    }

Try the above policy and test it. If you still see that the policy is not denying the traffic, then you could try to mention "deny-cpu" in the then statement and test it again.

Once you enable SNMP, port 161 will be enabled and I am not sure we can block it using the ACL. Better to disable it if you are not using the SNMP protocol.
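As an added example (not posted in this thread), the same ExtremeXOS policy written the way a defender would usually want it: SNMP is permitted only from a management subnet and dropped from everywhere else, using the deny-cpu action mentioned above so the packets never reach the switch's control plane. The subnet 192.0.2.0/24 and the entry names are constructed for illustration.

```text
# Constructed example: permit SNMP only from the management subnet,
# drop it from all other sources. Entries are evaluated top-down,
# so the permit must come before the catch-all deny.
entry permit_snmp_mgmt {
    if {
        source-address 192.0.2.0/24;
        protocol udp;
        destination-port 161;
    } then {
        permit;
    }
}
entry deny_snmp {
    if {
        protocol udp;
        destination-port 161;
    } then {
        deny-cpu;
    }
}
```

Save it as a .pol file, apply it with configure access-list (to the uplink ports or as a wildcard ACL) and check hit counts with show access-list. Note that a UDP scanner cannot tell a silently dropped probe from a listening service that simply did not answer, so it will keep reporting 161 as open|filtered; the ACL counters, or an SNMP query from a non-management host timing out, are the real test.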
Sumit Tokle, Alum
Let us know the result after applying the above ACL.