help with ACL

Hi! I want to know if the following ACL can be simplified:

# Permit SNMP polls (udp/161) and traps (udp/162) from the admin subnets.
# Entries are evaluated first-match, so the two catch-all deny entries must stay last.
# The two entries that were posted twice under the same name (VLAN_AdminCarso_snmptrap,
# VLAN_AdminSERMET_snmptrap) are renamed here, since entry names must be unique.
entry VLAN_Admin_snmp {
  if {
      source-address 10.170.70.0/24;
      protocol udp;
      destination-port 161;
  } then {
      permit;
  }
}
entry VLAN_Admin_snmptrap {
  if {
      source-address 10.170.70.0/24;
      protocol udp;
      destination-port 162;
  } then {
      permit;
  }
}
entry VLAN_AdminCarso_snmp {
  if {
      source-address 172.30.110.200/29;
      protocol udp;
      destination-port 161;
  } then {
      permit;
  }
}
entry VLAN_AdminCarso_snmptrap {
  if {
      source-address 172.30.110.200/29;
      protocol udp;
      destination-port 162;
  } then {
      permit;
  }
}
entry VLAN_AdminSERMET_snmp {
  if {
      source-address 10.170.95.192/28;
      protocol udp;
      destination-port 161;
  } then {
      permit;
  }
}
entry VLAN_AdminSERMET_snmptrap {
  if {
      source-address 10.170.95.192/28;
      protocol udp;
      destination-port 162;
  } then {
      permit;
  }
}
# Catch-all deny for SNMP from any other source ('match all' is the default for 'if').
entry Block_SNMP {
  if match all {
      source-address 0.0.0.0/0;
      protocol udp;
      destination-port 161;
  } then {
      deny;
  }
}
entry block_SNMPTRAPS {
  if {
      source-address 0.0.0.0/0;
      protocol udp;
      destination-port 162;
  } then {
      deny;
  }
}
Daniel Valera

Posted 2 years ago

Kevin Kim, Employee

I would use 'port range' in the 'destination-port' statements.

entry VLAN_Admin_snmp_trap {
  if {
      source-address 10.170.70.0/24;
      protocol udp;
      destination-port 161 - 162;
  } then {
      permit;
  }
}
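As an added check (example code written for this page, not from the thread or from Extreme's tooling): a small first-match evaluator that encodes the original eight entries and the port-range form Kevin suggests, applied to all three sources and to the deny, then confirms that both policies give the same verdict on constructed sample packets. The entry names in SIMPLIFIED and the sample addresses are my own.

```python
import ipaddress

def entry(name, source, dport, action):
    """One ACL entry: udp from `source` to one port or a (lo, hi) port range."""
    lo, hi = dport if isinstance(dport, tuple) else (dport, dport)
    return {"name": name, "src": ipaddress.ip_network(source), "ports": (lo, hi), "action": action}

# The eight entries from the question, with the two duplicated names made unique.
ORIGINAL = [
    entry("VLAN_Admin_snmp", "10.170.70.0/24", 161, "permit"),
    entry("VLAN_Admin_snmptrap", "10.170.70.0/24", 162, "permit"),
    entry("VLAN_AdminCarso_snmp", "172.30.110.200/29", 161, "permit"),
    entry("VLAN_AdminCarso_snmptrap", "172.30.110.200/29", 162, "permit"),
    entry("VLAN_AdminSERMET_snmp", "10.170.95.192/28", 161, "permit"),
    entry("VLAN_AdminSERMET_snmptrap", "10.170.95.192/28", 162, "permit"),
    entry("Block_SNMP", "0.0.0.0/0", 161, "deny"),
    entry("block_SNMPTRAPS", "0.0.0.0/0", 162, "deny"),
]

# Kevin's 'destination-port 161 - 162' form applied to all three sources and to the deny.
SIMPLIFIED = [
    entry("VLAN_Admin_snmp_trap", "10.170.70.0/24", (161, 162), "permit"),
    entry("VLAN_AdminCarso_snmp_trap", "172.30.110.200/29", (161, 162), "permit"),
    entry("VLAN_AdminSERMET_snmp_trap", "10.170.95.192/28", (161, 162), "permit"),
    entry("Block_SNMP_and_traps", "0.0.0.0/0", (161, 162), "deny"),
]

def evaluate(policy, src, dport, proto="udp"):
    """Action of the first matching entry (EXOS ACLs are first-match), or None
    when nothing matches; EXOS forwards such packets normally."""
    addr = ipaddress.ip_address(src)
    for e in policy:
        if proto == "udp" and addr in e["src"] and e["ports"][0] <= dport <= e["ports"][1]:
            return e["action"]
    return None

def equivalent(policy_a, policy_b, packets):
    """True when both policies give the same verdict for every (src, dport, proto) sample."""
    return all(evaluate(policy_a, *p) == evaluate(policy_b, *p) for p in packets)

# Constructed samples: inside each permitted block, just outside it, and unrelated traffic.
SAMPLE_PACKETS = [
    ("10.170.70.15", 161, "udp"), ("10.170.70.15", 162, "udp"),
    ("172.30.110.203", 162, "udp"), ("172.30.110.208", 161, "udp"),
    ("10.170.95.207", 161, "udp"), ("10.170.95.208", 162, "udp"),
    ("192.0.2.10", 161, "udp"), ("192.0.2.10", 161, "tcp"), ("192.0.2.10", 53, "udp"),
]
if __name__ == "__main__":
    print("equivalent:", equivalent(ORIGINAL, SIMPLIFIED, SAMPLE_PACKETS))
```

Note that the check only covers udp/161 and udp/162: anything else (tcp/161, other udp ports) matches no entry in either version and is forwarded by the switch's default behaviour, which the rewrite does not change.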
Daniel Valera

Thanks Kevin... regards