
help with ACL


Userlevel 1
Hi! I want to know if the following ACL can be simplified:

entry VLAN_Admin_snmp {
    if {
        source-address 10.170.70.0/24;
        protocol udp;
        destination-port 161;
    } then {
        permit;
    }
}
entry VLAN_Admin_snmptrap {
    if {
        source-address 10.170.70.0/24;
        protocol udp;
        destination-port 162;
    } then {
        permit;
    }
}
entry VLAN_AdminCarso_snmp {
    if {
        source-address 172.30.110.200/29;
        protocol udp;
        destination-port 161;
    } then {
        permit;
    }
}
entry VLAN_AdminCarso_snmptrap {
    if {
        source-address 172.30.110.200/29;
        protocol udp;
        destination-port 162;
    } then {
        permit;
    }
}
entry VLAN_AdminSERMET_snmp {
    if {
        source-address 10.170.95.192/28;
        protocol udp;
        destination-port 161;
    } then {
        permit;
    }
}
entry VLAN_AdminSERMET_snmptrap {
    if {
        source-address 10.170.95.192/28;
        protocol udp;
        destination-port 162;
    } then {
        permit;
    }
}
entry Block_SNMP {
    if match all {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 161;
    } then {
        deny;
    }
}
entry block_SNMPTRAPS {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 162;
    } then {
        deny;
    }
}

2 replies

Userlevel 4
I would use 'port range' in the 'destination-port' statements.

entry VLAN_Admin_snmp_trap {
    if {
        source-address 10.170.70.0/24;
        protocol udp;
        destination-port 161 - 162;
    } then {
        permit;
    }
}
Userlevel 1
Kevin Kim wrote:

I would use 'port range' in the 'destination-port' statements.

entry VLAN_Admin_snmp_trap {
    if {
        source-address 10.170.70.0/24;
        protocol udp;
        destination-port 161 - 162;
    } then {
        permit;
    }
}

Thanks Kevin... regards

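Added example, not part of the original thread and not Extreme Networks code: a Python check that the port-range suggestion, applied to all three admin networks and to the final deny, gives the same verdicts as the eight-entry ACL in the question, plus a renderer for the shortened policy. It assumes entries are evaluated top-down with the first match deciding; the entry names `snmp_N_action` and the probe address 192.0.2.1 are made up for the example.

```python
import ipaddress

# Rules as (source network, low port, high port, action); every entry on the page is UDP.
ORIGINAL = [
    ("10.170.70.0/24", 161, 161, "permit"), ("10.170.70.0/24", 162, 162, "permit"),
    ("172.30.110.200/29", 161, 161, "permit"), ("172.30.110.200/29", 162, 162, "permit"),
    ("10.170.95.192/28", 161, 161, "permit"), ("10.170.95.192/28", 162, 162, "permit"),
    ("0.0.0.0/0", 161, 161, "deny"), ("0.0.0.0/0", 162, 162, "deny"),
]
# The port-range suggestion applied to every source network: 8 entries become 4.
SIMPLIFIED = [
    ("10.170.70.0/24", 161, 162, "permit"),
    ("172.30.110.200/29", 161, 162, "permit"),
    ("10.170.95.192/28", 161, 162, "permit"),
    ("0.0.0.0/0", 161, 162, "deny"),
]

def verdict(rules, src_ip, dport):
    """Action of the first matching entry (assumed first-match order); None if nothing matches."""
    ip = ipaddress.ip_address(src_ip)
    for net, lo, hi, action in rules:
        if ip in ipaddress.ip_network(net) and lo <= dport <= hi:
            return action
    return None

def equivalent(a, b):
    """Compare both rule sets at every network edge and on the ports around 161-162."""
    ips = {ipaddress.ip_address("192.0.2.1")}  # constructed source outside all permitted networks
    for net, *_ in a + b:
        n = ipaddress.ip_network(net)
        if n.prefixlen:  # 0.0.0.0/0 has no neighbours to probe
            ips.update({n[0] - 1, n[0], n[-1], n[-1] + 1})
    return all(verdict(a, ip, p) == verdict(b, ip, p) for ip in ips for p in range(160, 164))

def render(rules):
    """Emit the rules in the policy syntax used in the thread; entry names are hypothetical."""
    out = []
    for i, (net, lo, hi, action) in enumerate(rules, 1):
        port = str(lo) if lo == hi else f"{lo} - {hi}"
        out.append(f"entry snmp_{i}_{action} {{\nif {{\nsource-address {net};\nprotocol udp;\n"
                   f"destination-port {port};\n}} then {{\n{action};\n}}\n}}")
    return "\n".join(out)

if __name__ == "__main__":
    assert equivalent(ORIGINAL, SIMPLIFIED)
    print(render(SIMPLIFIED))
```

Dropping the last tuple from SIMPLIFIED makes `equivalent` return False, because SNMP from any other source then no longer hits a deny entry.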