Header Only - DO NOT REMOVE - Extreme Networks

S/N/K-Series Policy to permit SNMP Requests only from Specific IP Addresses

  • 18 September 2014
  • 0 replies
  • 334 views

Userlevel 3
Article ID: 14649

Products
S-Series
Matrix N-Series DFE
K-Series

Goals
Sample configuration.
Configure Policy so that only certain IP addresses can SNMP-access the device.

Solution
This may be accomplished as follows:

code:
set policy profile 1 name "SNMP_protect"


Establish policy role/profile #1, with no default actions.

code:
set policy rule admin-profile udpsourceport 161 mask 16 admin-pid 1


Invoke policy role/profile #1 if the UDP Source Port value is 161, identifying SNMP traffic. This test and action occur on behalf of all ingress ports in the system.

code:
set policy rule 1 ipsourcesocket
<[code]allowed user IP address[/code]>
code:
mask 32 forward


Within the role, permit processing to continue by exiting the role if the source IP address is allowed to request SNMP data from the protected IP address(es). Multiple rules of this type can be stacked if multiple users are allowed. If any of these rules "hits", then the drop rule(s) below will be ignored - because "
code:
IPSource (12)
" rules have a higher precedence than "
code:
IPDest (13)
" rules.

code:
set policy rule 1 ipdestsocket
<[code]protected switch/router IP address[/code]>
code:
mask 32 drop


Within the role, we know that this SNMP traffic is not from an allowed user. If it's destined to a protected address, then drop it. Otherwise, exit the role after taking no default action. Multiple rules of this type can be stacked if multiple (host/router) management IP addresses to be protected exist on this system.

The resulting configuration may then be reviewed: N7(su)->show policy profile 1 -verbose
Profile Index :1
Profile Name :SNMP_protect
Row Status :active
Port VID Status :disabled
Port VID Override :1
CoS Status :disabled
CoS :0
Tagged Egress VLAN List :none
Forbidden VLAN List :none
Untagged VLAN List :none
Replace TCI Status :disabled
Rule Precedence :1-8,12-19,21-22,25-28,31
:MACSource (1), MACDest (2), IPXSource (3),
:IPXDest (4), IPXSrcSocket (5), IPXDstSocket (6),
:IPXClass (7), IPXType (8), IPSource (12),
:IPDest (13), IPFrag (14), UDPSrcPort (15),
:UDPDestPort (16), TCPSrcPort (17), TCPDestPort (18),
:ICMPType (19), IPTOS (21), IPProto (22), Ether (25),
:LLCDSAPSSAP (26), VLANTag (27), TCI (28), Port (31)
Admin Profile Usage :fe.1.28
Oper Profile Usage :none
Dynamic Profile Usage :fe.1.28
N7(su)->show policy rule admin-profile -verbose
========================================
Profile Index :Admin-Profile
Rule Type :UDP port source
Rule Data :161
Mask :16
Port :All ports
- - - - - - - - - - - - - - - - - - - -
Status :active
Storage Type :nonVolatile
Ports Used :lag.0.1;host.0.1
Dynamic-PID :-1
Admin-PID :1
Audit Syslog Status :disabled
Audit Trap Status :disabled
Disable Port Status :disabled
========================================
N7(su)->show policy rule 1 -verbose
========================================
Profile Index :1
Rule Type :IP source address
Rule Data :1.2.3.4
Mask :32
Port :All ports
- - - - - - - - - - - - - - - - - - - -
Status :active
Storage Type :nonVolatile
Ports Used :None
VLAN :4095 (Forward)
CoS :-1 (Unconfigured)
Audit Syslog Status :disabled
Audit Trap Status :disabled
Disable Port Status :disabled
========================================
Profile Index :1
Rule Type :IP destination address
Rule Data :1.2.3.1
Mask :32
Port :All ports
- - - - - - - - - - - - - - - - - - - -
Status :active
Storage Type :nonVolatile
Ports Used :None
VLAN :0 (Drop)
CoS :-1 (Unconfigured)
Audit Syslog Status :disabled
Audit Trap Status :disabled
Disable Port Status :disabled
========================================
N7(su)->[/code]

0 replies

Be the first to reply!

Reply