help with ACL
‎06-17-2016 12:25 PM
Hi! I want to know whether the following EXOS ACL policy can be simplified. It should allow SNMP (UDP/161) and SNMP traps (UDP/162) only from three management subnets and drop SNMP from everywhere else.
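# SNMP access policy.
#
# Purpose: permit SNMP (UDP/161) and SNMP traps (UDP/162) only from the three
# management subnets, then drop all other SNMP/trap traffic.
#
# Ordering matters: entries are evaluated top to bottom and the first matching
# entry wins, so every permit entry must stay above the two deny entries.
#
# Fixes relative to the posted listing:
#   - Entry names must be unique within a policy.  The original reused
#     VLAN_AdminCarso_snmptrap and VLAN_AdminSERMET_snmptrap for both the
#     port-161 and the port-162 entry; the port-161 entries are now *_snmp.
#   - The listing was pasted twice; the second copy would have duplicated every
#     entry name again, so it is dropped.
#   - "if match all" is the default for "if", so the deny entries use the same
#     "if" form as the rest of the policy.
#
# NOTE(review): this filter matches on source address only.  UDP sources are
# easy to spoof, so it narrows exposure but does not authenticate the manager;
# pair it with SNMPv3 (auth/priv) or, for v1/v2c, restrictive community and
# access settings on the switch itself.
# NOTE(review): only UDP 161/162 is filtered.  Traffic that matches no entry
# is not affected by this policy (EXOS forwards it), so non-SNMP traffic passes
# unchanged -- confirm that is the intent.

# --- Admin VLAN (10.170.70.0/24) ---
entry VLAN_Admin_snmp {
    if {
        source-address 10.170.70.0/24;
        protocol udp;
        destination-port 161;
    } then {
        permit;
    }
}
entry VLAN_Admin_snmptrap {
    if {
        source-address 10.170.70.0/24;
        protocol udp;
        destination-port 162;
    } then {
        permit;
    }
}

# --- Carso admin subnet (172.30.110.200/29) ---
entry VLAN_AdminCarso_snmp {
    if {
        source-address 172.30.110.200/29;
        protocol udp;
        destination-port 161;
    } then {
        permit;
    }
}
entry VLAN_AdminCarso_snmptrap {
    if {
        source-address 172.30.110.200/29;
        protocol udp;
        destination-port 162;
    } then {
        permit;
    }
}

# --- SERMET admin subnet (10.170.95.192/28) ---
entry VLAN_AdminSERMET_snmp {
    if {
        source-address 10.170.95.192/28;
        protocol udp;
        destination-port 161;
    } then {
        permit;
    }
}
entry VLAN_AdminSERMET_snmptrap {
    if {
        source-address 10.170.95.192/28;
        protocol udp;
        destination-port 162;
    } then {
        permit;
    }
}

# --- Everything else: drop SNMP and traps ---
# "source-address 0.0.0.0/0" matches any source and could be omitted; it is
# kept so the intent (any source) is explicit in the listing.
entry Block_SNMP {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 161;
    } then {
        deny;
    }
}
entry block_SNMPTRAPS {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 162;
    } then {
        deny;
    }
}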
‎06-17-2016 03:01 PM
I would use a port range in the 'destination-port' statements: 161 and 162 are adjacent, so each management subnet needs one permit entry instead of two, and the two catch-all deny entries collapse into one. Keep the permit entries above the deny entry, since EXOS evaluates entries in order and the first match wins, and make sure every entry name is unique within the policy.
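# Simplified SNMP access policy.
#
# SNMP (161) and SNMP trap (162) are adjacent UDP ports, so a port range gives
# one permit entry per management subnet and a single deny for everyone else.
# Entries are evaluated top to bottom, first match wins: keep the permits
# above the deny.  Entry names must be unique (the posted reply repeated
# VLAN_Admin_snmp_trap twice, which would not load).
#
# NOTE(review): source-address filtering does not authenticate the manager
# (UDP sources can be spoofed); use SNMPv3 or restrictive community settings
# as well.  Traffic matching no entry here is unaffected by this policy.

entry VLAN_Admin_snmp_trap {
    if {
        source-address 10.170.70.0/24;
        protocol udp;
        destination-port 161 - 162;
    } then {
        permit;
    }
}
entry VLAN_AdminCarso_snmp_trap {
    if {
        source-address 172.30.110.200/29;
        protocol udp;
        destination-port 161 - 162;
    } then {
        permit;
    }
}
entry VLAN_AdminSERMET_snmp_trap {
    if {
        source-address 10.170.95.192/28;
        protocol udp;
        destination-port 161 - 162;
    } then {
        permit;
    }
}
# No source-address clause: matches any source, i.e. everything not permitted
# above.
entry Block_snmp_trap {
    if {
        protocol udp;
        destination-port 161 - 162;
    } then {
        deny;
    }
}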
‎06-17-2016 03:01 PM
Thanks Kevin... regards
