This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SNMP 'disabled' log - more details or suppress?

SNMP 'disabled' log - more details or suppress?

Frank
Contributor II

‎04-30-2019 10:18 AM

Some of my L3 switches (BD8800) are Internet-exposed, so I only enable SNMP on the management VR. Of course that doesn't stop the rest of the world to try to query those switches.
That, in turn, triggers log entries like "SNMP.Master: MSM-A: SNMP is currently disabled on VR VR-Default. Hence dropping the SNMP request on this VR"

Is there a way to log the source-IP of the dropped request? Because that would be quite useful so I can auto-block IPs that are "too curious"

If not, what's the best way to exclude those messages from the log? I don't want to suppress all SNMP messages, just the "request denied" ones.
0 Kudos
2 REPLIES 2

Frank
Contributor II

‎04-30-2019 10:51 AM

Good point about the "drop in hardware vs. drop by CPU" - thanks!

An ACL approach with "my own" IP addresses is tricky to maintain, though. The BD is the default-gw for many client VLANs with their own public IP subnets - and it's a pair of BDs with VRRP.
So for every client VLAN where the BD is the default-gw, I have 2 IP addresses that I have to block in the ACL, 3 if I want to be lazy and just copy ACL config blocks between the BD pair, multiply by "X" clients, keep up-to-date on each addition (trivial) and deletion - or change.
And of course I can't block all ingress-SNMP traffic because some clients want to snmp-query their own stuff from the Internet.

I should revisit that once I'm better with automation (read: python). "once a day, gather list of all my IPs, rebuild ACL"
0 Kudos

OscarK
Extreme Employee

‎04-30-2019 10:27 AM

It would be good to create an ingress access-list on the interface towards the internet to deny SNMP access to all switch IP addresses. This way you can deny these packets in hardware instead of having these blocked by the CPU. Even if snmp is disabled on vr vr-default it will still be send to the CPU (which will block) but dropping it in hardware would be better. The only way to do that would be an ingress ACL denying all SNMP packets destined for the IP addresses of the switch.
0 Kudos
GTM-P2G8KFN