Some of my L3 switches (BD8800) are Internet-exposed, so I only enable SNMP on the management VR. Of course that doesn't stop the rest of the world from trying to query those switches.
That, in turn, triggers log entries like "SNMP.Master: MSM-A: SNMP is currently disabled on VR VR-Default. Hence dropping the SNMP request on this VR"
Is there a way to log the source-IP of the dropped request? Because that would be quite useful so I can auto-block IPs that are "too curious"
If not, what's the best way to exclude those messages from the log? I don't want to suppress all SNMP messages, just the "request denied" ones.
Good point about the "drop in hardware vs. drop by CPU" - thanks!
An ACL approach with "my own" IP addresses is tricky to maintain, though. The BD is the default-gw for many client VLANs with their own public IP subnets - and it's a pair of BDs with VRRP.
So for every client VLAN where the BD is the default-gw, I have 2 IP addresses that I have to block in the ACL, 3 if I want to be lazy and just copy ACL config blocks between the BD pair, multiply by "X" clients, keep up-to-date on each addition (trivial) and deletion - or change.
And of course I can't block all ingress-SNMP traffic because some clients want to snmp-query their own stuff from the Internet.
I should revisit that once I'm better with automation (read: python). "once a day, gather list of all my IPs, rebuild ACL"
It would be good to create an ingress access-list on the interface towards the Internet to deny SNMP access to all switch IP addresses. This way you can deny these packets in hardware instead of having them blocked by the CPU. Even if SNMP is disabled on VR VR-Default it will still be sent to the CPU (which will block it), but dropping it in hardware would be better. The only way to do that would be an ingress ACL denying all SNMP packets destined for the IP addresses of the switch.
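One way to script the daily "gather my IPs, rebuild the ACL" step from the earlier reply, as an added example that is not from this thread: it flattens a per-VLAN inventory (constructed sample data using RFC 5737 ranges) into a de-duplicated list of switch-owned addresses and emits an ingress policy that drops UDP/161 to each of them, leaving every other packet to the policy's implicit permit so clients polling their own hosts through the BD are unaffected. The policy text follows ExtremeXOS policy-file syntax as I remember it (entry / if match all / then), which is an assumption to verify against your release's ACL documentation.

```python
"""Build an ingress ACL policy that drops SNMP (UDP/161) aimed at every
address the switch pair owns, meant to be regenerated daily from inventory.
Policy text follows ExtremeXOS policy-file syntax as recalled here (assumed);
the inventory below is constructed sample input, not real addresses."""
import ipaddress

# Constructed inventory: per client VLAN, BD-A address, BD-B address, VRRP VIP
# (RFC 5737 documentation ranges stand in for the real public subnets).
SAMPLE_INVENTORY = {
    "client-a": ["198.51.100.2", "198.51.100.3", "198.51.100.1"],
    "client-b": ["203.0.113.130", "203.0.113.131", "203.0.113.129"],
    "client-c": ["198.51.100.1", "203.0.113.200"],  # VIP repeated on purpose
}


def collect_switch_ips(inventory):
    """Flatten all VLAN address lists into one sorted, de-duplicated host list."""
    seen = {ipaddress.ip_address(a) for addrs in inventory.values() for a in addrs}
    return [str(a) for a in sorted(seen)]


def build_policy(switch_ips):
    """One deny+count entry per switch address. Entry names derive from the
    address, so diffing today's file against yesterday's shows which hosts
    were added or removed. Anything not matched falls through to the
    implicit permit at the end of the policy."""
    out = []
    for ip in switch_ips:
        addr = ipaddress.ip_address(ip)
        tag = ip.replace(".", "_").replace(":", "_")
        out += [f"entry deny_snmp_{tag} {{",
                "    if match all {",
                "        protocol udp;",
                f"        destination-address {ip}/{addr.max_prefixlen};",
                "        destination-port 161;",
                "    } then {",
                "        deny;",
                f"        count snmp_drop_{tag};",
                "    }",
                "}"]
    return "\n".join(out) + "\n"


def policy_entries(policy_text):
    """Return the entry names found in a generated policy (used for checks)."""
    return [l.split()[1] for l in policy_text.splitlines() if l.startswith("entry ")]


if __name__ == "__main__":
    print(build_policy(collect_switch_ips(SAMPLE_INVENTORY)))
```

The per-entry counters tell you which of your addresses are being probed, though not the probing source; that still has to come from the log or a capture.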