This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Training, Documentation, & General Discussions
- FAQs
- S/N/K-Series Policy to permit SNMP Requests only f...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
S/N/K-Series Policy to permit SNMP Requests only from Specific IP Addresses
S/N/K-Series Policy to permit SNMP Requests only from Specific IP Addresses
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
09-18-2014 05:38 PM
Article ID: 14649
Products
S-Series
Matrix N-Series DFE
K-Series
Goals
Sample configuration.
Configure Policy so that only certain IP addresses can SNMP-access the device.
Solution
This may be accomplished as follows:
Establish policy role/profile #1, with no default actions.
Invoke policy role/profile #1 if the UDP Source Port value is 161, identifying SNMP traffic. This test and action occur on behalf of all ingress ports in the system.
Within the role, permit processing to continue by exiting the role if the source IP address is allowed to request SNMP data from the protected IP address(es). Multiple rules of this type can be stacked if multiple users are allowed. If any of these rules "hits", then the drop rule(s) below will be ignored - because "
Within the role, we know that this SNMP traffic is not from an allowed user. If it's destined to a protected address, then drop it. Otherwise, exit the role after taking no default action. Multiple rules of this type can be stacked if multiple (host/router) management IP addresses to be protected exist on this system.
The resulting configuration may then be reviewed: N7(su)->show policy profile 1 -verbose
Profile Index :1
Profile Name :SNMP_protect
Row Status :active
Port VID Status :disabled
Port VID Override :1
CoS Status :disabled
CoS :0
Tagged Egress VLAN List :none
Forbidden VLAN List :none
Untagged VLAN List :none
Replace TCI Status :disabled
Rule Precedence :1-8,12-19,21-22,25-28,31
:MACSource (1), MACDest (2), IPXSource (3),
:IPXDest (4), IPXSrcSocket (5), IPXDstSocket (6),
:IPXClass (7), IPXType (8), IPSource (12),
:IPDest (13), IPFrag (14), UDPSrcPort (15),
:UDPDestPort (16), TCPSrcPort (17), TCPDestPort (18),
:ICMPType (19), IPTOS (21), IPProto (22), Ether (25),
:LLCDSAPSSAP (26), VLANTag (27), TCI (28), Port (31)
Admin Profile Usage :fe.1.28
Oper Profile Usage :none
Dynamic Profile Usage :fe.1.28
N7(su)->show policy rule admin-profile -verbose
========================================
Profile Index :Admin-Profile
Rule Type :UDP port source
Rule Data :161
Mask :16
Port :All ports
- - - - - - - - - - - - - - - - - - - -
Status :active
Storage Type :nonVolatile
Ports Used :lag.0.1;host.0.1
Dynamic-PID :-1
Admin-PID :1
Audit Syslog Status :disabled
Audit Trap Status :disabled
Disable Port Status :disabled
========================================
N7(su)->show policy rule 1 -verbose
========================================
Profile Index :1
Rule Type :IP source address
Rule Data :1.2.3.4
Mask :32
Port :All ports
- - - - - - - - - - - - - - - - - - - -
Status :active
Storage Type :nonVolatile
Ports Used :None
VLAN :4095 (Forward)
CoS :-1 (Unconfigured)
Audit Syslog Status :disabled
Audit Trap Status :disabled
Disable Port Status :disabled
========================================
Profile Index :1
Rule Type :IP destination address
Rule Data :1.2.3.1
Mask :32
Port :All ports
- - - - - - - - - - - - - - - - - - - -
Status :active
Storage Type :nonVolatile
Ports Used :None
VLAN :0 (Drop)
CoS :-1 (Unconfigured)
Audit Syslog Status :disabled
Audit Trap Status :disabled
Disable Port Status :disabled
========================================
N7(su)->
Products
S-Series
Matrix N-Series DFE
K-Series
Goals
Sample configuration.
Configure Policy so that only certain IP addresses can SNMP-access the device.
Solution
This may be accomplished as follows:
code:
set policy profile 1 name "SNMP_protect"
Establish policy role/profile #1, with no default actions.
code:
set policy rule admin-profile udpsourceport 161 mask 16 admin-pid 1
Invoke policy role/profile #1 if the UDP Source Port value is 161, identifying SNMP traffic. This test and action occur on behalf of all ingress ports in the system.
code:
<set policy rule 1 ipsourcesocket
allowed user IP address>
code:
mask 32 forward
Within the role, permit processing to continue by exiting the role if the source IP address is allowed to request SNMP data from the protected IP address(es). Multiple rules of this type can be stacked if multiple users are allowed. If any of these rules "hits", then the drop rule(s) below will be ignored - because "
code:
" rules have a higher precedence than "IPSource (12)
code:
" rules.IPDest (13)
code:
<set policy rule 1 ipdestsocket
protected switch/router IP address>
code:
mask 32 drop
Within the role, we know that this SNMP traffic is not from an allowed user. If it's destined to a protected address, then drop it. Otherwise, exit the role after taking no default action. Multiple rules of this type can be stacked if multiple (host/router) management IP addresses to be protected exist on this system.
The resulting configuration may then be reviewed: N7(su)->show policy profile 1 -verbose
Profile Index :1
Profile Name :SNMP_protect
Row Status :active
Port VID Status :disabled
Port VID Override :1
CoS Status :disabled
CoS :0
Tagged Egress VLAN List :none
Forbidden VLAN List :none
Untagged VLAN List :none
Replace TCI Status :disabled
Rule Precedence :1-8,12-19,21-22,25-28,31
:MACSource (1), MACDest (2), IPXSource (3),
:IPXDest (4), IPXSrcSocket (5), IPXDstSocket (6),
:IPXClass (7), IPXType (8), IPSource (12),
:IPDest (13), IPFrag (14), UDPSrcPort (15),
:UDPDestPort (16), TCPSrcPort (17), TCPDestPort (18),
:ICMPType (19), IPTOS (21), IPProto (22), Ether (25),
:LLCDSAPSSAP (26), VLANTag (27), TCI (28), Port (31)
Admin Profile Usage :fe.1.28
Oper Profile Usage :none
Dynamic Profile Usage :fe.1.28
N7(su)->show policy rule admin-profile -verbose
========================================
Profile Index :Admin-Profile
Rule Type :UDP port source
Rule Data :161
Mask :16
Port :All ports
- - - - - - - - - - - - - - - - - - - -
Status :active
Storage Type :nonVolatile
Ports Used :lag.0.1;host.0.1
Dynamic-PID :-1
Admin-PID :1
Audit Syslog Status :disabled
Audit Trap Status :disabled
Disable Port Status :disabled
========================================
N7(su)->show policy rule 1 -verbose
========================================
Profile Index :1
Rule Type :IP source address
Rule Data :1.2.3.4
Mask :32
Port :All ports
- - - - - - - - - - - - - - - - - - - -
Status :active
Storage Type :nonVolatile
Ports Used :None
VLAN :4095 (Forward)
CoS :-1 (Unconfigured)
Audit Syslog Status :disabled
Audit Trap Status :disabled
Disable Port Status :disabled
========================================
Profile Index :1
Rule Type :IP destination address
Rule Data :1.2.3.1
Mask :32
Port :All ports
- - - - - - - - - - - - - - - - - - - -
Status :active
Storage Type :nonVolatile
Ports Used :None
VLAN :0 (Drop)
CoS :-1 (Unconfigured)
Audit Syslog Status :disabled
Audit Trap Status :disabled
Disable Port Status :disabled
========================================
N7(su)->
0 REPLIES 0
