Hi, so, more on this...
- on ASR9k, SNMPv3 is subject to regular control plane ACLs, so unless a SNMPv3 sender shows up in

    control-plane
     management-plane
      inband
       interface all
        allow all peer
         address ipv4 1.2.3.4/32
        !
        allow SNMP peer
         address ipv4 3.4.5.6/32

  the ASR9k will not reply (I assume that's generic IOS XR). Good.

- on IOS XE, I found something that "seems to do the right thing", as in, block all SNMPv3 packets, including discovery, while still permitting SNMPv2:

    asr920(config)#access-list 99 deny any log
    asr920(config)#snmp-server drop report access 99
    asr920(config)#do term mon
    asr920(config)#
    Sep 21 12:25:07: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.27.20 1 packet
    Sep 21 12:25:11: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.0.18 1 packet
    Sep 21 12:31:03: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.27.20 5 packets
    Sep 21 12:31:03: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.0.18 5 packets

  (these are the two test hosts that could do SNMP v3 discovery before)

- since we're not using SNMPv3 anywhere, that is good enough for us.

This is on IOS XE 16.06.10. Older IOS XE and IOS versions have "snmp-server drop unknown-user", but that still permits discovery.

So maybe the "snmp-server drop report" will at least help Hank... :-)

gert

-- 
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
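As an added example (not part of Gert's post), a small Python parser for the %SEC-6-IPACCESSLOGS lines quoted above: it totals the denied packets per source for the ACL bound to "snmp-server drop report" and flags senders that are not among the known monitoring hosts, which is the check a defender would run to confirm the drop is working and to see who is still probing for SNMPv3. The log lines are constructed to mirror the post; the ACL number and host set are taken from it.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the IPACCESSLOGS lines in the post; the
# last line is unrelated syslog noise that the parser must ignore.
SAMPLE_LOG = """\
Sep 21 12:25:07: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.27.20 1 packet
Sep 21 12:25:11: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.0.18 1 packet
Sep 21 12:31:03: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.27.20 5 packets
Sep 21 12:31:03: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.0.18 5 packets
Sep 21 12:31:09: %SYS-5-CONFIG_I: Configured from console by console
"""

# Standard-ACL deny log: "<timestamp>: %SEC-6-IPACCESSLOGS: list <acl> denied <src> <n> packet(s)"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}): %SEC-6-IPACCESSLOGS: "
    r"list (?P<acl>\S+) denied (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<count>\d+) packets?$"
)


def parse_acl_denies(text):
    """Yield (timestamp, acl, source_ip, packet_count) for every matching line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["ts"], m["acl"], m["src"], int(m["count"])


def denied_by_source(text, acl):
    """Total denied packets per source IP for one ACL (here '99', the SNMPv3 drop list)."""
    totals = defaultdict(int)
    for _ts, acl_name, src, count in parse_acl_denies(text):
        if acl_name == acl:
            totals[src] += count
    return dict(totals)


def unexpected_senders(text, acl, expected):
    """Sources hitting the deny ACL that are not known monitoring hosts (sorted)."""
    return sorted(src for src in denied_by_source(text, acl) if src not in expected)


if __name__ == "__main__":
    for src, n in denied_by_source(SAMPLE_LOG, "99").items():
        print(f"{src}: {n} SNMPv3 packets dropped by ACL 99")
    print("not in expected set:", unexpected_senders(SAMPLE_LOG, "99", {"1.1.27.20"}))
```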
_______________________________________________ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/