
Access lists SNMP blocking


spydyr (MIS), Feb 26, 2002
Cisco is contradicting themselves, unless I'm not understanding what I'm reading.

I'm preparing for my CCNA and currently reading about Access Lists. The book I'm reading specifically mentions, in a few places, that access lists are only used for traffic being routed through the router and not traffic destined for it.

In a Cisco Security Advisory, Cisco suggests blocking SNMP traffic destined for the router with an access list applied inbound on interface E 0/0. From what the CCNA book tells me, this won't work.

Here's a link to the advisory:
And the snippet from the advisory that's confusing me:

"The following extended access-list can be adapted to your network. This example assumes that the router has IP addresses 192.168.10.1 and 172.16.1.1 configured on its interfaces, that all SNMP access is to be restricted to a management station with the IP address of 10.1.1.1, and that the management station need only communicate with IP address 192.168.10.1:

access-list 101 permit udp host 10.1.1.1 host 192.168.10.1 range 161 162
access-list 101 permit udp host 10.1.1.1 host 192.168.10.1 range 49152 65535
access-list 101 deny udp any host 192.168.10.1 range 161 162
access-list 101 deny udp any host 192.168.10.1 range 49152 65535
access-list 101 deny udp any host 172.16.1.1 range 161 162
access-list 101 deny udp any host 172.16.1.1 range 49152 65535
access-list 101 permit ip any any
The access-list must then be applied to all interfaces using the following configuration commands:

interface ethernet 0/0
ip access-group 101 in"


Can someone explain this to me?
 
Not too sure about the advisory, but you can prevent SNMP access by adding an ACL number to the community statement:

snmp-server community public ro 10
!
access-list 10 permit host 10.1.1.1

Andy
 
I see the confusion. ACLs work before the router processes the packets. Like a lock on the door. So, the ACL looks ok to me. First, allow SNMP from the management station to the interface. Then, block all other SNMP to the router. Finally, allow everything *else* to the router, and *everything* through the router.



 
But the part that's confusing me is they are blocking SNMP traffic destined for the router with an access list applied to an interface. According to this Cisco Press CCNA book I'm reading, access lists only work for traffic going THROUGH the router, not destined for it.
 
The ACL can block traffic destined "to" or "through" the router, or "from" with an outbound list. In your example, blocking packets destined for the interface address would work.

There is another consideration, though: routers can accept and reply to packets which traverse them to their opposite interfaces. In other words, a workstation on the LAN can normally communicate with the WAN interface on the router. So you'd really need to block SNMP destinations to any interface, including loopback. It does work, though.
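The first-match evaluation the two replies above describe, as an added Python model written for this thread (it is not IOS, and it is not code from Cisco's advisory or from any poster): it parses access-list 101 exactly as quoted in the question and runs constructed packets through it, so you can see that an inbound ACL matches on destination address whether that address is the router's own interface, the far-side interface, or a host beyond the router. The wildcard-mask parsing, the sample source 10.1.1.2, the transit destination 192.168.10.50 and the outside address 198.51.100.7 are assumptions added here; only the seven access-list lines come from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The advisory's ACL, copied verbatim from the question above.
ADVISORY_ACL = """
access-list 101 permit udp host 10.1.1.1 host 192.168.10.1 range 161 162
access-list 101 permit udp host 10.1.1.1 host 192.168.10.1 range 49152 65535
access-list 101 deny udp any host 192.168.10.1 range 161 162
access-list 101 deny udp any host 192.168.10.1 range 49152 65535
access-list 101 deny udp any host 172.16.1.1 range 161 162
access-list 101 deny udp any host 172.16.1.1 range 49152 65535
access-list 101 permit ip any any
"""


@dataclass
class Ace:
    """One access-control entry. A port field of None means 'any port'."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sports: Optional[range]
    dst: ipaddress.IPv4Network
    dports: Optional[range]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (network, remaining tokens).
    Wildcard support is an assumption of this model; IOS wildcard bits set to 1 are
    don't-care, so the mask is inverted to a prefix length (contiguous masks only)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    w = int(ipaddress.ip_address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard mask not modelled: {wildcard}")
    prefixlen = 32 - w.bit_length()
    return ipaddress.ip_network((addr, prefixlen), strict=False), tokens[2:]


def _parse_ports(tokens):
    """Consume an optional 'eq N' or 'range A B' and return (range or None, rest)."""
    if tokens and tokens[0] == "eq":
        p = int(tokens[1])
        return range(p, p + 1), tokens[2:]
    if tokens and tokens[0] == "range":
        return range(int(tokens[1]), int(tokens[2]) + 1), tokens[3:]
    return None, tokens


def parse_acl(text):
    """Parse extended 'access-list N action proto src [ports] dst [ports]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue  # skip anything that is not an ACE (blank lines, '!', etc.)
        _, _number, action, proto, *rest = tokens
        src, rest = _parse_addr(rest)
        sports, rest = _parse_ports(rest)
        dst, rest = _parse_addr(rest)
        dports, rest = _parse_ports(rest)
        if rest:
            raise ValueError(f"unsupported keywords in ACE: {rest}")
        aces.append(Ace(action, proto, src, sports, dst, dports))
    return aces


def evaluate(aces, pkt):
    """First matching entry wins; return (action, 1-based line number).
    An ACL with no match falls through to IOS's implicit deny, reported as (deny, None)."""
    for lineno, ace in enumerate(aces, 1):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.sports is not None and pkt.sport not in ace.sports:
            continue
        if ace.dports is not None and pkt.dport not in ace.dports:
            continue
        return ace.action, lineno
    return "deny", None


def main():
    aces = parse_acl(ADVISORY_ACL)
    # Constructed packets, all arriving inbound on ethernet 0/0 where the ACL is applied.
    samples = [
        ("mgmt station SNMP get to near interface", Packet("udp", "10.1.1.1", "192.168.10.1", 49200, 161)),
        ("mgmt station to router's ephemeral port", Packet("udp", "10.1.1.1", "192.168.10.1", 161, 50000)),
        ("other host SNMP to near interface", Packet("udp", "10.1.1.2", "192.168.10.1", 49200, 161)),
        ("mgmt station SNMP to far interface", Packet("udp", "10.1.1.1", "172.16.1.1", 49200, 161)),
        ("telnet to the router (not SNMP)", Packet("tcp", "10.1.1.2", "192.168.10.1", 40000, 23)),
        ("SNMP transiting to a LAN host", Packet("udp", "198.51.100.7", "192.168.10.50", 49200, 161)),
    ]
    for label, pkt in samples:
        action, lineno = evaluate(aces, pkt)
        print(f"{label:42s} -> {action:6s} (line {lineno})")


if __name__ == "__main__":
    main()
```

The last two sample packets make the point of the thread: the ACL filters packets addressed to the router's own interfaces (including 172.16.1.1 on the far side, which is why the advisory lists both addresses), while SNMP to a host behind the router and non-SNMP traffic to the router itself fall through to the final `permit ip any any`. What this model deliberately does not cover is traffic the router originates, which is the case the CCNA book's sentence is about: an interface ACL never sees those packets.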
 
Ahh, I misread my CCNA book. Here's the line that confused me: "Access lists identify traffic to be filtered in transit through the router, but they do not filter traffic originating from the router". And they used telnet as the example of traffic originating from the router that can't be filtered. I somehow read Telnet and misread originating as destined. My bad. Thanks for the responses.
 