ACL to block SNMP traffic to 1 host on same vlan 1

Status
Not open for further replies.

drewdown

IS-IT--Management
Apr 20, 2006
657
US
I have a vlan (192.168.99.0/24). I have 1 host on that vlan (192.168.99.34) for which I need to block all SNMP traffic from the rest of the hosts on that vlan. Is that possible?

IE:
deny udp 192.168.99.0 0.0.0.255 host 192.168.99.34 eq snmp

But where to put it and would that even work? I haven't had much luck with it at this point.
 
I am not sure I understand what you are trying to do. But in general, if you want to stop a type of traffic on a given vlan, you apply the ACL to the vlan interface like this:

access-list 123 deny udp 10.32.8.8 0.0.0.0 eq snmp any

int vlan 11
ip access-group 123 out

This would stop SNMP traffic from 10.32.8.8 from getting to any device on that vlan. If you are trying to do the reverse (stop others from sending SNMP traffic to that unit) you'd have to make some changes:

access-list 123 deny udp any 10.32.8.8 0.0.0.0 eq snmp

int vlan 11
ip access-group 123 in

But not all traffic goes in and out the vlan interface. It depends on whether it's being routed or switched. In your case the traffic you are blocking to and from is on the same network. I kind of think you really want to apply your access list to the port that 192.168.99.34 is physically plugged into.


HTH
 
Thanks man.

I want to block SNMP to that specific host from all other hosts on the same vlan. Any other host is fine, only because that specific vlan generates a ton of SNMP traffic due to the nature of devices that reside on it. Because of the physical location of the host it was easiest for me to put it on that vlan, although it would be better served on another vlan that I can block traffic to/from.

I didn't want to attempt to do it on the port level because it's on a crappy linksys gig switch, which is connected to a 3750 (not trunking). I could always run a cable from the 3750 directly to that device. If I did do that and I created the acl and applied it at the port level, would it be the same syntax?

Code:
access-list 123 deny udp any 10.32.8.8 0.0.0.0 eq snmp

int fa1/0/x
ip access-group 123 in
 
You'll want a VLAN ACL.
Code:
!create the ACL
ip access-list extended Deny_Traffic
 permit udp 192.168.99.0 0.0.0.255 host 192.168.99.34 eq snmp

!create the access-map for the VLAN
vlan access-map 10
 match ip address Deny_Traffic
 action drop
vlan access-map 20
 action forward

!apply the VACL to the vlan
vlan filter Stop_SNTP vlan-list <vlan_id>

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico,


I want to deny SNMP to 192.168.99.34, so wouldn't it be:
Code:
deny udp 192.168.99.0 0.0.0.255 host 192.168.99.34 eq snmp
permit ip any any

 
nope, that's not how VACLs work

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
And I forgot to name the access-map in my code. It should be:
Code:
vlan access-map Stop_SNTP 10
 match ip address Deny_Traffic
 action drop
vlan access-map Stop_SNTP 20
 action forward

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I applied it on my core switch with no luck, snmp is still allowed to that device from any other device on that subnet.

Code:
NET-ANN-SW-CORE(config)#ip access-list extended 04-SNMP
NET-ANN-SW-CORE(config-ext-nacl)#permit udp 192.168.99.0 0.0.0.255 host 192.168.99.34 eq snmp
NET-ANN-SW-CORE(config-ext-nacl)#exit
NET-ANN-SW-CORE(config)#vlan access-map 10
NET-ANN-SW-CORE(config-access-map)#match ip address 04-SNMP
NET-ANN-SW-CORE(config-access-map)#action drop
NET-ANN-SW-CORE(config-access-map)#exit
NET-ANN-SW-CORE(config)#vlan access-map 20
NET-ANN-SW-CORE(config-access-map)#action forward
NET-ANN-SW-CORE(config-access-map)#vlan filter 04-BLOCK vlan-list 22
NET-ANN-SW-CORE(config)#vlan filter 04 vlan-list 22
% Warning. VLAN map 04-BLOCK does not exist yet.

Code:
vlan access-map 10 10
 action drop
 match ip address 04-SNMP
vlan access-map 20 10
 action forward
!
vlan filter 04-BLOCK vlan-list 22
ip access-list extended 04-SNMP
 permit udp 172.23.22.0 0.0.0.255 host 172.23.22.34 eq snmp


 
Excuse my typo in the second coded part, I copy/pasted from my text file. I changed it to incorporate the right IP address and the access-map code.

Seems to be working now, thanks a ton my man.
 
FYI, I assumed this was working, but after a short while it apparently wasn't, as SNMP requests were still reaching that device.

I had to migrate that device and all other similar devices onto their own separate vlan and then create a vlan access-map to block SNMP traffic. Same syntax but separate vlans.

Thanks for your help.
 
Really?? Hmm, interesting. It wouldn't work while on the previous vlan but it will work on a new vlan??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Yeah man, with the device residing on the same vlan I couldn't get it to block SNMP; once I separated them it worked fine.

Here is my current config regarding the vlan access-map:

Code:
!
vlan access-map BLOCK_SNMP 10
 action drop
 match ip address UPS_SNMP
vlan access-map BLOCK_SNMP 20
 action forward
!
vlan filter BLOCK_SNMP vlan-list 22
vlan internal allocation policy ascending
!
!
!
ip access-list extended UPS_SNMP
 permit udp 172.23.22.0 0.0.0.255 host 192.168.55.2 eq snmp
 permit udp 172.23.22.0 0.0.0.255 host 192.168.55.3 eq snmp
 permit udp 172.23.22.0 0.0.0.255 host 192.168.55.4 eq snmp
 
Well if you are on the same vlan it would have been routed to the switch and thus wouldn't have been run through the vacl.
 
^ Which is what I thought as well. If it wasn't a vlan and just a physical subnet and I wanted to do it, how would I? The traffic would never leave that switch and I would have to do it at the port level.

 
Correction:

Well if you are on the same vlan it WOULDN'T have been routed to the switch and thus wouldn't have been run through the vacl.

That is correct you would have to block it at the port level. Instead of blocking it why not just turn it off at the device?
 
VACLs were created for the exact reason that you posted, and that is to filter traffic that stays within the same VLAN. I'll give you a working example that I have set up in my lab. I have created an SVI and given it the address 192.168.100.254/24. I have three hosts on this VLAN: 192.168.100.9, 192.168.100.10, and 192.168.100.11. The .11 host has a web and ftp server running on it. I want to deny any web traffic from any host on my VLAN destined for .11; all other traffic will be allowed, including web traffic to other hosts.
Code:
ip access-list extended BLOCK_HTTP
 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.11 eq www

vlan access-map BLOCK 10
 match ip address BLOCK_HTTP
 action drop
vlan access-map BLOCK 20
 action forward

vlan filter BLOCK vlan-list 10
This works exactly as it is written. All web traffic from all hosts on VLAN10 is denied when trying to access host .11. I am able to ping and ftp to .11. Host .11 is able to fully interact with every other host on VLAN10.

drew, perhaps your source/destination addresses are backwards which is why it isn't working??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
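A constructed model of the two ACL roles this thread keeps circling: the VACL classifier semantics unclerico describes ("nope, that's not how VACLs work" and the lab example just above), and the port-level `ip access-group` alternative raised a few posts earlier. This is added example code, not from the thread or from Cisco. The packet and ACL values are made up; it models only IPv4 addresses, protocol and destination port; and the VACL evaluation rules it encodes (a permit entry means "match", a deny entry means "no match, try the next clause", a clause without a match statement matches everything, and a packet no clause matches is dropped) are stated as assumptions about Catalyst behaviour.

```python
"""Toy model of how an IOS extended ACL is used in two different roles.

Constructed for this thread (not code from the forum or from Cisco). It
models only IPv4 source/destination, protocol and destination port.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

PORT_NAMES = {"snmp": 161, "www": 80, "ftp": 21}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class ACE:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "udp" or "tcp"
    src: tuple    # (address, wildcard mask)
    dst: tuple
    dport: Optional[int]   # None when the entry has no "eq" clause


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must equal the base, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


def _addr_spec(tokens, i):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> ACE:
    """Parse one entry as typed under 'ip access-list extended NAME'."""
    t = line.split()
    src, i = _addr_spec(t, 2)
    dst, i = _addr_spec(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        dport = int(p) if p.isdigit() else PORT_NAMES[p]
    return ACE(t[0], t[1], src, dst, dport)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and wildcard_match(pkt.src, *ace.src)
            and wildcard_match(pkt.dst, *ace.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def interface_acl(acl, pkt: Packet) -> str:
    """'ip access-group NAME in' on a port or SVI: the ACL itself decides.
    First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def vacl(access_map, pkt: Packet) -> str:
    """'vlan access-map' semantics (assumed Catalyst behaviour): the ACL is a
    classifier only. access_map = [(acl_or_None, action), ...] in sequence
    order. permit entry -> matched, apply this clause's action; deny entry ->
    not matched here, try the next clause; a clause with no match statement
    matches everything; a packet that no clause matches is dropped."""
    for acl, action in access_map:
        if acl is None:
            return action
        for ace in acl:
            if ace_matches(ace, pkt):
                if ace.action == "permit":
                    return action
                break  # deny entry: fall through to the next clause
    return "drop"


def thread_examples() -> dict:
    """Replay the two ACL styles from the thread against constructed packets."""
    snmp_to_34 = Packet("192.168.99.10", "192.168.99.34", "udp", 161)
    snmp_to_other = Packet("192.168.99.10", "192.168.99.50", "udp", 161)
    web_to_34 = Packet("192.168.99.10", "192.168.99.34", "tcp", 80)

    # unclerico's pattern: permit entry as classifier, drop clause, forward the rest
    classifier = [parse_ace("permit udp 192.168.99.0 0.0.0.255 host 192.168.99.34 eq snmp")]
    block_map = [(classifier, "drop"), (None, "forward")]
    # drewdown's proposed ACL (deny ... / permit ip any any) placed in the same map
    deny_style = [parse_ace("deny udp 192.168.99.0 0.0.0.255 host 192.168.99.34 eq snmp"),
                  parse_ace("permit ip any any")]
    deny_map = [(deny_style, "drop"), (None, "forward")]

    return {
        "vacl/snmp_to_34": vacl(block_map, snmp_to_34),                       # drop
        "vacl/snmp_to_other": vacl(block_map, snmp_to_other),                 # forward
        "vacl/web_to_34": vacl(block_map, web_to_34),                         # forward
        "deny_vacl/snmp_to_34": vacl(deny_map, snmp_to_34),                   # forward (!)
        "deny_vacl/snmp_to_other": vacl(deny_map, snmp_to_other),             # drop (!)
        "port_acl/snmp_to_34": interface_acl(deny_style, snmp_to_34),         # deny
        "port_acl/snmp_to_other": interface_acl(deny_style, snmp_to_other),   # permit
    }
```

Calling `thread_examples()` shows why the `deny ... / permit ip any any` ACL posted earlier inverts the intent when it is used as the match ACL of a drop clause: the deny entry counts as "no match", so SNMP to .34 falls through to the forward clause, while `permit ip any any` matches everything else and drops it. The very same ACL applied with `ip access-group ... in` on the physical port behaves as the author expected, which is the port-level option discussed above.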
 
Source/destination are right.

Did you configure it on the same switch the devices are connected to? In my case I didn't; I configured it on my core switch, and the devices that I wanted to block SNMP from were connected to another trunked switch. That did not work, which I assumed was because the traffic wouldn't leave the local switch if it was on the same vlan, so the VACL wouldn't be applied to that traffic. It never crossed my mind that maybe I should have configured it on the local switch. Is that correct?

I got it working by moving the devices to a separate vlan and configuring my vlan access-map on my core 3750.

 
I am going to have to lab this myself over the weekend, as I have never needed to achieve this functionality. I primarily use VACLs to direct traffic to IDSM blades and NAM modules.

unclerico,

What platform did you use to test this on?
 
brian, I used a 3550 running 12.2(46)SE

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks unclerico, this may come in handy sometime in the future. It's just an odd concept to be able to block traffic at the layer 2 level.
 