Block/drop/ignore SNMP requests from IP

[thermseeker]

Hello all,

On an OS6900-T40, is it possible to block/drop/ignore SNMP requests from a known address on a certain port? At our central adm there seems to be a scanner shooting SNMP requests with default credentials (public). As I don't have public community available, the switch generates an authentication failure trap to OV2500, who in turn sends me an email. About 50/day, actually. I'd like to get rid of that, and asking ppl at CA to shut down that thing didn't produce any effect.

Disable snmp authentication-trap is not an option as I want to be notified if someone tries to log in.
One option would be to enable public SNMPv2 community, but.... that feels wrong

Thanks in advance...
Tales/thermseeker

[silvio]

With policies this is possible. I will try to create one (without access to a switch):
policy condition BAD-SNMP source port 1/1/1 source udp-port 162
policiy action BLOCK disposition drop
policy rule BLOCK-BAD-SNMP condition BAD-SNMP action BLOCK
qos apply

regards
Silvio

[thermseeker]

Hi Silvio,

Sorry I haven't received a notification about your reply.

Yes that would probably work, but would drop every SNMP packet coming in through the port, right? It happens that they host a printer server from a service provider monitoring our printers through SNMP so I can't drop everything. I need to filter only one specific IP address. Or, MAC address would do too.

Maybe instead of the udp-port I could use the MAC address of the offendind server in the condition? I'll take a better look at "policy", I had seen it in the documentation but read only superficially.

Thank you very much.

Regards,
Tales

[silvio]

Hi,
the udp is necessary to drop only incomming snmp. But you can add "source ip" or "source mac" in the condition.
regards
Silvio