Enabling And Configuring Snmp Application Inspection - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
SNMP Inspection

Enabling and Configuring SNMP Application Inspection

To change the default configuration for SNMP inspection, perform the following steps:

Step 1  Determine the ports that network devices behind the FWSM listen to for SNMP traffic. The default ports are TCP ports 161 and 162.

Step 2  Create a class map or modify an existing class map to identify SNMP traffic. Use the class-map command to do so, as follows:

hostname(config)# class-map class_map_name
hostname(config-cmap)#

where class_map_name is the name of the traffic class. When you enter the class-map command, the CLI enters class map configuration mode.

Step 3  Use a match command to identify traffic sent to the SNMP ports you determined in Step 1. If you need to assign a range of contiguous ports, use the range keyword, as in the following example:

hostname(config-cmap)# match port tcp range begin_port_number end_port_number

where begin_port_number is the lowest port in the range of SNMP ports and end_port_number is the highest port.

Tip  To identify two or more non-contiguous ports, enter the access-list extended command and define an ACE to match each port. Then, rather than the match port command, use the match access-list command to associate the access list with the SNMP traffic class.

Step 4  Create an SNMP map that will contain the parameters of SNMP inspection. Use the snmp-map command to do so, as follows:

hostname(config-cmap)# snmp-map map_name
hostname(config-snmp-map)#

where map_name is the name of the SNMP map. The CLI enters SNMP map configuration mode.

Step 5  Specify the versions of SNMP permitted by the SNMP map. To do so, use the deny version command to disallow the versions that you do not want to permit, as follows:

hostname(config-snmp-map)# deny version version
hostname(config-snmp-map)#

where version is the SNMP version that you want to restrict. Valid values of version are 1, 2, 2c, and 3. You can enter as many deny version commands as needed.

Step 6  Create a policy map or modify an existing policy map that you want to use to apply the SNMP inspection engine to the SNMP traffic. To do so, use the policy-map command, as follows:

hostname(config-cmap)# policy-map policy_map_name
hostname(config-pmap)#

where policy_map_name is the name of the policy map. The CLI enters the policy map configuration mode and the prompt changes accordingly.

Step 7  Specify the class map, created in Step 2, that identifies the SNMP traffic. Use the class command to do so, as follows:

hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, Chapter 22, Applying Application Layer Protocol Inspection, page 22-98, OL-20748-01
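The following is an added example, not configuration from the guide, that carries Steps 1 through 7 into one complete FWSM configuration. The object names (snmp_inspect_class, snmp_v3_only, snmp_inspect_policy, snmp_ports) and the interface name inside are placeholders. Step 1 lists TCP 161 and 162; SNMP agents and trap receivers are normally reached over UDP, so the example matches UDP on those port numbers, and you should match whatever transport your devices actually use. The page ends at Step 7; the inspect snmp and service-policy lines that bind and activate the policy are assumed from the FWSM command set and are not shown on this page. The SNMP map denies versions 1, 2 and 2c, which carry community strings in clear text, so that only SNMPv3 traffic (authenticated, optionally encrypted) crosses the firewall.

```cisco
! Added example, not from the guide. All names are placeholders.
! Step 1 says TCP 161/162; SNMP runs over UDP in practice, so UDP is used here.

! Steps 2-3: class map selecting SNMP traffic by contiguous port range
class-map snmp_inspect_class
 match port udp range 161 162

! Alternative for the Tip (non-contiguous ports): build an extended ACL
! with one ACE per port and use "match access-list" instead of "match port".
! 161 is the standard agent port; 10161 is a constructed non-standard port.
! access-list snmp_ports extended permit udp any any eq 161
! access-list snmp_ports extended permit udp any any eq 10161
! class-map snmp_inspect_class
!  match access-list snmp_ports

! Steps 4-5: SNMP map that rejects the clear-text community-string versions
snmp-map snmp_v3_only
 deny version 1
 deny version 2
 deny version 2c

! Steps 6-7: policy map that ties the traffic class to the SNMP map
policy-map snmp_inspect_policy
 class snmp_inspect_class
! The next two lines are the steps that follow on the guide's next page
! (assumed from the FWSM command set; not on this page):
  inspect snmp snmp_v3_only
service-policy snmp_inspect_policy interface inside
```

Because deny version is the only parameter the SNMP map carries, a map with no deny lines permits every version; the value of the inspection is in the versions you explicitly deny, so add a deny version line for each version you have confirmed no legitimate manager on that interface still uses.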
