
Cisco 7200 Series Routers

Field Notice: HSRP: Software Crash Forced When Doing HSRP SNMP Query


Revised February 10, 2005

January 24, 2005


Products Affected

Products Affected    Comments
7200, c7200 - All    012.003(002.001), 012.002, 12.0(26)S01, 12.3(05)A, 12.2(23.1)S1

Problem Description

A router with an HSRP group configured on a subinterface will stop responding, and ultimately reload, when an HSRP SNMP query is performed.

The problem only occurs when an SNMP poll is done on HSRP. This does not occur for HSRP groups configured on major interfaces.

Background

A Cisco 7206VXR (NPE400) running IOS(tm) 7200 Software (C7200-JK9O3S-M), Version 12.3(2.1), crashes when the Cisco HSRP group table is queried over SNMP.

Note:

This problem is not limited to 7200.

Problem Symptoms

This symptom is observed when an HSRP Simple Network Management Protocol (SNMP) query is performed. The symptom occurs only when HSRP is configured on a subinterface. The symptom does not occur for an HSRP group that is configured on a major interface.

Workaround/Solution

Turn SNMP off on the device. This is an effective workaround, but it removes SNMP management capability for the device. Use the following configuration command:

no snmp-server

Verify the SNMP server status by issuing the show snmp command in enable mode. You should see the response %SNMP agent not enabled.

Alternate Workaround:

Use the snmp-server view global configuration command to control which HSRP MIBs are reachable through SNMP.

To prevent access to the affected MIBs while leaving the rest of the MIB tree available, configure a view that excludes them:

snmp-server view HSRP internet included
snmp-server view HSRP ciscoHsrpMIB excluded
snmp-server view HSRP ciscoHsrpExtMIB excluded

Additionally, SNMP requests should only be accepted from trusted hosts using suitably obscure community strings.

Apply SNMP community-based access-lists (ACLs) so that SNMP is accepted only from trusted network management workstations, using the following configuration commands:

access-list 1 remark Permit SNMP read-only access from range of networks
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 11.0.1.0 0.0.0.255
access-list 1 deny any log

access-list 2 remark Permit SNMP read-write access to SPECIFIC NMS servers
access-list 2 permit 10.0.0.2
access-list 2 permit 10.0.0.7
access-list 2 permit 11.0.1.10
access-list 2 deny any

snmp-server community public view HSRP RO 1
snmp-server community private view HSRP RW 2

In this example, the trusted network management stations with SNMP READ access are hosted on IP subnetwork 10.0.0.0 255.255.255.0 and 11.0.1.0 255.255.255.0. READ-WRITE access is only allowed from trusted hosts 10.0.0.2, 10.0.0.7, and 11.0.1.10.
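As an added example that is not part of the field notice, the following Python audit parses the snmp-server view and snmp-server community lines of a saved IOS configuration and flags any community that can still reach the HSRP MIBs or that has no access-list bound. The configuration text it checks is constructed for the example.

```python
import re

# Subtrees the field notice says to exclude from every reachable SNMP view.
HSRP_MIBS = {"ciscoHsrpMIB", "ciscoHsrpExtMIB"}

# Constructed sample: the notice's workaround plus two communities that miss it.
SAMPLE_CONFIG = """
snmp-server view HSRP internet included
snmp-server view HSRP ciscoHsrpMIB excluded
snmp-server view HSRP ciscoHsrpExtMIB excluded
snmp-server view ALL internet included
snmp-server community public view HSRP RO 1
snmp-server community private view HSRP RW 2
snmp-server community legacy RO
snmp-server community monitor view ALL RO 1
"""

VIEW_RE = re.compile(r"^\s*snmp-server view (\S+) (\S+) (included|excluded)\s*$", re.M)
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server community (\S+)(?: view (\S+))? (RO|RW)(?: (\S+))?\s*$", re.M)


def parse_views(config):
    """Map each view name to the set of subtrees it explicitly excludes."""
    views = {}
    for name, subtree, action in VIEW_RE.findall(config):
        views.setdefault(name, set())
        if action == "excluded":
            views[name].add(subtree)
    return views


def parse_communities(config):
    """Return (community, view-or-None, mode, acl-or-None) for each community line."""
    return COMMUNITY_RE.findall(config)


def audit(config):
    """Return (community, issue) findings for communities that defeat the workaround."""
    views = parse_views(config)
    findings = []
    for community, view, mode, acl in parse_communities(config):
        # A community with no view, or a view that does not exclude both
        # HSRP subtrees, can still trigger the HSRP SNMP query that crashes the box.
        if not HSRP_MIBS <= views.get(view, set()):
            findings.append((community, "hsrp-mibs-reachable"))
        if not acl:
            findings.append((community, "no-access-list"))
    return findings


if __name__ == "__main__":
    for community, issue in audit(SAMPLE_CONFIG):
        print(f"{community}: {issue}")
```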

Alternatively, an interface access-list or Control Plane Policing (CoPP) can be configured to allow SNMP requests only from trusted hosts.

Apply an extended access list (ACL) on each interface so that UDP port 161 is allowed only from trusted network management workstations. Use the following configuration commands:

access-list 100 permit udp 10.0.0.0 0.0.0.255 any eq snmp
access-list 100 permit udp 11.0.1.0 0.0.0.255 any eq snmp
access-list 100 deny udp any any eq snmp
access-list 100 permit ip any any

Here the trusted management stations with SNMP access are hosted on IP subnetworks 10.0.0.0 255.255.255.0 and 11.0.1.0 255.255.255.0. Note that interface access-lists cannot differentiate between trusted hosts with SNMP READ access and those with READ-WRITE access.

This access list must be applied to all interfaces using the following configuration commands:

interface < interface type > < module/port >
ip access-group 100 in

The Control Plane Policing (CoPP) feature may be used to allow UDP port 161 only from trusted network management workstations and IP subnetworks. In the ACL below, trusted sources are matched with deny so that they are not policed; all other SNMP traffic is matched with permit and then dropped by the policer:

access-list 140 deny udp 10.0.0.0 0.0.0.255 any eq snmp
access-list 140 deny udp 11.0.1.0 0.0.0.255 any eq snmp
access-list 140 permit udp any any eq snmp
access-list 140 deny ip any any

class-map match-all snmp-class
match access-group 140

policy-map control-plane-policy
class snmp-class
police 8000 1500 1500 conform-action drop exceed-action drop

control-plane
service-policy input control-plane-policy

Here the trusted management stations with SNMP access are hosted on IP subnetworks 10.0.0.0 255.255.255.0 and 11.0.1.0 255.255.255.0. Like interface ACLs, CoPP cannot differentiate between trusted hosts with SNMP READ access and those with READ-WRITE access.

CoPP is available in IOS release trains 12.2S and 12.3T. Additional information on the configuration and use of the CoPP feature can be found at the Deploying Control Plane Policing White Paper.

Interface ACLs and CoPP will not prevent spoofed IP packets with the source IP address set to that of the network management station from reaching the router.

DDTS

To follow the bug ID links below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS          Description
CSCec26539    A Cisco 7206VXR (NPE400) running IOS(tm) 7200 Software (C7200-JK9O3S-M), Version 12.3(2.1), crashes when querying the Cisco group HSRP table.
CSCin18200    SNMP query for HSRP-MIB returns the wrong ifIndex.
CSCed52163    Crash or CPUHOG when doing HSRP SNMP query.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
