Revised February 10, 2005
January 24, 2005
7200, c7200 - All
012.003(002.001), 012.002, 12.0(26)S01, 12.3(05)A, 12.2(23.1)S1
A router with an HSRP group configured on a subinterface will stop responding, and ultimately reload, when an HSRP SNMP query is performed.
The problem only occurs when an SNMP poll is done on HSRP. This does not occur for HSRP groups configured on major interfaces.
A cisco 7206VXR (NPE400) running IOS(tm)7200 Software(C7200-JK9O3S-M), Version 12.3(2.1), crashes when querying the Cisco group HSRP table.
This problem is not limited to 7200.
This symptom is observed when an HSRP Simple Network Management Protocol (SNMP) query is performed. The symptom occurs only when HSRP is configured on a subinterface. The symptom does not occur for an HSRP group that is configured on a major interface.
Turn SNMP off in the device. This is an effective workaround, but removes management capability to the device. This can be done using the following configure command:
Verify SNMP server status by issuing the show snmp command in enable mode. You should see a response of %SNMP agent not enabled .
Issue the snmp-server global command to specify which HSRP MIBS are available.
To prevent access to the affected MIBs, configure:
snmp-server view HSRP internet included
snmp-server view HSRP ciscoHsrpMIB excluded
snmp-server view HSRP ciscoHsrpExtMIB excluded
Additionally, SNMP requests should only be accepted from trusted hosts using suitably obscure community strings.
Apply SNMP community-based access-lists (ACL's) to allow SNMP only from trusted network management workstations using the following configure commands:
access-list 1 remark Permit SNMP read-only access from range of networks
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 220.127.116.11 0.0.0.255
access-list 1 deny any log
access-list 2 remark Permit SNMP read-write access to SPECIFIC NMS servers
access-list 2 permit 10.0.0.2
access-list 2 permit 10.0.0.7
access-list 2 permit 18.104.22.168
access-list 2 deny any
snmp-server community public view HSRP RO 1
snmp-server community private view HSRP RW 2
In this example, the trusted network management stations with SNMP READ access are hosted on IP subnetwork 10.0.0.0 255.255.255.0 and 22.214.171.124 255.255.255.0. READ-WRITE access is only allowed from trusted hosts 10.0.0.2, 10.0.0.7, and 126.96.36.199.
Alternatively, an interface access-list or Control Plane Policing (CoPP) can be configured to allow SNMP requests only from trusted hosts.
Apply an extended access list (ACL) on each interface to only allow protocol UDP port 161 from trusted network management workstations. This can be done using the following configure commands:
access-list 100 permit udp 10.0.0.0 0.0.0.255 any eq snmp
access-list 100 permit udp 188.8.131.52 0.0.0.255 any eq snmp
access-list 100 deny udp any any eq snmp
access-list 100 permit ip any any
Where the trusted management stations with SNMP access are hosted on IP subnetwork 10.0.0.0 255.255.255.0 and 184.108.40.206 255.255.255.0, interface access-lists can not differentiate between trusted hosts with SNMP READ or READ-WRITE access.
This access list must be applied to all interfaces using the following configure commands:
interface < interface type > < module/port >
ip access-group 100 in
The Control Plane Policing (CoPP) feature may be used to only allow protocol UDP port 161 from trusted network management workstations and IP subnetworks.
access-list 140 deny udp 10.0.0.0 0.0.0.255 any eq snmp
access-list 140 deny udp 220.127.116.11 0.0.0.255 any eq snmp
access-list 140 permit udp any any eq snmp
access-list 140 deny ip any any
class-map match-all snmp-class
match access-group 140
police 8000 1500 1500 conform-action drop exceed-action drop
service-policy input control-plane-policy
Where the trusted management stations with SNMP access are hosted on IP subnetwork 10.0.0.0 255.255.255.0 and 18.104.22.168 255.255.255.0., CoPP can not differentiate between trusted hosts with SNMP READ or READ-WRITE access.
CoPP is available in IOS release trains 12.2S and 12.3T. Additional information on the configuration and use of the CoPP feature can be found at the Deploying Control Plane Policing White Paper.
Interface ACLs and CoPP will not prevent spoofed IP packets with the source IP address set to that of the network management station from reaching the router.
To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.
CSCec26539 (registered customers only)
A cisco 7206VXR (NPE400) running IOS(tm)7200 Software (C7200-JK9O3S-M), Version 12.3(2.1), crashes when querying the Cisco group hsrp table.
CSCin18200 (registered customers only)
SNMP Query for HSRP-MIB returns with wrong ifIndex.
CSCed52163 (registered customers only)
Crash or CPUHOG when doing HSRP SNMP query
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.