Revised February 10, 2005
January 24, 2005
7200, c7200 - All
012.003(002.001), 012.002, 12.0(26)S01, 12.3(05)A, 12.2(23.1)S1
A router with an HSRP group configured on a subinterface will stop responding, and ultimately reload, when an HSRP SNMP query is performed.
The problem only occurs when an SNMP poll is done on HSRP. This does not occur for HSRP groups configured on major interfaces.
A cisco 7206VXR (NPE400) running IOS(tm)7200 Software(C7200-JK9O3S-M), Version 12.3(2.1), crashes when querying the Cisco group HSRP table.
This problem is not limited to 7200.
This symptom is observed when an HSRP Simple Network Management Protocol (SNMP) query is performed. The symptom occurs only when HSRP is configured on a subinterface. The symptom does not occur for an HSRP group that is configured on a major interface.
Turn SNMP off in the device. This is an effective workaround, but removes management capability to the device. This can be done using the following configure command:
Verify SNMP server status by issuing the show snmp command in enable mode. You should see a response of %SNMP agent not enabled .
Issue the snmp-server global command to specify which HSRP MIBS are available.
To prevent access to the affected MIBs, configure:
snmp-server view HSRP internet included snmp-server view HSRP ciscoHsrpMIB excluded snmp-server view HSRP ciscoHsrpExtMIB excluded
Additionally, SNMP requests should only be accepted from trusted hosts using suitably obscure community strings.
Apply SNMP community-based access-lists (ACL's) to allow SNMP only from trusted network management workstations using the following configure commands:
access-list 1 remark Permit SNMP read-only access from range of networks access-list 1 permit 10.0.0.0 0.0.0.255 access-list 1 permit 18.104.22.168 0.0.0.255 access-list 1 deny any log access-list 2 remark Permit SNMP read-write access to SPECIFIC NMS servers access-list 2 permit 10.0.0.2 access-list 2 permit 10.0.0.7 access-list 2 permit 22.214.171.124 access-list 2 deny any snmp-server community public view HSRP RO 1 snmp-server community private view HSRP RW 2
In this example, the trusted network management stations with SNMP READ access are hosted on IP subnetwork 10.0.0.0 255.255.255.0 and 126.96.36.199 255.255.255.0. READ-WRITE access is only allowed from trusted hosts 10.0.0.2, 10.0.0.7, and 188.8.131.52.
Alternatively, an interface access-list or Control Plane Policing (CoPP) can be configured to allow SNMP requests only from trusted hosts.
Apply an extended access list (ACL) on each interface to only allow protocol UDP port 161 from trusted network management workstations. This can be done using the following configure commands:
access-list 100 permit udp 10.0.0.0 0.0.0.255 any eq snmp access-list 100 permit udp 184.108.40.206 0.0.0.255 any eq snmp access-list 100 deny udp any any eq snmp access-list 100 permit ip any any
Where the trusted management stations with SNMP access are hosted on IP subnetwork 10.0.0.0 255.255.255.0 and 220.127.116.11 255.255.255.0, interface access-lists can not differentiate between trusted hosts with SNMP READ or READ-WRITE access.
This access list must be applied to all interfaces using the following configure commands:
interface < interface type > < module/port > ip access-group 100 in
The Control Plane Policing (CoPP) feature may be used to only allow protocol UDP port 161 from trusted network management workstations and IP subnetworks.
access-list 140 deny udp 10.0.0.0 0.0.0.255 any eq snmp access-list 140 deny udp 18.104.22.168 0.0.0.255 any eq snmp access-list 140 permit udp any any eq snmp access-list 140 deny ip any any class-map match-all snmp-class match access-group 140 policy-map control-plane-policy class snmp-class police 8000 1500 1500 conform-action drop exceed-action drop control-plane service-policy input control-plane-policy
Where the trusted management stations with SNMP access are hosted on IP subnetwork 10.0.0.0 255.255.255.0 and 22.214.171.124 255.255.255.0., CoPP can not differentiate between trusted hosts with SNMP READ or READ-WRITE access.
CoPP is available in IOS release trains 12.2S and 12.3T. Additional information on the configuration and use of the CoPP feature can be found at the Deploying Control Plane Policing White Paper.
Interface ACLs and CoPP will not prevent spoofed IP packets with the source IP address set to that of the network management station from reaching the router.
To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.
A cisco 7206VXR (NPE400) running IOS(tm)7200 Software (C7200-JK9O3S-M), Version 12.3(2.1), crashes when querying the Cisco group hsrp table.
SNMP Query for HSRP-MIB returns with wrong ifIndex.
Crash or CPUHOG when doing HSRP SNMP query
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.