07-17-2006 11:14 AM - edited 03-03-2019 04:05 AM
Hi,
I have added the following standard ACL to my router to limit SNMP access only to my CiscoWorks LMS server or SNMP server, but I don't know if I need to enforce it with an access-group or not. I believe that I need to, but I am not sure how.
access-list 90 permit host 10.1.1.139
access-list 90 deny any log
snmp-server community XXXXXXX ro 90
Please help me understand the need for the access-group and, if I need it, whether it would be something like this:
ip access-group 90 in
applied to the Ethernet interface?
This is my internal gateway router. All of the users have the Ethernet0 address of this router as their default gateway.
Thx,
Masood
07-17-2006 11:44 AM
You have everything you need. The 90 on the end of the snmp-server line applies it.
You could put a similar access list on the interfaces, but that would serve no purpose since this one is the one that takes effect. In some cases people place SNMP access lists on interfaces to prevent IP address spoofing, since SNMP is UDP based, but in your case you are most likely OK with just this.
07-17-2006 11:50 AM
I believe that Masood starts from a valid understanding of an important principle of access lists: after you create an access list you must assign it (creating an access list without assigning it does not affect any traffic). If you want the access list to filter packets on an interface you use the access-group command to assign the access list to the interface.
And Tim is correct that to use an access list to control SNMP access to the router all you need to do is to add the access list number on the command that defines the community string. This is the assignment of the access list. So Masood does not need to take any additional action.
HTH
Rick
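The two placements Tim and Rick describe, shown side by side as an added IOS configuration example (not posted by anyone in the thread). The interface name Serial0 as the outside interface and the 10.1.1.0/24 inside subnet are assumptions; Ethernet0 is the inside gateway interface from the question, and 10.1.1.139 is the LMS server from the original ACL.

```cisco
! Added example, not part of the thread. Serial0 (outside interface) and the
! 10.1.1.0/24 inside subnet are assumptions; Ethernet0 and 10.1.1.139 come
! from the question.
!
! 1. Standard ACL bound to the community string. No access-group is needed:
!    the trailing "90" is the assignment, and only SNMP requests to the
!    router are checked against it.
access-list 90 remark SNMP read-only access: LMS server only
access-list 90 permit host 10.1.1.139
access-list 90 deny   any log
snmp-server community XXXXXXX ro 90
!
! 2. Optional interface ACL of the kind Tim describes. Applied inbound on the
!    outside interface, it drops packets that arrive from outside claiming an
!    inside source address (a spoofed UDP datagram could otherwise match
!    "permit host 10.1.1.139" in list 90) and blocks SNMP (UDP 161) from
!    outside altogether. The inside interface Ethernet0 needs no such list.
ip access-list extended OUTSIDE-IN
 deny   ip 10.1.1.0 0.0.0.255 any log
 deny   udp any any eq snmp
 permit ip any any
!
interface Serial0
 ip access-group OUTSIDE-IN in
!
! 3. Verification: match counters on list 90 increase as the LMS server
!    polls, and the logged "deny any" line shows any other source that tried.
! show access-lists 90
! show ip interface Serial0 | include access list
```

The point of keeping both lists is that they answer different questions: list 90 decides which source may speak SNMP to the router at all, while OUTSIDE-IN decides whether a packet arriving on the outside interface is even plausible, which is what makes the host match in list 90 trustworthy.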
07-19-2006 06:11 AM
Thanks to both of you.