Restricting SNMP access

srego4
Level 2

Hello,

I am looking for a way that I can limit (block) all snmp requests to any switch/router except from a few specified hosts.

Can anyone let me know the ways? I guess ACLs are one way, but any other method would be highly appreciated. What does the snmp-server group command do?

Thanks

6 Replies

rmushtaq
Level 8

Best practices recommend applying ACLs to community strings and ensuring that the community strings for requests are not identical to community strings used for notifications. Access-lists provide further protection when used in combination with other protective measures. Using different community strings for requests and trap messages reduces the likelihood of further compromises if the community string is discovered, whether by compromising a remote device or by sniffing a trap message from the network without authorization. You can find access-list examples on CCO. As for the details of the above command, refer to the IOS command reference on CCO.

Thanks, rmushtaq, for the reply. You have mentioned "best practices", so is there any other way other than ACLs?

For example, if I use the snmp-server host A.B.C.D command, will this restrict SNMP to only this particular host and no other device? (i.e. the router/switch will not respond to any SNMP queries from any other device) Or is this command only for SNMP notifications, to be used only with the snmp-server traps commands?

Thanks in advance.

The snmp-server host A.B.C.D command will not restrict any host. This is only for sending traps to a specific host A.B.C.D. One simple example could be to apply an extended access list to deny protocol UDP, ports 161 and 162, at the interface level such that SNMP access to the device is allowed only from the network management workstations. This can be done using:

access-list 100 permit ip host 1.1.1.1 any
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
access-list 100 permit ip any any

where 1.1.1.1 is the trusted network management station. This access list must be applied to all interfaces using:

interface serial 0
 ip access-group 100 in

This will not prevent spoofed IP packets with the source IP address set to that of the network management station from reaching the switch's management interface. The access-list statement containing "snmptrap" will prevent notification messages from entering the network when it is applied at the network edge.

Thanks, rmushtaq, for taking the time to give an example as well.

One more question regarding this matter.

All my routers are RSMs and our network is mainly LAN extensions. Now for the routers, can I just apply the ACL on VLAN 1, or do I have to apply it to all the VLANs? What I am trying to find out here is whether SNMP will use VLAN 1 (being the management VLAN) to communicate with the router.

P.S. We aren't using VLANs in our network (just one big VLAN in reality); we are only using VLANs to identify the interfaces on the routers.

cchenoweth
Level 1

You can also use:

snmp-server community xxxxxxx RW yy

where x is your community string and yy is a standard ACL number.

The ACL yy would look like:

access-list yy permit z.z.z.z

where z.z.z.z is the management server you want to allow through.

You can obviously do the same for an RO string.
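As an added example (not from this thread or from Cisco), here is a small audit script that parses IOS configuration text for `snmp-server community` lines and reports any community that is not bound to a defined standard ACL, which is the control described above. The sample configuration, community names and ACL numbers are constructed for the demonstration.

```python
import re

# Constructed sample IOS configuration (not from the thread): one community
# bound to a defined ACL, one with no ACL, and one naming an undefined ACL.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community netmon RW 10
snmp-server community legacy RO 20
access-list 10 permit 1.1.1.1
snmp-server host 1.1.1.1 traps netmon-traps
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(.*)$", re.IGNORECASE)
ACL_RE = re.compile(r"^access-list (\d+)\s")


def parse_community(rest):
    """Return (mode, acl) from the tail of a 'snmp-server community' line.
    Skips the optional 'view <name>' / 'ipv6 <nacl>' pairs; mode defaults to RO."""
    tokens, mode, acl, i = rest.split(), "RO", None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.lower() in ("view", "ipv6"):
            i += 2  # keyword plus its argument
            continue
        if tok.upper() in ("RO", "RW"):
            mode = tok.upper()
        else:
            acl = tok  # the remaining positional token is the IPv4 ACL number
        i += 1
    return mode, acl


def audit_snmp(config):
    """Flag community strings that the config does not pin to an access list.
    Returns (community, mode, issue) tuples: 'no-acl' when no ACL is bound,
    'undefined-acl' when the referenced ACL is never defined in the config."""
    acls = {m.group(1) for m in map(ACL_RE.match, config.splitlines()) if m}
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        mode, acl = parse_community(m.group(2))
        if acl is None:
            findings.append((m.group(1), mode, "no-acl"))
        elif acl not in acls:
            findings.append((m.group(1), mode, "undefined-acl"))
    return findings


if __name__ == "__main__":
    for community, mode, issue in audit_snmp(SAMPLE_CONFIG):
        print(f"{issue}: community '{community}' ({mode})")
```

Run it against a saved `show running-config` to find every community that would answer queries from any source address.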