03-31-2020 10:05 AM
We are trying to implement an ACL in order to allow SNMP traffic in our network. We are using Cisco Prime as the SNMP server. Could you please assist us with the commands?
This is what I found out:
permit udp X.X.0.0 0.0.255.255 eq snmp host SERVER_IP
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq
03-31-2020 10:57 AM - edited 03-31-2020 10:58 AM
Sometimes Prime needs write access if you are looking to change config.
Here is an example for read and write SNMP, ACL-based.
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 11 permit host 11.1.1.1
access-list 11 deny any
snmp-server community bbread ro 11
access-list 12 permit 172.16.1.0 0.0.0.255
snmp-server community bbwrite rw 12
Another way of doing it, as per the thread below:
https://community.cisco.com/t5/routing/acl-to-allow-snmp-traffic/m-p/1577251
03-31-2020 11:23 AM
hi Balaji,
Thanks for the assistance.
So if my Prime IP is 172.168.12.xxx, the config would be
access-list 11 permit 172.168.12.xxx 0.0.0.255
and what does the host represent?
access-list 11 permit host 11.1.1.1
access-list 11 deny any
snmp-server community bbread ro 11
access-list 12 permit 172.168.12.xxx 0.0.0.255
snmp-server community bbwrite rw 12
04-01-2020 12:42 AM - edited 04-01-2020 12:53 AM
Hello
You could also use groups for SNMP, which is much more granular and can even be used to restrict certain parts of the switch/router MIB tree to negate malicious access.
Example:
ip access-list extended SNMP_ACL
permit ip host 172.168.12.x any
snmp-server group SNMP-GRP v2c access SNMP_ACL
snmp-server user Fred SNMP-GRP v2c
04-02-2020 01:05 AM
Hi Paul,
Thanks for your email.
We have recently moved to SNMP v3.
04-02-2020 03:13 AM - edited 04-02-2020 03:18 AM
Hello
You can use SNMP groups with v3 also. However, with v3 you have the option of authentication and encryption, and can specify SNMP views to specific OIDs (create from here) within the SNMP MIB tree.
Below is an example of using SNMPv3 with read access to the configuration on the device, using an SNMP view/group/user with MD5/3DES authentication and encryption (assuming your device and NMS support this).
ip access-list extended SNMP_ACL
permit ip host 172.168.12.x any
snmp-server view CONFIG cisco.5.1.31.2.61 included
snmp-server group SNMP-GRP v3 priv read CONFIG access SNMP_ACL
snmp-server user Fred SNMP-GRP v3 auth md5 snmppassword priv 3des sharedkey123
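The three answers above (community strings with a standard ACL, v2c groups with an extended ACL, and v3 groups with a view and priv) all hinge on the same few checks: is there an ACL on every community or group, does that ACL actually exist, is write access handed out, and is v3 actually authenticating and encrypting. The script below is an added example, not code from the thread or from Cisco, that runs those checks over the text of an IOS config. The sample config is constructed for the test: it reuses the thread's ACL 11 / bbread / bbwrite / SNMP-GRP lines, uses 172.168.12.10 as a placeholder NMS address, and adds a `public` community, a missing ACL 12 and a `noauth` v3 group so that something gets flagged. Note that IOS does not echo `snmp-server user` lines in `show running-config` (see `show snmp user`), so paste the lines you typed rather than only the saved config.

```python
"""Audit the SNMP lines of a Cisco IOS configuration for common weaknesses.

Added example; checks only the config text, no device access.
  * v1/v2c community with no ACL, or with an ACL that is not defined
  * rw community (write access via a plaintext community string)
  * snmp-server group with no access ACL / undefined ACL / write view
  * SNMPv3 group not at the priv security level
  * SNMPv3 user using md5 or des/3des rather than sha/aes
"""
import re
from typing import List, Set, Tuple

# Constructed sample (placeholder addresses), not from a real device.
SAMPLE_CONFIG = """\
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 11 permit host 11.1.1.1
access-list 11 deny any
snmp-server community bbread ro 11
snmp-server community bbwrite rw 12
snmp-server community public ro
ip access-list extended SNMP_ACL
 permit ip host 172.168.12.10 any
snmp-server group SNMP-GRP v3 priv read CONFIG access SNMP_ACL
snmp-server group LEGACY v3 noauth
snmp-server user Fred SNMP-GRP v3 auth md5 snmppassword priv 3des sharedkey123
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))? (ro|rw)(?: ipv6 \S+)?(?: (\S+))?$")
GROUP_RE = re.compile(r"^snmp-server group (\S+) (v1|v2c|v3)(?: (auth|noauth|priv))?(.*)$")
USER_RE = re.compile(
    r"^snmp-server user (\S+) (\S+) v3 auth (md5|sha) \S+(?: priv (des|3des|aes(?: \d+)?) \S+)?")


def defined_acls(config: str) -> Set[str]:
    """Names/numbers of every standard, numbered or named ACL in the config."""
    acls = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^access-list (\S+) ", line)
        if m:
            acls.add(m.group(1))
            continue
        m = re.match(r"^ip access-list (?:standard|extended) (\S+)$", line)
        if m:
            acls.add(m.group(1))
    return acls


def audit_snmp(config: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the SNMP lines of config."""
    acls = defined_acls(config)
    findings: List[Tuple[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, _view, mode, acl = m.groups()
            if acl is None:
                findings.append(("high", f"community '{community}' has no ACL: anyone who guesses the string gets {mode} access"))
            elif acl not in acls:
                findings.append(("high", f"community '{community}' references ACL {acl}, which is not defined"))
            if mode == "rw":
                findings.append(("medium", f"community '{community}' is rw: write access protected only by a plaintext string"))
            continue
        m = GROUP_RE.match(line)
        if m:
            name, version, level, rest = m.groups()
            acl_m = re.search(r"\baccess (\S+)", rest)
            if acl_m is None:
                findings.append(("medium", f"group '{name}' has no access ACL"))
            elif acl_m.group(1) not in acls:
                findings.append(("high", f"group '{name}' references ACL {acl_m.group(1)}, which is not defined"))
            if re.search(r"\bwrite \S+", rest):
                findings.append(("medium", f"group '{name}' grants a write view"))
            if version == "v3" and level != "priv":
                how = "neither authenticated nor" if level == "noauth" else "authenticated but not"
                findings.append(("high", f"v3 group '{name}' is {level}, not priv: traffic is {how} encrypted"))
            continue
        m = USER_RE.match(line)
        if m:
            name, _group, auth, priv = m.groups()
            if auth == "md5":
                findings.append(("low", f"v3 user '{name}' authenticates with md5; prefer sha"))
            if priv in ("des", "3des"):
                findings.append(("low", f"v3 user '{name}' encrypts with {priv}; prefer aes"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_snmp(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

The script deliberately treats a missing ACL as worse than a weak algorithm: an ACL on the community or group is what stops every other host from even getting a reply, while md5/3des only matters to someone already positioned to capture the v3 traffic.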