
ACL in order to allow SNMP

We are trying to implement an ACL in order to allow SNMP traffic in our network. We are using Cisco Prime as the SNMP server. Could you please assist us with the commands?

This is what I found out:

permit udp X.X.0.0 0.0.255.255 eq snmp host SERVER_IP
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq

balaji.bandi

Sometimes Prime needs write access if you are looking to change the config.

Here is an example of read and write SNMP access restricted by ACL:

 

! ACL 11: stations allowed to use the read-only community
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 11 permit host 11.1.1.1
access-list 11 deny any
snmp-server community bbread ro 11
! ACL 12: stations allowed to use the read-write community
access-list 12 permit 172.16.1.0 0.0.0.255
snmp-server community bbwrite rw 12

 

Another way of doing it, as per the thread below:

 

https://community.cisco.com/t5/routing/acl-to-allow-snmp-traffic/m-p/1577251

BB


Hi Balaji,

 

Thanks for the assistance.

 

So if my Prime IP is 172.168.12.xxx, the config would be

access-list 11 permit 172.168.12.xxx 0.0.0.255

and what does the host represent?

 

access-list 11 permit host 11.1.1.1
access-list 11 deny any
snmp-server community bbread ro 11
access-list 12 permit 172.168.12.xxx 0.0.0.255
snmp-server community bbwrite rw 12
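As an added illustration (not code from this thread or from Cisco) of what the standard ACL entries above actually match: a `host` entry is an address with wildcard mask 0.0.0.0 (every bit must match), while `172.168.12.xxx 0.0.0.255` permits the whole /24 because the last octet is "don't care". The script below parses IOS-style `access-list` lines, evaluates a source address against them with first-match-wins and the implicit deny, and counts how many addresses of the Prime subnet each form admits. The config text is constructed for the example; 172.168.12.50 stands in for the thread's 172.168.12.xxx.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask test.

    A 0 bit in the wildcard means 'this bit must equal the base address';
    a 1 bit means 'do not care'.  'host X' is X with wildcard 0.0.0.0,
    'any' is 0.0.0.0 with wildcard 255.255.255.255.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_standard_acl(config: str) -> dict:
    """Parse 'access-list <n> permit|deny ...' lines into {n: [(action, base, wildcard), ...]}."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # skip blank lines, '!' comments and non-ACL commands
        num, action, rest = parts[1], parts[2], parts[3:]
        if rest[0] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            base, wildcard = rest[1], "0.0.0.0"
        elif len(rest) == 1:
            base, wildcard = rest[0], "0.0.0.0"  # bare address is treated as host
        else:
            base, wildcard = rest[0], rest[1]
        acls.setdefault(num, []).append((action, base, wildcard))
    return acls


def evaluate(acl, src: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


def count_permitted(acl, network: str) -> int:
    """Number of addresses in `network` that the ACL would let use the community."""
    return sum(1 for ip in ipaddress.IPv4Network(network) if evaluate(acl, str(ip)) == "permit")


# Constructed sample config: the read-only ACL from the reply above, plus the
# two ways of writing the NMS entry (subnet wildcard vs. host).
SAMPLE_CONFIG = """
! constructed for this example
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 11 permit host 11.1.1.1
access-list 11 deny any
access-list 20 permit 172.168.12.50 0.0.0.255
access-list 21 permit host 172.168.12.50
"""

ACLS = parse_standard_acl(SAMPLE_CONFIG)

if __name__ == "__main__":
    for src in ("192.168.1.77", "11.1.1.1", "11.1.1.2", "10.0.0.5"):
        print(f"ACL 11, source {src:<14} -> {evaluate(ACLS['11'], src)}")
    print("ACL 20 admits", count_permitted(ACLS["20"], "172.168.12.0/24"), "addresses of 172.168.12.0/24")
    print("ACL 21 admits", count_permitted(ACLS["21"], "172.168.12.0/24"), "addresses of 172.168.12.0/24")
```

If Prime is a single server, the `host` form is the one to use: the subnet form lets any machine on that /24 present the community string.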

Hello

You could also use groups for SNMP, which is much more granular and can even be used to restrict access to certain parts of the switch/router MIB tree to negate malicious access.


Example:
ip access-list extended SNMP_ACL
permit ip host 172.168.12.x any

snmp-server group SNMP-GRP v2c access SNMP_ACL
snmp-server user Fred SNMP-GRP v2c


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

 

Thanks for your email.

 

We have recently moved to SNMP v3.

Hello
You can use SNMP groups with version 3 also. However, with v3 you have the option of authentication and encryption, and you can specify SNMP views that limit access to specific OIDs (create from here) within the SNMP MIB tree.

Below is an example of using SNMPv3 with read access to the configuration on the device, using an SNMP view/group/user with MD5/3DES authentication and encryption (assuming your device and NMS support this):

 

ip access-list extended SNMP_ACL
permit ip host 172.168.12.x any

! view: which part of the MIB tree the group may read
snmp-server view CONFIG cisco.5.1.31.2.61 included
! group: v3 with auth+priv required, read view CONFIG, source restricted by SNMP_ACL
snmp-server group SNMP-GRP v3 priv read CONFIG access SNMP_ACL
! user: group name must match the group defined above exactly (SNMP-GRP, not SNMP_GRP)
snmp-server user Fred SNMP-GRP v3 auth md5 snmppassword priv 3des sharedkey123



Kind Regards
Paul
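As an added example (not from this thread and not Cisco code) of what sits behind the `auth md5 snmppassword` keyword in the configuration above: the SNMPv3 User-based Security Model (RFC 3414) never uses the passphrase directly. It expands the passphrase to 1 MiB and hashes it to an intermediate key Ku, then localizes Ku with the agent's snmpEngineID, so the same passphrase yields a different stored key on every device. The functions below implement that derivation with Python's hashlib and check it against the RFC 3414 A.3.1 test vector; the second engine ID used at the end is constructed for the demonstration.

```python
import hashlib

# RFC 3414 section A.2: the passphrase is repeated until 1,048,576 octets are produced.
EXPANSION_LENGTH = 1_048_576


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku = H(passphrase expanded to 1 MiB).

    hash_name is 'md5' for usmHMACMD5AuthProtocol or 'sha1' for usmHMACSHAAuthProtocol,
    matching the 'auth md5' / 'auth sha' keywords of snmp-server user.
    """
    if not password:
        raise ValueError("empty passphrase")
    reps = EXPANSION_LENGTH // len(password) + 1
    expanded = (password * reps)[:EXPANSION_LENGTH]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the per-device key the agent stores and uses."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Passphrase straight to the localized key for one engine."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


# RFC 3414 A.3.1 test vector: passphrase "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC3414_KU_MD5 = "9faf3283884e92834ebc9847d8edd963"
RFC3414_KUL_MD5 = "526f5eed9fcce26f8964c2930787d82b"

# Constructed engine ID for a second device (not a real device's value).
OTHER_ENGINE_ID = bytes.fromhex("80000009030000aabbccdd01")

if __name__ == "__main__":
    ku = password_to_key(b"maplesyrup")
    kul = localize_key(ku, RFC3414_ENGINE_ID)
    print("Ku :", ku.hex(), "OK" if ku.hex() == RFC3414_KU_MD5 else "MISMATCH")
    print("Kul:", kul.hex(), "OK" if kul.hex() == RFC3414_KUL_MD5 else "MISMATCH")
    # Same passphrase, different engine ID: a different key on every device.
    print("Kul on another engine:", localized_key(b"maplesyrup", OTHER_ENGINE_ID).hex())
```

The 1 MiB expansion is a deliberate slow-down against offline guessing, but the passphrase is still the real secret: anyone who captures a localized key can only use it against that one engine, whereas a weak passphrase such as the placeholder in the configuration above can be brute-forced from any single captured authenticated packet.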