Access list for SNMP confusion.

llukman.halimi
Level 1

I am currently learning about SNMP and everything makes sense to me; it's just one thing that is confusing to me, and that is the access list that is applied. I know it's an optional configuration and not mandatory.

It's confusing me because the access list is set on the router (agent) and it is designed to protect the NMS from access; this is what I am not getting. The permit host 192.168.10.254 is meant to do that. Now, that IP address: is it the NMS station or the IP address of the device that has an agent on it? I just don't understand how it's meant to protect the NMS station when the access list is set on the router (agent), basically to allow that NMS access to that router. If someone could help, that would be wonderful.

I have attached the part of the book that I am confused about. It's Lammle's book on CCNA.

5 Replies

Hi

The ACL includes the ip addresses of the SNMP servers (trusted devices), so just these servers will be able to monitor the device.

If a SNMP server is not included on the ACL, the server will not be able to extract information from that specific device. It will protect your device from rogue SNMP servers or sniffers. 

This link could be useful:

http://www.cathayschool.com/using-access-lists-to-protect-snmp-access-a552.html

Please don't forget to rate the comment if it is useful.

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

I understand that but the book is talking about protecting the server not the devices it's mentioned in the attachment pic I put on here at the bottom of the page.

How is it protecting the NMS server? Because the book lists the IP address of the NMS server.

Hi,

It's the other way around, i.e. protect the router from rogue NMS polling servers.

The named ACL (Protect_NMS_Station) configured on the router just specifies the allowed NMS IP 192.168.10.254 to poll the router via SNMP.

In other words, only server IP 192.168.10.254 is allowed to SNMP poll the router.

I understand that, John, but why does it say in the book that the ACL protects the NMS from access and not the devices with the agents on them (routers, switches and so on)?

Deepak Kumar
VIP Alumni

Hi,

In simple words, this is your network diagram:

Router-------> Switch--------->SNMP Server (192.168.10.254).

There are many systems in your office, and without SNMP server security configuration on a router or switch, any other client or server can download SNMP traps using simple applications. This is a security breach. So you are going to configure security on the router.

What is meant by security:

Now, you set a condition in an ACL in the router for SNMP packets: "If someone with IP address 192.168.10.254 tries to download SNMP traps, consider it a trusted system and allow it to download traps. Any other system with another IP address is not allowed to download traps and is considered an untrusted system."

Please don't forget to rate the comment if it is useful.

Regards,

Deepak Kumar
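As an added illustration (not from the book or from any reply in this thread), here is the Cisco IOS configuration the replies describe: a standard named ACL that permits only the NMS at 192.168.10.254, bound to the SNMP community on the router (agent), shown next to the unrestricted form. The community string MYCOMMUNITY and the `deny any log` line are my own choices for the example.

```text
! Weak form: any host that knows the community string can poll this router
snmp-server community MYCOMMUNITY RO

! Hardened form: the ACL lives on the router (agent) and names the one trusted NMS
ip access-list standard Protect_NMS_Station
 permit host 192.168.10.254
 deny   any log
!
! Bind the ACL to the community; only the permitted NMS may read via SNMP
snmp-server community MYCOMMUNITY RO Protect_NMS_Station
!
! Verification: the community should show the ACL, and denied-hit counters
! on the ACL reveal polling attempts from addresses other than the NMS
! show snmp community
! show access-lists Protect_NMS_Station
```

The ACL is evaluated on the agent, so it restricts who may read the router; the NMS itself is never filtered by it.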
