Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12854
Views
5
Helpful
2
Replies

SNMP source-interface?

Jason Fraioli
Level 3
Level 3

‎10-23-2008 11:29 AM - edited ‎03-06-2019 02:07 AM

Is there a way to lockdown SNMP traffic so that it only transmits on a "management" VLAN? Obviously I could use access-lists, but I don't want to roll that out to all my switches. Surely there has to be a way to limit this traffic to a VLAN, then I can secure the VLAN at the core.

If this is not possible, what are the best practices for securing SNMP?

1 person had this problem
Labels:
0 Helpful
2 Replies 2

John Blakley
VIP Alumni
VIP Alumni

‎10-23-2008 11:32 AM

The only way I've ever done is is by acl. You should be able to assign a source interface depending on the model of your device:

snmp-server source-interface

--John

HTH, John *** Please rate all useful posts ***
0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to John Blakley

‎10-23-2008 02:22 PM

Jason

In my routers the snmp-server source-interface is only for traps and informs. And it only sets the source address of the packet. I do not believe that it sets the outbound interface (and in fact we have several machines where it transmits out interfaces that are not named as the source interface).

And there is an issue to consider about trying to do it by ACL. In IOS an outbound ACL examines traffic that passes through the router and is transmitted out the interface with the outbound ACL but the ACL does not examine traffic that is generated by the router/switch. So even if you configure outbound ACL it will not be able to stop the SNMP traffic.

And I wonder if you would really want to limit it by ACL. If the device generates an SNMP packet and your ACL would drop it, then you have effectively prevented communication between your device and the SNMP server. You might as well not configure SNMP.

If you want to think about securing SNMP then I would suggest that you think about the possibility of using SNMPv3 which is more secure than versions 1 or 2. And you should implement community strings that are non obvious. And you should implement access lists that work in conjunction with the community strings to limit what addresses are able to communicate SNMP to the device.

HTH

Rick

HTH

Rick
Customers Also Viewed These Support Documents