Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10112
Views
0
Helpful
9
Replies

SNMP v3 Access List with 3850 Switch

Jay_F
Level 1
Level 1

‎04-17-2019 06:02 AM

Hi,

Is there such  a thing as being able to use an access list for snmp v3 ? 

I am using SNMPv3 on our 3850 switches and want to restrict snmp traffic to be allowed from 1x IP - our Cisco Prime box. I had used this command:  snmp-server host <ip address> version 3 priv <username> is this the correct way of doing it or should/could I used an ACL to permit just this IP ?

Thanks in advance.

Labels:
0 Helpful
9 Replies 9

Mark Malone
VIP Alumni
VIP Alumni

‎04-17-2019 06:19 AM

Yes like this the X is the ACL number at the end , you will need the hidden snmpv3 user too , doesnt show in running config

snmp-server user XXXXXXXX XSNMPV3RW v3 auth SHA (KEY) priv aes (KEY) access X
snmp-server group XSNMPV3RW v3 priv write v3write access X
0 Helpful

Jay_F
Level 1
Level 1
In response to Mark Malone

‎04-17-2019 06:36 AM

I had used the following commands originally:

snmp-server group <name of snmp group> v3 priv

snmp-server user <username> <snmp group> v3 auth sha <AUTH_PASSWORD> priv aes 128 <PRIVACY_PASSWORD>

 

Then I thought this command would restrict but perhaps i'm wrong then:

snmp-server host <ip address of my prime box> version 3 auth <username>

 

So are you saying I could do away with this command snmp-server host <ip address of my prime box> version 3 auth <username> and perhaps use an ACL? Thanks for your help.

 

0 Helpful

Mark Malone
VIP Alumni
VIP Alumni
In response to Jay_F

‎04-17-2019 06:43 AM

Hi

Yes , you dont actually need the snmp server host in snmpv3 host what i provided is all i use , then the ACL contains your host machines

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame

‎04-17-2019 06:22 AM

Hi,

You can create an access list and apply it this way:

example:

snmp-server group test v3 auth access 10

 

HTH

0 Helpful

Jay_F
Level 1
Level 1
In response to Reza Sharifi

‎04-17-2019 06:42 AM

ive seen this example here:

Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1       
Router(config)#access-list 99 deny any 
Router(config)#snmp-server group COOKRO v1 access 99
Router(config)#snmp-server user TESTRO1 COOKRO v1   
Router(config)#end

 

do I take it that the IP 172.25.1.0 0.0.0.255 is the IP address of my switch (in this example)? and the permit permit host 10.1.1.1 (in this example) is the IP of my Prime box?  also what does this bit do: access-list 99 deny any  ?    

0 Helpful

Jaderson Pessoa
VIP Alumni
VIP Alumni

‎04-17-2019 07:16 AM - edited ‎04-17-2019 07:17 AM

@Jay_F hello,

 

i had a simple exemple running on my network;

 

snmp-server user TESTUSER TESTEGROUP v3 encrypted auth md5 TESTPASSWD priv des TESTPASSWD

snmp-server group TESTGROUP v3 priv write TESTPASSWD

snmp-server host 172.20.14.215 version 3 priv TESTUSER access 5

Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful

Jay_F
Level 1
Level 1
In response to Jaderson Pessoa

‎04-17-2019 08:02 AM

i'm not able to assign the access list like you have here:

 

snmp-server host 172.20.14.215 version 3 priv TESTUSER access 5

 

there is no option access ?

0 Helpful

Mark Malone
VIP Alumni
VIP Alumni
In response to Jay_F

‎04-17-2019 08:16 AM

dont see that option either on 3850 running ip service
The snmp config i provided earlier is a working snmpv3 config off our38s

snmp-server host 2.2.2.2 version 3 priv mark ?
auth-framework Allow SNMP CISCO-AUTH-FRAMEWORK-MIB traps
bridge Allow SNMP STP Bridge MIB traps
call-home Allow SNMP CISCO-CALLHOME-MIB traps
config Allow SNMP config traps
config-copy Allow SNMP config-copy traps
config-ctid Allow SNMP config-ctid traps
copy-config Allow SNMP copy-config traps
cpu Enable CPU notifications
cpu_threshold Enables CPU threshold notifications
entity Allow SNMP entity traps
envmon Allow environmental monitor traps
errdisable Allow errordisable notifications
event-manager Allow SNMP Embedded Event Manager traps
flash Allow SNMP FLASH traps
flowmon Allow SNMP flow monitor notifications
fru-ctrl Allow entity FRU control traps
ipsla Allow SNMP Host IP SLA traps
license Allow license traps
mac-notification Allow SNMP MAC Notification Traps
memory Enable MEMORY traps
port-security Allow SNMP port-security traps
power-ethernet Allow SNMP power ethernet traps
rf Enable all SNMP traps defined in CISCO-RF-MIB
snmp Allow SNMP-type notifications
stackwise Allow SNMP stackwise traps
storm-control Allow SNMP storm-control traps
stpx Allow SNMP STPX MIB traps
syslog Allow SNMP syslog traps
tty Allow TCP connection traps
udp-port The notification host's UDP port number (default port 162)
vlan-membership Allow SNMP VLAN membership traps
vlancreate Allow SNMP VLAN created traps
vlandelete Allow SNMP VLAN deleted traps
vrfmib Allow SNMP vrfmib traps
vstack Allow SNMP Smart Install traps
vtp Allow SNMP VTP traps
wireless wireless
<cr>


This guide is handy too
http://ciscorouterswitch.over-blog.com/article-how-to-configure-snmp-v3-on-cisco-asa-and-ios-117417981.html
0 Helpful

Jaderson Pessoa
VIP Alumni
VIP Alumni
In response to Jay_F

‎04-17-2019 08:31 AM

Sorry,

 

snmp-server user TESTUSER TESTEGROUP v3 encrypted auth md5 TESTPASSWD priv des TESTPASSWD  access 5  << this is here

snmp-server group TESTGROUP v3 priv write TESTPASSWD

snmp-server host 172.20.14.215 version 3 priv TESTUSER

Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card