SNMPv3 ACL restriction on WLC

Anton Zvonarev
Level 1

Hello colleagues, 
WLC 5508 / 2504 8.3.112 

PI 3.2 

SNMPv3 AuthPriv

 

I haven't found any way to restrict the SNMPv3 communication with an ACL that points to NMS/32. 
However, it's possible for SNMPv2c via config snmp community ipaddr ip-address ip-mask name

as stated in 8.3 Configuration guide. 


Is there a way to do that, or does the Trap receiver part perform this function on WLCs?

Thank you in advance. 


Regards, 

Anton Z


4 Replies

Ric Beeching
Level 7

You can use a CPU ACL to restrict SNMP access to a single host but permit everything else afterwards so you don't lose any other connectivity, e.g.:

 

1) Permit CPI to WLC on SNMP ports

2) Permit WLC to CPI on SNMP ports

3) Deny everything else on SNMP ports

4) Permit ip any any

 

It'd be better to do this on a firewall rather than the WLC and make sure you don't forget the permit ip any any at bottom or you'll lose access to your WLC and your APs will too. The idea is to only restrict the SNMP access at the top and let everything else through.

 

Seeing as you are using secure SNMPv3 users, why do you need to restrict the access?

 

 

-----------------------------
Please rate helpful / correct posts
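The four rules Ric lists, written out as an AireOS 8.3 CPU ACL. This is an added example, not code from Ric's post or from Cisco documentation: the NMS address 10.0.0.10/32 is a constructed placeholder for the Prime Infrastructure server, the ACL name SNMP-RESTRICT is arbitrary, and the CPU-ACL direction semantics (rule direction "in" = traffic towards the controller CPU, "out" = traffic sourced by the CPU) are assumed and should be confirmed against the release's configuration guide. Lines beginning with "!" are annotations, not commands.

```aireos
! Added example (not from the thread or Cisco docs). Assumed NMS: 10.0.0.10/32.
config acl create SNMP-RESTRICT

! Rule 1: SNMP polls from the NMS to the controller (UDP/161, towards CPU)
config acl rule add SNMP-RESTRICT 1
config acl rule action SNMP-RESTRICT 1 permit
config acl rule protocol SNMP-RESTRICT 1 17
config acl rule source address SNMP-RESTRICT 1 10.0.0.10 255.255.255.255
config acl rule destination address SNMP-RESTRICT 1 0.0.0.0 0.0.0.0
config acl rule destination port range SNMP-RESTRICT 1 161 161
config acl rule direction SNMP-RESTRICT 1 in

! Rule 2: SNMP responses from the controller back to the NMS (source UDP/161)
config acl rule add SNMP-RESTRICT 2
config acl rule action SNMP-RESTRICT 2 permit
config acl rule protocol SNMP-RESTRICT 2 17
config acl rule source address SNMP-RESTRICT 2 0.0.0.0 0.0.0.0
config acl rule destination address SNMP-RESTRICT 2 10.0.0.10 255.255.255.255
config acl rule source port range SNMP-RESTRICT 2 161 161
config acl rule direction SNMP-RESTRICT 2 out

! Rule 3: traps/informs from the controller to the NMS (destination UDP/162)
config acl rule add SNMP-RESTRICT 3
config acl rule action SNMP-RESTRICT 3 permit
config acl rule protocol SNMP-RESTRICT 3 17
config acl rule source address SNMP-RESTRICT 3 0.0.0.0 0.0.0.0
config acl rule destination address SNMP-RESTRICT 3 10.0.0.10 255.255.255.255
config acl rule destination port range SNMP-RESTRICT 3 162 162
config acl rule direction SNMP-RESTRICT 3 out

! Rule 4: deny SNMP (UDP/161-162) to or from anyone else, both directions
config acl rule add SNMP-RESTRICT 4
config acl rule action SNMP-RESTRICT 4 deny
config acl rule protocol SNMP-RESTRICT 4 17
config acl rule source address SNMP-RESTRICT 4 0.0.0.0 0.0.0.0
config acl rule destination address SNMP-RESTRICT 4 0.0.0.0 0.0.0.0
config acl rule destination port range SNMP-RESTRICT 4 161 162
config acl rule direction SNMP-RESTRICT 4 any

! Rule 5: the "permit ip any any" at the bottom. A CPU ACL ends with an
! implicit deny, so without this rule CAPWAP from the APs and SSH/HTTPS
! management to the controller are dropped as well.
config acl rule add SNMP-RESTRICT 5
config acl rule action SNMP-RESTRICT 5 permit
config acl rule protocol SNMP-RESTRICT 5 any
config acl rule source address SNMP-RESTRICT 5 0.0.0.0 0.0.0.0
config acl rule destination address SNMP-RESTRICT 5 0.0.0.0 0.0.0.0
config acl rule direction SNMP-RESTRICT 5 any

! Review the rule order before binding, then apply to the CPU and confirm
show acl detailed SNMP-RESTRICT
config acl cpu SNMP-RESTRICT
show acl cpu

! Verification: with counters on, a poll from the NMS should increment rule 1
! and a poll from any other host should increment rule 4
config acl counter start
show acl detailed SNMP-RESTRICT

save config

! Roll back from the console if management access is lost:
! config acl cpu none
```

Apply it from the console rather than over SSH the first time, so a mistake in rule 5 does not lock you out of the box you are configuring.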

Hey Ric,


Thanks for the reply. 
Yes, it's possible to do it like this or on the firewall but I was looking for a more native solution done on the device itself as it works on switches & routers. 

 

> Seeing as you are using secure SNMPv3 users, why do you need to restrict the access?
I was following the best practice described in ICND2 certification guide. 
Do you think it's not necessary in this case as SNMPv3 provides enough security already?

Well I guess it's as secure as wherever you store the credentials. The communication itself is encrypted using the chosen settings e.g. SHA AES 128 so personally I would trust in that and not go through the hassle of a CPU ACL but it's completely up to you of course!

-----------------------------
Please rate helpful / correct posts

Thanks for your answers!
I decided to leave it as it is. 

 

FYI: the accounts are stored in AD. 
