SNMPv3 ACL restriction on WLC

Hello colleagues,

WLC 5508 / 2504, release 8.3.112
PI 3.2
SNMPv3 AuthPriv

I haven't found any way to restrict SNMPv3 communication with an ACL that points to NMS/32.
However, it's possible for SNMPv2c via config snmp community ipaddr ip-address ip-mask name, as stated in the 8.3 Configuration Guide.

Is there a way to do that, or does the Trap Receiver part perform this function on WLCs?

Thank you in advance.

Regards,

Anton Z

Accepted Solution

Re: SNMPv3 ACL restriction on WLC

Well, I guess it's as secure as wherever you store the credentials. The communication itself is encrypted using the chosen settings, e.g. SHA / AES 128, so personally I would trust in that and not go through the hassle of a CPU ACL, but it's completely up to you of course!

-----------------------------
Please rate helpful / correct posts

4 Replies

Re: SNMPv3 ACL restriction on WLC

You can use a CPU ACL to restrict SNMP access to a single host but permit everything else afterwards, so you don't lose any other connectivity, e.g.:

1) Permit CPI to WLC on SNMP ports

2) Permit WLC to CPI on SNMP ports

3) Deny everything else on SNMP ports

4) Permit ip any any

It'd be better to do this on a firewall rather than the WLC, and make sure you don't forget the permit ip any any at the bottom, or you'll lose access to your WLC and your APs will too. The idea is to only restrict the SNMP access at the top and let everything else through.

Seeing as you are using secure SNMPv3 users, why do you need to restrict the access?

-----------------------------
Please rate helpful / correct posts
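An added illustration of the ordered ACL logic in the reply above (example code written for this page, not from the thread, from Cisco, or from the WLC itself): a small first-match ACL evaluator with the four rules, run against constructed packets so you can see why the trailing permit ip any any matters. It models generic ordered ACL evaluation with an implicit deny at the end, not the WLC's own CPU ACL implementation, and the addresses, port numbers for CAPWAP (UDP 5246) and the sample packets are assumptions for the demonstration.

```python
"""First-match ACL evaluator for the 4-rule SNMP CPU ACL described in the thread.

Constructed example: addresses come from the RFC 5737 documentation ranges,
not from the thread, and the evaluator is a generic model, not WLC code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

SNMP_PORTS: FrozenSet[int] = frozenset({161, 162})  # SNMP agent / trap receiver
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                                  # "permit" or "deny"
    src: str                                     # source network, CIDR
    dst: str                                     # destination network, CIDR
    proto: str                                   # "udp", "tcp" or "ip" (= any)
    dst_ports: Optional[FrozenSet[int]] = None   # None = any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dst_ports is None or pkt.dst_port in rule.dst_ports


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Ordered first-match evaluation; anything unmatched hits the implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def build_cpu_acl(nms: str, wlc: str, final_permit: bool = True) -> List[Rule]:
    """The four steps from the reply: NMS<->WLC SNMP, deny other SNMP, permit rest."""
    acl = [
        Rule("permit", nms, wlc, "udp", SNMP_PORTS),   # 1) NMS -> WLC on SNMP ports
        Rule("permit", wlc, nms, "udp", SNMP_PORTS),   # 2) WLC -> NMS on SNMP ports
        Rule("deny", ANY, ANY, "udp", SNMP_PORTS),     # 3) everything else on SNMP
    ]
    if final_permit:
        acl.append(Rule("permit", ANY, ANY, "ip"))     # 4) permit ip any any
    return acl


# Constructed sample hosts (RFC 5737 documentation addresses).
WLC = "192.0.2.10/32"   # controller management interface
NMS = "192.0.2.20/32"   # Prime Infrastructure

SAMPLES: Dict[str, Packet] = {
    "nms_poll":   Packet("192.0.2.20", "192.0.2.10", "udp", 161),   # PI polls WLC
    "wlc_trap":   Packet("192.0.2.10", "192.0.2.20", "udp", 162),   # WLC sends trap
    "rogue_poll": Packet("198.51.100.5", "192.0.2.10", "udp", 161), # other host, SNMP
    "ap_capwap":  Packet("192.0.2.50", "192.0.2.10", "udp", 5246),  # AP CAPWAP control
    "admin_ssh":  Packet("192.0.2.30", "192.0.2.10", "tcp", 22),    # admin SSH
}


def decisions(final_permit: bool = True) -> Dict[str, str]:
    """Decision for every sample packet, with or without the trailing permit."""
    acl = build_cpu_acl(NMS, WLC, final_permit)
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print("with permit ip any any:   ", decisions(True))
    print("without permit ip any any:", decisions(False))
```

With the final permit, only the non-NMS SNMP poll is dropped; without it, the implicit deny also drops the AP's CAPWAP control traffic and the admin's SSH session, which is exactly the lockout the reply warns about.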

Re: SNMPv3 ACL restriction on WLC

Hey Ric,

Thanks for the reply.
Yes, it's possible to do it like this or on the firewall, but I was looking for a more native solution done on the device itself, as it works on switches & routers.

>Seeing as you are using secure SNMPv3 users, why do you need to restrict the access?
I was following the best practice described in the ICND2 certification guide.
Do you think it's not necessary in this case, as SNMPv3 provides enough security already?


Re: SNMPv3 ACL restriction on WLC

Thanks for your answers!
I decided to leave it as is.

FYI: the accounts are stored in AD.
