09-13-2017 04:56 AM - edited 07-05-2021 07:38 AM
Hello colleagues,
WLC 5508 / 2504 8.3.112
PI 3.2
SNMPv3 AuthPriv
I haven't found any way to restrict the SNMPv3 communication with an ACL that points to NMS/32.
However, it's possible for SNMPv2c via config snmp community ipaddr ip-address ip-mask name
as stated in 8.3 Configuration guide.
Is there a way to do that, or does the Trap Receiver part perform this function on WLCs?
Thank you in advance.
Regards,
Anton Z
09-13-2017 06:33 AM
You can use a CPU ACL to restrict SNMP access to a single host but permit everything else afterwards so you don't lose any other connectivity, e.g.:
1) Permit CPI to WLC on SNMP ports
2) Permit WLC to CPI on SNMP ports
3) Deny everything else on SNMP ports
4) Permit ip any any
It'd be better to do this on a firewall rather than the WLC and make sure you don't forget the permit ip any any at bottom or you'll lose access to your WLC and your APs will too. The idea is to only restrict the SNMP access at the top and let everything else through.
Seeing as you are using secure SNMPv3 users, why do you need to restrict the access?
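The four rules above are processed top-down, first match wins, so the order and the closing permit decide whether the controller stays reachable. As an added illustration that is not part of this thread and not WLC CLI, here is a small Python model of that first-match evaluation; the NMS, WLC, admin and AP addresses are constructed, and the helper names are my own. It also shows what dropping the final permit does to SSH and CAPWAP traffic, which is the lock-out Ric warns about.

```python
# Added example (not from the thread): a first-match model of the four-rule
# CPU ACL described above, used to sanity-check ordering before touching a
# controller. All addresses and flow names below are constructed.
from ipaddress import ip_address, ip_network

SNMP_PORTS = {161, 162}            # SNMP agent and trap ports
NMS = ip_network("10.0.0.10/32")   # constructed Prime Infrastructure host
WLC = ip_network("10.0.0.1/32")    # constructed WLC management address
ANY = ip_network("0.0.0.0/0")

# Rule tuple: (action, source network, destination network, port set or None).
# A port set matches when either the source or the destination port is in it,
# so rule 2 covers both SNMP responses (from 161) and traps (to 162).
RULES = [
    ("permit", NMS, WLC, SNMP_PORTS),  # 1) CPI -> WLC on SNMP ports
    ("permit", WLC, NMS, SNMP_PORTS),  # 2) WLC -> CPI on SNMP ports
    ("deny",   ANY, ANY, SNMP_PORTS),  # 3) deny everything else on SNMP ports
    ("permit", ANY, ANY, None),        # 4) permit ip any any
]


def evaluate(rules, src, dst, sport, dport):
    """Walk the rules top-down and return the first matching action.

    Like a real ACL, anything that matches no rule is implicitly denied.
    """
    src, dst = ip_address(src), ip_address(dst)
    for action, rule_src, rule_dst, ports in rules:
        port_ok = ports is None or sport in ports or dport in ports
        if src in rule_src and dst in rule_dst and port_ok:
            return action
    return "deny"


# Constructed non-SNMP flows the controller must keep accepting.
MANAGEMENT_FLOWS = {
    "ssh-admin": ("10.0.0.50", "10.0.0.1", 40000, 22),      # admin SSH to WLC
    "capwap-ap": ("10.0.1.5", "10.0.0.1", 5246, 5246),      # AP CAPWAP control
}


def blocked_management_flows(rules):
    """Names of the constructed management flows that the given ACL would drop."""
    return [
        name
        for name, flow in MANAGEMENT_FLOWS.items()
        if evaluate(rules, *flow) == "deny"
    ]


if __name__ == "__main__":
    print("NMS poll   :", evaluate(RULES, "10.0.0.10", "10.0.0.1", 40000, 161))
    print("other poll :", evaluate(RULES, "10.0.0.99", "10.0.0.1", 40000, 161))
    print("full ACL blocks     :", blocked_management_flows(RULES))
    print("without rule 4 blocks:", blocked_management_flows(RULES[:-1]))
```

Running the block shows the NMS poll permitted, a poll from any other host denied by rule 3, and nothing else blocked; with rule 4 removed, both the admin SSH session and the AP CAPWAP flow fall through to the implicit deny, which is exactly the lock-out to avoid.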
09-13-2017 06:37 AM
Hey Ric,
Thanks for the reply.
Yes, it's possible to do it like this or on the firewall but I was looking for a more native solution done on the device itself as it works on switches & routers.
>Seeing as you are using secure SNMPv3 users, why do you need to restrict the access?
I was following the best practice described in ICND2 certification guide.
Do you think it's not necessary in this case as SNMPv3 provides enough security already?
09-13-2017 08:07 AM
Well I guess it's as secure as wherever you store the credentials. The communication itself is encrypted using the chosen settings e.g. SHA AES 128 so personally I would trust in that and not go through the hassle of a CPU ACL but it's completely up to you of course!
09-13-2017 12:22 PM
Thanks for your answers!
I decided to leave it as it is.
FYI: the accounts are stored in AD.