Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

SNMP source-interface?

Is there a way to lockdown SNMP traffic so that it only transmits on a "management" VLAN? Obviously I could use access-lists, but I don't want to roll that out to all my switches. Surely there has to be a way to limit this traffic to a VLAN, then I can secure the VLAN at the core.

If this is not possible, what are the best practices for securing SNMP?

2 REPLIES

Re: SNMP source-interface?

The only way I've ever done is is by acl. You should be able to assign a source interface depending on the model of your device:

snmp-server source-interface

--John

HTH, John *** Please rate all useful posts ***
Hall of Fame Super Gold

Re: SNMP source-interface?

Jason

In my routers the snmp-server source-interface is only for traps and informs. And it only sets the source address of the packet. I do not believe that it sets the outbound interface (and in fact we have several machines where it transmits out interfaces that are not named as the source interface).

And there is an issue to consider about trying to do it by ACL. In IOS an outbound ACL examines traffic that passes through the router and is transmitted out the interface with the outbound ACL but the ACL does not examine traffic that is generated by the router/switch. So even if you configure outbound ACL it will not be able to stop the SNMP traffic.

And I wonder if you would really want to limit it by ACL. If the device generates an SNMP packet and your ACL would drop it, then you have effectively prevented communication between your device and the SNMP server. You might as well not configure SNMP.

If you want to think about securing SNMP then I would suggest that you think about the possibility of using SNMPv3 which is more secure than versions 1 or 2. And you should implement community strings that are non obvious. And you should implement access lists that work in conjunction with the community strings to limit what addresses are able to communicate SNMP to the device.

HTH

Rick

5464
Views
0
Helpful
2
Replies
CreatePlease to create content