Is there a way to lock down SNMP traffic so that it only transmits on a "management" VLAN? Obviously I could use access-lists, but I don't want to roll that out to all my switches. Surely there has to be a way to limit this traffic to a VLAN, then I can secure the VLAN at the core.
If this is not possible, what are the best practices for securing SNMP?
In my routers the snmp-server source-interface is only for traps and informs. And it only sets the source address of the packet. I do not believe that it sets the outbound interface (and in fact we have several machines where it transmits out interfaces that are not named as the source interface).
And there is an issue to consider about trying to do it by ACL. In IOS an outbound ACL examines traffic that passes through the router and is transmitted out the interface with the outbound ACL but the ACL does not examine traffic that is generated by the router/switch. So even if you configure outbound ACL it will not be able to stop the SNMP traffic.
And I wonder if you would really want to limit it by ACL. If the device generates an SNMP packet and your ACL would drop it, then you have effectively prevented communication between your device and the SNMP server. You might as well not configure SNMP.
If you want to think about securing SNMP then I would suggest that you think about the possibility of using SNMPv3, which is more secure than versions 1 or 2. And you should implement community strings that are non-obvious. And you should implement access lists that work in conjunction with the community strings to limit what addresses are able to communicate SNMP to the device.
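To make the answer above concrete, here is an IOS configuration fragment that puts the pieces together: an ACL bound to the SNMP group/user (so the device only answers managers in the management subnet), SNMPv3 with authentication and encryption, and the trap source pinned to the management SVI. This is an added example, not configuration from the original poster or from Cisco documentation; the VLAN number, subnet, manager address, user and group names are constructed, and the passphrases are placeholders.

```cisco
! Management subnet that is allowed to talk SNMP to this device (constructed example)
ip access-list standard SNMP-MGMT
 permit 10.10.10.0 0.0.0.255
 deny   any log

! Read-only view covering the whole MIB tree
snmp-server view RO-VIEW iso included

! SNMPv3 group: authPriv required, read-only, and the ACL applies to every user in it
snmp-server group NMS-RO v3 priv read RO-VIEW access SNMP-MGMT

! SNMPv3 user with SHA authentication and AES-128 privacy; replace the placeholders
snmp-server user nms-poller NMS-RO v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE> access SNMP-MGMT

! Traps are sourced from the management SVI (this sets the source address only,
! not the egress interface, as the answer above notes)
snmp-server source-interface traps Vlan10
snmp-server host 10.10.10.50 version 3 priv nms-poller
snmp-server enable traps snmp authentication linkdown linkup coldstart

! If a v2c community must remain for a legacy poller, tie it to the same ACL
! and keep it read-only; omit this block entirely where v3 is sufficient
snmp-server community <NON-OBVIOUS-STRING> RO SNMP-MGMT
```

The `deny any log` entry in the ACL means polling attempts from outside the management subnet show up in the device log, which is a useful detection signal for misplaced or unauthorised pollers. Because the ACL is attached at the group and user level, it restricts which source addresses the device will answer regardless of which interface the request arrives on, which addresses the original question without per-interface ACLs on every switch.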