SNMP question

HMidkiff
Level 1

I have SNMP configured on all of my internal routers with read write. Because I am behind a firewall I don't think this is a problem. I have 2 routers on the outside that I want to configure SNMP on. I am concerned about the security risks of doing this. I need to use SNMP. Can I configure SNMP so only a specific IP can poll the router for its information?

6 Replies

nhabib
Level 9

Yes, you may configure SNMP so only a specific IP address can poll the router.

Let's say your server's IP address is 10.10.10.10 and your community string is public. You would do something like this:

access-list 15 permit 10.10.10.10

snmp-server community public ro 15

I tried it with the following config, but other hosts could poll SNMP information from the router. Any ideas?

access-list 15 permit 10.1.1.100

snmp-server engineID local 8000000903000009E8A8BE81

snmp-server community Public RO 15

snmp-server enable traps snmp

snmp-server enable traps isdn call-information

snmp-server host 10.1.1.100 Public snmp

Assuming those other hosts were using "Public", then it should not be possible. What kind of router is this? What IOS is it running?

It is a 2621 running IOS 12.1

This looks like some kind of a bug to me.

Just remove the SNMP config from the router once, write the config, then reboot the router, reapply it again, and check.
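
A defensive check for the kind of configuration discussed in this thread, as an added example that is not part of any poster's reply: this Python code audits IOS config text and reports, for each snmp-server community line, whether it is read-write, unrestricted, or tied to an access list that is missing or permits any source. It assumes numbered standard access lists only; the sample config and the community names netops, monitor and backup are constructed.

```python
import re

# Constructed sample config, modelled on the lines quoted in the thread.
SAMPLE_CONFIG = """\
access-list 15 permit 10.1.1.100
access-list 16 permit any
snmp-server community Public RO 15
snmp-server community netops RW
snmp-server community monitor RO 16
snmp-server community backup RO 22
snmp-server host 10.1.1.100 Public snmp
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+?)\s*$", re.I)
COMM_RE = re.compile(
    r"^snmp-server\s+community\s+(\S+)(?:\s+view\s+\S+)?"
    r"(?:\s+(ro|rw))?(?:\s+(\d+))?\s*$", re.I)


def audit_snmp(config_text):
    """Return {community: [findings]} for every snmp-server community line."""
    acls, communities = {}, []
    for line in config_text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2).lower(), m.group(3)))
        elif m := COMM_RE.match(line):
            communities.append(m.groups())
    report = {}
    for name, mode, acl in communities:
        findings = []
        if name.lower() in ("public", "private"):
            findings.append("guessable community string")
        if (mode or "ro").lower() == "rw":  # a community with no keyword is read-only
            findings.append("read-write access")
        if acl is None:
            findings.append("no access list: any source address can poll")
        elif acl not in acls:
            findings.append(f"access list {acl} is not defined in this config")
        elif any(act == "permit" and src.startswith("any") for act, src in acls[acl]):
            findings.append(f"access list {acl} permits any source")
        report[name] = findings
    return report


if __name__ == "__main__":
    for community, findings in audit_snmp(SAMPLE_CONFIG).items():
        print(community, "->", "; ".join(findings) or "restricted by access list")
```

An empty findings list means the community is read-only, not a guessable string, and bound to a defined access list that does not permit any source.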