Cisco Support Community

New Member

ACL to secure SNMP - I need help on this please

Hi,

I have added the following standard ACL to my router to limit SNMP access only to my Ciscoworks LMS server or SNMP server, but I don't know if I need to enforce it with an access group or not. I believe that I need to, but I am not sure how.

access-list 90 permit host 10.1.1.139

access-list 90 deny any log

snmp-server community XXXXXXX ro 90

Please help me understand the need for the access-group and, if I need it, would it be something like this:

access-group 90 in

applied to ether Interface?

This is my internal gateway router. All of the users have the ether0 address of this router as their default gateway.

Thx,

Masood

3 REPLIES
Gold

Re: ACL to secure SNMP - I need help on this please

You have everything you need. The 90 on the end of the snmp-server line applies it.

You could put a similar access list on the interfaces but that would serve no purpose since this one is the one that takes effect. In some cases people place SNMP access lists on interfaces to prevent IP address spoofing since SNMP is UDP based, but in your case you are most likely OK with just this.

Hall of Fame Super Silver

Re: ACL to secure SNMP - I need help on this please

I believe that Masood starts from a valid understanding of an important principle of access lists: after you create an access list you must assign it (creating an access list without assigning it does not affect any traffic). If you want the access list to filter packets on an interface you use the access-group command to assign the access list to the interface.

And Tim is correct that to use an access list to control SNMP access to the router all you need to do is to add the access list number on the command that defines the community string. This is the assignment of the access list. So Masood does not need to take any additional action.

HTH

Rick
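
The replies above agree that the ACL number at the end of the snmp-server community line is what assigns the ACL to SNMP. As an added example (not posted by anyone in this thread), the following Python check reads a saved IOS configuration and reports, for each community string, whether a numbered standard ACL is attached, defined, and actually restrictive. The sample configuration, the placeholder community strings and the function names are constructed for illustration; only numbered standard ACLs are handled.

```python
import re

# Constructed sample config (not from the thread); community strings are placeholders.
SAMPLE_CONFIG = """\
access-list 90 permit host 10.1.1.139
access-list 90 deny any log
access-list 91 permit any
snmp-server community EXAMPLE-A ro 90
snmp-server community EXAMPLE-B ro
snmp-server community EXAMPLE-C ro 91
snmp-server community EXAMPLE-D rw 95
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")
COMMUNITY_RE = re.compile(r"^snmp-server\s+community\s+(\S+)\s*(.*)$")
ANY_SOURCES = ("any", "0.0.0.0 255.255.255.255")


def permits_any(entries):
    """First-match walk: True if a 'permit any' is reached before a 'deny any'."""
    for action, source in entries:
        if source.startswith(ANY_SOURCES):
            return action == "permit"
    return False  # only specific sources are permitted; implicit deny covers the rest


def audit_snmp_acls(config):
    """Map each community string to a finding about the ACL on its line."""
    acls, findings = {}, {}
    lines = [l.strip() for l in config.splitlines()]
    for m in filter(None, map(ACL_RE.match, lines)):
        acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    for m in filter(None, map(COMMUNITY_RE.match, lines)):
        tokens = m.group(2).split()
        acl = tokens[-1] if tokens and tokens[-1].isdigit() else None
        if acl is None:
            findings[m.group(1)] = "no ACL on community line"
        elif acl not in acls:
            findings[m.group(1)] = f"ACL {acl} referenced but not defined"
        elif permits_any(acls[acl]):
            findings[m.group(1)] = f"ACL {acl} permits any source"
        else:
            findings[m.group(1)] = f"restricted by ACL {acl}"
    return findings


if __name__ == "__main__":
    for community, finding in audit_snmp_acls(SAMPLE_CONFIG).items():
        print(f"{community}: {finding}")
```
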

New Member

Re: ACL to secure SNMP - I need help on this please

Thanks to both of you.
