Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Restriciting SNMP access


I am looking for a way that I can limit (block) all snmp requests to any switch/router except from a few specified hosts.

Can anyone let me know the ways. I guess acls are one way but any other method would be highly appreciated. What does the snmp-server group command do?



Re: Restriciting SNMP access

Best practices recommend applying ACLs to community strings and ensuring that the community strings for requests are not identical to community strings used for notifications. Access-lists provide further protection when used in combination with other protective measures. Using different community strings for requests and trap messages reduce the likelihood of further compromises if the community string is discovered, whether by compromising a remote device or by sniffing a trap message from the network without authorization. You can find access-lists examples on CCO. As for the details of the above command, refer to the IOS command reference on CCO for the details.

New Member

Re: Restriciting SNMP access

Thanks rmushtaq for the reply. You have mentioned "Best practices" so is there was any other way other than ACLs.

for eg. If I use the snmp-server host A.B.C.D command. Will this restrict snmp only from this particular host and no other device? (i.e. the router/switch will not respond to any other snmp queries from any other device) Or is this command only for snmp notifications and to be used only with the snmp-server traps commands?

Thanks in advance.


Re: Restriciting SNMP access

snmp-server host A.B.C.D command will not restrict any host. This is only for sending traps to a specific host a.b.c.d. One simple example could be to apply an extended access list to deny protocol UDP, port 161 and 162, at the interface level such that SNMP access to the device is allowed only from the network management workstations. This can be done using:

access-list 100 permit ip host any

access-list 100 deny udp any any eq snmp

access-list 100 deny udp any any eq snmptrap

access-list 100 permit ip any any

where is the trusted network management station. This access list must be applied to all interfaces using:

interface serial 0 ip

access-group 100 in

This will not prevent spoofed IP packets with the source IP address set to that of the network management station from reaching the switch's management interface. The access-list statement containing "snmptrap" will prevent notification messages from entering the network when it is applied at the network edge.

New Member

Re: Restriciting SNMP access

Thanks, rmushtaq, for taking the time to give an example as well.

New Member

Re: Restriciting SNMP access

One more question regarding this matter..

All my routers are RSM's and our network is mainly Lan extensions. Now for the routers , can i just apply the acl on vlan1 or do I have to apply to all the vlans? What I am trying to find out here is if snmp will use vlan1 (being mgmt) to communicate with the router?

P.S. We arent using vlans in our network (just one big vlan in reality) Only using vlans to identify the interfaces on the routers.

New Member

Re: Restriciting SNMP access

you can also use:

snmp-server community xxxxxxx RW yy

where x is your community string and y is a simple ACL number.

y would look like:

access-list yy permit z.z.z.z

where z is the server you want to allow thru.

you can obviously do the same for a RO string.