How can I secure SNMP on an Internet router?

Can I securely add SNMP communities to an Internet router so I can capture syslog information via a secondary router interface internally? This router in question is an ISP router. If so, should I add deny statements in my ACL for SNMP on the outside/Internet interface?

Thanks !!
NCHADMIN asked:

JFrederick29 commented:
Actually, don't even use an interface access-list but rather bind it to the SNMP community.

For example:

access-list 1 permit host <syslog server>

snmp-server community ******** RO 1    <-- the "1" references access-list 1, which only allows the syslog server to SNMP-poll the router.

JFrederick29 commented:
I would bind an ACL to the SNMP community string with the ACL only allowing your management servers. I would only do RO community strings and not read/write unless you have a need for RW access.

NCHADMIN (author) commented:
Thanks !! So pretty much deny all access to the internal interface and allow UDP for the internal syslog server ... For example:

snmp-server community ********** RO

access-list 112 permit udp host (syslog server) host (internal interface)
access-list 112 deny ip any any

interface ethernet 0/0
ip access-group 112 in


That is a shortened ACL I have on the internal interface ...
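Added example (not part of the thread above) putting the two answers together in IOS syntax: the community-bound ACL, a read-only community, an SNMPv3 authPriv alternative, and the syslog export the question actually wants, which is an outbound path separate from SNMP polling. Assumed: 192.0.2.10 is the management/syslog server, Ethernet0/0 is the internal interface as in the thread, Ethernet0/1 is the Internet-facing one, and the angle-bracket values are placeholders.

```cisco
! Weak configuration this replaces: default-style community, read-write, no ACL
! snmp-server community public RW
!
! Only the management host may poll; log anything else that tries
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
!
! Read-only community bound to access-list 10 and limited to a view
snmp-server view MGMT-VIEW iso included
snmp-server community <RO-COMMUNITY> view MGMT-VIEW RO 10
!
! Preferred where the poller supports it: SNMPv3 with authentication and
! encryption, still restricted to access-list 10 (placeholder passphrases)
snmp-server group MGMT-GROUP v3 priv read MGMT-VIEW access 10
snmp-server user nms-poller MGMT-GROUP v3 auth sha <AUTH-PASS> priv aes 128 <PRIV-PASS>
!
! Syslog is router -> server over UDP/514, sourced from the internal interface;
! no inbound SNMP rule is needed for it
logging host 192.0.2.10
logging source-interface Ethernet0/0
logging trap informational
!
! Defence in depth on the Internet side: drop SNMP before the community ACL is consulted
ip access-list extended OUTSIDE-IN
 remark block SNMP (UDP 161) and traps (UDP 162) from the Internet
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 remark existing permit statements for transit traffic follow here
!
interface Ethernet0/1
 ip access-group OUTSIDE-IN in
```

With this in place, a poll from any host other than 192.0.2.10 is refused by the community ACL (and logged by the deny line), while syslog still leaves via the internal interface.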