Solved

Secure SNMP with ACL on Cisco Router

Posted on 2014-11-28
9
334 Views
Last Modified: 2014-11-28
I am trying to secure SNMP connections to a specific IP address on a cisco 2821 router but am having issues.  I thought the below config would would secure it but i must be missing something.  Any suggestions?

access-list 12 permit 10.x.x.x
access-list 12 deny any

snmp-server community "public" RO 12

Thanks,
0
Comment
Question by:timkrampe1
  • 4
  • 3
  • 2
9 Comments
 
LVL 1

Author Comment

by:timkrampe1
ID: 40470506
I did not apply that to the interface.
0
 
LVL 25

Expert Comment

by:Ken Boone
ID: 40470534
One comment.  You probably used "Public" as an example.  But if you didn't use something other than public.
0
 
LVL 1

Author Comment

by:timkrampe1
ID: 40470539
Public was just an example.
0
Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

 
LVL 25

Expert Comment

by:Ken Boone
ID: 40470543
Excellent.. just checking! ;)
0
 
LVL 28

Expert Comment

by:Predrag Jovic
ID: 40470571
Your config should work OK, but in some versions Cisco says that config need to be a little different.
Maybe that's your case.
Go to page 4
0
 
LVL 1

Author Comment

by:timkrampe1
ID: 40470834
Following that guide didn't work either.  If i add the above ACL to an interface could it block all traffic except port 161?
0
 
LVL 28

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 40470856
Yes, you can add ACL to interface, but you need to allow traffic to other destinations and forbid just access to router from that network, block all traffic except port 161 will kill traffic completely.
I think some variation on next extended ACL can be used
- permit access to router from host address //host(s) that need to access router - maintenance, network monitoring etc
- deny access to router from rest of network
- permit any any //to allow fraffic to other destinations
0
 
LVL 1

Author Closing Comment

by:timkrampe1
ID: 40470981
Setting the ACL on the interface did the trick.  Thanks.

Basic config is:

access-list 100 deny   udp any any eq 161

access-list 100 permit ip any any

int xx
ip access-group 100 in
ip access-group 100 out
0
 
LVL 28

Expert Comment

by:Predrag Jovic
ID: 40471315
I don't think that you need to apply ACL in both directions, of course that depend on network design, but I guess ip access group 100 in should be enough. That will save a few CPU cycles, that router might need someday.  :)
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
DHCP Server 14 103
Expanding Subnet Mask 20 198
Cisco router is restricting wireless bandwidth download and upload speed 38 42
Access-List 15 25
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question