Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Secure SNMP with ACL on Cisco Router

Posted on 2014-11-28
9
Medium Priority
?
341 Views
Last Modified: 2014-11-28
I am trying to secure SNMP connections to a specific IP address on a cisco 2821 router but am having issues.  I thought the below config would would secure it but i must be missing something.  Any suggestions?

access-list 12 permit 10.x.x.x
access-list 12 deny any

snmp-server community "public" RO 12

Thanks,
0
Comment
Question by:timkrampe1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 1

Author Comment

by:timkrampe1
ID: 40470506
I did not apply that to the interface.
0
 
LVL 25

Expert Comment

by:Ken Boone
ID: 40470534
One comment.  You probably used "Public" as an example.  But if you didn't use something other than public.
0
 
LVL 1

Author Comment

by:timkrampe1
ID: 40470539
Public was just an example.
0
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

 
LVL 25

Expert Comment

by:Ken Boone
ID: 40470543
Excellent.. just checking! ;)
0
 
LVL 31

Expert Comment

by:Predrag
ID: 40470571
Your config should work OK, but in some versions Cisco says that config need to be a little different.
Maybe that's your case.
Go to page 4
0
 
LVL 1

Author Comment

by:timkrampe1
ID: 40470834
Following that guide didn't work either.  If i add the above ACL to an interface could it block all traffic except port 161?
0
 
LVL 31

Accepted Solution

by:
Predrag earned 2000 total points
ID: 40470856
Yes, you can add ACL to interface, but you need to allow traffic to other destinations and forbid just access to router from that network, block all traffic except port 161 will kill traffic completely.
I think some variation on next extended ACL can be used
- permit access to router from host address //host(s) that need to access router - maintenance, network monitoring etc
- deny access to router from rest of network
- permit any any //to allow fraffic to other destinations
0
 
LVL 1

Author Closing Comment

by:timkrampe1
ID: 40470981
Setting the ACL on the interface did the trick.  Thanks.

Basic config is:

access-list 100 deny   udp any any eq 161

access-list 100 permit ip any any

int xx
ip access-group 100 in
ip access-group 100 out
0
 
LVL 31

Expert Comment

by:Predrag
ID: 40471315
I don't think that you need to apply ACL in both directions, of course that depend on network design, but I guess ip access group 100 in should be enough. That will save a few CPU cycles, that router might need someday.  :)
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a guide to configure bridging on Cisco Routers.  This is something I never knew was possible until after making a few phone calls to Cisco.  Using bridging saved our company money by not requiring us to purchase a new switch.  Bridgi…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question