Solved

Secure SNMP with ACL on Cisco Router

Posted on 2014-11-28
9
336 Views
Last Modified: 2014-11-28
I am trying to secure SNMP connections to a specific IP address on a cisco 2821 router but am having issues.  I thought the below config would would secure it but i must be missing something.  Any suggestions?

access-list 12 permit 10.x.x.x
access-list 12 deny any

snmp-server community "public" RO 12

Thanks,
0
Comment
Question by:timkrampe1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 1

Author Comment

by:timkrampe1
ID: 40470506
I did not apply that to the interface.
0
 
LVL 25

Expert Comment

by:Ken Boone
ID: 40470534
One comment.  You probably used "Public" as an example.  But if you didn't use something other than public.
0
 
LVL 1

Author Comment

by:timkrampe1
ID: 40470539
Public was just an example.
0
Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

 
LVL 25

Expert Comment

by:Ken Boone
ID: 40470543
Excellent.. just checking! ;)
0
 
LVL 29

Expert Comment

by:Predrag Jovic
ID: 40470571
Your config should work OK, but in some versions Cisco says that config need to be a little different.
Maybe that's your case.
Go to page 4
0
 
LVL 1

Author Comment

by:timkrampe1
ID: 40470834
Following that guide didn't work either.  If i add the above ACL to an interface could it block all traffic except port 161?
0
 
LVL 29

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 40470856
Yes, you can add ACL to interface, but you need to allow traffic to other destinations and forbid just access to router from that network, block all traffic except port 161 will kill traffic completely.
I think some variation on next extended ACL can be used
- permit access to router from host address //host(s) that need to access router - maintenance, network monitoring etc
- deny access to router from rest of network
- permit any any //to allow fraffic to other destinations
0
 
LVL 1

Author Closing Comment

by:timkrampe1
ID: 40470981
Setting the ACL on the interface did the trick.  Thanks.

Basic config is:

access-list 100 deny   udp any any eq 161

access-list 100 permit ip any any

int xx
ip access-group 100 in
ip access-group 100 out
0
 
LVL 29

Expert Comment

by:Predrag Jovic
ID: 40471315
I don't think that you need to apply ACL in both directions, of course that depend on network design, but I guess ip access group 100 in should be enough. That will save a few CPU cycles, that router might need someday.  :)
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question