Secure SNMP with ACL on Cisco Router

I am trying to secure SNMP connections to a specific IP address on a Cisco 2821 router but am having issues. I thought the below config would secure it, but I must be missing something. Any suggestions?

access-list 12 permit 10.x.x.x
access-list 12 deny any

snmp-server community "public" RO 12

Thanks,
timkrampe1 asked:
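For reference, here is the community-ACL approach from the question written out in full, with a logged deny and the show commands used to check that the filter is actually consulted. This is an added example, not the poster's configuration: the management-station address 192.0.2.10, the interface-free placement, and the community string s3cr3t-ro are assumptions standing in for the 10.x.x.x host and the real community on the page.

```cisco
! Added example, not the original poster's config.
! Assumptions: 192.0.2.10 is the only station allowed to poll, and
! "s3cr3t-ro" stands in for the real read-only community string.
!
! A standard ACL matches on SOURCE address only and is evaluated top-down,
! first match wins, so the permit must precede the deny. "log" on the deny
! records every rejected poll, which is the easiest way to confirm the ACL
! is being hit at all.
access-list 12 permit host 192.0.2.10
access-list 12 deny   any log
!
! The ACL number at the end of the community line is what ties ACL 12 to
! SNMP. Do NOT apply ACL 12 with "ip access-group" on an interface: there it
! would filter every IP packet from other sources, not just SNMP.
snmp-server community s3cr3t-ro RO 12
!
! Remove the well-known default so no unrestricted community is left behind.
no snmp-server community public
!
! Verification (exec mode):
!   show snmp community      - each community and the ACL bound to it
!   show access-lists 12     - per-line match counters increment on each poll
!   show logging             - denied polls appear once "log" entries fire
```

The match counters in `show access-lists 12` are the useful check: if a poll from the allowed station reaches the router but the permit counter never moves, the community line is not bound to the ACL the way you think it is.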

Predrag Jovic, Network Engineer, commented:
Yes, you can add an ACL to the interface, but you need to allow traffic to other destinations and forbid only access to the router from that network; blocking all traffic except port 161 will kill traffic completely.
I think some variation on the following extended ACL can be used:
- permit access to the router from the host address // host(s) that need to access the router: maintenance, network monitoring, etc.
- deny access to the router from the rest of the network
- permit any any // to allow traffic to other destinations
 
timkrampe1 (Author) commented:
I did not apply that to the interface.
 
Ken Boone, Network Consultant, commented:
One comment. You probably used "public" as an example. But if you didn't, use something other than public.
 
timkrampe1 (Author) commented:
Public was just an example.
 
Ken Boone, Network Consultant, commented:
Excellent... just checking! ;)
 
Predrag Jovic, Network Engineer, commented:
Your config should work OK, but in some versions Cisco says that the config needs to be a little different.
Maybe that's your case.
Go to page 4.
 
timkrampe1 (Author) commented:
Following that guide didn't work either. If I add the above ACL to an interface, could it block all traffic except port 161?
 
timkrampe1 (Author) commented:
Setting the ACL on the interface did the trick.  Thanks.

Basic config is:

! drop every SNMP (UDP/161) packet, whatever its source or destination
access-list 100 deny   udp any any eq 161
! everything else passes untouched
access-list 100 permit ip any any
!
int xx
 ip access-group 100 in
 ip access-group 100 out
 
Predrag Jovic, Network Engineer, commented:
I don't think that you need to apply the ACL in both directions; of course that depends on network design, but I guess `ip access-group 100 in` should be enough. That will save a few CPU cycles that the router might need someday. :)
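The interface ACL the thread ends with, `deny udp any any eq 161` followed by `permit ip any any`, drops SNMP from every source, including the single host the question wanted to allow. The following added example (not the poster's or Predrag's configuration) writes out the three-step extended ACL Predrag describes, applied inbound only as his last comment suggests. The router address 198.51.100.1 on GigabitEthernet0/0, the monitoring host 192.0.2.10, the ACL name PROTECT-SNMP and the community string s3cr3t-ro are all assumptions.

```cisco
! Added example, not the original poster's or Predrag's config.
! Assumptions: the router's address on the inside interface is 198.51.100.1
! (GigabitEthernet0/0), and 192.0.2.10 is the monitoring host allowed to poll.
!
! An extended ACL matches source, destination and port, so the filter can be
! scoped to "SNMP toward this router" and leave every other flow alone.
! Lines are evaluated top-down, first match wins: the host permit sits
! above the catch-all deny.
ip access-list extended PROTECT-SNMP
 remark 1) the monitoring host may poll this router
 permit udp host 192.0.2.10 host 198.51.100.1 eq snmp
 remark 2) nobody else may reach SNMP on this router; log the attempts
 deny   udp any host 198.51.100.1 eq snmp log
 remark 3) all other traffic, transit included, is untouched
 permit ip any any
!
! Inbound on the interface facing the untrusted network is sufficient:
! a request dropped here never reaches the SNMP agent, so there is no
! response to filter outbound. Compare with ACL 100 in the thread, whose
! "deny udp any any eq 161" also drops polls from the monitoring host.
interface GigabitEthernet0/0
 ip access-group PROTECT-SNMP in
!
! Keep the community-level ACL as a second layer that does not depend on
! which interface or router address the poll arrives on.
access-list 12 permit host 192.0.2.10
access-list 12 deny   any
snmp-server community s3cr3t-ro RO 12
!
! Verification: "show access-lists PROTECT-SNMP" shows per-line hit counts;
! a poll from the monitoring host should increment line 1, any other
! source line 2.
```

One caveat on relying on the interface ACL alone: it only covers SNMP sent to 198.51.100.1 through GigabitEthernet0/0. The agent also answers on every other address the router owns and on every other interface, which is why the community ACL is kept as well; it is evaluated by the SNMP process itself regardless of how the packet arrived.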