Using Access Lists to Protect SNMP Access
Problem
You want to provide extra security to SNMP using access lists.
Solution
You can use the following commands to restrict which IP source addresses are allowed to access SNMP functions on the router. This is the legacy method:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1
Router(config)#access-list 99 deny any
Router(config)#snmp-server community ORARO ro 99
Router(config)#access-list 98 permit 172.25.1.0 0.0.0.255
Router(config)#snmp-server community ORARW rw 98
Router(config)#end
Router#
Here is a newer method to do the same thing using SNMP server groups:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1
Router(config)#access-list 99 deny any
Router(config)#snmp-server group COOKRO v1 access 99
Router(config)#snmp-server user TESTRO1 COOKRO v1
Router(config)#end
Router#
Beginning with IOS Version 12.3(2)T, support for standard named access lists was added:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list standard SNMPACL
Router2(config-std-nacl)#permit 172.25.1.0 0.0.0.255
Router2(config-std-nacl)#permit host 10.1.1.1
Router2(config-std-nacl)#deny any
Router2(config-std-nacl)# ...