Preventing Unauthorized Configuration Modifications

Problem

You want to ensure that only authorized devices can use SNMP and TFTP to send or receive configuration information.

Solution

You can use the snmp-server tftp-server-list configuration command to restrict which TFTP servers the router can use in response to an SNMP trigger to upload or download configuration information:

Router#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 92 permit 172.25.1.1
Router(config)#access-list 92 deny any log        
Router(config)#snmp-server tftp-server-list 92
Router(config)#snmp-server community ORARW rw 
Router(config)#end
Router#

Beginning with IOS Version 12.3(2)T, support for standard named access lists was added:

Router2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#ip access-list standard TFTPACL        
Router2(config-std-nacl)#permit 172.25.1.1
Router2(config-std-nacl)#deny any log        
Router2(config-std-nacl)#exit
Router2(config)#snmp-server tftp-server-list TFTPACL
Router2(config)#snmp-server community ORARW rw 
Router2(config)#end
Router2#
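As an added example (not from the book or from Cisco), the following Python script audits a saved running-config for the pattern shown in the two sessions above: an rw community must be paired with an snmp-server tftp-server-list whose ACL, numbered or named, permits specific hosts and ends with deny any log. The function names audit_snmp_tftp and acl_entries are my own, and the configuration excerpts are constructed sample input.

```python
import re

# Constructed running-config excerpts used as sample input (not taken from the book).
SECURED = """\
access-list 92 permit 172.25.1.1
access-list 92 deny any log
snmp-server tftp-server-list 92
snmp-server community ORARW rw
"""
NAMED = """\
ip access-list standard TFTPACL
 permit 172.25.1.1
 deny any log
snmp-server tftp-server-list TFTPACL
snmp-server community ORARW rw
"""

def acl_entries(lines, acl):
    """Collect the permit/deny entries of a numbered or named standard ACL."""
    entries, in_named = [], False
    for raw in lines:
        line = raw.strip()
        if line.startswith(f"access-list {acl} "):
            entries.append(line.split(None, 2)[2])      # e.g. "permit 172.25.1.1"
        elif line == f"ip access-list standard {acl}":
            in_named = True                             # indented entries follow
        elif in_named and raw.startswith(" ") and line.startswith(("permit", "deny")):
            entries.append(line)
        elif in_named and not raw.startswith(" "):
            in_named = False                            # left the named-ACL block
    return entries

def audit_snmp_tftp(config):
    """Return findings on SNMP-triggered TFTP transfers; [] means the recipe's pattern is present."""
    lines = config.splitlines()
    if not any(re.match(r"snmp-server community \S+ .*\brw\b", l.strip()) for l in lines):
        return []                                       # read-only SNMP cannot trigger a transfer
    acl = next((m.group(1) for l in lines
                if (m := re.match(r"snmp-server tftp-server-list (\S+)", l.strip()))), None)
    if acl is None:
        return ["rw community present but no snmp-server tftp-server-list: any TFTP server accepted"]
    entries = acl_entries(lines, acl)
    findings = []
    if not entries:
        findings.append(f"tftp-server-list references ACL {acl}, which has no entries in this config")
    if any(e.startswith("permit any") for e in entries):
        findings.append(f"ACL {acl} permits any TFTP server")
    if not entries or not re.fullmatch(r"deny any log", entries[-1]):
        findings.append(f"ACL {acl} lacks a trailing 'deny any log' entry: rejected servers are not logged")
    return findings
```

Feed it the output of show running-config saved from each router; an empty list for a device with an rw community means the TFTP server restriction is in place with logging of rejected servers.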

Discussion

By default, the router will send or receive configuration information to any TFTP server. But this can be dangerous because the SNMP request that triggers these transfers cannot be 100 percent protected. Recipe 17.6 showed how you can restrict SNMP access to a specified list of devices. But because SNMP uses UDP, it is not difficult for a malicious user to ...

Get Cisco IOS Cookbook, 2nd Edition now with the O’Reilly learning platform.
