Access List for SNMP

[rainman]

Can someone help me write an SNMP access-list to restrict access only from trusted management stations? I have basically 3 management stations that need to be able to access the router(s).

Also, once the access-list is created, I know that it needs to be applied to an interface. Does it need to be applied to every interface, or just the interface the SNMP traffic would be coming in on.


Thanks in advance,

Rainman

 

[ecki007]

Hi,

the snmp-server community <snmp-name> RO 30 statement allows &quot;read only&quot; access to the hosts and ranges in access-list 30, if they use the community-name &quot;snmp-name&quot;.
access-list 30 permit 10.10.10.10
This is for a host
access-list 30 permit 10.10.10.0 0.0.0.255
This is for a Range
access-list 30 deny any
Not really needed

You don't need to apply the access-list to an interface, only to the snmp-server statement.

 

[rainman]

Thanks for the info, however I'd like to add to my original question:

You suggested that I may want to do up a range on the ACL such as:

access-list 30 permit 10.10.10.0 0.0.0.255
This is for a Range

What if I had multiple management stations on different networks (ex., 192.168.0.X, 172.16.0.X, 10.0.0.X) ... How would I go about allowing those addresses only and blocking the rest.


Thanks again - Rainman

 

[ecki007]

As i wrote in my last post, you can use hosts or ranges.
access-list 30 permit 192.168.0.X
access-list 30 permit 172.16.0.X
access-list 30 permit 10.0.0.X
access-list 30 deny any
I assume, your management stations are not in private ip-ranges as in the example above. If they are, you have to use the external NATed ip's in your access-list.

Ecki