You want to provide extra security to SNMP using access lists.
You can use the following commands to restrict which IP source addresses are allowed to access SNMP functions on the router. This is the legacy method:
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255 Router(config)#access-list 99 permit host 10.1.1.1 Router(config)#access-list 99 deny any Router(config)#snmp-server community ORARO ro 99 Router(config)#access-list 98 permit 172.25.1.0 0.0.0.255 Router(config)#snmp-server community ORARW rw 98 Router(config)#end Router#
Here is a newer method to do the same thing using SNMP server groups:
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255 Router(config)#access-list 99 permit host 10.1.1.1 Router(config)#access-list 99 deny any Router(config)#snmp-server group COOKRO v1 access 99 Router(config)#snmp-server user TESTRO1 COOKRO v1 Router(config)#end Router#
By default, when you enable inbound SNMP services, the router will permit all IP addresses to access the SNMP agent on the standard well-known UDP port number (161). We highly recommend using SNMP ACLs to restrict SNMP access to a few trusted hosts or subnets. This will help to protect sensitive data.
You could restrict SNMP access by simply applying an interface ACL to block incoming SNMP packets that don't come from trusted servers. However, this would not be as effective as using the global SNMP commands shown in this recipe. Because you can apply this method once for the whole router, it is much simpler than applying ACLs to block SNMP on all interfaces separately. Also, using interface ACLs would block not only SNMP packets intended for this router, but also would stop SNMP packets that just happened to be passing through on their way to some other destination device.
Despite the different syntax, both of the examples shown in this recipe work the same way. First, you define a standard access list. Then you apply this access list to your SNMP community string. You can assign each SNMP community a separate and unique access list to restrict access. This can be useful when there are several different people or NMS systems that need to access information on different groups of routers. You can also assign an access list to a read-write community string to block SNMP Set commands from unauthorized IP source addresses.
SNMP access lists alone are not an effective way of protecting read-write access to your routers. Because SNMP is a UDP protocol, a rogue device with access to your network can spoof the IP source address so that it matches the IP address of your management server. This means that somebody who knows your community string and the IP address of your management server can submit potentially dangerous SNMP Set commands to your router. SNMP sends packets in clear-text, so this information is relatively easy to discover with a protocol analyzer on a well-chosen network segment.
|
The following command shows the status of a particular access list:
Router#show access-list 99
Standard IP access list 99
permit 10.1.1.1 (1745 matches)
permit 172.25.1.0, wildcard bits 0.0.0.255 (477 matches)
deny any (7 matches)
Router#
Note that the router has denied seven requests. This means that the router received and discarded seven SNMP requests because source addresses were not allowed. Although the router automatically appends an implicit deny all to the end of every access list, we recommend that you explicitly include a deny all statement at the end of each access list to let you keep track of denied packets like this. It is an easy way to tell how often your routers receive SNMP requests from bad source addresses.
The show snmp group command shows you which access lists are assigned to which SNMP community strings:
Router>show snmp group groupname: ORARO security model:v1 readview :v1default writeview: <no writeview specified> notifyview: <no notifyview specified> row status: active access-list: 99 groupname: ORARW security model:v1 readview :v1default writeview: v1default notifyview: <no notifyview specified> row status: active access-list: 98 Router>
In this example, the SNMP community string ORARO is protected by access list 99 and SNMP community string ORARW with access list 98. Note that the show snmp group command is only available in 12.0(3)T and above.
We discuss how to use the new SNMP syntax for read-write access in Recipe 17.7 and Recipe 17.21.
Recipe 17.1; Recipe 17.6; Recipe 17.7; Recipe 17.21; Chapter 19
|
|
|
| Top |