Previous section   Next section

Recipe 17.5 Using Access Lists to Protect SNMP Access

17.5.1 Problem

You want to provide extra security to SNMP using access lists.

17.5.2 Solution

You can use the following commands to restrict which IP source addresses are allowed to access SNMP functions on the router. This is the legacy method:

Router#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1       
Router(config)#access-list 99 deny any 
Router(config)#snmp-server community ORARO ro 99
Router(config)#access-list 98 permit 172.25.1.0 0.0.0.255            
Router(config)#snmp-server community ORARW rw 98
Router(config)#end
Router#

Here is a newer method to do the same thing using SNMP server groups:

Router#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1       
Router(config)#access-list 99 deny any 
Router(config)#snmp-server group COOKRO v1 access 99
Router(config)#snmp-server user TESTRO1 COOKRO v1   
Router(config)#end                                  
Router#

17.5.3 Discussion

By default, when you enable inbound SNMP services, the router will permit all IP addresses to access the SNMP agent on the standard well-known UDP port number (161). We highly recommend using SNMP ACLs to restrict SNMP access to a few trusted hosts or subnets. This will help to protect sensitive data.

You could restrict SNMP access by simply applying an interface ACL to block incoming SNMP packets that don't come from trusted servers. However, this would not be as effective as using the global SNMP commands shown in this recipe. Because you can apply this method once for the whole router, it is much simpler than applying ACLs to block SNMP on all interfaces separately. Also, using interface ACLs would block not only SNMP packets intended for this router, but also would stop SNMP packets that just happened to be passing through on their way to some other destination device.

Despite the different syntax, both of the examples shown in this recipe work the same way. First, you define a standard access list. Then you apply this access list to your SNMP community string. You can assign each SNMP community a separate and unique access list to restrict access. This can be useful when there are several different people or NMS systems that need to access information on different groups of routers. You can also assign an access list to a read-write community string to block SNMP Set commands from unauthorized IP source addresses.

SNMP access lists alone are not an effective way of protecting read-write access to your routers. Because SNMP is a UDP protocol, a rogue device with access to your network can spoof the IP source address so that it matches the IP address of your management server. This means that somebody who knows your community string and the IP address of your management server can submit potentially dangerous SNMP Set commands to your router. SNMP sends packets in clear-text, so this information is relatively easy to discover with a protocol analyzer on a well-chosen network segment.

Applying a nonexistent access list to your SNMP configuration commands implicitly allows all IP source addresses to access your router's SNMP services. Always ensure that the access list exists before applying it to an SNMP community string.

The following command shows the status of a particular access list:

Router#show access-list 99
Standard IP access list 99
    permit 10.1.1.1 (1745 matches)
    permit 172.25.1.0, wildcard bits 0.0.0.255 (477 matches)
    deny   any (7 matches)
Router#

Note that the router has denied seven requests. This means that the router received and discarded seven SNMP requests because source addresses were not allowed. Although the router automatically appends an implicit deny all to the end of every access list, we recommend that you explicitly include a deny all statement at the end of each access list to let you keep track of denied packets like this. It is an easy way to tell how often your routers receive SNMP requests from bad source addresses.

The show snmp group command shows you which access lists are assigned to which SNMP community strings:

Router>show snmp group
groupname: ORARO                        security model:v1 
readview :v1default                     writeview: <no writeview specified> 
notifyview: <no notifyview specified>
row status: active      access-list: 99
   
groupname: ORARW                        security model:v1 
readview :v1default                     writeview: v1default                
notifyview: <no notifyview specified>
row status: active      access-list: 98
   
Router>

In this example, the SNMP community string ORARO is protected by access list 99 and SNMP community string ORARW with access list 98. Note that the show snmp group command is only available in 12.0(3)T and above.

We discuss how to use the new SNMP syntax for read-write access in Recipe 17.7 and Recipe 17.21.

17.5.4 See Also

Recipe 17.1; Recipe 17.6; Recipe 17.7; Recipe 17.21; Chapter 19


  Previous section   Next section
Top