Home > Archive > CCNP > April 2003 > snmp acls

Thread: snmp acls
monkeyboy

2003-04-25, 8:21 am

Has anyone got a link/explanation for configuring a permit access-list for SNMP within IOS?

When you create the list do you have to apply it to an interface or does it apply to all snmp by default?

Many thanks

BTW: thanks anchor/yankee for replies to EIGRP post - sorry I didn't reply, was on my hols. We're setting up a MAN using licensed radio to 90 sites initially with the potential of many more.. Was just wondering about ospf-vs-eigrp-vs-isis type thing..
anchor40

2003-04-25, 8:44 am

Sounds like a fun project!

Since you're using the ACL to permit/deny certain traffic (SNMP), it must be applied to an interface to take effect.

ACLs used to define "interesting traffic" get used in processes (VPN tunnel activation, DDR, route maps, etc).

monkeyboy

2003-04-25, 9:24 am

It's a bit of a pain to have to apply it to all interfaces just for secure SNMP..

Anchor - wouldn't there be issues applying ACLs to all interfaces on core networking devices - latency etc?

MS
anchor40

2003-04-25, 11:25 am

Therein lies the "wicked googly" of network design - trade-off between the delay from added processing and security.

However, check into the Turbo ACL feature that is available for 12.0 and higher IOS (global config: access-list compiled). It compiles the ACL and gives a consistent response time. The compilation builds a cross-reference table to reduce the time it takes to find a match. Cisco claims that if there are more than 3 statements, the benefit is attained.

Mainline release notice for 12.0(9):

http://www.cisco.com/en/US/products...0080091f60.html
Mat P

2003-04-25, 2:00 pm

quote:
Originally posted by monkeyboy
It's a bit of a pain to have to apply it to all interfaces just for secure SNMP..

Anchor - wouldn't there be issues applying ACLs to all interfaces on core networking devices - latency etc?

MS

Hi Monkeyboy,
I'm no security whizz, but wouldn't a decent community name overcome both of these? Be aware though that there are issues here; the following link explains, and also answers your original question.
http://makeashorterlink.com/?L13823754

Where did you go on holiday?
xtam1

2003-04-27, 1:14 am

Dear monkeyboy,
Here is a configuration that I used before just to block the SNMP traffic on my serial interface, and I hope this may help...

==================================
interface Serial0
ip unnumbered Ethernet0
ip access-group noSNMPnoTelnet in
no ip directed-broadcast
keepalive 20
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
!
ip access-list extended noSNMPnoTelnet
deny tcp any any eq 161
deny udp any any eq snmp
deny tcp any any eq 162
deny udp any any eq snmptrap
deny tcp any any eq 1993
deny udp any any eq 1993
deny tcp any any eq telnet
deny udp any any eq 23
permit ip any any
==================================
Regards..
Tamer Bayomy
monkeyboy

2003-04-28, 3:27 am

Thanks for the responses, yeah, I just thought that there was a way to lock down but use SNMP globally without applying ACLs to all interfaces, but alas no..

We are going to be using CiscoWorks & HP Network Node Manager for management (overkill probably - but hey, I didn't spec it out & will like the skills gained from using them)

Mat - we would be changing the default community strings as well.. Went to Abersoch in Wales for our family holiday - usually go abroad but the boss seems to get stressed in the heat - keep it simple yes..

MS
anchor40

2003-04-29, 8:21 am

Monkeyboy,

I did a little digging, and you CAN apply access lists to SNMP strings.

access-list 50 permit 1.2.3.0 0.0.0.240
snmp-server community [name] ro 50

It can only be a standard access-list from 1-99, but you can restrict by source host or range of hosts (like above).

HTH...
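One check worth doing before pasting a line like the one above into a production router is to confirm exactly which source addresses the wildcard mask admits. The following Python is an added example, not code from the thread or from Cisco: it models IOS standard-ACL evaluation (wildcard bit 1 = "don't care", first match wins, implicit deny at the end) and runs the posted entry `access-list 50 permit 1.2.3.0 0.0.0.240` against a few constructed source addresses. The second ACL (number 51, wildcard 0.0.0.15) is my assumption of a contiguous alternative, included only to show the difference; the wildcard 0.0.0.240 matches 1.2.3.0, 1.2.3.16, 1.2.3.32 ... 1.2.3.240 rather than a single 16-address block.

```python
# Added example (not part of the original thread): evaluate a Cisco IOS
# *standard* ACL, as used with "snmp-server community <name> ro <acl>",
# against candidate SNMP source addresses using IOS wildcard-mask semantics.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str      # "permit" or "deny"
    network: int     # matched address as a 32-bit integer
    wildcard: int    # wildcard mask: 1 bits are "don't care", 0 bits must match


def parse_standard_acl(lines):
    """Parse 'access-list <n> permit|deny <addr> [wildcard]' lines.
    Handles the 'any' and 'host' shorthands; an omitted wildcard is 0.0.0.0."""
    entries = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0] != "access-list":
            continue  # skip blank lines and unrelated config
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        if parts[3] == "any":
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            addr, wc = parts[4], "0.0.0.0"
        else:
            addr = parts[3]
            wc = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append(Entry(action,
                             int(ipaddress.IPv4Address(addr)),
                             int(ipaddress.IPv4Address(wc))))
    return entries


def matches(entry, source):
    """True when every bit the wildcard does NOT cover is equal."""
    src = int(ipaddress.IPv4Address(source))
    care = ~entry.wildcard & 0xFFFFFFFF      # bits that must match
    return (src & care) == (entry.network & care)


def evaluate(entries, source):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for entry in entries:
        if matches(entry, source):
            return entry.action
    return "deny"


def permitted_in(entries, prefix):
    """Every address inside `prefix` that the ACL would permit. Useful for
    seeing what an unusual wildcard such as 0.0.0.240 really covers."""
    return [str(a) for a in ipaddress.IPv4Network(prefix)
            if evaluate(entries, str(a)) == "permit"]


# The entry exactly as posted in the thread.
ACL_FROM_POST = parse_standard_acl(["access-list 50 permit 1.2.3.0 0.0.0.240"])

# Assumed alternative (not from the thread): a contiguous 16-address block.
ACL_CONTIGUOUS = parse_standard_acl(["access-list 51 permit 1.2.3.0 0.0.0.15"])

if __name__ == "__main__":
    # Constructed sample sources, chosen to show where the two masks differ.
    for src in ("1.2.3.1", "1.2.3.15", "1.2.3.16", "1.2.3.17", "1.2.3.240", "1.2.4.0"):
        print(f"{src:>10}  acl 50 (0.0.0.240): {evaluate(ACL_FROM_POST, src):6}"
              f"  acl 51 (0.0.0.15): {evaluate(ACL_CONTIGUOUS, src)}")
    print("acl 50 permits in 1.2.3.0/24:", permitted_in(ACL_FROM_POST, "1.2.3.0/24"))
    print("acl 51 permits in 1.2.3.0/24:", permitted_in(ACL_CONTIGUOUS, "1.2.3.0/24"))
```

Run it and compare the two lists: both masks permit exactly sixteen addresses out of 1.2.3.0/24, but only the 0.0.0.15 list is the contiguous range most people have in mind when they write "1.2.3.0". Whichever is intended, the SNMP manager's actual address should appear in the permitted list and nothing else should.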
monkeyboy

2003-04-30, 8:39 am

Nice one Anchor - I just had another dig myself and was about to post the same thing.. uncanny

Muchos muchacho..

MS
Copyright 2003 - 2008 examnotes.net