SNMP access list confusion?

I am currently learning about SNMP and everything makes sense to me it's just one thing that is confusing to me and that is the access list applied and I know it's an optional configuration and not mandatory.
It's confusing me because the access list is set on the router (agent) and it is designed to protect the NMS from access this is what I am not getting it. The permit host 192.168.10.254 is meant to do that. Now that IP address is it the NMS station or the IP address of the device that has an agent on it.
I just don't understand how it's meant to protect the NMS station when the access list is set on the router (agent) basically to allow that NMS access to that router if someone could help that would be wonderful.
I have attached the part of the book that I am confused at. It's lammle's book on CCNA.

snmp confustion.jpg

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

WastedHat

I think Todd covers SNMP poorly, I also got very confused after learning it from Odom in more detail. Here's a quote from Odoms book:

"Use the snmp-server community communitystring RO [ipv6 acl-name]
[acl-name] command in global configuration mode to enable the SNMP
agent (if not already started), set the read-only community string, and restrict
incoming SNMP messages based on the optional referenced IPv4 or IPv6 ACL"

So the ACL is for inbound traffic to the agent. It could also have a side effect of protecting the NMS but Todd doesn't say how or why, only "make sure you understand it is", and its not obvious to me either, hopefully someone else can help us lol. Also note, on the exam topics:

5.1 Configure and verify device-monitoring protocols

5.1.a SNMPv2
5.1.b SNMPv3

Todds book only has a 4 lines discribing SNMPv3, no config details. It's a good book but it falls short on this topic. Make sure you know how to configure SNMPv2 and v3 before the exam. Learn about the engine ID too (isnt in Odom or Toods books, I learned it from Boson/Cisco's site). Good luck

Llukman1

Sadly this forum isn't that ******* helpful...thanks for yours though.

MitM

Well, the only thing I can add is, in my opinion, it is to protect the device (switch, router, etc).

WastedHat

Llukman1 wrote: »

Sadly this forum isn't that ******* helpful...thanks for yours though.

It's free help, can't expect too much. Reddit is a bit more active if you're looking for more responses.

rob42

Llukman1 wrote: »

Sadly this forum isn't that ******* helpful...thanks for yours though.

This is VERY disrespectful to the many very helpful and knowledgeable people on this forum. If you don't like it here, you're free to go elsewhere.

Llukman1

I don't really care if it's disrespectful it's true...don't like facts then you are welcomed to leave this post.

shochan

OHHH, that is a great way to get help ANYWHERE, piss everyone off...move on dude, go do your own research and quit asking for help here.

Llukman1

lol anymore of you coming because I really don't care how many of you are getting offended.

PCTechLinc

Maybe you'll have better luck asking Mr. Lammle himself.

montee

That is a pretty bad example of a configuration for SNMP. At any rate, the book should not state the ACL protects the NMS, because that is not what this particular ACL is doing.

router(config)#snmp-server community <string> ro <access_list_reference>

The above configuration line defines the community string (basically, just a password) and this is a v2 configuration, showing read-only, and you have the option to use a standard ACL with a number, or define the ACL with a name. But, the ACL is used to restrict SNMP UDP traffic to the router/switch itself (specifically, the SNMP agent running on the device). The ACL does not restrict traffic to the NMS. If your organization has defined a management subnet/network say, the network is 172.16.2.0/24 and your NMS station lives in that network, and it has the IP of 172.16.2.10, then your ACL would be something like this:

router(config)#access-list 20 permit 172.16.2.10

In your SNMP configuration, you would put:
snmp-server community myString ro 20

20 refers to ACL 20... and you don't have to use a numbered ACL if you want to use a named one you can... it's up to you.

But, the main point is, that ACL does not "protect" the NMS. It just restricts what hosts can send SNMP GET GETNEXT etc.. commands to the SNMP agent on the device.

And a couple of security points... it is best not to use rw (read/write) unless the NMS is actually going to send SNMP SET commands to make changes to the router/switch etc.. Always use ro, and configure the device via the CLI peferably using TACACS or RADIUS or something that does accounting for audit purposes.