SNMP Config - and the ACL

DANMOH009

When entering a SNMP config line:

e.g. snmp-server community "examplestring" ro 10.

the 10 references a ACL - does this ACL then need to be applied to an interface that the requesting SNMP device is going to come in on? or is it just to identify the sequesters IP?

Cant really find a good explanation of this anywhere.

Thanks

Dan

networker050184

No the ACL does not need to be applied to an interface.

Vask3n

If you were to apply the ACL to the interface, you would end up performing a filter on all your packets (or the ones of the type specified in the ACL). That is one way to use ACLs.

ACLs can also be used to identify traffic that should be handled a certain way. For example, you can use ACLs to determine which traffic should get encrypted and go through a VPN tunnel (and in doing so, which traffic should not be sent through the tunnel.

The actual ACLs look the same- they are both permitting/denying traffic and have the same syntax. But if you apply one to an interface, you are filtering traffic, whereas if you use one in a command like snmp-server, you are identifying something (and consequently maybe blocking traffic as a result, it can still have the effect of blocking traffic.)

If you check out the context-sensitive help for the snmp-server command it tells you what the ACL is used for:

R1(config)#snmp-server community mystring ro ?
<1-99> Std IP accesslist allowing access with this community string

DANMOH009

Cheers guys,

I suppose that the request can come in from any interface then.

DirtySouth

That is correct. The SNMP get request can come into the device from any interface.