SNMP Config - and the ACL

DANMOH009 Member Posts: 241
When entering a SNMP config line:

e.g. snmp-server community "examplestring" ro 10.

The 10 references an ACL - does this ACL then need to be applied to an interface that the requesting SNMP device is going to come in on? Or is it just to identify the requester's IP?

Can't really find a good explanation of this anywhere.

Thanks

Dan

Comments

  • networker050184 Mod Posts: 11,962
    No, the ACL does not need to be applied to an interface.
    An expert is a man who has made all the mistakes which can be made.
  • Vask3n Member Posts: 517
    If you were to apply the ACL to the interface, you would end up performing a filter on all your packets (or the ones of the type specified in the ACL). That is one way to use ACLs.

    ACLs can also be used to identify traffic that should be handled a certain way. For example, you can use ACLs to determine which traffic should get encrypted and go through a VPN tunnel (and in doing so, which traffic should not be sent through the tunnel).

    The actual ACLs look the same - they are both permitting/denying traffic and have the same syntax. But if you apply one to an interface, you are filtering traffic, whereas if you use one in a command like snmp-server, you are identifying something (and consequently maybe blocking traffic as a result, it can still have the effect of blocking traffic).

    If you check out the context-sensitive help for the snmp-server command it tells you what the ACL is used for:

    R1(config)#snmp-server community mystring ro ?
    <1-99> Std IP accesslist allowing access with this community string
    Working on MS-ISA at Western Governor's University
  • DANMOH009 Member Posts: 241
    Cheers guys,

    I suppose that the request can come in from any interface then.
  • DirtySouth Member Posts: 314
    That is correct. The SNMP get request can come into the device from any interface.
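
Added example, not part of the thread above: a small Python audit that reads a running-config and shows, for each `snmp-server community` line, which standard ACL it references, what that ACL permits, and whether the same ACL is also applied to any interface with `ip access-group`. The sample config, the addresses and the function name `audit_snmp_acls` are constructed for illustration; only numbered ACLs in the `snmp-server community <string> ro|rw [acl]` form are handled.

```python
import re

# Constructed sample config for illustration; addresses are documentation ranges.
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.50
access-list 10 deny any log
access-list 20 permit 198.51.100.0 0.0.0.255
snmp-server community examplestring RO 10
snmp-server community otherstring RO
snmp-server community thirdstring RO 30
interface GigabitEthernet0/1
 ip access-group 20 in
"""

ACL_RE = re.compile(r"^access-list (\d+) ((?:permit|deny) .+)$")
COMM_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)(?: (\d+))?$", re.I)
INTF_RE = re.compile(r"^interface (\S+)$")
GROUP_RE = re.compile(r"^ip access-group (\S+) (in|out)$")


def audit_snmp_acls(config):
    """Return one record per community: its ACL, the ACL entries, where applied."""
    acls, applied, communities, intf = {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := INTF_RE.match(line):
            intf = m.group(1)  # later access-group lines belong to this interface
        elif (m := GROUP_RE.match(line)) and intf:
            applied.setdefault(m.group(1), []).append((intf, m.group(2)))
        elif m := COMM_RE.match(line):
            communities.append((m.group(1), m.group(2).upper(), m.group(3)))
    report = []
    for name, mode, acl in communities:
        if acl is None:
            finding = "no ACL on community"
        elif acl not in acls:
            finding = "ACL referenced but not defined"
        else:
            finding = "restricted by ACL"
        report.append({"community": name, "mode": mode, "acl": acl,
                       "entries": acls.get(acl, []),
                       "interfaces": applied.get(acl, []), "finding": finding})
    return report


if __name__ == "__main__":
    for row in audit_snmp_acls(SAMPLE_CONFIG):
        print(row)
```

In the sample, ACL 10 restricts the `examplestring` community while appearing on no interface, which is the arrangement the replies describe; ACL 20 is the opposite case, an interface filter unrelated to SNMP.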