SNMP access list confusion?

Llukman1 Member Posts: 21 ■□□□□□□□□□
I am currently learning about SNMP and everything makes sense to me; it's just one thing that is confusing to me, and that is the access list applied, and I know it's an optional configuration and not mandatory.
It's confusing me because the access list is set on the router (agent) and it is designed to protect the NMS from access; this is what I am not getting. The permit host 192.168.10.254 is meant to do that. Now that IP address, is it the NMS station or the IP address of the device that has an agent on it?
I just don't understand how it's meant to protect the NMS station when the access list is set on the router (agent), basically to allow that NMS access to that router. If someone could help that would be wonderful.

I have attached the part of the book that I am confused at. It's Lammle's book on CCNA.

Comments

  • WastedHat Member Posts: 132 ■■■□□□□□□□
    I think Todd covers SNMP poorly, I also got very confused after learning it from Odom in more detail. Here's a quote from Odom's book:

    "Use the snmp-server community communitystring RO [ipv6 acl-name] [acl-name] command in global configuration mode to enable the SNMP agent (if not already started), set the read-only community string, and restrict incoming SNMP messages based on the optional referenced IPv4 or IPv6 ACL"

    So the ACL is for inbound traffic to the agent. It could also have a side effect of protecting the NMS but Todd doesn't say how or why, only "make sure you understand it is", and it's not obvious to me either, hopefully someone else can help us lol. Also note, on the exam topics:

    5.1 Configure and verify device-monitoring protocols

    • 5.1.a SNMPv2
    • 5.1.b SNMPv3


    Todd's book only has 4 lines describing SNMPv3, no config details. It's a good book but it falls short on this topic. Make sure you know how to configure SNMPv2 and v3 before the exam. Learn about the engine ID too (isn't in Odom's or Todd's books, I learned it from Boson/Cisco's site). Good luck :)
  • Llukman1 Member Posts: 21 ■□□□□□□□□□
    Sadly this forum isn't that ******* helpful...thanks for yours though.
  • MitM Member Posts: 622 ■■■■□□□□□□
    Well, the only thing I can add is, in my opinion, it is to protect the device (switch, router, etc).
  • WastedHat Member Posts: 132 ■■■□□□□□□□
    Llukman1 wrote: »
    Sadly this forum isn't that ******* helpful...thanks for yours though.

    It's free help, can't expect too much. Reddit is a bit more active if you're looking for more responses.
  • rob42 Member Posts: 423
    Llukman1 wrote: »
    Sadly this forum isn't that ******* helpful...thanks for yours though.
    This is VERY disrespectful to the many very helpful and knowledgeable people on this forum. If you don't like it here, you're free to go elsewhere.
    No longer an active member
  • Llukman1 Member Posts: 21 ■□□□□□□□□□
    I don't really care if it's disrespectful, it's true...don't like facts? Then you are welcome to leave this post.
  • shochan Member Posts: 1,004 ■■■■■■■■□□
    OHHH, that is a great way to get help ANYWHERE, piss everyone off...move on dude, go do your own research and quit asking for help here.
    CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
  • Llukman1 Member Posts: 21 ■□□□□□□□□□
    lol, any more of you coming? Because I really don't care how many of you are getting offended.
  • PCTechLinc Member Posts: 646 ■■■■■■□□□□
    Maybe you'll have better luck asking Mr. Lammle himself.
    Master of Business Administration in Information Technology Management - Western Governors University
    Master of Science in Information Security and Assurance - Western Governors University
    Bachelor of Science in Network Administration - Western Governors University
    Associate of Applied Science x4 - Heald College
  • montee Registered Users Posts: 2 ■□□□□□□□□□
    That is a pretty bad example of a configuration for SNMP. At any rate, the book should not state that the ACL protects the NMS, because that is not what this particular ACL is doing.

    router(config)#snmp-server community <string> ro <access_list_reference>

    The above configuration line defines the community string (basically, just a password) and this is a v2 configuration, showing read-only, and you have the option to use a standard ACL with a number, or define the ACL with a name. But the ACL is used to restrict SNMP UDP traffic to the router/switch itself (specifically, the SNMP agent running on the device). The ACL does not restrict traffic to the NMS. If your organization has defined a management subnet/network, say the network is 172.16.2.0/24 and your NMS station lives in that network and has the IP of 172.16.2.10, then your ACL would be something like this:

    router(config)#access-list 20 permit 172.16.2.10

    In your SNMP configuration, you would put:
    snmp-server community myString ro 20

    20 refers to ACL 20... and you don't have to use a numbered ACL; if you want to use a named one you can... it's up to you.

    But the main point is, that ACL does not "protect" the NMS. It just restricts what hosts can send SNMP GET, GETNEXT, etc. commands to the SNMP agent on the device.

    And a couple of security points... it is best not to use rw (read/write) unless the NMS is actually going to send SNMP SET commands to make changes to the router/switch etc. Always use ro, and configure the device via the CLI, preferably using TACACS or RADIUS or something that does accounting for audit purposes.
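To make the point in the post above concrete, here is an added example (not from the thread or from any Cisco code) that models how the agent on the router applies the configuration: it parses the constructed `access-list 20` / `snmp-server community ... ro 20` lines and then decides, for an inbound SNMP request, whether the source host is permitted and whether the community is allowed to write. The IOS semantics it assumes are a standard ACL with first-match-wins and an implicit deny at the end, and that a read-only community refuses SET.

```python
import ipaddress
import re

# Constructed sample config in Cisco IOS syntax, mirroring the post above.
CONFIG = """
access-list 20 permit 172.16.2.10
snmp-server community myString ro 20
"""

def acl_entry_network(tokens):
    """Turn the address part of a standard ACL entry into an IPv4Network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1])            # single /32 host
    addr, wildcard = tokens[0], (tokens[1] if len(tokens) > 1 else "0.0.0.0")
    # IOS wildcard masks are inverted subnet masks; invert back so ipaddress
    # does not read a wildcard of "0.0.0.0" as a /0 netmask.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def parse_config(text):
    """Return ({acl_number: [(action, network), ...]}, {community: (mode, acl_number)})."""
    acls, communities = {}, {}
    for line in text.strip().splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) (.+)$", line)
        if m:
            num, action, rest = m.groups()
            acls.setdefault(num, []).append((action, acl_entry_network(rest.split())))
            continue
        m = re.match(r"snmp-server community (\S+) (ro|rw)(?: (\S+))?$", line)
        if m:
            community, mode, acl = m.groups()
            communities[community] = (mode, acl)
    return acls, communities

def snmp_request_allowed(acls, communities, src_ip, community, op):
    """Model the agent's decision for one inbound SNMP request: (allowed, reason)."""
    if community not in communities:
        return False, "unknown community string"
    mode, acl = communities[community]
    if acl is not None:
        # Standard ACL semantics: first matching entry wins, implicit deny at the end.
        addr = ipaddress.ip_address(src_ip)
        action = next((a for a, net in acls.get(acl, []) if addr in net), "deny")
        if action == "deny":
            return False, f"source {src_ip} denied by access-list {acl}"
    if op == "SET" and mode != "rw":
        return False, f"SET refused: community {community} is read-only"
    return True, "ok"
```

Nothing here touches the NMS itself: only the source address of the request and the community's ro/rw mode decide the outcome, which is exactly why the ACL restricts who may query the agent rather than protecting the NMS.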