  1. Junior Member
    Join Date
    Jul 2016
    Posts
    21
    #1

    Default SNMP access list confusion?

    I am currently learning about SNMP and everything makes sense to me; it's just one thing that is confusing me, and that is the access list applied. I know it's an optional configuration and not mandatory.
    It's confusing me because the access list is set on the router (agent) and it is designed to protect the NMS from access; this is what I am not getting. The permit host 192.168.10.254 is meant to do that. Now that IP address, is it the NMS station or the IP address of the device that has an agent on it?
    I just don't understand how it's meant to protect the NMS station when the access list is set on the router (agent), basically to allow that NMS access to that router. If someone could help that would be wonderful.

    I have attached the part of the book that I am confused at. It's Lammle's book on CCNA.
    snmp confustion.jpg

  3. Senior Member
    Join Date
    May 2016
    Location
    UK
    Posts
    130

    Certifications
    CCNA: R&S
    #2
    I think Todd covers SNMP poorly; I also got very confused after learning it from Odom in more detail. Here's a quote from Odom's book:

    "Use the snmp-server community communitystring RO [ipv6 acl-name] [acl-name] command in global configuration mode to enable the SNMP agent (if not already started), set the read-only community string, and restrict incoming SNMP messages based on the optional referenced IPv4 or IPv6 ACL"

    So the ACL is for inbound traffic to the agent. It could also have a side effect of protecting the NMS, but Todd doesn't say how or why, only "make sure you understand it is", and it's not obvious to me either; hopefully someone else can help us lol. Also note, on the exam topics:

    5.1 Configure and verify device-monitoring protocols

    • 5.1.a SNMPv2
    • 5.1.b SNMPv3


    Todd's book only has 4 lines describing SNMPv3, no config details. It's a good book but it falls short on this topic. Make sure you know how to configure SNMPv2 and v3 before the exam. Learn about the engine ID too (isn't in Odom's or Todd's books, I learned it from Boson/Cisco's site). Good luck

  4. Junior Member
    Join Date
    Jul 2016
    Posts
    21
    #3
    Sadly this forum isn't that ******* helpful...thanks for yours though.

  5. Senior Member
    Join Date
    Oct 2016
    Location
    NJ
    Posts
    345

    Certifications
    CCNP R&S, CCNA(Security/Data Center), PCNSE 7, MCITP: Exchange 2010
    #4
    Well, the only thing I can add is, in my opinion, it is to protect the device (switch, router, etc).
    Last edited by MitM; 04-28-2017 at 01:53 AM.

  6. Senior Member
    Join Date
    May 2016
    Location
    UK
    Posts
    130

    Certifications
    CCNA: R&S
    #5
    Quote Originally Posted by Llukman1 View Post
    Sadly this forum isn't that ******* helpful...thanks for yours though.
    It's free help, can't expect too much. Reddit is a bit more active if you're looking for more responses.

  7. No longer active.
    Join Date
    Jul 2016
    Posts
    413
    #6
    Quote Originally Posted by Llukman1 View Post
    Sadly this forum isn't that ******* helpful...thanks for yours though.

    This is VERY disrespectful to the many very helpful and knowledgeable people on this forum. If you don't like it here, you're free to go elsewhere.
    No longer an active member

  8. Junior Member
    Join Date
    Jul 2016
    Posts
    21
    #7
    I don't really care if it's disrespectful, it's true... if you don't like facts then you are welcome to leave this post.

  9. Senior Member shochan's Avatar
    Join Date
    Sep 2016
    Location
    AR
    Posts
    437

    Certifications
    A+, Network+, i-Net+, Server+, Security+, MCP 70-210, Novell CNA 5.0
    #8
    OHHH, that is a great way to get help ANYWHERE, piss everyone off...move on dude, go do your own research and quit asking for help here.
    2017 -> Chillaxing & (reading C|EH - Matt Walker)
    2018 -> CCNA CyberOps (July Cohort)

  10. Junior Member
    Join Date
    Jul 2016
    Posts
    21
    #9
    lol, any more of you coming? Because I really don't care how many of you are getting offended.

  11. Senior Member
    Join Date
    Jan 2016
    Location
    King City, CA
    Posts
    380

    Certifications
    A+, Network+, Security+ce, Server+, Project+, MCSA Server 2008, CCENT, CCNA R&S, CEHv8, CHFIv8, CCNA Security
    #10
    Maybe you'll have better luck asking Mr. Lammle himself.

  12. Junior Member Registered Member
    Join Date
    Apr 2017
    Posts
    2
    #11
    That is a pretty bad example of a configuration for SNMP. At any rate, the book should not state the ACL protects the NMS, because that is not what this particular ACL is doing.

    router(config)#snmp-server community <string> ro <access_list_reference>

    The above configuration line defines the community string (basically, just a password). This is a v2 configuration, showing read-only, and you have the option to use a standard ACL with a number, or define the ACL with a name. But the ACL is used to restrict SNMP UDP traffic to the router/switch itself (specifically, the SNMP agent running on the device). The ACL does not restrict traffic to the NMS. If your organization has defined a management subnet/network, say the network is 172.16.2.0/24 and your NMS station lives in that network and has the IP of 172.16.2.10, then your ACL would be something like this:

    router(config)#access-list 20 permit 172.16.2.10

    In your SNMP configuration, you would put:
    snmp-server community myString ro 20

    20 refers to ACL 20... and you don't have to use a numbered ACL; if you want to use a named one you can... it's up to you.

    But the main point is, that ACL does not "protect" the NMS. It just restricts what hosts can send SNMP GET, GETNEXT, etc. commands to the SNMP agent on the device.

    And a couple of security points... it is best not to use rw (read/write) unless the NMS is actually going to send SNMP SET commands to make changes to the router/switch, etc. Always use ro, and configure the device via the CLI, preferably using TACACS or RADIUS or something that does accounting for audit purposes.
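As an added illustration (not code from the post or from Cisco IOS), a small Python model of the check the last post describes, using hypothetical functions parse_standard_acl, acl_permits and agent_handles: the ACL is evaluated against the source address of each inbound SNMP request, so the 172.16.2.10 it permits is the NMS, and the ACL guards the agent on the device rather than the NMS. It also models the ro/rw distinction by refusing SET on a read-only community.

```python
import ipaddress

def parse_standard_acl(lines):
    """Parse IOS standard ACL lines ('access-list 20 permit 172.16.2.10',
    '... permit 172.16.2.0 0.0.0.255' with wildcard mask, 'host X', 'any')
    into (action, network) tuples; a host entry becomes a /32."""
    entries = []
    for line in lines:
        _, _, action, *rest = line.split()
        if rest[0] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif rest[0] == "host":
            net = ipaddress.IPv4Network(rest[1] + "/32")
        elif len(rest) == 2:  # address + wildcard mask (contiguous mask assumed)
            prefix = 32 - int(ipaddress.IPv4Address(rest[1])).bit_length()
            net = ipaddress.IPv4Network(f"{rest[0]}/{prefix}", strict=False)
        else:                 # bare address is a host entry
            net = ipaddress.IPv4Network(rest[0] + "/32")
        entries.append((action, net))
    return entries

def acl_permits(entries, src_ip):
    """First matching entry wins; a standard ACL ends with an implicit deny."""
    ip = ipaddress.IPv4Address(src_ip)
    for action, net in entries:
        if ip in net:
            return action == "permit"
    return False

def agent_handles(communities, acls, src_ip, community, op):
    """Simplified model (not IOS code) of the agent's decision on one inbound request.
    communities: {string: (mode, acl_number or None)}; acls: {number: entries};
    op: 'get', 'getnext' or 'set'. Returns (answered, reason)."""
    if community not in communities:
        return False, "unknown community string"
    mode, acl_number = communities[community]
    if acl_number is not None and not acl_permits(acls[acl_number], src_ip):
        return False, "source address not permitted by the community's ACL"
    if op == "set" and mode == "ro":
        return False, "SET refused: community is read-only"
    return True, "ok"

# Constructed config matching the post: 'access-list 20 permit 172.16.2.10'
# and 'snmp-server community myString ro 20'. 172.16.2.10 is the NMS, i.e. the
# source address of the requests the agent receives, so the ACL guards the agent.
ACLS = {20: parse_standard_acl(["access-list 20 permit 172.16.2.10"])}
COMMUNITIES = {"myString": ("ro", 20)}
```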
