1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

You can use access lists to control the transmission of packets on an interface, control Simple Network Management Protocol (SNMP) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Rationale:

SNMP ACLs control what addresses are authorized to manage and monitor the device via SNMP. If ACLs are not applied, then anyone with a valid SNMP community string may monitor and manage the router. An ACL should be defined and applied for all SNMP community strings to limit access to a small number of authorized management stations segmented in a trusted management zone.

Solution

Configure an SNMP ACL that restricts access to the device to authorized management stations segmented in a trusted management zone.

hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list>
hostname(config)#access-list <snmp_acl_number> deny any log

Default Value:

SNMP does not use an access list.
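
An added example (not part of the benchmark or the audit file) of checking a saved running-config for this control: each `snmp-server community` line should reference a numbered ACL that is defined and ends in `deny any log`. The sample config, community names and addresses are constructed, and only numbered ACLs are handled.

```python
import re

# Constructed sample running-config lines (not from a real device).
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.10
access-list 10 deny   any log
access-list 20 permit 192.0.2.0 0.0.0.255
snmp-server community EXAMPLE-RO-1 RO 10
snmp-server community EXAMPLE-RO-2 RO 20
snmp-server community EXAMPLE-RO-3 RO
snmp-server community EXAMPLE-RW-1 view MGMT RW 30
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.*)$")
COMM_RE = re.compile(r"^snmp-server\s+community\s+(\S+)\s*(.*)$")

def parse_acls(config):
    """Map ACL number -> ordered list of (action, match tokens)."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
    return acls

def audit_snmp_acls(config):
    """Return {community: finding} for every snmp-server community line."""
    acls, findings = parse_acls(config), {}
    for line in config.splitlines():
        m = COMM_RE.match(line.strip())
        if not m:
            continue
        acl, skip = None, False
        for tok in m.group(2).split():
            if skip:                      # token after "view" is the view name
                skip = False
            elif tok.lower() == "view":
                skip = True
            elif tok.isdigit():           # numbered ACL; RO/RW fall through
                acl = tok
        if acl is None:
            findings[m.group(1)] = "no ACL applied"
        elif acl not in acls:
            findings[m.group(1)] = "ACL %s not defined" % acl
        elif acls[acl][-1] != ("deny", ["any", "log"]):
            findings[m.group(1)] = "ACL %s lacks final deny any log" % acl
        else:
            findings[m.group(1)] = "ok"
    return findings
```

Calling `audit_snmp_acls(SAMPLE_CONFIG)` returns one finding per community string, so a single unprotected community is not hidden by others that pass.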

See Also

https://workbench.cisecurity.org/benchmarks/12741