Information
This feature specifies a list of IP addresses that are allowed to use the community string to gain access to the SNMP agent.
If ACLs are not applied, then anyone with a valid SNMP community string can potentially monitor and manage the router. An ACL should be defined and applied for all SNMP access to limit access to a small number of authorized management stations segmented in a trusted management zone. If possible, use SNMPv3 which uses authentication, authorization, and data privatization (encryption).
Solution
Configure authorized SNMP community string and restrict access to authorized management systems.
hostname(config)#snmp-server community <community_string> ro {snmp_access-list_number | snmp_access-list_name}
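The following IOS configuration is an added example, not part of the benchmark text: it shows an unrestricted community beside the corrected form that binds a read-only community to a standard ACL, plus the SNMPv3 alternative the text recommends. The management subnet 10.0.100.0/24, the community name MGMT-RO, the ACL, group and user names, and the bracketed passwords are placeholders.

```cisco
! Added example; names, subnet and passwords below are assumed placeholders.
!
! Weak setting: no ACL, so any host that can reach the agent and knows the
! string can poll (and with rw, reconfigure) the router.
snmp-server community public ro
!
! Corrected: remove the unrestricted community, then bind a new read-only
! community to a standard ACL that permits only the management stations.
no snmp-server community public
!
ip access-list standard SNMP-MGMT-ACL
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
snmp-server community MGMT-RO ro SNMP-MGMT-ACL
!
! Preferred where supported: SNMPv3 with authentication and encryption
! (auth/priv), with the group bound to the same management ACL.
snmp-server group SNMPV3-GROUP v3 priv access SNMP-MGMT-ACL
snmp-server user nms-user SNMPV3-GROUP v3 auth sha <auth-password> priv aes 128 <priv-password>
!
! Verification: every community line should end with an ACL reference, and
! the ACL hit counters show which stations are actually polling.
show running-config | include snmp-server community
show access-lists SNMP-MGMT-ACL
```

The `deny any log` entry records rejected polls, which gives a simple detection signal for SNMP probes from outside the management zone.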
Impact:
To reduce the risk of unauthorized access, organizations should apply access control lists to all snmp-server communities and restrict access to the appropriate trusted management zones. If possible, implement SNMPv3 to add authentication, authorization, and data privatization (encryption).