1.5.6 Create an 'access-list' for use with SNMP

Information

You can use access lists to control the transmission of packets on an interface, control Simple Network Management Protocol (SNMP) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

SNMP ACLs control which addresses are authorized to manage and monitor the device via SNMP. If no ACL is applied, anyone who knows a valid SNMP community string can monitor and, with a read-write string, manage the router. An ACL should be defined and applied to every SNMP community string so that access is limited to a small number of authorized management stations segmented in a trusted management zone.

Solution

Configure an SNMP ACL that restricts SNMP access to the device to authorized management stations segmented in a trusted management zone, then apply it to each community string.

hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list>
hostname(config)#access-list <snmp_acl_number> deny any log
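As an added example (not part of the audit item or the CIS benchmark), a small Python checker that audits a running-config excerpt against this control: every snmp-server community line must reference an ACL, that ACL must be defined, and it must carry an explicit "deny any log" entry. The sample configuration, community names and addresses are constructed; the standard IOS access-list and snmp-server community syntax is assumed.

```python
import re

# Constructed sample running-config excerpt (not from the page): one community
# bound to a defined ACL, one bound to an undefined ACL, one with no ACL at all.
SAMPLE_CONFIG = """\
access-list 10 permit host 192.0.2.10
access-list 10 permit 192.0.2.32 0.0.0.15
access-list 10 deny any log
snmp-server community MonitorOnly RO 10
snmp-server community OpsWrite RW 20
snmp-server community public RO
"""

# Numbered standard/extended ACL entry: access-list <n> permit|deny <rest>
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.*)$")
# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community\s+(\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$"
)


def parse_acls(config):
    """Return {acl_number: [(action, rest), ...]} for numbered access-list lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return acls


def audit_snmp_acls(config):
    """Return a list of (community, finding) tuples; an empty list means compliant."""
    acls = parse_acls(config)
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        community, acl = m.group(1), m.group(3)
        if acl is None:
            findings.append((community, "no ACL applied"))
        elif acl not in acls:
            findings.append((community, f"ACL {acl} is not defined"))
        elif not any(a == "deny" and r.startswith("any") and "log" in r
                     for a, r in acls[acl]):
            findings.append((community, f"ACL {acl} lacks an explicit 'deny any log'"))
    return findings


if __name__ == "__main__":
    for community, finding in audit_snmp_acls(SAMPLE_CONFIG):
        print(f"{community}: {finding}")
```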

See Also

https://workbench.cisecurity.org/benchmarks/17130

Item Details

Category: ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-17(3), 800-53|SI-7, CSCv7|11.7

Plugin: Cisco

Control ID: a3a68fca8231f582660f87c5c63edbc6f81d21b5e0a440de68890eb58e9fbf6f