SNMP Server Community ACL

I have some doubts about task requirements regarding SNMP and the RW and RO community ACLs. Basically how I see it, is if no ACL is configured for the community then any SNMP server that has that community would be able to communicate either RO, or RW. Now when we add an ACL to a community permitting or denying certain management for say... RW access, only that station would be allowed/denied. I don't believe we have to add an ACL on the RO for management stations. I'm referring to WB 2 Lab 7 Task 7.1.

My configuration:

snmp-server community CISCORW RW 4
snmp-server community CISCORO RO
snmp-server system-shutdown
snmp-server host 191.1.7.100 CISCOTRAP
snmp-server host 191.1.77.100 CISCOTRAP

access-list 4 permit 191.1.7.100

Solution:

access-list 25 permit 191.1.7.100
access-list 25 permit 191.1.77.100
access-list 50 permit 191.1.7.100
!
snmp-server community CISCORO RO 25
snmp-server community CISCORW RW 50
snmp-server system-shutdown
snmp-server host 191.1.7.100 CISCOTRAP
snmp-server host 191.1.77.100 CISCOTRAP
snmp-server enable traps

Why are they adding an ACL to the RO community? I don't think this would be required as both stations would be allowed anyway.

Comments

  • If you don't add the ACL 25 any IP that has the RO community would be able to read the MIBs on that device. In this case the task is explicitly asking to only allow 191.1.7.100 and 191.1.77.100. Therefore, you need the ACL, as there will be an implicit deny at the end of the ACL that will deny all other IPs from reading MIBs using that RO community.

    Hope this clears it up for you.

    Good luck with your studies!

  • I think you meant Lab 6.

    It's all about the wording. In this specific case, you would probably be OK with only using an ACL on RW.

    Using an ACL is quite valid too, since it says "R3 will be managed by two separate network management servers" - so you know that it's only managed by those two systems.

    Don't worry too much about it here - just make sure you pay attention to the wording.

    Of course, in the real world, you would almost always use an ACL.

  • Yes, Lab 6. Sorry. Ok, thanks guys. Just wanted to clear that up.

  • In this case the task is explicitly asking to only allow 191.1.7.100 and 191.1.77.100. 

    I'm not sure about that - here's the task wording:

    Configure R3 to be managed via SNMP. R3 will be managed by two
    separate network management servers.

    The first network management server’s IP address is 191.X.7.100 and
    second network management server’s IP address is 191.X.77.100.

    The network management servers will be expecting SNMP traps to use
    community string CISCOTRAP.

    The network management servers will be expecting the RO community
    string to be CISCORO and the RW community string to be CISCORW.

    Only allow the first network management server to access the RW
    community string.

    Allow R3 to be reloaded via SNMP.

    My reading of that is that an ACL is only required for the RW string. The task does not explicitly state that you need an ACL for RO. You could imply that, but it's not explicitly stated. 

    But no need to get hung up on it though - it should be clear in the exam, and you can check with the proctor if you need.
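As an added illustration (not code from the thread or the workbook), the Python below models how IOS evaluates a standard ACL bound to an SNMP community: an unbound community accepts any source, the first matching entry wins, and every ACL ends in an implicit deny. The two configs are constructed copies of the ones quoted above; only host entries, wildcard masks and `any` are parsed.

```python
import ipaddress
import re

# Constructed copy of the thread's solution: ACL 25 on the RO community, ACL 50 on RW
SOLUTION_CONFIG = """
access-list 25 permit 191.1.7.100
access-list 25 permit 191.1.77.100
access-list 50 permit 191.1.7.100
snmp-server community CISCORO RO 25
snmp-server community CISCORW RW 50
"""

# Constructed copy of the original poster's config: no ACL bound to the RO community
OP_CONFIG = """
snmp-server community CISCORW RW 4
snmp-server community CISCORO RO
access-list 4 permit 191.1.7.100
"""

COMMUNITY_RE = re.compile(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$")
ACL_RE = re.compile(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")

def parse_config(text):
    """Return (communities, acls): community -> (mode, acl or None); acl -> [(action, network)]."""
    communities, acls = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            communities[m.group(1)] = (m.group(2), m.group(3))
        elif m := ACL_RE.match(line):
            acl, action, addr, wildcard = m.groups()
            if addr == "any":
                net = ipaddress.ip_network("0.0.0.0/0")
            else:
                # IOS wildcard mask is the inverse of a netmask; a bare host entry means 0.0.0.0
                netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard or "0.0.0.0"))
                net = ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(netmask)}", strict=False)
            acls.setdefault(acl, []).append((action, net))
    return communities, acls

def snmp_allowed(config_text, community, source_ip):
    """True if a request carrying `community` from `source_ip` would be accepted."""
    communities, acls = parse_config(config_text)
    if community not in communities:
        return False              # unknown community string: request is dropped
    _mode, acl = communities[community]
    if acl is None:
        return True               # no ACL bound: any source may use this community
    src = ipaddress.ip_address(source_ip)
    for action, net in acls.get(acl, []):
        if src in net:
            return action == "permit"   # first matching entry wins
    return False                  # implicit deny at the end of every IOS ACL
```

With `OP_CONFIG`, `snmp_allowed(OP_CONFIG, "CISCORO", "10.0.0.5")` returns True, which is exactly the exposure the first comment describes; with `SOLUTION_CONFIG` the same call returns False.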
