1.5.5 Set the ACL for each 'snmp-server community'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This feature specifies a list of IP addresses that are allowed to use the community string to gain access to the SNMP agent.

Rationale:

If ACLs are not applied, then anyone with a valid SNMP community string can potentially monitor and manage the router. An ACL should be defined and applied for all SNMP access to limit access to a small number of authorized management stations segmented in a trusted management zone. If possible, use SNMPv3 which uses authentication, authorization, and data privatization (encryption).

Impact:

To reduce the risk of unauthorized access, Organizations should enable access control lists for all snmp-server communities and restrict the access to appropriate trusted management zones. If possible, implement SNMPv3 to apply authentication, authorization, and data privatization (encryption) for additional benefits to the organization.

Solution

Configure authorized SNMP community string and restrict access to authorized management systems.

hostname(config)#snmp-server community <<em>community_string</em>> ro {<em>snmp_access-list_number |
<span>snmp_access-list_name</span></em><span>}</span>

Default Value:

No ACL is set for SNMP

See Also

https://workbench.cisecurity.org/files/3801