Details

You can use access lists to control the transmission of packets on an interface, control Simple Network Management Protocol (SNMP) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Rationale:

SNMP ACLs control what addresses are authorized to manage and monitor the device via SNMP. If ACLs are not applied, then anyone with a valid SNMP community string may monitor and manage the router. An ACL should be defined and applied for all SNMP community strings to limit access to a small number of authorized management stations segmented in a trusted management zone.

Solution

Configure SNMP ACL for restricting access to the device from authorized management stations segmented in a trusted management zone.

hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list>
hostname(config)#access-list deny any log

Default Value:

SNMP does not use an access list.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3160https://workbench.cisecurity.org/files/3160

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Cisco.

References

• 800-53|SC-7(15)
• CSCv6|11.7
• CSCv7|11.7

Source

• Tenable.com/audits