Please help. I need to create an SNMP community with access to only one subnet and deny others?


Please check if this is correct:

Can I apply the following policy to the SNMP community:

    entry iprule1 {
        if {
            source-address 10.1.2.0/24 ;
        }
        then {
            permit ;
        }
    }

    entry iprule2 {
        if {
        }
        then {
            deny ;
        }
    }

Or is there a simpler way?


ashish sharma


Posted 3 years ago


Brandon Clay, Escalation Support Engineer

Hi Ashish,

You should be able to apply that to SNMP as an access profile. See the following GTAC Knowledge article for more information:
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-restrict-SNMP-access

-Brandon

Paul Russo, Alum

Ashish, as Brandon mentions, you use access profiles to restrict SNMP, Telnet and/or SSH. The file is the same as you list above, but you use the create access profile command so that the switch knows to use this file for traffic to the switch.

An access list affects traffic through the switch.

Another suggestion you could make is adding the L4 port as well as a counter.


Thanks
P

Stephen Williams, Employee

It will work but you don't need iprule2 "the deny rule".  ACLs and access profiles look the same but access profiles have an implicit deny at the end, unlike normal ACLs.

--Stephen
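
An added example, not part of the original thread and not Extreme's code: a small Python model of the fall-through behaviour described in the answer above. It parses the policy syntax from the question (only `source-address` with `permit`/`deny`, an assumption of this model) and evaluates a source IP first-match-wins, with the default set to deny for an access profile and permit for a normal ACL. The function names are hypothetical.

```python
import ipaddress
import re

# The policy from the question, with the explicit deny entry (iprule2) left out.
POLICY = """
entry iprule1 {
    if {
        source-address 10.1.2.0/24 ;
    }
    then {
        permit ;
    }
}
"""

# Assumption: entries contain one optional source-address match and one action.
ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{\s*(permit|deny)\s*;\s*\}\s*\}",
    re.S,
)
SRC_RE = re.compile(r"source-address\s+(\S+)\s*;")


def parse_policy(text):
    """Return [(name, network_or_None, action)]; None means an empty match block."""
    rules = []
    for name, match_block, action in ENTRY_RE.findall(text):
        src = SRC_RE.search(match_block)
        net = ipaddress.ip_network(src.group(1)) if src else None
        rules.append((name, net, action))
    return rules


def evaluate(rules, source_ip, implicit_deny):
    """First matching entry wins; if none matches, apply the default action."""
    ip = ipaddress.ip_address(source_ip)
    for name, net, action in rules:
        if net is None or ip in net:  # an empty match block matches everything
            return action, name
    return ("deny" if implicit_deny else "permit"), "implicit"


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for ip in ("10.1.2.50", "192.168.5.9"):  # constructed sample addresses
        print(ip, "access profile:", evaluate(rules, ip, implicit_deny=True),
              "| normal ACL:", evaluate(rules, ip, implicit_deny=False))
```

With only iprule1 loaded, an address outside 10.1.2.0/24 is denied under access-profile semantics but permitted under normal ACL semantics, which is why the explicit deny entry matters only in the second case.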