SNMPv2c Secured with ACLs

#CCNA candidates can struggle with SNMP configuration for a couple of reasons. First, in real life, you configure SNMP on each device and then ignore the configuration. Because of that, when you do have to configure it, most of us copy the config from another device or from a template, so you might configure SNMP on a new device without even remembering what the commands do.
This lab gives you a chance to practice SNMP and exercise your memory of the commands. It also adds a twist: restricting SNMP rights to only a small range of IPv4 addresses.
Requirements
For this lab, configure SNMP on both routers in the figure. Additionally, configure the routers so that the router ignores SNMP packets from hosts except those sent from hosts in subnet 172.16.1.0/24.
Note that the lab begins with all the interfaces shown in Figure 1 connected and IP addresses configured, with EIGRP used to learn routes. Specifically, use the following requirements for both routers:
- Use SNMP version 2c
- Use an SNMP read-only password of ‘readonly’
- Use an SNMP read-write password of ‘readwrite’
- Limit all community access to the 172.16.1.0/24 network using ACL 1
- Use an SNMP Location of ‘Cincinnati’
- Use an SNMP Contact of ‘Chris’
Figure 1: Two Routers with IP Addresses
Initial Configuration
Examples 1 and 2 show the beginning configuration state of R1 and R2.
Example 1: R1 Config
hostname R1
!
interface GigabitEthernet0/1
 ip address 10.15.20.1 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/2
 ip address 172.17.1.1 255.255.255.0
 no shutdown
!
router eigrp 1
 network 10.0.0.0
 network 172.17.0.0
Example 2: R2 Config
hostname R2
!
interface GigabitEthernet0/1
 ip address 10.15.20.2 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/2
 ip address 172.16.1.2 255.255.255.0
 no shutdown
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
Answer on Paper, or Maybe Test in Lab
Next, write your answer on paper. Or if you have some real gear, or other tools, configure the lab using them.
If you do try this on real gear, the trick is to test the ability to retrieve SNMP data using the SNMP GET protocol message. To do that, try searching for tools online like snmpget and snmpwalk. These tools let you send SNMP GET messages without a full-fledged NMS installed. In particular, if you test in a lab with a Linux host or VM available, use snmpwalk -v 2c -c string ip-address, replacing string with the community string and ip-address with the router's address. Begin with a ping of the router IP address to make sure connectivity exists. If that works, and you configure SNMP correctly on the router, then your SNMP test will hopefully work.
To test whether the ACL restricts the traffic or not, you can either change the address of the host from which you test, or change your ACL. For instance, find the IP address used on the host from which you are testing. Then change your ACL on R1 to specifically deny traffic from that host’s IP address. Then re-try your SNMP tests, and the requests should now fail.
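Before changing anything on a router, it helps to be able to predict which sources ACL 1 will admit. The following Python is an added example, not part of the original lab: it evaluates IOS-style standard ACL lines against a source address using wildcard-mask matching, first match wins, with the implicit deny at the end. The ACL lines and host addresses in it are constructed for this lab's 172.16.1.0/24 requirement and the "deny your test host" check described above.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the ACL entry actually checks
    return (a & care) == (b & care)


def parse_standard_acl(lines):
    """Turn 'access-list N permit|deny <source>' lines into (action, base, wildcard) tuples."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                # ignore anything that is not an ACL entry
        action, rest = parts[2], parts[3:]
        if rest[0] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            base, wc = rest[1], "0.0.0.0"
        elif len(rest) == 1:        # bare address is shorthand for a host entry
            base, wc = rest[0], "0.0.0.0"
        else:
            base, wc = rest[0], rest[1]
        entries.append((action, base, wc))
    return entries


def acl_permits(acl_lines, source: str) -> bool:
    """First matching entry decides; no match means the implicit deny applies."""
    for action, base, wc in parse_standard_acl(acl_lines):
        if wildcard_match(source, base, wc):
            return action == "permit"
    return False


# Constructed ACL meeting the lab requirement: only 172.16.1.0/24 may use the communities.
LAB_ACL = ["access-list 1 permit 172.16.1.0 0.0.0.255"]

# Constructed variant for the test described above: deny the NMS host (172.16.1.9)
# ahead of the subnet permit, so SNMP requests from it should now fail.
TEST_ACL = ["access-list 1 deny host 172.16.1.9"] + LAB_ACL

if __name__ == "__main__":
    for src in ("172.16.1.9", "172.17.1.5", "10.15.20.2"):
        print(f"LAB_ACL  {src:<12} -> {'permit' if acl_permits(LAB_ACL, src) else 'deny'}")
    print(f"TEST_ACL 172.16.1.9   -> {'permit' if acl_permits(TEST_ACL, '172.16.1.9') else 'deny'}")
```

Only the source address of the SNMP request is evaluated here, which mirrors what a standard ACL attached to a community string does on the router.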
Do this Lab with Cisco’s CML (Formerly VIRL)
You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for Cisco Modeling Lab – Personal (CML-P). CML-P replaces Cisco Virtual Internet Routing Lab (VIRL) software, in effect serving as VIRL Version 2.
Below, find two files: a file useful with CML-P and another useful with VIRL. (Note that the CML-P file has a .yaml filetype, while the older VIRL file has a VIRL filetype.) Once the file is loaded, CML-P or VIRL will create a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well.
Network Device Info
The CML/VIRL file uses the exact same ports and topology as the original lab exercise.
Host Device Info
This table lists host information pre-configured in CML/VIRL, information that might not be required by the lab but may be useful to you.
| Device | IP Address | MAC Address | User/password |
|---|---|---|---|
| S/NMS | 172.16.1.9 | 02:00:11:11:11:11 | cisco/cisco |
Handy Host Commands:
To see PC IP address: ifconfig eth1
Ping example: ping -c 4 10.1.1.1
Trace example: tracepath 10.1.1.1
To connect to another node within the topology: telnet 10.1.1.1