Network OS Administration Guide

Supporting Network OS 6.0.1a

Part Number: 53-1003768-04

Managing SNMP access rights using ACLs

Access lists (ACLs) enable you to permit or deny SNMP access by IP address.

SNMP server groups enable you to specify read, write, and notify permissions for the following entities:
  • Community, under SNMPv1 and SNMPv2c
  • User, under SNMPv3

For SNMP packets that pass community/user validation, access lists (ACLs) offer an additional permit/deny level, filtered by IP addresses that you specify.

If SNMP ACLs are applied, the validation order is as follows:
  1. SNMP-server validation (community/user string). If not validated, the SNMP packet is dropped.
  2. Server-ACL validation
    • If there is a deny match—including an explicit or implicit deny any rule—the packet is dropped.
      Unless you include an explicit permit any rule, an implicit deny any rule is automatically applied for IP addresses not explicitly permitted.
    • If there is a permit match—including a permit any rule—validation continues.
  3. Server-group validation, the concluding step of the validation flow
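The three-step flow above, modelled in Python as an added example (this is not Network OS code or CLI syntax); the community-to-group mapping, the ACL rules and the sample packets are constructed values, and an ACL is assumed to use first-match semantics with the implicit deny any described in step 2.

```python
"""Model of the SNMP validation order: server (community/user) validation,
then server-ACL validation, then server-group permission validation."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Hypothetical ACL rule: (action, prefix); action is "permit" or "deny",
# prefix is a CIDR string or "any".
Rule = Tuple[str, str]

# Constructed sample data: community string -> group and its permissions.
COMMUNITIES: Dict[str, dict] = {
    "monitor": {"name": "ro-group", "perms": {"read"}},
    "admin":   {"name": "rw-group", "perms": {"read", "write"}},
}
# Constructed sample ACL: no explicit "permit any", so anything outside
# 10.0.0.0/24 falls to the implicit deny any.
SNMP_ACL: List[Rule] = [("deny", "10.0.0.50/32"), ("permit", "10.0.0.0/24")]


def acl_match(rules: List[Rule], src: str) -> str:
    """First matching rule wins; no match -> implicit 'deny' (deny any)."""
    ip = ipaddress.ip_address(src)
    for action, prefix in rules:
        if prefix == "any" or ip in ipaddress.ip_network(prefix, strict=False):
            return action
    return "deny"  # implicit deny any for addresses not explicitly permitted


def validate_snmp(packet: dict, communities: Dict[str, dict],
                  acl: Optional[List[Rule]]) -> str:
    """Return the outcome of the documented validation order for one packet.
    packet = {"community": str, "src": str, "op": "read" | "write"}."""
    # 1. SNMP-server validation: unknown community/user -> packet dropped
    group = communities.get(packet["community"])
    if group is None:
        return "dropped: community/user validation failed"
    # 2. Server-ACL validation, only performed when an ACL is applied
    if acl is not None and acl_match(acl, packet["src"]) == "deny":
        return "dropped: ACL deny"
    # 3. Server-group validation: does the group grant this operation?
    if packet["op"] in group["perms"]:
        return f"allowed: {packet['op']} via group {group['name']}"
    return f"dropped: group {group['name']} lacks {packet['op']} permission"
```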