How to monitor the external devices

Unanswered Question
Aug 12th, 2009

In our environment, we have an SNMP server and a log server with private IP addresses. There are two Layer 3 switches that have only public IP addresses. We would like to monitor and log them through the two internal servers. I have the following two options. One is to PAT the two internal servers and then access the two L3 switches by their public IP addresses; the other is to NAT the two external devices to private IP addresses and then access them by those private IP addresses.


Could you please give me some suggestions on which one is better?


Thanks a lot!

John Blakley Wed, 08/12/2009 - 10:52

Actually, either one should work.


I have external devices that I monitor. I believe it's going to matter more which direction your traffic is coming from. Are you sending information from the switches? If so, you'll need to static NAT the traffic back into your private range, whereas if you're pulling information, you can set up PAT for the two servers if they're not already allowed outside of the network.


HTH,

John
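As an added example (not part of the original thread), here is how the two directions John describes would be configured on a Cisco IOS edge router, together with the syslog destination on each external switch. The platform and all addresses are assumptions: 10.0.0.10 and 10.0.0.11 stand in for the SNMP and log servers, 203.0.113.0/24 for the public range, and 198.51.100.1 and 198.51.100.2 for the two external L3 switches (RFC 1918 and RFC 5737 documentation ranges, not the poster's).

```cisco
! Added example, not from the original post. Addresses are assumed
! documentation ranges (RFC 1918 / RFC 5737), not the poster's.
!
! --- Edge router (IOS) ---
interface GigabitEthernet0/0
 description Internet-facing
 ip address 203.0.113.1 255.255.255.0
 ip access-group FROM-INTERNET in
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside (management servers)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Pushed traffic (syslog, SNMP traps) must target a fixed public address
! that maps back to exactly one internal host: one static NAT per server.
! 203.0.113.10 = SNMP server, 203.0.113.11 = syslog server.
ip nat inside source static 10.0.0.10 203.0.113.10
ip nat inside source static 10.0.0.11 203.0.113.11
!
! Pulled traffic (SNMP polls) from other inside hosts can share one PAT
! address; the static entries above take precedence for the two servers.
access-list 10 permit 10.0.0.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
! Inbound on the outside interface the ACL is evaluated before NAT, so it
! matches the public (translated) addresses. Only the two switches may
! push syslog and traps, or answer SNMP polls, to the two servers.
ip access-list extended FROM-INTERNET
 permit udp host 198.51.100.1 host 203.0.113.11 eq syslog
 permit udp host 198.51.100.2 host 203.0.113.11 eq syslog
 permit udp host 198.51.100.1 host 203.0.113.10 eq snmptrap
 permit udp host 198.51.100.2 host 203.0.113.10 eq snmptrap
 permit udp host 198.51.100.1 eq snmp host 203.0.113.10
 permit udp host 198.51.100.2 eq snmp host 203.0.113.10
 deny   ip any any log
!
! --- Each external L3 switch ---
! Syslog is pushed by the switch, so it points at the server's static-NAT
! public address, never at the shared PAT address.
logging host 203.0.113.11
logging trap informational
```

The static entries are what make the second option of the question work without exposing the two servers to anything else: the PAT address that the rest of the inside network shares never appears in the switches' configuration, and the inbound ACL confines the translated addresses to the two switches and the three UDP services involved. Check translations with `show ip nat translations` and hits on the ACL with `show ip access-lists FROM-INTERNET`.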

HWangLoyalty_2 Wed, 08/12/2009 - 11:15

Thanks for your support!

I think we need to pull info from the two L3 switches to our SNMP and log server. But how do we configure them in the L3 switch?

for example

logging x.x.x.x

snmp-server host x.x.x.x


Which IP address should we use? I think it is the PAT one (public IP address). If it is, I think any PATed workstation sharing the same IP address could reach the two external devices. That is not acceptable from a security perspective. Please let me know if I am mistaken.


Thanks again.

John Blakley Wed, 08/12/2009 - 11:21

You'll need to configure your switch with an SNMP community string (something not easy to guess), and I would recommend setting it to read-only, like:


snmp-server community Th15i5MyC0mmun1tyStR1ng!!@ RO


That alone should allow you to pull information from it, as long as your SNMP management station logs in with the same community name above.


Which IP address is up to you. Your SNMP server will go out a public address, and if you want to allow only this address into your switch, then you'll need to figure out which one you want to use and allow only that address in your ACL on the switch. I would look into SNMPv3 since you're, I'm assuming, pulling information over the Internet and not through a VPN tunnel.


Here's a link for SNMPv3:


http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html


HTH,

John

HWangLoyalty_2 Wed, 08/12/2009 - 12:22

Thanks for your support!

I think I have to use static NAT with our internal servers, for security reasons, to access the two L3 switches. BTW, we use SNMPv2 to pull info over the Internet.

mjkantowski Fri, 08/14/2009 - 12:44

Make sure you also configure an SNMP access list so that you can limit the SNMP exposure. I would do this in addition to any interface ACLs you may or may not be using.


snmp-server community <community-string> RO 54


access-list 54 permit host <snmp-server-ip>
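Putting John's and mjkantowski's points together, here is an added example (not from the thread) of the SNMP side of one external switch: the read-only SNMPv2c community bound to an access list, and the SNMPv3 authPriv equivalent John recommends for polling over the Internet. The ACL number 54 follows mjkantowski's post; the community string, view, group and user names, passphrases, and the address 203.0.113.10 (assumed to be the SNMP server's static-NAT public address) are illustrative values, not the poster's.

```cisco
! Added example, not from the original posts. 203.0.113.10 is assumed to
! be the SNMP server's static-NAT public address; all names and secrets
! below are placeholders.
!
! Restrict which source addresses may speak SNMP to the switch at all,
! and log anything else so scans and misconfigured pollers show up.
access-list 54 remark SNMP managers only
access-list 54 permit host 203.0.113.10
access-list 54 deny   any log
!
! Option 1: SNMPv2c read-only community bound to the ACL (what the thread
! is using today). Note the string still crosses the Internet in cleartext.
snmp-server community Ex4mpl3-R0-C0mmun1ty RO 54
!
! Option 2 (preferred over the Internet): SNMPv3 authPriv, also bound to
! the ACL. The view bounds what the poller may read, the group demands
! authentication plus encryption, and the user carries the credentials.
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access 54
snmp-server user nms-poller NMS-GROUP v3 auth sha Ex4mpl3AuthPa55 priv aes 128 Ex4mpl3PrivPa55 access 54
!
! Traps are pushed to the server's static-NAT address, authenticated and
! encrypted with the same v3 user; a failed community/auth attempt raises
! an authentication trap.
snmp-server host 203.0.113.10 version 3 priv nms-poller
snmp-server enable traps snmp authentication linkdown linkup coldstart
```

With both options present, the poller is moved to v3 first and the v2c community line is removed afterwards; only then is the cleartext string gone from the wire. Because no RW community or group is configured, the switch refuses SET requests entirely. Verify with `show snmp group` and `show snmp user` (v3 users do not appear in the running configuration), and watch `show access-lists 54` for denied sources.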
