08-12-2009 10:36 AM - edited 03-06-2019 07:13 AM
In our environment, we have an SNMP server and a log server with private IP addresses. There are two Layer 3 switches with only public IP addresses. We would like to monitor and log them through the two internal servers. I have the following two options. One is to PAT the two internal servers and then access the two L3 switches by their public IP addresses; the other is to NAT the two external devices to private IP addresses and then access them by those private addresses.
Could you please give me some suggestions on which one is better?
Thanks a lot!
08-12-2009 10:52 AM
Actually, either one should work.
I have external devices that I monitor. I believe it matters more which direction your traffic is coming from. Are you sending information from the switches? If so, you'll need to static NAT the traffic back into your private range, whereas if you're pulling information, you can set up PAT for the two servers if they're not already allowed outside of the network.
HTH,
John
08-12-2009 11:15 AM
Thanks for your support!
I think we need to pull info from the two L3 switches to our SNMP and log server. But how do we configure them in the L3 switch?
for example
logging x.x.x.x
snmp-server host x.x.x.x
Which IP address should we use? I think it is the PAT one (the public IP address). If it is, I think any PATed workstation sharing the same IP address could reach the two external devices. That is not acceptable from a security perspective. Please let me know if I am mistaken.
Thanks again.
08-12-2009 11:21 AM
You'll need to configure your switch with an SNMP community string (something not easy to guess) and I would recommend setting it to read-only like:
snmp-server community Th15i5MyC0mmun1tyStR1ng!!@ RO
That alone should allow you to pull information from it as long as your snmp management station logs in with the same community name above.
Which IP address is up to you. Your SNMP server will go out a public address, and if you're wanting to allow only this address into your switch, then you'll need to figure out which one you want to use and allow only that address in your ACL on the switch. I would look into SNMPv3 since you're, I'm assuming, pulling information over the Internet and not through a VPN tunnel.
Here's a link for SNMPv3:
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html
HTH,
John
08-12-2009 12:22 PM
Thanks for your support!
I think I have to use static NAT with our internal servers for security reasons to access the two L3 switches. BTW, we use SNMPv2 to pull info over the Internet.
08-14-2009 12:44 PM
Make sure you also configure an SNMP access-list so that you can limit the SNMP exposure. I would do this in addition to any interface ACLs you may or may not be using.
snmp-server community
access-list 54 permit
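Putting the advice from the two replies above together (read-only community string, an SNMP access-list, an interface ACL, SNMPv3 when polling over the Internet, and static NAT for the management server), here is an added IOS configuration example. It is not from the original thread or from Cisco documentation; the addresses, interface name, group/user/view names and passwords are placeholders chosen for illustration: 203.0.113.10 is assumed to be the static NAT (public) address of the internal SNMP/syslog server and 198.51.100.1 the switch's public interface address.

```cisco
! Added example, not from the original thread. All addresses, names and
! passwords below are assumptions for illustration.
!
! 1. Standard ACL naming the ONLY host allowed to poll SNMP.
!    With a static 1:1 NAT this public address belongs to the management
!    server alone. With PAT it would be shared by every internal host, which
!    is the concern raised in the thread and why SNMPv3 authentication matters.
access-list 54 remark SNMP manager = static NAT of internal SNMP/log server
access-list 54 permit 203.0.113.10
access-list 54 deny   any log
!
! 2. SNMPv2c fallback: read-only community bound to ACL 54.
!    No RW community is configured at all.
snmp-server community Th15i5MyC0mmun1tyStR1ng!!@ RO 54
!
! 3. Preferred for polling across the Internet: SNMPv3 authPriv.
!    v2c sends the community string in cleartext; v3 with SHA auth and
!    AES privacy authenticates the manager and encrypts the traffic.
!    The same ACL 54 is applied to the group and the user.
snmp-server view RO-VIEW iso included
snmp-server group MONITOR v3 priv read RO-VIEW access 54
snmp-server user monitor MONITOR v3 auth sha Auth-Passphrase-Here priv aes 128 Priv-Passphrase-Here access 54
!
! 4. Syslog is PUSHED from the switch, so it goes to the server's public
!    (static NAT) address; the NAT device must translate it inbound.
logging host 203.0.113.10
logging trap informational
logging source-interface GigabitEthernet0/1
!
! 5. Interface ACL as defence in depth on the public-facing interface:
!    only the management server reaches UDP/161, everything else to that
!    port is dropped and logged. Add the rest of your inbound policy below.
ip access-list extended OUTSIDE-IN
 remark SNMP only from the management server
 permit udp host 203.0.113.10 host 198.51.100.1 eq snmp
 deny   udp any host 198.51.100.1 eq snmp log
 deny   udp any host 198.51.100.1 eq snmptrap log
 permit ip any any
!
interface GigabitEthernet0/1
 description Public-facing uplink (assumed)
 ip access-group OUTSIDE-IN in
```

Two checks after applying this: `show snmp user` should list the v3 user with the auth and priv protocols shown, and a poll from any address other than 203.0.113.10 should produce ACL deny log entries rather than a response. Once the v3 poller is working, the v2c community line can be removed so that only authenticated, encrypted polling remains.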