If you do want to enable SNMP access from your management station, I would recommend creating an ACL to only allow SNMP access from your known management servers. Then follow the basic security rules: only enable management functions you need and don't use well-known community strings.
Don't forget: the Ethernet-Mgmt interface cannot be configured with a default gateway. If you use the Ethernet-Mgmt interface for remote management of the CSS, your server (HP OpenView or CiscoWorks) needs to be on the same local subnet. To get around this problem, we decided to manage the CSS in-band, with the back-end firewall configured with rules to protect against unauthorized access and to allow TACACS, SNMP, NTP, TFTP, FTP & TELNET.
A CAVEAT: The TACACS capabilities have a vulnerability: with TACACS enabled, you can still telnet to the CSS if you don't have a valid TACACS user account by using the local username & password configured on the CSS. In our case, the CSS first tries the TACACS server, which denies the request, but then allows the telnet to proceed by validating via the locally configured username/password.