[unisog] Cisco switch monitoring without SNMP

John Kristoff jtk at depaul.edu
Mon Oct 16 17:34:47 GMT 2006


On Mon, 16 Oct 2006 12:38:47 -0400
"Micheal Cottingham" <micheal.cottingham at sv.vccs.edu> wrote:

> My understanding is that the higher-ups don't want to use SNMP. That's
> about all I know. I'd love to use SNMP, but I can't. I did find the

Hi Michael,

Frankly, I'm curious how your higher ups expect you to successfully run
a network without being able to manage it.  Clearly they've never done
so themselves.  :-)

Presumably this is a result of some packet paranoia and the concern
about SNMPv1's weak authentication scheme.  Legitimate concern.  The
most basic way people mitigate this threat is to strictly prohibit
which source IP addresses (the SNMP manager stations) can reach the
gear with SNMP.  This does not prevent successful spoofed attacks,
but if the community string is not easily guessed and relatively well
safeguarded things should be fine.

If that still isn't a good enough solution you can try to build an
out-of-band management network, where only physical links connected
to some central NOC are allowed to get SNMP to your gear.  You can
do additional authentication mechanisms and even crypto there, but
I'm guessing this is overkill for your environment.

Sometimes, and this is a really annoying approach to have to take, but
hiring a consultant to come tell you what to do makes higher ups feel
all warm and fuzzy inside.  If you bring in the right people, they'll
get you to a reasonable enough compromise with the only drawback that
your spirit is weakened as you witness the higher ups trust some
outsider's ability over yours.

Sounds like an unfortunate situation to be in.  You may want to point
out to your higher ups that your colleagues (use me and this post as an
example if you want) think the no SNMP requirement is a silly idea.  Is
SNMP perfect?  Far from it.  Is it being used successfully by large and
numerous networks around the world without too much effort?  You bet.
Good luck with getting whatever it is you're trying to troubleshoot
resolved.

John
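The mitigation John describes above (restrict which manager stations can reach the gear over SNMP, keep the community string hard to guess) as a Cisco IOS configuration, shown with the weak setting beside the corrected one. This is an added example, not configuration from the original post; the address 192.0.2.10, the ACL number and the credential strings are placeholders. The last part goes beyond the post by showing SNMPv3, which supplies the authentication and encryption the post says you could add on an out-of-band network.

```cisco
! --- Weak setting (the SNMPv1 exposure the post refers to) ---
! Guessable community string, read-write, reachable from any source.
snmp-server community public RW

! --- Corrected setting: manager stations only, strong string, read-only ---
! Standard ACL listing the SNMP manager station(s); 192.0.2.10 is a placeholder.
access-list 10 remark SNMP manager stations only
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
! Community string is a placeholder; use a long random value and keep it RO.
! Note (as the post says): the source-IP filter does not stop a spoofed
! source, so the string still has to be guarded. The "log" on the deny line
! gives you a record of anyone else probing UDP/161.
snmp-server community REPLACE-WITH-LONG-RANDOM-STRING RO 10

! --- Beyond the post: SNMPv3 with per-user authentication and encryption ---
! No community string travels on the wire; the same ACL still applies.
! Group and user names and both passphrases are placeholders.
snmp-server group NOC-RO v3 priv access 10
snmp-server user nocmon NOC-RO v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER access 10
```

Once the manager stations are using SNMPv3, remove any remaining v1/v2c community lines so the only SNMP path left is the authenticated one.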

