[unisog] Cisco switch monitoring without SNMP

Tim Eden t.eden at unsw.edu.au
Tue Oct 17 00:25:08 GMT 2006


There are various ways to secure SNMP access to Cisco routers. First of 
all, hopefully your switch management interfaces are already on tightly 
secured VLANs which block access from anywhere bar your management 
gateway. If not, move them to such a VLAN and ensure the ACLs/firewall 
rules surrounding this VLAN allow only the necessary traffic. Secondly, 
as people already mentioned you can configure read-only SNMP strings 
which also have ACLs tied to them. e.g.:

snmp-server community <snmp_string> RO 1
access-list 1 permit 10.10.10.10

Thus permitting only the one host read-only SNMP access to the switch, 
with the one host being the box that you want to monitor the switches 
with. If the devices are fairly new you could also use SNMP v3 which 
supports MD5 and SHA-1 authentication.

Combining SNMP with something like Cacti (http://www.cacti.net) should 
give you a much better insight into the performance of your network and 
hopefully improved ability to troubleshoot your particular problem. 
Cacti is open source, runs on Windows and comes with templates "out of 
the box" to monitor interface utilisation, error rates on interfaces 
etc. Sounds like just the thing you need.

Cheers,

Tim
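As an added illustration of the hardening Tim describes (read-only community bound to an ACL that permits only the monitoring host, or SNMPv3 with authentication), here is a small audit script that is not part of the original post: it scans a running-config excerpt and flags communities with no ACL, read-write communities, ACLs that are referenced but never defined, and v3 groups configured below the priv level. The config excerpt and community names are constructed, and the matched syntax is the plain IOS form `snmp-server community <string> [RO|RW] [acl]` without view or ipv6 options.

```python
import re

# Constructed running-config excerpt (not from the list post): one community
# bound to an ACL as the post describes, plus a few weaker leftovers to flag.
SAMPLE_CONFIG = """\
snmp-server community m0n1t0r RO 1
snmp-server community private RW
snmp-server community public RO 5
snmp-server group NMS v3 priv
snmp-server group LEGACY v3 noauth
access-list 1 permit 10.10.10.10
"""

# Assumed IOS syntax: "snmp-server community <string> [RO|RW] [acl]"
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$")
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+)")


def audit_snmp(config: str) -> list[str]:
    """Return one finding per weak SNMP setting found in a config text."""
    acls: dict[str, list[str]] = {}      # ACL id -> permitted sources
    communities: list[tuple] = []        # (string, RO/RW, acl id)
    findings: list[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := COMMUNITY_RE.match(line):
            communities.append(m.groups())
        elif m := GROUP_RE.match(line):
            # v3 without priv still sends the payload in the clear
            if m.group(2) != "priv":
                findings.append(f"v3 group {m.group(1)}: level {m.group(2)}, no privacy")
    for name, mode, acl in communities:
        if mode == "RW":
            findings.append(f"community {name}: read-write access")
        if acl is None:
            findings.append(f"community {name}: no ACL, any host may query")
        elif acl not in acls:
            findings.append(f"community {name}: ACL {acl} referenced but not defined")
        elif "any" in acls[acl]:
            findings.append(f"community {name}: ACL {acl} permits any")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```

Run against a real `show running-config` dump, the script produces no output for a device that matches the configuration in the post.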


Paul FM wrote:
> I think, if you want to do this (safely) you will have to convince the higher 
> ups to allow some SNMP read-only access to the switches (note - Cisco 
> switches can be configured to only allow specified addresses to get access to 
> the SNMP connection, and there are access levels you can assign to it as well).
>
> The only other options are to look at net flows or sys-log logging (which may 
> not provide the information you are looking for).  I think even RMON works 
> through SNMP.
>
>
> Micheal Cottingham wrote:
>   
>> My understanding is that the higher-ups don't want to use SNMP. That's
>> about all I know. I'd love to use SNMP, but I can't. I did find the
>> Cisco Networking Assistant from Cisco, but it requires the HTTP
>> interface to be on, which is a big no-no in my book. It is rather nice
>> though. The problem with expect scripts is we run a Windows-only
>> environment, which unfortunately limits what we can do with that. I
>> appreciate the suggestions.
>>
>> Micheal
>>
>>

