[unisog] Cisco switch monitoring without SNMP
t.eden at unsw.edu.au
Tue Oct 17 00:25:08 GMT 2006
There are various ways to secure SNMP access to Cisco routers. First of
all, hopefully your switch management interfaces are already on tightly
secured VLANs which block access from anywhere bar your management
gateway. If not, move them to such a VLAN and ensure the ACLs/firewall
rules surrounding this VLAN allow only the necessary traffic. Secondly,
as people already mentioned you can configure read-only SNMP strings
which also have ACLs tied to them. e.g.:
snmp-server community <snmp_string> RO 1
access-list 1 permit 10.10.10.10
Thus permitting only the one host read-only SNMP access to the switch,
with the one host being the box that you want to monitor the switches
with. If the devices are fairly new you could also use SNMP v3 which
supports MD5 and SHA-1 authentication.
Combining SNMP with something like Cacti - http://www.cacti.net, should
give you a much better insight into the performance of your network and
hopefully improved ability to troubleshoot your particular problem.
Cacti is open source, runs on Windows and comes with templates "out of
the box" to monitor interface utilisation, error rates on interfaces
etc. Sounds like just the thing you need.
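An added configuration example, not part of the original post, that carries the two approaches above through on one switch: the read-only v2c community locked to a single poller by ACL, and an SNMPv3 user with SHA-1 authentication and AES privacy bound to the same ACL, with the HTTP interface left off. The view, group and user names and the secrets are placeholders; 10.10.10.10 is the monitoring host as in the post.

```cisco
! Added example, not from the original post. Names and secrets are
! placeholders; 10.10.10.10 is the box that polls the switches.
!
! One ACL shared by both methods: permit the poller, log everything else
! so stray SNMP attempts show up in syslog.
access-list 10 permit host 10.10.10.10
access-list 10 deny any log
!
! Option 1: SNMPv2c read-only community, reachable only from ACL 10.
! The community string still crosses the wire in clear text.
snmp-server community <snmp_string> RO 10
!
! Option 2: SNMPv3 authPriv. Limit what the group may read to a view,
! and tie both the group and the user to ACL 10. "priv aes 128" needs
! a crypto-capable IOS image.
snmp-server view MONITOR-VIEW iso included
snmp-server group MONITOR-GROUP v3 priv read MONITOR-VIEW access 10
snmp-server user monitor MONITOR-GROUP v3 auth sha <auth_secret> priv aes 128 <priv_secret> access 10
!
! Keep the web interface off, as discussed in the thread.
no ip http server
no ip http secure-server
```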
Paul FM wrote:
> I think, if you want to do this (safely) you will have to convince the higher
> ups to allow some SNMP read-only access to the switches (note - cisco
> switches can be configured to only allow specified addresses to get access to
> the snmp connection, and there are access levels you can assign to it as well).
> The only other options are to look at net flows or sys-log logging (which may
> not provide the information you are looking for). I think even RMON works
> through SNMP.
> Micheal Cottingham wrote:
>> My understanding is that the higher-ups don't want to use SNMP. That's
>> about all I know. I'd love to use SNMP, but I can't. I did find the
>> Cisco Networking Assistant from Cisco, but it requires the HTTP
>> interface to be on, which is a big no-no in my book. It is rather nice
>> though. The problem with expect scripts is we run a Windows-only
>> environment, which unfortunately limits what we can do with that. I
>> appreciate the suggestions.