NMS's usually have IP ranges that "should" be set, If a network manager knows ones network/s then one "should" restrict the discovery to one's networks and sub-net's. ARP table, NIS and router discovery can also be controlled. I must admit that when I recived my first NMS ( Spectrum ) I let it run wild! ... Not good. It seems to me that the need for network managers is pushing companys to hire green people, and we have growing pains that cascade problems out. Then there are the "bad people" that are attempting to crack the "ice". Knowing that there will allways be people who are motivated by "breaking down walls" , we must find ways to minimize their actions. How does one prevent the probes from chewing-up the router's CPU time? - or - preventing the probes from getting that far? Oh well ..... I love it! .. ACK!! |}
Mat Miller wrote : |-> |-> How does one prevent the probes from chewing-up the router's CPU time? |-> - or - preventing the probes from getting that far? |-> If the probes are using a substantial amount of CPU inside the network, it may be cheaper (CPU-wise) to deny SNMP inbound on border routers...Bye Bye problem, Hello access-list log to automate email from ;) |-> Oh well ..... I love it! .. ACK!! |-> |-> |} |-> Cheers, Lyndon Levesley Xara Networks -- Penis Envy is a total Phallusy.
If the probes are using a substantial amount of CPU inside the network, it may be cheaper (CPU-wise) to deny SNMP inbound on border routers...Bye Bye problem, Hello access-list log to automate email from ;)
Yup, thats exactly the right thing to do, my network drops all SNMP packets at all transit and access points, mmm Ascend GRF :-) Regards, Neil. -- Neil J. McRae - Alive and Kicking. D O M I N O neil@DOMINO.ORG NetBSD/sparc - 100% SpF (Solaris protection Factor) Free the daemon in your <A HREF="http://www.NetBSD.ORG/">Computer!</A>
That is funny, one of our Ascend GRF units ignores SNMP completely (even to itself). (Not desired behavior). -Deepak. On Fri, 11 Apr 1997, Neil J. McRae wrote:
If the probes are using a substantial amount of CPU inside the network, it may be cheaper (CPU-wise) to deny SNMP inbound on border routers...Bye Bye problem, Hello access-list log to automate email from ;)
Yup, thats exactly the right thing to do, my network drops all SNMP packets at all transit and access points, mmm Ascend GRF :-)
Regards, Neil. -- Neil J. McRae - Alive and Kicking. D O M I N O neil@DOMINO.ORG NetBSD/sparc - 100% SpF (Solaris protection Factor) Free the daemon in your <A HREF="http://www.NetBSD.ORG/">Computer!</A>
Deepak Jain wrote:
That is funny, one of our Ascend GRF units ignores SNMP completely (even to itself). (Not desired behavior).
The GRF has a highly tweakable TCP/IP stack. For example, by default the router will only respond to 10 ICMP packets/second (but that number can be changed in grinchd.conf, I think). The router can be passing packets normally, and if someone is ping flooding an interface on the router, your own (or your customer's) ping to the router can fail miserably. This is not really a router problem. There are some very good Netstar engineers in Minneapolis (if they haven't all frozen to death). Seek one of them out. -peter
participants (5)
-
Deepak Jain -
Lyndon Levesley -
mmiller@cbis.com -
Neil J. McRae -
Peter