SNMP, Static NAT and management systems including servers, middleware and applications
Hi All:

I have been asked to extend the capabilities of my current monitoring and management system to another division of the company. All IP space is RFC 1918 with no publicly routed space in the mix. Needless to say, and rightfully so, the network folks won't allow me to directly attach my management network to theirs.

I use SNMP for system-level monitoring of all servers via agents on the servers (WIN and NIX). Static NAT will be put into place, but it breaks my SNMP GETs, which the NOC uses to validate CPU, disk util, etc. In a quick test, NAT was set up on my own network and I can receive traps and parse them fine even with the NAT, as the current trap receiver and visualization can handle incoming traps and NAT. I can see the system IP and peer IP fulfilling the two sides. I know I can create a simple ALG via an Apache server with Perl to execute the SNMP GET on the foreign network. NOC folks can see the data and import it into the ticket (no blind escalations).

My question is: how have others handled SNMP and static NATs without a ground-up re-architecture? I don't want to bring in new protocols and change my systems as they are today, due to the heavy integration with provisioning, workflow and process flows. They have worked well to date, besides the huge sunk $ investment in software and integration.

I have been looking for a complex ALG, but there doesn't seem to be much out there, and I would rather not manipulate the payload but map it correctly. Any suggestions?

-Bob
Hi Bobby,

Can your monitoring system use other ports (per host) for SNMP? In that case you could use port forwarding (and for up to 60,000 hosts this should be fine); with static NAT this would be a good option, I guess.

With kind regards,
Mark Scholten
-----Original Message-----
From: Bobby Mac [mailto:bobbyjim@gmail.com]
Sent: Wednesday, March 03, 2010 2:37 AM
To: nanog@nanog.org
Subject: SNMP, Static NAT and management systems including servers, middleware and applications
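Mark's per-host port-forwarding suggestion and Bob's "simple ALG" idea, worked through as an added example; this is not code from either poster. It is Python rather than Bob's Perl, and every address, host list and port range in it is a constructed assumption: build_port_map assigns one external UDP port per agent and refuses a range that would overrun port 65535, render_dnat_rules shows the iptables DNAT lines such a map implies, and relay_one_request is a UDP relay that forwards the poller's datagram to the mapped agent and hands the reply back untouched, so the SNMP payload is mapped rather than rewritten. loopback_roundtrip runs the whole exchange against a fake agent on 127.0.0.1 so it can be executed offline.

```python
"""Per-host UDP port forwarding for SNMP polling across static NAT.

Added example, not from the NANOG thread. Hosts, the NAT address and the
port range are constructed values; the relay never modifies the payload.
"""
import socket
import threading

SNMP_AGENT_PORT = 161       # agents keep listening on the standard port
FIRST_EXT_PORT = 10161      # assumed start of the forwarded port range


def build_port_map(hosts, first_port=FIRST_EXT_PORT):
    """Assign one external UDP port per monitored agent.

    Returns {ext_port: agent_ip}. Raises ValueError if the range would run
    past 65535, the hard ceiling on how many hosts one NAT address can carry.
    """
    if first_port < 1024:
        raise ValueError("use an unprivileged port range")
    last_port = first_port + len(hosts) - 1
    if last_port > 65535:
        raise ValueError("too many hosts for one NAT address (last port %d)" % last_port)
    return {first_port + i: ip for i, ip in enumerate(hosts)}


def render_dnat_rules(nat_ip, port_map):
    """Render iptables DNAT rules for the port map.

    Illustrative only: the network team's platform may use different syntax,
    but the mapping (NAT address + ext port -> agent IP:161) is the same.
    """
    rules = []
    for port, agent_ip in sorted(port_map.items()):
        rules.append(
            "iptables -t nat -A PREROUTING -d %s -p udp --dport %d "
            "-j DNAT --to-destination %s:%d"
            % (nat_ip, port, agent_ip, SNMP_AGENT_PORT)
        )
    return rules


def relay_one_request(listen_sock, agent_addr, timeout=2.0):
    """Forward one datagram from the poller to the agent and relay the reply.

    Only addresses are mapped; the SNMP bytes pass through unchanged.
    Returns the reply bytes, or None if the agent does not answer in time.
    """
    data, poller = listen_sock.recvfrom(65535)
    upstream = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    upstream.settimeout(timeout)
    try:
        upstream.sendto(data, agent_addr)           # payload forwarded as-is
        reply, _ = upstream.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        upstream.close()
    listen_sock.sendto(reply, poller)               # back to the poller
    return reply


def loopback_roundtrip(request=b"constructed-GET-REQUEST"):
    """Self-contained demo: fake agent on loopback, relay in front, one poll."""
    agent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    agent.bind(("127.0.0.1", 0))                    # OS picks a free port
    agent.settimeout(5)

    def fake_agent():
        # A stand-in for a real agent: answer whatever arrives, tagged as a response.
        pkt, src = agent.recvfrom(65535)
        agent.sendto(b"RESPONSE:" + pkt, src)

    t_agent = threading.Thread(target=fake_agent, daemon=True)
    t_agent.start()

    relay = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    relay.bind(("127.0.0.1", 0))                    # the "external" per-host port
    relay.settimeout(5)
    t_relay = threading.Thread(
        target=relay_one_request, args=(relay, agent.getsockname()), daemon=True
    )
    t_relay.start()

    poller = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    poller.settimeout(5)
    poller.sendto(request, relay.getsockname())
    reply, _ = poller.recvfrom(65535)
    t_relay.join(5)
    t_agent.join(5)
    for s in (agent, relay, poller):
        s.close()
    return reply


if __name__ == "__main__":
    pmap = build_port_map(["10.1.0.5", "10.1.0.6"])   # constructed agent IPs
    for rule in render_dnat_rules("192.0.2.10", pmap):  # constructed NAT address
        print(rule)
    print(loopback_roundtrip())
```

Two practical points follow from the mapping. The poller's host definitions must carry the per-host port (the NAT address is the same for every host, so only the port tells agents apart), and every agent sees the NAT device or relay as the source of each request, so any source-address restriction on the agent's community or view has to admit that address rather than the poller's real one; the trade-off is that the agent can no longer tell individual pollers apart, which is worth noting in the change record.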