RE: DNS and Netview

To: nv-l@lists.tivoli.com
Subject: RE: DNS and Netview
From: "Barr, Scott" <Scott_Barr@csgsystems.com>
Date: Fri, 14 Sep 2001 14:53:56 -0500
> The downside is you must have routing in your network to support this
> address range. As you see from my example, we mask it down to a single
> address space and all routers are configured to support this subnet for
> routing purposes.

Specifically, do you mean that all devices between the agents (Cisco devices)
configured for sending traps via loopback must be willing to forward SNMP
messages from the address you give to the loopback interface to the
IP address of the manager (i.e. NetView server)?

===> SNMP traps originate from the address of the loopback interface and
flow to the destination address of the SNMP trap receiver (such as NetView).
I do not believe the intermediary devices have any involvement other than
they are obviously routing the data per the subnet they need to go to.

That said, do most folks use a private non-routable address for this
loopback interface? If so, then I imagine you have to make sure
your anti-spoofing rules allow this particular range to pass from
the agents to the NetView server?

===> It can be a private address but it cannot be non-routable (how would
netview get the data then?)

Is there any increased security exposure in this practice?

===> I don't believe so. It's probably more secure because the address ranges
involved are isolated to single hosts - meaning nobody could plug in a
device in that subnet (since no range exists for them to pick an address).

-- 
Todd H.
http://www.toddh.net/

