Here is something you may not have thought of.
If you use SNMP for discovery, and thus discover devices with multiple
interfaces, and your network is like mine.... where folks have more freedom
than I'd like about choosing IP addresses.... You run into issues where Netmon
will poll inappropriate addresses with ICMP. Many times when folks build backup
networks or "stand-alone" networks they choose common, already-registered
addresses (in our case, we have some bone-heads who use 100.100 and 90.90 since
these are "non-routable" networks that we should "never see a packet from". Or
the SP2 complex which uses 1.1, 2.2. 3.3 and 4.4 networks (thank you IBM).
Problem is, with ICMP polling, NetView tries to ping those addresses and if
your routes are set up in any sort of normal fashion, this traffic heads right
out the internet and creates ICMP traffic on your internet connection which
*IS* a security concern. At a minimum, you create unnecessary chaff for your
firewall/intrusion detection systems. You can always unmanage the interfaces
but that is a lot of work, and well, doesn't it defeat the purpose of NetView
to disable management of an interface that doesn't responsd to pings?
Using SNMP polling means that I send the request to a multi-homed device on an
interface I can reach, and ONLY to that interface. It might be a little more
bigger traffic, but it sure is a clearer picture of the network. I recommend
SNMP polling in *ALL* cases where possible.
-----Original Message-----
From: Leslie Clark [mailto:lclark@us.ibm.com]
Sent: Wednesday, April 30, 2003 8:44 PM
To: nv-l@lists.tivoli.com
Subject: RE: [nv-l] NV 7.1.x SNMP polling
Here's my two cents' worth on this subject. SNMP for status polling costs
more than ICMP in terms of bandwidth and in terms of CPU on the devices
being polled. It also may interfere with Netview's HSRP handling, since
HSRP interfaces do not appear in the interface table. It was originally
intended to provide a way to get status for unnumbered interfaces, which
cannot be pinged by definition. Therefore I take the approach of using it
selectively where it is needed: for unnumbered, of course, and also to get
accurate status of interfaces for which there is no routing - for example,
the second interfaces on servers that would otherwise appear red in the map
even though they are up. Netview will enable it automatically where needed
for unnumbered. I then enable it in the seedfile for nodes where it is
needed to make nodes green where they should be green.
If you enable it on a broad scale, watch it for a while and make sure the
devices respond in a timely fashion and also that netmon keeps up with your
chosen polling period.
Cordially,
Leslie A. Clark
IBM Global Services - Systems Mgmt & Networking
Detroit
"JR Miller"
<jmiller5@columbu To:
<nv-l@lists.tivoli.com>
s.rr.com> cc:
Subject: RE: [nv-l] NV 7.1.x
SNMP polling
04/28/2003 11:18
PM
Excellent!
Thanks for the info,
-JR Miller
-----Original Message-----
From: Gareth Holl [mailto:gholl@us.ibm.com]
Sent: Monday, April 28, 2003 22:55
To: JR Miller
Cc: nv-l@lists.tivoli.com
Subject: Re: [nv-l] NV 7.1.x SNMP polling
Yes, NetView can poll using SNMP and ICMP, but not the same device.
The typical configuration might be to poll your Routers using SNMP
and all other devices using ICMP. No redbooks covering new features.
Look through each of the Release Notes for 7.1 and then each of the
maintenance releases. You should find all the Release Notes on the
7.1.3 CD.
Gareth Holl
Staff Software Engineer
gholl@us.ibm.com
IBM Software Group - Tivoli Brand
Research Triangle Park, North Carolina.
"JR Miller"
<jmiller5@columbus.rr.com> To:
<nv-l@lists.tivoli.com>
cc:
04/28/2003 08:46 PM Subject: [nv-l] NV
7.1.x SNMP polling
Quick question, I have limited experience with newer NV versions.
Can NV 7.1.x poll devices using SNMP as well as ICMP? Has anyone
experienced any issues doing this, good or bad? This would involve
an AIX version, if that matters. Are there any Redbooks that cover
the new versions and features of NV?
Thanks for the input.
Jeffrey R. Miller
Open Systems Engineer
Bank One Corporation
1111 Polaris Parkway
Columbus, OH 43240
[IMAGE]
[IMAGE]
#### OVcert.bmp has been removed from this note on April 28, 2003 by
Gareth Holl
#### IV.bmp has been removed from this note on April 28, 2003 by
Gareth Holl
---------------------------------------------------------------------
To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
For additional commands, e-mail: nv-l-help@lists.tivoli.com
*NOTE*
This is not an Offical Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)
---------------------------------------------------------------------
To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
For additional commands, e-mail: nv-l-help@lists.tivoli.com
*NOTE*
This is not an Offical Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)
|