| To: | <nv-l@lists.tivoli.com> |
|---|---|
| Subject: | [nv-l] Monitoring VPN based networks? |
| From: | "Karl Prinelle" <Karl.Prinelle@elyzium.co.uk> |
| Date: | Sat, 5 Jul 2003 11:58:30 +0100 |
| Delivered-to: | mailing list nv-l@lists.tivoli.com |
| Delivery-date: | Sat, 05 Jul 2003 12:00:35 +0100 |
| Envelope-to: | nv-l-archive@lists.skills-1st.co.uk |
| Importance: | Normal |
| List-help: | <mailto:nv-l-help@lists.tivoli.com> |
| List-post: | <mailto:nv-l@lists.tivoli.com> |
| List-subscribe: | <mailto:nv-l-subscribe@lists.tivoli.com> |
| List-unsubscribe: | <mailto:nv-l-unsubscribe@lists.tivoli.com> |
| Mailing-list: | contact nv-l-help@lists.tivoli.com; run by ezmlm |
|
Hi
list,
NV 7.1.3+fp1 Linux
7.2
I've setup netview
to monitor a set of sites connected by VPN tunnels. Each (well, most
anyway) site has multiple routes to the other sites through the VPN's.
There are no traffic filters on the VPN's, SNMP is running on the FW's
(accessible only from the trusted side!).
Netview has
discovered all the VPN terminators (NetScreen), but it is only discovering the
physical interfaces - the trusted and untrusted interfaces on the devices -
not the VPN connections & routes. The result is that each site appears
as it's own network with no connections to the other networks since the network
"ends" with the untrusted internet facing interface.
I've checked the
archives, but I can only find info about not monitoring dynamic VPN connections
on cisco concentrators, nothing on wanting to monitor them! However, the
implication I got from that was that the VPN interfaces must have been appearing
on those devices for netview to see them - either the cisco update the
interfaces table when a connection is made (sounds most likely), or there is
"another way"....
Ok, now for the
questions...
I think the above
topology problem is because in the interfaces table the VPN "logical" interfaces
don't appear - only the physical interfaces. Is this right, or is there a
way for Netview to see the VPN interfaces (I've had problems with other devices
only writing ifOperStatus to the private MIB & that couldn't be sorted so
I'm thinking this is the same kind of thing)? The VPN connections are
present in the private MIB, but I don't think that's much use for netview based
on the doc's.
NetScreen firewalls
- has anyone used these and managed to have netview draw the topology (in other
words solved the above problem another way) - maybe there is a config option in
the FW that will write the VPN interfaces to the interfaces table??? (living in
hope on that one...)
I'm assuming that
since the networks aren't connected, then the RFI will be affected since there
is no route to track the events back through? If I manually draw the
appropriate connections between the routers, will this information be use by the
Netview RFI algorithm?
Any suggestions much
appreciated.
Thanks
K
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | [nv-l] How do you clear an unreachable status?, JAMES Robin |
|---|---|
| Next by Date: | Re: [nv-l] How do you clear an unreachable status?, Stephen Hochstetler |
| Previous by Thread: | [nv-l] How do you clear an unreachable status?, JAMES Robin |
| Next by Thread: | [nv-l] location file, Bhayeti |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
Archive operated by Skills 1st Ltd
See also: The NetView Web