Chapter 12 SNMP

SNMPv1/v2 Proxy Support Over Firewalls

12.8 SNMPv1/v2 Proxy Support Over Firewalls

Firewalls, often used for isolating security risks inside networks or from outside, have traditionally prevented SNMP and other NMS monitoring and control applications from accessing NEs beyond a firewall.

An application-level proxy is available at each firewall to transport SNMP protocol data units (PDU) between the NMS and NEs. This proxy, integrated into the firewall NE SNMP agent, exchanges requests and responses between the NMS and NEs and forwards NE autonomous messages to the NMS. The usefulness of the proxy feature is that network operations centers (NOCs) can fetch performance monitoring data such as remote monitoring (RMON) statistics across the entire network with little provisioning at the NOC and no additional provisioning at the NEs.

The firewall proxy interoperates with common NMS such as HP-OpenView. It is intended to be used with many NEs through a single NE gateway in a gateway network element (GNE)-end network element (ENE) topology. Up to 64 SNMP requests (such as get, getnext, or getbulk) are supported at any time behind single or multiple firewalls.

For security reasons, the SNMP proxy feature must be turned on at all receiving and transmitting NEs to be enabled. For instructions to do this, refer to the Cisco ONS 15310-MA SDH Procedure Guide. The feature does not interoperate with earlier releases.

12.9 SNMPv3 Proxy Configuration

The GNE can act as a proxy for the ENEs and forward SNMP requests to other SNMP entities (ENEs) irrespective of the types of objects that are accessed. For this, you need to configure two sets of users, one between the GNE and NMS, and the other between the GNE and ENE. In addition to forwarding requests from the NMS to the ENE, the GNE also forwards responses and traps from the ENE to the NMS.

The proxy forwarder application is defined in RFC 3413. Each entry in the Proxy Forwarder Table consists of the following parameters:

Proxy Type—Defines the type of message that may be forwarded based on the translation parameters defined by this entry. If the Proxy Type is read or write, the proxy entry is used for forwarding SNMP requests and their response between the NMS and the ENE. If the Proxy Type is trap, the entry is used for forwarding SNMP traps from the ENE to the NMS.

Context Engine ID/Context Name—Specifies the ENE to which the incoming requests should be forwarded or the ENE whose traps should be forwarded to the NMS by the GNE.

TargetParamsIn—Points to the Target Params Table that specifies the GNE user who proxies on behalf of an ENE user. When the proxy type is read or write, TargetParamsIn specifies the GNE user who receives requests from an NMS, and forwards requests to the ENE. When the proxy type is trap, TargetParamsIn specifies the GNE user who receives notifications from the ENE and forwards them to the NMS. TargetParamsIn and the contextEngineID or the contextName columns are used to determine the row in the Proxy Forwarder Table that could be used for forwarding the received message.

Single Target Out—Refers to the Target Address Table. After you select a row in the Proxy Forwarder Table for forwarding, this object is used to get the target address and the target parameters that are used for forwarding the request. This object is used for requests with proxy types read or write, which only requires one target.

 

 

Cisco ONS 15310-MA SDH Reference Manual, Release 9.1 and Release 9.2

 

 

 

 

 

 

78-19417-01

 

 

12-13

 

 

 

 

 

Page 257
Image 257
Cisco Systems 15310-MA manual SNMPv1/v2 Proxy Support Over Firewalls, SNMPv3 Proxy Configuration, 12-13

15310-MA specifications

Cisco Systems has established itself as a leader in the networking domain, offering a wide array of solutions to meet the needs of modern businesses. Among its impressive product lineup are the Cisco 15310-CL and 15310-MA routers, designed to provide advanced network performance and reliability.

The Cisco 15310-CL is a versatile platform that primarily serves as a carrier-class router aimed at supporting high-speed data and voice services. It is built to handle the demands of large enterprises and service providers, offering a robust design that ensures maximum uptime and performance. One of its standout features is its modular architecture, which enables users to customize their configurations based on specific application needs. This scalability allows for future expansion without the need for a complete hardware overhaul.

Key technologies integrated into the Cisco 15310-CL include high-density Ethernet interfaces and a comprehensive suite of Layer 2 and Layer 3 protocol support. The device is capable of supporting multiple types of connections, including TDM, ATM, and Ethernet. This flexibility makes it an ideal choice for organizations that require seamless migration between various service types. Moreover, with features such as MPLS (Multiprotocol Label Switching) support and advanced Quality of Service (QoS) mechanisms, the router ensures that critical applications receive the necessary bandwidth and low latency required for optimal performance.

In contrast, the Cisco 15310-MA focuses on access solutions, providing a cost-effective entry point for businesses looking to enhance their network capabilities. It is well-suited for smaller offices or branch locations that need reliable connectivity without the expense and complexity associated with larger systems. The device supports a range of access methods and provides essential features like firewall capabilities, VPN support, and comprehensive security measures to protect sensitive data.

Both models benefit from Cisco's commitment to security and manageability, offering features like enhanced encryption protocols and user authentication mechanisms that help safeguard networks against threats. Additionally, they can be managed through Cisco’s intuitive software tools, simplifying configuration and monitoring tasks for IT administrators.

The Cisco 15310-CL and 15310-MA are ideal solutions for businesses seeking to enhance their network infrastructure, ensuring firms can keep pace with evolving technology demands while maintaining a focus on security and performance. Their combination of advanced features, modular capabilities, and robust support makes them valuable assets in the networking landscape.