Should I segregate snmp traffic?

phoeneousphoeneous Member Posts: 2,333 ■■■■■■■□□□
Currently using zabbix to monitor about 200 devices. Works great and all but the snmp traffic is on same vlan as data. Should I consider using a separate vlan for snmp traffic or just leave it as is? I don't use any sort of multicast auto-discover script, each host is setup as unicast. We dont have any specific out-of-band policies to adhere to either.

Comments

  • HeeroHeero Member Posts: 486
    If you are doing SNMPv3 authPriv, you don't really have to worry about it. If not, I would strongly suggest you separate the traffic and lock devices down with ACLs because while the community string provides authentication, the packets are still transmitted clear text and snmp data can be extracted if intercepted.
  • TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    I would think you wouldn't want any type of monitoring traffic with all your users traffic...just in case.
  • powmiapowmia Users Awaiting Email Confirmation Posts: 322
    If you currently have an OOB management/monitoring network (physical or VRFs), then of course throw it on there. Otherwise, three scenarios each have a different answer:

    1. You are only sending traps from the devices to your server: I wouldn't typically worry about it on a small network.

    2. You are using RO communities to read information from the device: lock down the ACLs and configure CoPP.

    3. You are using RW communities to configure the devices: Don't! SNMPv3 or script the configuration changes to use ssh via something like expect if you are configuring in-band.
  • phoeneousphoeneous Member Posts: 2,333 ■■■■■■■□□□
    powmia wrote: »
    If you currently have an OOB management/monitoring network (physical or VRFs), then of course throw it on there. Otherwise, three scenarios each have a different answer:

    1. You are only sending traps from the devices to your server: I wouldn't typically worry about it on a small network.

    2. You are using RO communities to read information from the device: lock down the ACLs and configure CoPP.

    3. You are using RW communities to configure the devices: Don't! SNMPv3 or script the configuration changes to use ssh via something like expect if you are configuring in-band.

    Correct, devices are sending traps to an RO community. I'll probably just separate it to be on the safe side.
Sign In or Register to comment.