Network Device Best Practices for Mapping in Solarwinds

I've been auditing the monitoring of the myriad Cisco Switches, routers, DCI,OVTs etc. in my estate. It's a bit of a mess. I notice many of the devices have multiple IPs which is fine (routers etc.) but I also notice many of them respond to SNMP on multiple IPs. This seems to do two things that I would deem negative:

There appears to be multiple nodes with different IPs that represent the same logical router/switch
The auto-generated topology maps show the same node multiple times

I'm wondering if this is simply poor practice and I need to talk to the network admins and get them to define:

A consistent naming convention for switches and routers
Enable CDP/LLDP on L2 interfaces that connect switches and routers
Define management networks and IPs
- polling networks
- disable CLI,SNMP on any other IPs

Find more posts tagged with

Accepted answers

All comments

netizenden

This relates to implementing a 'management network' - a specific network space where all infrastructure would have an interface / virtual interface connected. Each device is then configured to only listen to and respond to SNMP (and SSH / HTTPS as needed) on that network interface. This is typically a 'project' for a several weeks/months depending on size of network, available staff, locations, etc., though it could be faster if you have automated config management in place and can (safely) push out those needed config changes.

Also recommend it as a good time to implement SNMPv3 as a minimum level of security, since SNMP is otherwise sent in clear-text on the network.

And it's not 'scope creep' to consider it an opportunity to implement 2-factor authentication for administrative access if it hasn't been done already (Cisco Duo, RSA SecureID, Azure AD, etc.). And of course that brings up what is currently used for identity / directory services (identity provider or IDP). It can be a good time to consider your identity and access management strategy (IAM) as well.

Layers of security are compared to layers of an onion - so as you can see - the layers are in contact with each other constantly.

Chainmail is great armor (in the LOTR), but only as strong as the weakest link.