css11050 - Network Management

makkers
Level 1

I have 4 x CSS11050 switches within our infrastructure. Currently (for security policy reasons) we do not have remote management or visibility of these boxes and need to address this.

What is the recommended software management tool, and can it be bolted into CiscoWorks LMS, as we have this in production?

Thanks

3 Replies

drussell
Level 1

If you do want to enable SNMP access from your management station, I would recommend creating an ACL to only allow SNMP access from your known management servers. Then follow the basic security rules: only enable management functions you need and don't use well-known community strings.

vkasacavage
Level 1

CiscoWorks 2k can manage these boxes. I do not know to what extent (i.e., what features you will have access to), but CiscoWorks 2k is listed as a management platform for the CSS11050.

dcayer
Level 1

Don't forget: the Ethernet-Mgmt interface cannot be configured with a default gateway. If you use the Ethernet-Mgmt interface for remote management of the CSS, your server (HP OpenView or CiscoWorks) needs to be on the same local subnet. To get around this problem, we decided to manage the CSS in-band, with the back-end firewall configured with rules to protect against unauthorized access and to allow TACACS, SNMP, NTP, TFTP, FTP & TELNET.

A CAVEAT: The TACACS capabilities have a vulnerability: with TACACS enabled, you can still telnet to the CSS if you don't have a valid TACACS user account by using the local username and password configured on the CSS. In our case, the CSS first tries the TACACS server, which denies the request, but then allows the telnet to proceed by validating via the locally configured username/password.
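A detection sketch for the fallback described in the caveat above, added here as an example and not part of the original post or of any Cisco tooling: it correlates TACACS+ server results with device login events and reports logins that no TACACS+ "pass" explains. The log layout, field names, addresses and the `local_fallback_logins` function are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events; the "time key=value" layout is an assumption,
# not real CSS or TACACS+ server output.
TACACS_LOG = """\
2004-03-01T10:00:02 nas=10.1.1.10 user=alice result=pass
2004-03-01T10:05:11 nas=10.1.1.10 user=admin result=fail
2004-03-01T10:09:40 nas=10.1.1.11 user=bob result=pass
"""
DEVICE_LOG = """\
2004-03-01T10:00:03 device=10.1.1.10 user=alice event=login-ok
2004-03-01T10:05:12 device=10.1.1.10 user=admin event=login-ok
2004-03-01T10:09:41 device=10.1.1.11 user=bob event=login-ok
2004-03-01T10:20:00 device=10.1.1.11 user=admin event=login-ok
"""

def parse(text):
    """Yield (timestamp, fields) for each 'ISO-time key=value ...' line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        yield datetime.fromisoformat(stamp), dict(p.split("=", 1) for p in pairs)

def local_fallback_logins(tacacs_text, device_text, window_s=10):
    """Return device logins with no TACACS+ 'pass' for the same user and
    device in the preceding window, i.e. logins validated locally."""
    window = timedelta(seconds=window_s)
    passes, fails = [], []
    for ts, f in parse(tacacs_text):
        (passes if f["result"] == "pass" else fails).append((ts, f["nas"], f["user"]))
    findings = []
    for ts, f in parse(device_text):
        if f.get("event") != "login-ok":
            continue
        key = (f["device"], f["user"])
        def near(events):
            # True if a matching TACACS+ event precedes the login within the window.
            return any((n, u) == key and timedelta(0) <= ts - t <= window
                       for t, n, u in events)
        if not near(passes):
            reason = "tacacs-denied" if near(fails) else "no-tacacs-record"
            findings.append((ts.isoformat(), f["device"], f["user"], reason))
    return findings
```

A "tacacs-denied" finding matches the behaviour in the caveat (server refused, login succeeded anyway); "no-tacacs-record" means the device never produced a matching server entry at all.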
