06-06-2012 12:32 PM - edited 03-03-2019 06:37 AM
I have a question regarding logging, SNMP Traps, etc. where it is concerning an Edge Router that services public internet link for offices. Overall design -
The main discussion I am having with my colleagues is the edge routers/devices with no IPSEC tunnel back to HO where the edge device terminates the ISP connection for that office.
Our current configuration for those scenarios, the edge devices have no internal IP address on them, only public IPs and point to point routing from edge device to LAN device (other Cisco L2/L3 Switch). There are no loopback interfaces configured or utilized for management and not logically part of the LAN.
My question is what is the best scenario on how to get Syslogs, SNMP Traps sent from the edge device to HO NMS on the LAN? Some of my colleagues argue that they do not wish to put an inside IP address (private 10.x.x.x) on the edge device because it bridges the outside world into our LAN now. My question is then, how do we get our logs to our LAN so that our NMS systems can house them, alert on them, monitor them? I guess a better question is - what is Best Practice? There are many ways to skin a cat, but that doesn't make them all the preferable way to do it.
Are there design docs that show this and possibly configuration documents? I have looked high and low and found many things, but nothing addressing this outright that I could find. It was mostly conceptual and I am having a hard time selling this or backing my architectural thoughts with facts.
Cheers!
06-06-2012 09:38 PM
Hi Chad,
If you can configure a GRE tunnel between your HQ and all remote sites, then you can access them. Also, as far as best practices go, people prefer having a management IP (generally on a Loopback interface) to access all remote devices. A GRE tunnel makes sense if you want to set up Syslog/SNMP traps etc type of setup, where you don't want to expose your internal network to the outside world.
Note: If you need security on tunnels, then you need to go for IPSEC over GRE setup.
PS: Please rate if helpful.
HTH,
Smitesh
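As an added illustration (not from the thread or from Smitesh), one way to lay out the GRE-plus-loopback design on the remote edge router in Cisco IOS style. All addresses, ACL names, the IPsec profile name and the NMS host are assumed placeholders; the mirror-image inbound ACL that admits only syslog and traps from the loopback belongs on the HQ end of the tunnel.

```text
! Added example, not the thread's own configuration. All values are placeholders.
!
! Management identity of the edge router; the only private address on the box.
interface Loopback0
 ip address 10.255.1.1 255.255.255.255
!
! ISP-facing interface: public address, GRE accepted from HQ only.
interface GigabitEthernet0/0
 description ISP uplink
 ip address 203.0.113.10 255.255.255.248
 ip access-group OUTSIDE-IN in
!
ip access-list extended OUTSIDE-IN
 permit gre host 198.51.100.1 host 203.0.113.10
 ! existing permits for the office's own return traffic go here
 deny ip any any log
!
! GRE tunnel to HQ; HQ may only reach the loopback, for SNMP polling and SSH.
interface Tunnel0
 description Management GRE to HQ
 ip address 10.255.0.2 255.255.255.252
 ip access-group TUNNEL-IN in
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 ! enable once a crypto ipsec profile exists, for the IPsec-over-GRE case:
 ! tunnel protection ipsec profile MGMT-IPSEC
!
ip access-list extended TUNNEL-IN
 permit udp host 10.10.10.50 host 10.255.1.1 eq snmp
 permit tcp host 10.10.10.50 host 10.255.1.1 eq 22
 permit icmp host 10.10.10.50 host 10.255.1.1
 deny ip any any log
!
! Only the NMS host is reachable through the tunnel, not the whole LAN.
ip route 10.10.10.50 255.255.255.255 Tunnel0
!
! Syslog and traps leave from the loopback, so HQ sees one stable source address.
logging host 10.10.10.50
logging trap informational
logging source-interface Loopback0
!
snmp-server trap-source Loopback0
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.10.10.50 version 2c MGMT-COMMUNITY
```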