Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
888
Views
0
Helpful
1
Replies

Edge Routers & Logging back into the LAN

Go to solution
cwarner_klove
Level 1
Level 1

‎06-06-2012 12:32 PM - edited ‎03-03-2019 06:37 AM

I have a question regarding logging, SNMP Traps, etc. where it is conerning an Edge Router that services public internet link for offices.  Overall design -

  • HO with main Internet pipe for head quarters as well as some branch offices
  • Branch Offices that receive internet service from HO all have MPLS connections
  • Branch Offices that have their own ISP at their location terminating on edge routers (IPSEC Tunnels) and some with ASA's

The main discussion I am having with my colleagues is the edge routers/devices with no IPSEC tunnel back to HO where the edge device terminates the ISP connection for that office.

Our current configuration for those scenarios, the edge devices have no internal IP address on them, only public IP's and point to point routing from edge device to LAN device (other Cisco L2/L3 Switch).  There are no loopback interfaces configured or utilized for management and not logically part of the LAN.

My question is what is the best scenario on how to get Syslogs, SNMP Traps sent from the edge device to HO NMS on the LAN?  Some of my colleagues argue that they do not wish to put an inside IP address (private 10.x.x.x) on the edge device because it bridges the outside world into our LAN now.  My question is then, how do we get our logs to our LAN so that our NMS systems can house them, alert on them, monitor them?  I guess a better question is - what is Best Practice?  There are many ways to skin a cat, but that doesn't make them all the preferrable way to do it.

Are there design docs that show this and possibly configuration documents?  I have looked high and low and found many things, but nothing addressing this outright that I could find.  It was mostly conceptual and I am having a hard time selling this or backing my architectual thoughts with facts.

Cheers!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
smitesh kharecha
Level 5
Level 5

‎06-06-2012 09:38 PM

Hi Chad,

If you can configure GRE tunnel between your HQ and all remooute sides, then you can access them. Also, as far as best practises goes, people prefer having management IP ( generally on Loopback interface) to access all remote devices. GRE tunnel make sense if you want to set up Syslog/SNMP traps etc type of setup, where you don't want to expose your internal network to the outside world.

Note: If you need security on tunnels, then you need to go for IPSEC over GRE setup.

PS: Please rate if helpful.

HTH,

Smitesh

View solution in original post

0 Helpful
1 Reply 1

Go to solution
smitesh kharecha
Level 5
Level 5

‎06-06-2012 09:38 PM

Hi Chad,

If you can configure GRE tunnel between your HQ and all remooute sides, then you can access them. Also, as far as best practises goes, people prefer having management IP ( generally on Loopback interface) to access all remote devices. GRE tunnel make sense if you want to set up Syslog/SNMP traps etc type of setup, where you don't want to expose your internal network to the outside world.

Note: If you need security on tunnels, then you need to go for IPSEC over GRE setup.

PS: Please rate if helpful.

HTH,

Smitesh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents