cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to the Smart Net Total Care Community!

Our community includes Cisco experts to answer your questions about the Smart Net Total Care (SNTC) portal and CSP-Collector.
Click the navigation links below to access materials for using our service and supported collectors.

125
Views
0
Helpful
1
Replies
Highlighted
Cisco Employee

Customized Automatic Collection

Require automatic collection, not 3rd party or import.  Security requires that management on the switches be accessed only via an SSH through a jump host.  Is there any way to write a script to customize the collection?

1 REPLY 1
Beginner

Hi,

Hi,

With increasing concerns and focus on network security by most network operators, such restrictions on accessing networks are becoming the norm.  The current abilities of the CSPC collector solution don't quite meet the demands of such operators; in fact I represent one such operator ;-)

Such security aspects can be categorised into two areas:

  1. Security/confidentially of the information collected
  2. Network access security

For the first one, Information Security, assurance of this can be managed using the following:

  • Ensure that the collection profile is only collecting data for aspects that you want/need to upload to Cisco
  • If required use the 'data privacy feature' which will replace hostnames and IP addresses with dummy data.  See the following app note data-privacy-feature-application-note.

Now in the case of the second one, Network Security, this directly relates to the issue you have in that 'security' require separation between the collector and the network.

There are workarounds to the current constraints that the collector; can only poll/communicate with the devices itself directly (it needs to be a trusted entity within the network, it won't accept data via 3rd party collection; and for automatic upload it needs to have connectivity to the internet (albeit via an optional proxy).

WRT accessing the devices, accessing them via SSH isn't (IMO) preferable over RO rights using SNMPv3.

So if we have the collector in the trusted zone of the network, how do we maintain separation between the network and the internet, if uploading via a proxy is not deemed acceptable by security teams?

Well one way is to upload via intermediate device in a demarcation zone (DMZ) and then from there to Cisco.  To do this you configure the collection upload job to 'file system', so the inventory archive is created on the local machine.  This can be transferred (via SCP using shared keys) to the first host in the DMZ (there may be a 2nd transfer to another 'internet facing' DMZ host).  Then the archive can be uploaded to Cisco; to do this take a look at the entitlement package that you will have for the collector - if you are familiar with PKI & x.509 certificates then this should be straightforward to figure out how, as I'll not be posting up the details here.  ;-)

Rgds,

Graham

CreatePlease to create content
Right-rail
Navigation
Be sure to bookmark these support pages and use them in the future to find all the self-help information.
Helpful Links