Management interface on virtual systems

Hi,

We have just enabled SNMP access to virtual systems on VSX hosts using direct SNMP access:

set snmp mode vs
set snmp vs-direct-access on


We have confirmed that this is working with both SNMP v2 and v3 using the internal interface of the virtual systems that is used for data traffic.

We are now planning to create a separate management interface for each vs, so that the SNMP traffic is separated and routed correctly. Would you recommend using the same VLAN for this interface as the management interface of the VSX hosts or do you see any advantage of using a separate monitoring VLAN on the virtual systems?

Thanks for your help!

Harry

3 Replies

Re: Management interface on virtual systems

I would personally keep out of the VSX Cluster Management Interface VLAN; I like to keep that just for the actual VSX Management Traffic.

SNMPv3 is already encrypted (we always use the option to encrypt anyway), so I'm not sure there is too much benefit there from a Security perspective, and are you really generating enough traffic with SNMP that it is going to impact regular network traffic?

If you already have a separate Management Network that you are already using for monitoring/management of other Network Devices etc., then I would suggest that it wouldn't hurt to add an Interface in the VS to that VLAN, as you have already done the majority of the work.

Obviously you need to ensure that the SNMP connection wouldn't be reachable by multiple interfaces, though of course that would be normal network design practice anyway.


Re: Management interface on virtual systems

Thank you very much for the feedback!

We have a separate management network, but I agree that it is worth considering if a new VLAN only for the SNMP traffic is actually valuable.

Best regards,

Harry

Re: Management interface on virtual systems

Don't forget to also add access to the VS's for the V3 user:
set snmp usm user <v3-user> vsid 1-5
Regards, Maarten