
I'm working in a mid-sized telco, and I'm in charge of network monitoring solutions. We have a custom monitoring system that is using mostly SNMP to communicate with devices. The problem is that every once in a while we need to add additional polling servers, and every time we have to update 10k+ ACLs on each SNMP-enabled device to add the new IP addresses. They cannot be predicted in advance, because servers are situated in different data centers, with different L3 connectivity.

This is hard work for our operations, and they're not happy with it.

My question: Is there any SNMP or UDP proxy that we can just install on one host, and forward every SNMP request to the devices through it?

Mike Pennington
Jacket

3 Answers

I don't think you want an SNMP proxy as much as you want an SNMP NAT gateway.

A proxy requires parsing the results of each query, which by nature is slower than merely performing NAT on the queries. AFAICT, you only care about reducing the number of source addresses for SNMP ACL updates on your routers / switches / firewalls.

Simple solution: deploy a special Cisco router or linux server as a NAT gateway for your SNMP queries. You should restrict the source addresses to be NAT'd as well as the protocol (161/udp). Your best option for routing snmp queries through this device is to build a GRE tunnel to it and ensure that all SNMP queries get routed from the snmp pollers through the tunnels to the NAT gateway.

Keep in mind that no matter which way you go, centralizing snmp queries through a NAT gateway or proxy will slow down your pollers a bit due to the incrementally longer round-trip times for each SNMP get / get-next operation.

Mike Pennington
  • Thanks. Do you know if this is possible via some iptables rules on the polling hosts? These hosts do other things, but we want only the SNMP requests to be routed through this router. How can this be done? – Jacket Jul 31 '12 at 11:11
  • There is no simple, host-level NAT configuration, because even if you NAT to a single subnet across several geographically-distributed pollers the queries must somehow get back to the poller (which is impossible if you hide the IP source-address with an essentially bogus NAT entry) – Mike Pennington Jul 31 '12 at 13:48
  • Re: "centralizing snmp queries through a NAT gateway or proxy will slow down your pollers": the fact that @Jacket already has some IPs in the ACLs means he can have a couple of NAT devices to split the load across. That should help somewhat. – longneck Jul 31 '12 at 16:50
  • I agree with Mike's post. NAT/Forwarding is done on kernel level and it's more common, bug-less and optimized too. Proxy will work on higher level and require more CPU resources. ex: HAproxy – GioMac Jul 31 '12 at 16:45
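As an added example of the NAT-gateway shape described in this answer (this is not code from the thread), the script below configures a Linux host as the gateway and configures a poller's GRE tunnel and policy routing toward it, so that only 161/udp leaves the poller through the tunnel while everything else keeps its normal route. All addresses (RFC 5737 documentation ranges), interface names, the tunnel address pool and the table/priority numbers are assumptions chosen for illustration. The port-based `ip rule` selector needs Linux 4.17 or newer, and the `iifname "gre*"` wildcard needs a reasonably recent nftables.

```shell
#!/bin/sh
# Added example (not from the original post): Linux NAT gateway for SNMP
# polling, plus the poller-side policy routing that sends only 161/udp through
# a GRE tunnel to it. Every address is an RFC 5737 placeholder; pick your own.
# Set DRY_RUN=1 to print the commands instead of running them (no root needed).
set -eu

GW_PUBLIC=${GW_PUBLIC:-198.51.100.1}   # gateway address the pollers tunnel to
GW_SNAT=${GW_SNAT:-192.0.2.10}         # must be configured on GW_OUT_IF; the ONE IP in every device ACL
GW_OUT_IF=${GW_OUT_IF:-eth0}           # gateway interface facing the monitored devices
TUN_POOL=${TUN_POOL:-10.255.0.0/24}    # tunnel addresses, one /30 per poller
TUN_GW=${TUN_GW:-10.255.0.1}           # gateway end of this poller's /30
TUN_POLLER=${TUN_POLLER:-10.255.0.2}   # poller end of this poller's /30

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# nft ruleset for the gateway. Only 161/udp arriving on a tunnel from a poller
# address is forwarded, and only that traffic is source-NATed to GW_SNAT;
# conntrack maps each reply back to the poller that sent the request.
gateway_ruleset() {
    cat <<EOF
table ip snmp_nat
delete table ip snmp_nat
table ip snmp_nat {
    set pollers {
        type ipv4_addr
        flags interval
        elements = { $TUN_POOL }
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "gre*" ip saddr @pollers udp dport 161 accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$GW_OUT_IF" ip saddr @pollers udp dport 161 snat to $GW_SNAT
    }
}
EOF
}

# Gateway side: one GRE tunnel per poller (use gre2, gre3, ... and the next
# /30 out of TUN_POOL for each additional poller).
gateway_setup() {
    poller_ip=$1      # the poller's real, routable address
    run sysctl -w net.ipv4.ip_forward=1
    run ip tunnel add gre1 mode gre local "$GW_PUBLIC" remote "$poller_ip" ttl 64
    run ip addr add "$TUN_GW/30" dev gre1
    run ip link set gre1 up
    gateway_ruleset | run nft -f -
}

# Poller side: the host keeps its normal routing for everything else. Only
# 161/udp is looked up in table 100, which sends it down the tunnel with the
# tunnel address as source, so replies return through the same tunnel.
poller_setup() {
    poller_ip=$1
    run ip tunnel add gre1 mode gre local "$poller_ip" remote "$GW_PUBLIC" ttl 64
    run ip addr add "$TUN_POLLER/30" dev gre1
    run ip link set gre1 up
    run ip rule add ipproto udp dport 161 lookup 100 priority 100
    run ip route add default via "$TUN_GW" dev gre1 src "$TUN_POLLER" table 100
    # replies arrive on gre1 from addresses the main table routes elsewhere
    run sysctl -w net.ipv4.conf.gre1.rp_filter=2
}

case "${1:-}" in
    gateway) gateway_setup "${2:?poller address required}" ;;
    poller)  poller_setup "${2:?poller address required}" ;;
esac
```

Saved as, say, snmp-nat.sh, `DRY_RUN=1 sh snmp-nat.sh poller 203.0.113.5` shows what would be applied on a poller. On the devices the ACL then shrinks to a single host; on IOS that is an entry like `access-list 10 permit host 192.0.2.10` referenced from `snmp-server community <string> RO 10`. Two caveats: this covers poller-initiated polling only, so traps and informs the devices send to a poller do not traverse the SNAT and need either a trap receiver on the gateway or a separate DNAT rule; and every GET / GET-NEXT now crosses the tunnel in both directions, which is the extra round-trip cost the answer warns about.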

Put all of your pollers in a dedicated subnet, or a couple of dedicated subnets. Make sure you have room for growth. Update your ACLs to allow polling from any host in those subnets. If you leave enough room, this will be the last ACL update you'll ever need.

longneck
  • +1 I agree with this approach as long as he's willing to physically relocate his pollers. That is not implied in his question though – Mike Pennington Jul 31 '12 at 16:59
  • Changing or dedicating subnets doesn't require a physical move; it could be as simple as a small network configuration change. For example, in my infrastructure all this would take is adding a new VLAN to a couple of switches and an entry in a routing table. – longneck Jul 31 '12 at 19:00
  • I have trouble believing the OP is so naive that he's asking the question when it's as simple as changing vlans... remember, he is talking multiple pollers and multiple data centers – Mike Pennington Jul 31 '12 at 19:32
  • It's not a question of naivete. It's likely this started out as one server, then two, then another server in another data center. With that type of piecemeal, organic growth, a dedicated subnet is not the obvious answer. Simple, but not obvious. Sometimes it's the simplest stuff that gets overlooked! – longneck Jul 31 '12 at 19:39

The larger shops I've seen have often gone in the direction of setting up a single common polling infrastructure. A set of dedicated pollers pulls the data and then makes it available for various consumer apps. This scales a lot better and ends up leading to a lot less traffic and reduction in control plane usage on monitored devices. This sounds like what you're after.

There's actually an SNMP proxy MIB out there that's built into Net-SNMP. You may be able to set up a couple of machines in such a way, although it will likely require some customization. There are also commercial packages like this that may provide additional value in terms of protocol translation, support, etc.

rnxrx
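As an added example for the Net-SNMP proxy route this answer mentions (this is not code from the thread or from the Net-SNMP project), the script below generates the snmpd.conf stanzas that make one snmpd instance proxy for a list of devices. The device list, addresses, communities and context names are constructed placeholders; the per-device context mapping via `com2sec -Cn` is one design choice, used here so that identical OIDs on different devices do not collide inside the single proxy. Without `-Cn`, every `proxy` line would register in the default context and only one device could own a given subtree.

```shell
#!/bin/sh
# Added example (not from the original post or from Net-SNMP): emit snmpd.conf
# stanzas that turn one Net-SNMP host into an SNMP proxy for several devices.
# A v2c poller selects the device by community ("ctx-<device>"); snmpd maps
# that community to a context and re-issues the request to the real device
# from the proxy's own address, the only address the device ACL has to allow.
set -eu

POLLER_NET=${POLLER_NET:-10.0.0.0/8}   # where the pollers live (what snmpd accepts from)

# Constructed device list: context name, device address, device's real community.
DEVICES='
core-rtr-1 192.0.2.50 devpub
core-rtr-2 192.0.2.51 devpub
edge-sw-7  192.0.2.60 edgepub
'

# Emitted once: the security group, and a view covering the whole tree.
proxy_header() {
    cat <<EOF
# --- generated SNMP proxy configuration ---
view all included .1 80
group pollers v2c poller
EOF
}

# One stanza per device. proxy registers .1.3.6.1 of the device under its own
# context; access grants the poller group read access to that context only.
proxy_stanza() {
    ctx=$1; host=$2; community=$3
    cat <<EOF
# --- $ctx ($host) ---
com2sec -Cn $ctx poller $POLLER_NET ctx-$ctx
access pollers $ctx any noauth prefix all none none
proxy -Cn $ctx -v 2c -c $community $host .1.3.6.1
EOF
}

proxy_config() {
    proxy_header
    printf '%s\n' "$DEVICES" | while read -r ctx host community; do
        [ -n "$ctx" ] || continue          # skip the blank lines around the list
        proxy_stanza "$ctx" "$host" "$community"
    done
}

# Quick sanity check before the output is dropped into snmpd.conf.
device_count() {
    printf '%s\n' "$DEVICES" | grep -c '^[^[:space:]]'
}

if [ "${1:-}" = print ]; then
    proxy_config
fi
```

`sh gen-proxy.sh print >> snmpd.conf` (hypothetical file name) appends the stanzas; a poller then queries `snmpget -v2c -c ctx-core-rtr-1 <proxyhost> sysName.0` and gets core-rtr-1's answer, while the device itself only ever sees the proxy's address. Because snmpd parses each PDU and issues a new request downstream, expect the extra latency and CPU cost the NAT answer above contrasts with, and put the real device communities on the proxy host only.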