[45716] in North American Network Operators' Group


Re: it's here

daemon@ATHENA.MIT.EDU (jerry scharf)
Wed Feb 13 11:38:58 2002

Date: Wed, 13 Feb 2002 08:38:03 -0800
From: jerry scharf <scharf@vix.com>
Reply-To: jerry scharf <scharf@vix.com>
To: nanog@merit.edu
Message-ID: <189980000.1013618283@conure.laguna.vix.com>
In-Reply-To: <gu9bsetv0k2.fsf@rampart.argfrp.us.uu.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Errors-To: owner-nanog-outgoing@merit.edu


C'mon guys. Exchange point rate anti-spoof filtering is not necessary to 
solve this problem.

This is why there are switches (using vlans if you choose) and router 
interfaces. Unless you are taking an OC3's worth of management traffic, you 
create a net just for your management traffic, put it on an interface and 
hang your entire site's snmp gear off of that. If you want it to be 
private, GRE and 1918 addresses are your friends, and filter to allow only 
traffic from those nets. None of this is new or hard.

Also, most everyone now supports snmpv3 security, so you can do that as 
well. (I just do it the old way I know how, so I haven't played much with 
this.)

jerry
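
The filtering rule described in the message above (SNMP allowed only from a dedicated management net), as an added example that is not part of the original post: a Python check that audits SNMP permit entries against the management nets and flags flows that reach an SNMP port from anywhere else. The prefixes, addresses and function names are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges, the address space the message suggests for management.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SNMP_PORTS = {161, 162}  # UDP agent and trap ports


def audit_permits(permits, mgmt_nets):
    """Flag SNMP permit entries that are wider than the management nets."""
    mgmt = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for entry in permits:
        net = ipaddress.ip_network(entry)
        if not any(net.subnet_of(m) for m in mgmt):
            findings.append((entry, "outside management nets"))
        elif not any(net.subnet_of(r) for r in RFC1918):
            # Only a problem if the management net is meant to be private.
            findings.append((entry, "not RFC 1918"))
    return findings


def snmp_violations(flows, mgmt_nets):
    """Return flows that hit an SNMP port from a non-management source."""
    mgmt = [ipaddress.ip_network(n) for n in mgmt_nets]
    bad = []
    for src, dst, dport in flows:
        if dport in SNMP_PORTS and not any(
                ipaddress.ip_address(src) in m for m in mgmt):
            bad.append((src, dst, dport))
    return bad


# Constructed sample data (assumed, not from the original message).
MGMT_NETS = ["10.99.0.0/24"]
PERMITS = ["10.99.0.0/24", "10.0.0.0/8", "0.0.0.0/0", "10.99.0.16/28"]
FLOWS = [
    ("10.99.0.5", "10.99.0.20", 161),    # poller on the management net
    ("192.0.2.44", "10.99.0.20", 161),   # outside source reaching an agent
    ("10.1.2.3", "10.99.0.20", 161),     # private, but not the management net
    ("192.0.2.44", "10.99.0.20", 443),   # not SNMP, out of scope here
]

if __name__ == "__main__":
    for entry, why in audit_permits(PERMITS, MGMT_NETS):
        print(f"permit {entry}: {why}")
    for flow in snmp_violations(FLOWS, MGMT_NETS):
        print("SNMP from non-management source:", flow)
```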

