Wednesday 14 March 2012

Network Operations vpn

Remote devices need to be managed via a VPN from the central site when operating on a centralized IT model. VPN devices support numerous configuration options for determining the tunnel endpoint and, depending on the method chosen, these options may affect the manageability of the network. To manage remote devices most effectively, you must use static cryptographic maps at the site where your management applications are located. You should not use dynamic cryptographic maps at the headend: dynamic cryptographic maps only accept incoming IKE requests and cannot initiate them, so there is no guarantee that a tunnel exists between the remote device and the headend site at the moment you need to reach the device. A static cryptographic map configuration includes the static IP addresses of the remote peers, so remote sites must use static IP addresses to support remote management.

Some management services, Trivial File Transfer Protocol (TFTP) for example, use the nearest interface as the source address of the packets they generate. For this reason, you should be careful when setting up the cryptographic ACLs to ensure that such traffic is matched and passes through the tunnel to the headend. You should enable read-only Simple Network Management Protocol (SNMP) access on VPN devices to collect the information available via an IPSec Management Information Base (MIB), if supported, and you should allow SNMP access only on secure interfaces. An IPSec MIB can track tunnel statistics and tunnel status via a tunnel history table and a tunnel failure table. The history table archives attribute and statistics information about the tunnel; the failure table archives tunnel failure reasons along with the time each failure occurred. This information is crucial when monitoring and troubleshooting devices in a network of any size. Consider using the MIBs in addition to the command-line interface (CLI) for troubleshooting and proactive monitoring in large deployments. Most configuration tools today assume green-field environments. For this reason, you should deploy these tools first, even in the prototype stage, to ease the configuration burden when going into production.
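The headend configuration the post describes, as an added example that is not part of the original post: a static crypto map naming the remote peer's fixed address, a crypto ACL that also covers the management subnet so TFTP and SNMP traffic is tunneled, a pinned TFTP source interface, and read-only SNMP restricted to the management network. All addresses (RFC 5737 documentation ranges), interface names, and the KEY and COMMUNITY placeholders are assumptions; replace them with your own values.

```cisco
! --- IKE phase 1 (assumed parameters; tune to your policy) ---
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! Remote peer has a STATIC address, so the headend can initiate the tunnel.
crypto isakmp key <KEY-PLACEHOLDER> address 203.0.113.10
!
crypto ipsec transform-set HEADEND-TS esp-aes esp-sha-hmac
!
! --- Crypto ACL: include the management subnet (10.0.0.0/24, assumed) so
! that TFTP/SNMP traffic from the management hosts is carried in the tunnel.
ip access-list extended CRYPTO-ACL-SITE1
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! --- STATIC crypto map: "set peer" fixes the endpoint, unlike a
! "crypto dynamic-map", which only answers inbound IKE requests.
crypto map HEADEND-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set HEADEND-TS
 match address CRYPTO-ACL-SITE1
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Outside / Internet-facing (assumed)
 ip address 198.51.100.1 255.255.255.0
 crypto map HEADEND-MAP
!
! TFTP would otherwise source from the nearest interface; pin it to an
! address that the crypto ACL above matches.
ip tftp source-interface Loopback0
!
! --- Read-only SNMP, limited to the management subnet via ACL 10.
access-list 10 permit 10.0.0.0 0.0.0.255
snmp-server community <COMMUNITY-PLACEHOLDER> RO 10
! Assumes the platform exposes the IPsec MIB; sends tunnel start/stop traps.
snmp-server enable traps ipsec
snmp-server host 10.0.0.50 <COMMUNITY-PLACEHOLDER>
```

Verify with `show crypto map` that the map is static (it lists the peer and `match address` ACL) and with `show crypto ipsec sa` that management traffic is hitting the expected SA.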
