Our network topology - where does cacti fit in?

jamesagnew
Posts: 2
Joined: Wed Dec 01, 2004 8:05 am

Our network topology - where does cacti fit in?

Post by jamesagnew »

Hello

Here's a simplified diagram of our network topology. We want to use cacti to monitor traffic on each and every switch port across the network (7 x Catalyst 2950s).

As you can see, there are 5 distinct networks behind the gateway firewalls (Cisco PIX). We'd like to have just one cacti installation and login to enable us to monitor the switches and firewalls.

Would you mind giving me some advice about the best way to proceed? I'm not trying to fish for quick answers without doing any work, but I would very much appreciate some feedback as to how best to proceed to avoid making pointless mistakes or re-inventing the wheel.

The five networks are separate and need to remain that way. There are a couple of routes between some of the networks for smtp and dns but nothing much else, although we could create new routes if required but they would have to be very defined due to security restrictions on some of the networks.

Thanks for your help.

James
Attachment: cisco.gif (simplified network topology diagram)
Wimmo
Posts: 7
Joined: Wed Sep 01, 2004 3:30 am
Location: Germany

Cacti tips

Post by Wimmo »

Hello,

If you have an IP connection from the cacti machine to all switches, you can create one template and put it on all switches.
Use an ACL on the Ciscos to secure access for the data, allow only the cacti machine to use SNMP.
Or you can create a separate management VLAN but that would cause a whole bunch of config work.
Start with one switch and test it, then go on to the rest.

With an IP connection, that should run fine. You will have to open the Firewall for snmp traffic.

Regards, Wimmo
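
The ACL restriction suggested in the reply above can be checked mechanically. This is an added example, not part of the original posts: a small Python audit that reads IOS `snmp-server community` and standard `access-list` lines and reports communities that are not limited to the poller. The poller address 192.0.2.10, the community names and both config fragments are constructed for illustration.

```python
import re

POLLER = "192.0.2.10"  # assumed Cacti server address (documentation range)

# Constructed IOS config fragments, not taken from the thread.
WEAK = """\
snmp-server community EXAMPLE-RO RO
snmp-server community EXAMPLE-RW RW
"""
HARDENED = """\
access-list 10 permit 192.0.2.10
access-list 10 deny any log
snmp-server community EXAMPLE-RO RO 10
"""

COMMUNITY = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\d+))?$", re.I)
ACL = re.compile(r"^access-list (\d+) (permit|deny) (.+)$", re.I)

def audit_snmp(config, poller=POLLER):
    """Return findings for SNMP communities not limited to the poller."""
    lines = [l.strip() for l in config.splitlines()]
    acls = {}  # ACL number -> list of (action, source) entries
    for m in filter(None, map(ACL.match, lines)):
        acls.setdefault(m.group(1), []).append((m.group(2).lower(), m.group(3)))
    # Source forms that match exactly one host, the poller.
    allowed = ([poller], ["host", poller], [poller, "0.0.0.0"])
    findings = []
    for m in filter(None, map(COMMUNITY.match, lines)):
        name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if mode == "RW":
            findings.append(f"{name}: read-write community, polling only needs RO")
        if acl is None:
            findings.append(f"{name}: no access list, any source can query")
        elif acl not in acls:
            findings.append(f"{name}: access-list {acl} is not defined")
        else:
            for action, src in acls[acl]:
                tokens = [t for t in src.split() if t != "log"]
                if action == "permit" and tokens not in allowed:
                    findings.append(f"{name}: access-list {acl} permits {src}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_snmp(cfg) or "ok")
```

Run against a saved copy of each switch configuration, an empty result means every community is read-only and bound to an ACL that permits only the poller.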
jamesagnew
Posts: 2
Joined: Wed Dec 01, 2004 8:05 am

Post by jamesagnew »

Hi Wimmo

Do you think that the cacti server should be behind one of the firewall interfaces, or would it be better to have it entirely outside the firewall and just create the ACL (with IP source address control) to the different switches?

Thanks for your help :)
ttyR2
Posts: 49
Joined: Sat Nov 13, 2004 1:30 am

Post by ttyR2 »

If there's no reason to access the Cacti interface from the outside, I'd leave it behind your firewalls. It'd just be more secure (not that there are any exploits for Cacti).