I read the documentation of these tools and found they work with
Cisco products. But how about Juniper M160 or M320, or
Unisphere's BRAS products? Where can I find Juniper's
OIDs for its temperature, chassis, CPU, bandwidth? Does

They use standard MIB2 and a few Cisco-specific MIBs. As I already
said, it is a good tool to view and monitor traffic, utilisation and errors,
and to use an additional tool to deep-monitor vendor-specific parameters. We use
'snmpstat' to monitor routers, switches, ports and interfaces (and bgp) and
cricket to watch a few additional parameters (to configure alerts, we use
aliases and mhonarc mail archives with auto expiration - for alerts,
warnings, reports and audits, and for 'root' and 'oracle' e-mail).

anyone have a running configuration for M160 or
Unisphere's BRAS products?

CCR can work with anything which (1) allows telnet or ssh, and (2) can 'write
net' config (in any syntax).
You can use an encrypted password file (using a passphrase) if you want. Using
SNMP was rejected, because it is absolutely device-specific, impossible in
many cases, and we never saw it as a security problem, because all devices
are restricted to allow ssh or telnet from 2 or 3 servers only, because
passwords are encrypted, and because automated config reading and web access
are much more important vs. a very abstract possibility of hacking (in
reality, problems can come from insiders, not from hackers, so no extra
accounts are allowed on the monitoring server).
You can get the configuration (initialize a tftp transfer) using some snmp
(WRITE) variable and pre-configured tftp parameters, but it works on very
few Cisco devices only.
As I said, CCR uses 3 methods:
- password file encrypted by public key;
- password file encrypted by 3des passphrase;
- explicit password.
In all cases, the problem is with the root user only - root can always decrypt
the password or intercept the web session. A user who has permission to edit the CCR
config and knows the passphrase can (in theory) see passwords as well. Other
users can not, even if they know the passphrase - they can only initiate config
reading.
Network admins do not know enable passwords if they do not need them - they
use the passphrase.
To have automated config reading, either of the first 2 methods can be used
(the passphrase must be written into a special file, root-only readable, if
method 2 is used). For manual reading, any method can be used, without
any file with the passphrase.
In reality, it is not a serious security problem because all devices can be
accessed from very few servers only, and because we can use 'ssh' instead
of 'telnet' (CCR can be configured or select ssh/telnet automatically). You
can, in turn, play with the security level, but it (again) does not work in the
generic case (any cisco device) and is very tricky.
For Juniper or other devices - you can try to program an 'expect' script, or use
an 'snmp' initiated transfer - all other things will work.
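
An added example, not part of the original message and not CCR code: the message relies on devices accepting ssh or telnet from only 2 or 3 servers, so this sketch audits a saved IOS-style config for vty lines that lack that restriction or still allow telnet. The sample config, the function name audit_vty and the max_sources threshold are assumptions, and only numbered standard ACLs are parsed.

```python
import re

# Constructed sample of a saved IOS-style config (not from the thread).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
line con 0
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def audit_vty(config, max_sources=3):
    """Return (vty header, finding) pairs for weak management-access settings."""
    permits, blocks, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) permit (.+)", line)
        if m:  # numbered standard ACL entry: remember its permitted source
            permits.setdefault(m.group(1), []).append(m.group(2).strip())
        if line.startswith("line vty"):
            current = line.strip()
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())  # sub-command of the vty block
        else:
            current = None
    findings = []
    for header, cmds in blocks.items():
        acl = next((c.split()[1] for c in cmds
                    if re.match(r"access-class \S+ in\b", c)), None)
        sources = permits.get(acl, [])
        if acl is None:
            findings.append((header, "no inbound access-class"))
        elif not sources:
            findings.append((header, "access-class %s has no permit entries" % acl))
        elif "any" in sources or len(sources) > max_sources:
            findings.append((header, "access-class %s is too broad" % acl))
        # Assumption: a missing 'transport input' line is not flagged here.
        transport = next((c.split()[2:] for c in cmds
                          if c.startswith("transport input")), [])
        if "telnet" in transport or "all" in transport:
            findings.append((header, "telnet allowed"))
    return findings

if __name__ == "__main__":
    for header, finding in audit_vty(SAMPLE_CONFIG):
        print(header + ": " + finding)
```

The count is of ACL entries, not addresses, so a single permitted subnet still passes as one source.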