1
00:00:00,240 --> 00:00:07,890
Things that may affect your network reachability are access control lists, or ACLs, and firewall rules

2
00:00:09,010 --> 00:00:12,130
in many networks that aren't actively being managed.

3
00:00:12,220 --> 00:00:20,190
You'll find that security engineers have blocked protocols such as SNMP and ICMP. Those two protocols

4
00:00:20,190 --> 00:00:21,270
are very important.

5
00:00:21,270 --> 00:00:28,140
network management protocols, but for security reasons they may have been blocked at various points in

6
00:00:28,140 --> 00:00:31,550
the network by security conscious engineers.

7
00:00:31,650 --> 00:00:37,770
So it's important that when you start to audit the network in preparation for an NMS rollout

8
00:00:38,550 --> 00:00:44,110
that you pay special attention to where traffic is allowed and where it's denied.

9
00:00:44,220 --> 00:00:52,020
Now from a best practice point of view it's ideal to deploy a management VLAN which is separate to

10
00:00:52,020 --> 00:00:54,330
the VLAN used for user traffic.

11
00:00:55,430 --> 00:01:02,240
So a separate network or separate VLAN is created and network management traffic is permitted on

12
00:01:02,240 --> 00:01:10,680
that VLAN, so ACLs and firewall rules on network devices would allow network management protocols on

13
00:01:10,690 --> 00:01:17,030
that VLAN and allow an NMS to access the loopback of a router, as an example.

14
00:01:17,030 --> 00:01:23,540
Just be aware that if you limit access to network devices from only specific IP addresses, so as an example

15
00:01:23,540 --> 00:01:28,910
you only allow the IP address of the network management system to access the router's loopback interface

16
00:01:29,300 --> 00:01:37,280
using SNMP, when you change things in your network such as expanding the network management applications

17
00:01:37,940 --> 00:01:44,020
you may need to go back and adjust your access lists or adjust your firewall rules.

18
00:01:44,270 --> 00:01:50,930
So it may be simpler to permit a subnet access to your network devices rather than locking it down to

19
00:01:50,930 --> 00:01:55,700
an individual IP address. In the same way, when discussing security

20
00:01:55,940 --> 00:01:59,230
you need to pay attention to different security zones.

21
00:01:59,240 --> 00:02:06,410
A customer may have an outside interface on a firewall, an inside interface, and a DMZ interface on their

22
00:02:06,410 --> 00:02:07,770
firewall.

23
00:02:07,790 --> 00:02:13,600
These security zones can impact your network management systems, so you need to understand how you're

24
00:02:13,610 --> 00:02:21,620
going to deploy the NMS and how security rules and firewall zones are going to affect overall reachability

25
00:02:21,620 --> 00:02:25,370
and the management strategy that you deploy.

26
00:02:25,430 --> 00:02:31,190
Now last but not least you need to think about overlapping and non-routable addresses in your network.

27
00:02:32,150 --> 00:02:38,270
Overlapping and non-routable addresses can be a real headache when deploying network management systems.

28
00:02:38,270 --> 00:02:44,030
You should audit your network and understand which addresses are reachable from within the network

29
00:02:44,540 --> 00:02:51,530
and take that into account as you start documenting the systems and decide where to roll out your network

30
00:02:51,530 --> 00:02:53,330
management system.

31
00:02:53,330 --> 00:02:59,090
In many cases if you have overlapping address space and you have devices on each of those overlapping

32
00:02:59,090 --> 00:03:07,370
subnets that you need to monitor you'll need to create a separate polling engine for NPM for each duplicate

33
00:03:07,370 --> 00:03:08,960
address space zone.
