
Firewall SNMP hate

Cisco, your SNMP implementation on PIX and ASA annoys me. On every version from 6.x to 8.x, once you nameif an interface it removes any trace of what the physical interface is from IF-MIB. There’s no way to relate logical to physical, to know that ‘outside’ is ‘Ethernet0/0’. This is annoying because the datacenter sees X interfaces numbered 1-X, not ‘outside’ and ‘inside’, and they’ll document cabling as such.

Unless, of course, you’re familiar enough with the hardware to know that on a 5510 running 7.x ifIndex.1 is always ‘Ethernet0/0’, while on 8.x ifIndex.1 is always ‘Null0’. Then you know that if it’s a 5520, the interface names change to GigabitEthernet0/xx. Then you know that if it’s a 5505, you’re pretty much screwed. And of course you know to go back and update your code whenever there’s a new firewall model or a firmware update, to make sure they didn’t sneak something else in on you. blah.
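As an added illustration (not code from the original post), here is a small Python script that applies the model-and-firmware heuristics above to snmpwalk output and refuses to guess for anything it does not recognise, which is the check the last sentence is asking for. The sample walk lines are constructed; the exact ifDescr string format, a sysDescr that carries "Version X.Y(Z)", the model being supplied by hand rather than derived from sysObjectID, and the assumption of one ifIndex per physical port in slot order are all assumptions, not facts from the post.

```python
import re

# Constructed sample in snmpwalk style; not captured from a real ASA.
# The "Adaptive Security Appliance '<nameif>' interface" wording is an assumption.
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Adaptive Security Appliance Version 8.2(1)
IF-MIB::ifDescr.1 = STRING: Adaptive Security Appliance 'Null0' interface
IF-MIB::ifDescr.2 = STRING: Adaptive Security Appliance 'outside' interface
IF-MIB::ifDescr.3 = STRING: Adaptive Security Appliance 'inside' interface
IF-MIB::ifDescr.4 = STRING: Adaptive Security Appliance 'dmz' interface
"""

# Heuristics from the post: physical port naming depends on the model,
# and the ifIndex of the first physical port depends on the major version
# (7.x: ifIndex.1 is Ethernet0/0; 8.x: ifIndex.1 is Null0, ports start at 2).
PORT_PREFIX_BY_MODEL = {"5510": "Ethernet0/", "5520": "GigabitEthernet0/"}
FIRST_PHYSICAL_IFINDEX_BY_MAJOR = {7: 1, 8: 2}

SYSDESCR_RE = re.compile(r"SNMPv2-MIB::sysDescr\.0 = STRING: (.*)")
IFDESCR_RE = re.compile(r"IF-MIB::ifDescr\.(\d+) = STRING: .*?'([^']+)' interface")


def parse_walk(text):
    """Return (sysDescr string, {ifIndex: nameif}) from snmpwalk-style lines."""
    sysdescr = None
    ifdescr = {}
    for line in text.splitlines():
        m = SYSDESCR_RE.match(line)
        if m:
            sysdescr = m.group(1)
            continue
        m = IFDESCR_RE.match(line)
        if m:
            ifdescr[int(m.group(1))] = m.group(2)
    return sysdescr, ifdescr


def major_version(sysdescr):
    """Pull the major firmware version out of 'Version 8.2(1)' (format assumed)."""
    m = re.search(r"Version (\d+)\.", sysdescr or "")
    if not m:
        raise ValueError(f"cannot find firmware version in sysDescr: {sysdescr!r}")
    return int(m.group(1))


def map_logical_to_physical(model, sysdescr, ifdescr):
    """Map nameif -> physical port using the model/version table.

    Raises ValueError rather than guessing when the model or major version is
    not in the table, so a new platform or firmware shows up as a loud failure
    instead of a silently shifted cabling map.
    """
    if model not in PORT_PREFIX_BY_MODEL:
        raise ValueError(f"no ifIndex-to-port mapping known for ASA {model}")
    major = major_version(sysdescr)
    if major not in FIRST_PHYSICAL_IFINDEX_BY_MAJOR:
        raise ValueError(f"no ifIndex-to-port mapping known for major version {major}")

    first = FIRST_PHYSICAL_IFINDEX_BY_MAJOR[major]
    prefix = PORT_PREFIX_BY_MODEL[model]
    mapping = {}
    for idx, name in sorted(ifdescr.items()):
        if idx < first:
            continue  # pseudo-interface (Null0) ahead of the physical ports
        # Assumes one ifIndex per physical port, in slot order, no subinterfaces.
        mapping[name] = f"{prefix}{idx - first}"
    return mapping


if __name__ == "__main__":
    sysdescr, ifdescr = parse_walk(SAMPLE_WALK)
    for nameif, port in map_logical_to_physical("5510", sysdescr, ifdescr).items():
        print(f"{nameif:>8} -> {port}")
```

Subinterfaces (Ethernet0/0.10 and the like) would also get their own ifIndex and break the plain arithmetic, so in practice the table needs a per-device sanity check against the known port count before the output is trusted.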
