Connect communicate collaborate DRAFT ON NETWORK MANAGEMENT ARCHITECTURE Esad Saitovic, Ivan...

connect • communicate • collaborate

DRAFT ON NETWORK MANAGEMENT ARCHITECTURE

Esad Saitovic, Ivan Ivanovic AMRES

Network monitoring workshop for GN3/NA3/T4

Belgrade

October 20-21, 2009


Network managementimplementation - goals

Define network topology

Isolate management network (possibility for implementing out-of-band management)

Approaches for non-isolated part of management network

Implementing NMS

Define management protocols and their usage

SNMP v2c & v3

What to monitor?


Out-of-band environment

Create separate network with links to each monitored device

Management access ports

Network devices

– Out-of-band management port

– Console port (via terminal server)

– Dedicated Ethernet interface

Servers

– Vendor specific out-of-band management port

– Dedicated Ethernet interface

UPS, printers, A/C etc…

– Dedicated management interface

Management servers should have an interface in out-of-band network.


Out-of-band environment

Access to vendor specific out-of-band management port

Ethernet access

Terminal server

Access to console port

ServersNetwork devices

Access to devices using dedicated out-of-band management port

Management servers

NMS

OOBMswitch

Configurationmanagement

server


Management access to devices

Host connected only to out-of-band network

Access from user/administrator network (VLAN) through L3 device

Access from public network via VPN connection which assumes one interface of VPN server inside of out-of-band network


Management access to devices


Ethernet access

Terminal server

Servers

NMS Configurationmanagement

server

Router with VPN support

Administrator-remote location-

PublicNetwork

VPN

LAN

Administrator



Network devices

Management servers

OOBMswitch

Host

Access to management network


Access to devices in non-isolated network

Common situation in campuses is lack of redundant links which could be used only for management purposes

Possible solution

VLAN for management purposes

Network devices with interface (logical, physical) in management VLAN

Server management interface in management VLAN


Access to devices in non-isolated network


Ethernet access

Terminal server

Servers

NMS Configurationmanagement

server

Router with VPN support

Administrator-remote location-

PublicNetwork

VPN

LAN

Administrator



Network devices

Management servers

OOBMswitch

Router

NAT

Management VLAN

Host

Access to management network


NMS server access to devices

In out-of-band network

Dedicated interface inside of out-of-band network is used to access devices

Access to NMS servers should be done through this interface (ssh, web access)

VLAN environment

Dedicated interface in management VLAN

Access to management VLAN through NAT (static NAT)


SNMP Protocol V3 vs. V2c

SNMP V2c is more often used than V3, why?

Administrators do not have experience in configuration of SNMP V3 protocol.

V2c is much more easy to configure (snmpd, snmptrapd) .

A lot of devices use V2c as default mode of work.

Network device must support data encryption in order to use stronger SNMP V3 security model.

SNMP V3 with enabled encryption can be processor demanding.

V2c in read-only mode is considered as safe solution?!


SNMP Protocol V3 vs. V2c

SNMP V3 user-based security models


SNMP Protocol V3 - Guidelines

SNMP V3 security in Read-Only and Read/Write mode

Select best security model (SNMPv3 provides three important services: authentication, privacy and access control).

Define security model for Read-Only mode.

Define security model for Read/Write mode.

Restrict MIB tree information on the remote device for the particular user.

Restirct SNMP traffic trough the network (ACL, Firewall….)


Commonly used SNMP variables

Network Devices CPU Load

– Example: cpmCPUTotalTable (.1.3.6.1.4.1.9.9.109.1.1.1.1)

Available memory

– I/O memory

– CPU memory

– Example: ciscoMemoryPoolTable (.1.3.6.1.4.1.9.9.48.1.1)

Interface

– Traffic throughput (bytes/sec, packets/sec)

– Interface Status (L2 Up/Down, L3 Up/Down)

– Example: ifXTable (.1.3.6.1.2.1.31.1.1)



ServersCPU Load

– Linux Example: systemStats (.1.3.6.1.4.1.2021.11)

– Windows Example: hrProcessorTable (.1.3.6.1.2.1.25.3.3.1)

Memory status

– RAM memory

– Storage memory

– Example: hrStorageTable (.1.3.6.1.2.1.25.2.3)

Interface

– Traffic throughput (bytes/sec, packets/sec)

– Interface status (L2 Up/Down, L3 Up/Down)

– Example: ifXTable (.1.3.6.1.2.1.31.1.1)



Servers

Number of established TCP connections

– Example: tcpCurrEstab (.1.3.6.1.2.1.6.9)

List of running process

– Example: hrSWRunTable (.1.3.6.1.2.1.25.4.2)

Number of currently logged system users

– Example: hrSystemNumUsers (.1.3.6.1.2.1.25.1.5)



UPSUPS Status

– Example: upsBasicOutputStatus (.1.3.6.1.4.1.318.1.1.1.4.1.1)

UPS Battery Capacity

– Example: upsAdvBattertyCapacity (.1.3.6.1.4.1.318.1.1.1.2.2.1)

UPS Battery remaining runtime

– Example: upsAdvBattertyRuntimeRemaining (.1.3.6.1.4.1.318.1.1.1.2.2.3)

UPS Battery temperature

– Example: upsAdvBatteryTemperature (.1.3.6.1.4.1.318.1.1.1.2.2.2)

UPS Output load

– Example: upsAdvOutputLoad (.1.3.6.1.4.1.318.1.1.1.4.2.3)



Other Network Devices

Air Conditioner (Temperature, Humidity, Compressor status….)

Sensors Appliance (Noise, Temperature, Humidity, Vibration, Motion, Smoke, Leak…)

Printer (Cartridge status, Paper status, Number of printed pages….)


DRAFT ON NETWORK MANAGEMENT ARCHITECTURE

Esad Saitovic, Ivan Ivanovic AMRES

Network monitoring workshop for GN3/NA3/T4

Belgrade

October 20-21, 2009

Connect communicate collaborate DRAFT ON NETWORK MANAGEMENT ARCHITECTURE Esad Saitovic, Ivan...

Documents

Transcript of Connect communicate collaborate DRAFT ON NETWORK MANAGEMENT ARCHITECTURE Esad Saitovic, Ivan...