DRAFT ON NETWORK MANAGEMENT ARCHITECTURE

Esad Saitovic, Ivan Ivanovic AMRES
Network monitoring workshop for GN3/NA3/T4
Belgrade
October 20-21, 2009
connect • communicate • collaborate
Network management implementation - goals
Define network topology
Isolate the management network (possibility of implementing out-of-band management)
Approaches for non-isolated part of management network
Implementing NMS
Define management protocols and their usage
SNMP v2c & v3
What to monitor?
Out-of-band environment
Create separate network with links to each monitored device
Management access ports
Network devices
– Out-of-band management port
– Console port (via terminal server)
– Dedicated Ethernet interface
Servers
– Vendor specific out-of-band management port
– Dedicated Ethernet interface
UPS, printers, A/C etc…
– Dedicated management interface
Management servers should have an interface in out-of-band network.
Out-of-band environment
[Diagram: an OOBM switch connects the management servers (NMS, configuration management server) to the network devices through dedicated out-of-band management ports and, via a terminal server, to their console ports; servers are reached through vendor-specific out-of-band management ports or Ethernet access.]
Management access to devices
Host connected only to out-of-band network
Access from user/administrator network (VLAN) through L3 device
Access from the public network via a VPN connection, which assumes one interface of the VPN server is inside the out-of-band network
Management access to devices
[Diagram: access to the management network from an administrator host on the LAN, and from an administrator at a remote location across the public network over a VPN terminated on a router with VPN support. Inside, the OOBM switch links the management servers (NMS, configuration management server), the terminal server (console port access), the network devices (dedicated out-of-band management port) and the servers (vendor-specific out-of-band management port, Ethernet access).]
Access to devices in non-isolated network
A common situation in campuses is the lack of redundant links that could be used only for management purposes
Possible solution
VLAN for management purposes
Network devices with an interface (logical, physical) in the management VLAN
Server management interface in management VLAN
Access to devices in non-isolated network
[Diagram: administrator access arrives from a host on the LAN or, remotely, across the public network over a VPN terminated on a router with VPN support. The management VLAN, reached through a router performing NAT, carries the OOBM switch, the management servers (NMS, configuration management server), the terminal server (console port access), the network devices (dedicated out-of-band management port) and the servers (vendor-specific out-of-band management port, Ethernet access).]
NMS server access to devices
In out-of-band network
A dedicated interface inside the out-of-band network is used to access devices
Access to the NMS servers should be done through this interface (ssh, web access)
VLAN environment
Dedicated interface in management VLAN
Access to management VLAN through NAT (static NAT)
SNMP Protocol V3 vs. V2c
SNMP V2c is more often used than V3, why?
Administrators do not have experience in configuring the SNMP V3 protocol.
V2c is much easier to configure (snmpd, snmptrapd).
A lot of devices use V2c as the default mode of operation.
The network device must support data encryption in order to use the stronger SNMP V3 security model.
SNMP V3 with encryption enabled can be processor demanding.
V2c in read-only mode is considered a safe solution?!
SNMP Protocol V3 vs. V2c
SNMP V3 user-based security models
AuthPriv (authentication is based on the MD5 or SHA algorithm and DES or AES is used for data encryption)
AuthNoPriv (authentication is based on the MD5 or SHA algorithm, but SNMP data is sent in plain text)
NoAuthNoPriv (the user name is used like a community string in V2c and SNMP data is sent in plain text)
SNMP Protocol V3 - Guidelines
SNMP V3 security in Read-Only and Read/Write mode
Select the best security model (SNMPv3 provides three important services: authentication, privacy and access control).
Define the security model for Read-Only mode.
Define the security model for Read/Write mode.
Restrict MIB tree information on the remote device for the particular user.
Restrict SNMP traffic through the network (ACL, firewall…).
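As an added example (not from the slides or from AMRES), a small audit script that applies the guidelines above to net-snmp snmpd.conf directives: it flags v2c read/write communities, v3 users below AuthPriv, and communities or users whose MIB view is not restricted. The sample configuration, user names and passphrases are constructed placeholders, and the directive syntax (rocommunity, rwcommunity, rouser, rwuser, -V VIEW, default level auth) is assumed from the net-snmp documentation.

```python
"""Audit net-snmp snmpd.conf directives against the SNMPv3 guidelines above.
Sample configuration is constructed; names and passphrases are placeholders."""

# Constructed snmpd.conf: a weak v2c setup beside a hardened v3 one.
SAMPLE_SNMPD_CONF = """\
rocommunity public                      # v2c RO, any source, whole MIB tree
rwcommunity private 10.0.0.0/24         # v2c RW: plain-text community permits SET
createUser monitor SHA "MonAuthPass" AES "MonPrivPass"
rouser monitor priv -V mgmtview         # AuthPriv, limited to one view
createUser admin SHA "AdmAuthPass" AES "AdmPrivPass"
rwuser admin auth                       # AuthNoPriv for SET: writes in plain text
view mgmtview included .1.3.6.1.2.1.31.1.1   # ifXTable only
"""

LEVELS = ("noauth", "auth", "priv")


def audit_snmpd_conf(text):
    """Return (severity, directive, finding) tuples for each weak directive."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        kw, *args = line.split()
        # A directive is view-restricted if it carries "-V VIEW" or a bare OID subtree.
        restricted = "-V" in args or any(a.startswith(".") for a in args[1:])
        if kw == "rwcommunity":
            findings.append(("HIGH", line, "v2c read/write: community string travels in plain text and permits SET"))
        elif kw == "rocommunity":
            if len(args) < 2:
                findings.append(("MEDIUM", line, "v2c read-only community accepted from any source; add a source network"))
            if not restricted:
                findings.append(("MEDIUM", line, "community can read the whole MIB tree; add -V VIEW or an OID subtree"))
        elif kw in ("rouser", "rwuser"):
            # Assumption: net-snmp uses the "auth" level when none is given.
            level = args[1] if len(args) > 1 and args[1] in LEVELS else "auth"
            if level == "noauth":
                findings.append(("HIGH", line, "NoAuthNoPriv: the user name works like a v2c community string"))
            elif kw == "rwuser" and level != "priv":
                findings.append(("HIGH", line, "AuthNoPriv for read/write: SET requests are authenticated but not encrypted"))
            if not restricted:
                findings.append(("LOW", line, "user can access the whole MIB tree; add -V VIEW"))
    return findings


if __name__ == "__main__":
    for severity, directive, finding in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"{severity:6} {directive:36} {finding}")
```

Only the AuthPriv user bound to a view passes clean; the script reports the v2c read/write community and the AuthNoPriv read/write user as HIGH.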
Commonly used SNMP variables
Network Devices
CPU Load
– Example: cpmCPUTotalTable (.1.3.6.1.4.1.9.9.109.1.1.1.1)
Available memory
– I/O memory
– CPU memory
– Example: ciscoMemoryPoolTable (.1.3.6.1.4.1.9.9.48.1.1)
Interface
– Traffic throughput (bytes/sec, packets/sec)
– Interface Status (L2 Up/Down, L3 Up/Down)
– Example: ifXTable (.1.3.6.1.2.1.31.1.1)
Commonly used SNMP variables
Servers
CPU Load
– Linux Example: systemStats (.1.3.6.1.4.1.2021.11)
– Windows Example: hrProcessorTable (.1.3.6.1.2.1.25.3.3.1)
Memory status
– RAM memory
– Storage memory
– Example: hrStorageTable (.1.3.6.1.2.1.25.2.3)
Interface
– Traffic throughput (bytes/sec, packets/sec)
– Interface status (L2 Up/Down, L3 Up/Down)
– Example: ifXTable (.1.3.6.1.2.1.31.1.1)
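The "traffic throughput (bytes/sec, packets/sec)" items in the network device and server slides above are not read directly from the device: the NMS polls ifXTable counters twice and divides the difference by the poll interval, correcting for counter wrap. The following script is an added example (not from the slides or from AMRES) that does exactly that over two constructed polls in snmpget output format; the interface index, counter values and 60 s interval are made up.

```python
"""Turn two polls of IF-MIB interface counters into bytes/sec and packets/sec.
The poll text is constructed to look like snmpget output; it is not from a real device."""
import re

COUNTER_BITS = {"Counter32": 32, "Counter64": 64}
LINE_RE = re.compile(r"^IF-MIB::(\w+)\.(\d+) = (Counter32|Counter64): (\d+)$")

# Two constructed polls of ifIndex 2, taken 60 seconds apart. ifHCInOctets and
# ifInUcastPkts are placed just below their wrap points to exercise the correction.
POLL_T0 = """
IF-MIB::ifHCInOctets.2 = Counter64: 18446744073709551000
IF-MIB::ifHCOutOctets.2 = Counter64: 4000000
IF-MIB::ifInUcastPkts.2 = Counter32: 4294967290
IF-MIB::ifHighSpeed.2 = Gauge32: 1000
"""
POLL_T1 = """
IF-MIB::ifHCInOctets.2 = Counter64: 6599384
IF-MIB::ifHCOutOctets.2 = Counter64: 4600000
IF-MIB::ifInUcastPkts.2 = Counter32: 5994
IF-MIB::ifHighSpeed.2 = Gauge32: 1000
"""


def parse_poll(text):
    """Map (object, ifIndex) -> (value, counter width) for every counter line."""
    polled = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:                      # gauges and strings are skipped
            name, idx, ctype, value = m.groups()
            polled[(name, int(idx))] = (int(value), COUNTER_BITS[ctype])
    return polled


def counter_delta(prev, cur, bits):
    """Counter difference, corrected for at most one wrap of a 32- or 64-bit counter."""
    return cur - prev if cur >= prev else cur + (1 << bits) - prev


def rate(prev_poll, cur_poll, name, idx, seconds):
    """Per-second rate of one counter between two polls."""
    (prev, bits), (cur, _) = prev_poll[(name, idx)], cur_poll[(name, idx)]
    return counter_delta(prev, cur, bits) / seconds


if __name__ == "__main__":
    t0, t1 = parse_poll(POLL_T0), parse_poll(POLL_T1)
    for obj, unit in (("ifHCInOctets", "bytes/s"), ("ifHCOutOctets", "bytes/s"),
                      ("ifInUcastPkts", "pkts/s")):
        print(f"{obj}: {rate(t0, t1, obj, 2, 60):.1f} {unit}")
```

The single-wrap correction is why the 64-bit ifXTable counters are the ones to poll: a 32-bit octet counter on a fully loaded gigabit link wraps in about 34 seconds, so it can wrap more than once between polls at common intervals.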
Commonly used SNMP variables
Servers
Number of established TCP connections
– Example: tcpCurrEstab (.1.3.6.1.2.1.6.9)
List of running processes
– Example: hrSWRunTable (.1.3.6.1.2.1.25.4.2)
Number of currently logged system users
– Example: hrSystemNumUsers (.1.3.6.1.2.1.25.1.5)
Commonly used SNMP variables
UPS
UPS Status
– Example: upsBasicOutputStatus (.1.3.6.1.4.1.318.1.1.1.4.1.1)
UPS Battery Capacity
– Example: upsAdvBatteryCapacity (.1.3.6.1.4.1.318.1.1.1.2.2.1)
UPS Battery remaining runtime
– Example: upsAdvBatteryRunTimeRemaining (.1.3.6.1.4.1.318.1.1.1.2.2.3)
UPS Battery temperature
– Example: upsAdvBatteryTemperature (.1.3.6.1.4.1.318.1.1.1.2.2.2)
UPS Output load
– Example: upsAdvOutputLoad (.1.3.6.1.4.1.318.1.1.1.4.2.3)
Commonly used SNMP variables
Other Network Devices
Air Conditioner (Temperature, Humidity, Compressor status….)
Sensors Appliance (Noise, Temperature, Humidity, Vibration, Motion,
Smoke, Leak…)
Printer (Cartridge status, Paper status, Number of printed pages….)