Challenges of Managing Large Networks

Presentation transcript:

Challenges of Managing Large Networks
- Network critical to running of business
- Complexity of network – requiring automated management tools
- Large number of devices, increased probability of device failure
- Likelihood of devices from different manufacturers
- Physical distribution of network assets – requiring management of assets across the network itself

OSI Key Areas of Network Management: Fault Management
- Correcting a work-stopping fault and resuming normal service with the minimum of delay
- Steps:
  - Determine location of fault
  - Isolate rest of network from failure
  - Reconfigure network to operate efficiently without failed components
  - Rectify fault, reconnect components, reconfigure network again

OSI Key Areas of Network Management: Accounting Management
- Charging cost of providing network to departments or cost centres based on usage statistics
- Reasons:
  - User(s) may overburden network at expense of other users
  - User(s) making inefficient use of network can be targeted by network manager to change procedures and improve performance
  - Network manager can plan for network growth if user activity is known

OSI Key Areas of Network Management: Configuration and Name Management
- Deciding how a device is to be used, choosing appropriate software and settings for the device
- Concerned with:
  - Initialising a network
  - Gracefully shutting down all or part of a network
  - Maintaining, adding, updating relationships between components
  - Status of components during network operation

OSI Key Areas of Network Management: Performance Management
- Identifying deteriorating response or throughput of the network and introducing additional equipment / transmission-capacity to alleviate the problem
- Performance issues:
  - What is the level of capacity utilisation?
  - Is there excessive traffic?
  - Has throughput reduced unacceptably?
  - Are there bottlenecks?
  - Is response time increasing?

OSI Key Areas of Network Management: Security Management
- Monitoring and controlling access to computer networks
- Concerned with generating, distributing and storing encryption keys, passwords and other access control information
- Requires use of security logs and audit records

Sub-area of Configuration and Name Management: Layer Management
- Most of the protocols associated with the TCP/IP suite have associated operational parameters, e.g. IP’s TTL parameter and TCP’s retransmission timer
- As a network expands, such parameters may need to be changed while the network is still operational

Network Management Techniques
- Connection Monitoring
  - Ping a number of critical IP addresses at intervals
  - Inefficient, and not very informative, should only be used if no alternative
- Traffic Monitoring
  - Analyse traffic on a network and generate reports
  - MS Network Monitor / Fluke Network Analyzer
  - Works on a single segment at a time
  - More sophisticated tools use SNMP/CMIP to remotely monitor other segments
Connection monitoring – MSBPN example; inefficient, primitive, better than nothing
Critical IP addresses: Routers, switches, servers…
Enhancement: use traceroute, that’ll identify where failures occur, or when alternative paths are being used (could cause longer latency)
Extra enhancement: do short file transfers at regular intervals, give you an idea of throughput
Traffic monitor – detect failing / overloaded / poorly configured equipment

SNMP (Simple Network Management Protocol)
- Released by US Department of Defense and TCP/IP developers in 1988
- Most widely used and well-known in network software management tools
- Uses a technique called MIB collection to retrieve network information - i.e. polls each device on a network in sequence, asking for status, records that information centrally
- Devices on the network don’t need to be smart enough to report problems as they occur
- SNMP’s polling contributes significantly to network traffic

CMIP (Common Management Information Protocol)
- Developed by the ISO, pre-dating SNMP
- Not implemented as much as SNMP, especially since SNMP became a part of TCP/IP
- Uses a technique called MIB reporting to gather network information - the central monitoring station waits for devices to report their current status to it
- May be useful if keeping non-essential network traffic to a minimum is critical

TMN (Telecommunications Management Network)
- Developed by ITU-T
- Specifies management architectures for telecommunications networks (e.g. ISDN, B-ISDN, ATM)
- Provides a richer framework of architectural concepts than SNMPv3
- Underlying protocols may be provided by SNMP or CMIP

Network Monitors / Network Analysers
- A network monitor uses SNMP or CMIP to keep track of statistical information about a network
- A network analyser does the same but provides a more sophisticated level of service - for example some network analysers can not only detect and identify problems, they can fix them as well
- A network analyser may be dedicated hardware, but can just be a specialised software package that runs on a typical PC using a typical network card

Network Troubleshooting
- Problems will happen on networks
- Approach the problem logically and methodically
- Two useful approaches to network troubleshooting:
  - The Process of Elimination
  - Divide and Conquer
- These approaches apply in areas other than just networking
Process of elimination: A limited number of possible causes to a problem. List all the possible causes, check each one and if it’s definitely not the cause of the problem, then eliminate it. May not result in a resolution, e.g. if two factors are combining to cause the problem.
Divide and Conquer if the problem domain is very big with many possible causes. Try to eliminate whole groups of causes in one go.
See handout for more fully described examples that relate to networking

Network Troubleshooting S/W Tools
- Ping – network layer connectivity
- Traceroute – identifying network layer point of failure
- Telnet – application layer connectivity
- Netstat – protocol statistics / TCP/IP connections
- ARP – show / change ARP cache
- IPConfig – show IP / MAC settings
These are basic tools available on any WinNT/2000/95/98 machine, similar tools available on UNIX, lots of other more sophisticated tools available.

Simple Network Management Protocol
- Application-layer protocol
- Facilitates the exchange of management information between network devices
- Part of the TCP/IP protocol suite.

SNMP Basic Components
- Network Management System (NMS)
  - Executes applications that monitor and control managed devices
  - May be a dedicated device
  - Could have more than one NMS on a network
- Managed elements
  - Devices: switch, router, workstation, printer…
  - Software Elements: protocol…
  - Collect and store management-related information
Managed Elements – software elements, hardware elements (devices)
Example of Managed Software Element – protocol
Management related information, e.g. for IP: read variable such as no. of packets dropped due to TTL parameter expirations, write variable such as actual TTL timeout value.
Communicates with NMS – via SNMP commands (seen soon)

SNMP Basic Components…
- Agents
  - Network management software that resides in a managed device
  - Has local knowledge of management information
  - Translates the information into SNMP form
  - Communicates with Network Management System
- Master Agent
  - Parses and formats protocol messages
- Subagent
  - Models objects of interest within a subsystem
  - Interfaces to the subsystem for monitoring and management operations
Agent software small compared to NMS software, so NMS may be a dedicated device
Master and subagents can merge, just called an agent then

SNMP Standards
- SNMPv1
  - original standard defined by RFCs 1155, 1157, 1212 and 1213
  - Widely used
- SNMPv2
  - core defined by RFCs 2578-2580, 2819; 1907, 2572
  - Not widely adopted due to serious disagreements about security framework
  - Fragmented into v2c, v2p and v2u
- SNMPv3
  - current standard defined by RFCs 3411-3418
  - Standardised as of 2004
- Implementations often support v1, v2c and v3
SNMP covered by some current standard documents; some draft standards – lots of draft standards to cover MIB structure for specific protocols or devices
SNMPv1 and v2 can live together on the same network, as described in RFC 1908

SNMPv3 Framework
SNMP Internet Standard Management Framework (SNMP Framework)
- Structure of Management Information (SMI)
- SNMP Security and Administration
- Management Information Bases (MIBs)
- Simple Network Management Protocol (SNMP)

SNMP SMI
- SMI defines rules for describing management information using ASN.1
- SMI specifies:
  - ASN.1 data types
  - SMI-specific data types
  - MIB table
  - Information modules (added in SNMPv2)
ASN.1 data types: INTEGER, BITSTRING, OCTETSTRING, Display String, NULL, OBJECT IDENTIFIER, SEQUENCE, SEQUENCE OF, CHOICE
SMI-specific data types (subtypes):
  - IpAddress – OCTETSTRING of length 4
  - PhyAddress – (mac address)
  - Counter32, Gauge32, Integer32, TimeTicks – plus more in SNMPv2
MIB table: highly structured table, grouping instances of a tabular object, indexed to allow retrieval or modification of an entire row
Information Modules: a group of related definitions

SNMP Data Representation
- In order to allow communication between very different devices, SNMP uses a platform-independent format
- Data types of each managed object defined using a subset of ASN.1
- Before communication, values are converted into standard syntax using ASN.1 Basic Encoding Rules (BER)
Values gathered locally converted from native syntax to standard abstract syntax before transmission back to NMS

SNMP MIB
- Management Information Base
- Database of information, organised hierarchically
- Accessed via SNMP protocol
- Contains managed objects, each identified by an object identifier
- Managed object:
  - Some characteristic of a managed device
  - Comprised of one or more object instances
  - May be scalar or tabular
MIB – Management Information Base, database of management-related information
Object instance – basically a variable
Scalar managed object – single object instance
Tabular managed object – table of object instances (e.g. entries in routing table)

SNMP MIB Tree Example
ASN.1’s OBJECT IDENTIFIER used to identify a managed object within the context of an internationally defined object naming tree – part of this tree shown above
Lots of standard objects defined under 1.3.6.1.2.1
Objects specific to Cisco equipment under 1.3.6.1.4.1.9

SNMP MIB Tree Example…
- atInput is a scalar managed object (i.e. single object instance) containing an integer value that indicates the total number of AppleTalk packets that have been received on a router interface
- atInput can be identified in two ways:
  - 1.3.6.1.4.1.9.3.3.1
  - iso.identified-organization.dod.internet.private.enterprise.cisco.temporary variables.AppleTalk.atInput

SNMP Security
- SNMPv1 lacks authentication capabilities
  - A password (community string) is required between NMS and agent, but this is not encrypted for transmission
- SNMPv2 security fragmented into:
  - v2p – party-based security
  - v2u – user-based security
  - v2c – back to community strings
- SNMPv3 allows a number of different security methods to be incorporated into its architecture, including:
  - user-based security as defined in SNMPv2u
  - a new view-based access control model

SNMPv3 Message Format
Message Header | Scoped PDU
- Message header has fields:
  - Version Number - 3 for SNMPv3
  - Message Identifier - matches responses to requests
  - Maximum Message Size - that sender can receive
  - Message Flags - controls processing of message
  - Message Security Model - identifying which security model was used for message
  - Message Security Parameters - appropriate to chosen security model
- Scoped PDU has fields:
  - Context Engine ID – identifies application to process PDU
  - Context Name – object identifier specifying context of PDU
  - PDU – variable formats, see next slide
SNMP context describes a set of management information accessible by a particular entity. PDU is ‘scoped’, i.e. applied within the scope of the context. Basically security stuff.
v2c Message format:
  - Version Number – Specifies the version of SNMP that is being used.
  - Community Name – Defines an access environment for a group of NMSs. NMSs within the community are said to exist within the same administrative domain. Community names serve as a weak form of authentication because devices that do not know the proper community name are precluded from SNMP operations.
  - PDU
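
The v2c message layout above, the BER encoding from the Data Representation slide and the OBJECT IDENTIFIER naming from the MIB tree slides can all be seen by decoding one request by hand. This is an added example, not part of the original presentation: a minimal Python BER reader run over a constructed SNMPv2c GetRequest (the community "public", the request-id and all function names are assumptions made for illustration).

```python
"""Minimal BER reader for a community-based SNMP message (v1/v2c layout)."""

# Constructed sample: SNMPv2c GetRequest for 1.3.6.1.4.1.9.3.3.1, community "public".
SAMPLE = bytes.fromhex(
    "30 27 02 01 01 04 06 70 75 62 6c 69 63"               # SEQUENCE, version, community
    " a0 1a 02 01 01 02 01 00 02 01 00"                    # PDU, request-id, error fields
    " 30 0f 30 0d 06 09 2b 06 01 04 01 09 03 03 01 05 00"  # varbind: OID, NULL
)

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA6: "InformRequest",
             0xA7: "SNMPv2-Trap"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER tag-length-value at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits count the length octets
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad length field")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    subs, sub = [], 0
    for byte in value:                   # base-128 digits, high bit means "more follow"
        sub = (sub << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subs.append(sub)
            sub = 0
    if not subs:
        raise ValueError("empty OID")
    first = min(subs[0] // 40, 2)        # first sub-identifier packs the first two arcs
    return ".".join(str(a) for a in [first, subs[0] - 40 * first] + subs[1:])

def parse_community_message(packet):
    """Extract version, community, PDU type and requested OIDs."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag not in PDU_TYPES:         # the SNMPv1 Trap PDU (0xA4) has another layout
        raise ValueError("unsupported PDU")
    pos = 0
    for _ in range(3):                   # skip request-id and the two integer fields
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, varbind, pos = read_tlv(varbinds, pos)
        oids.append(decode_oid(read_tlv(varbind, 0)[1]))
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(version, "big"), "other"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES[pdu_tag], "oids": oids}
```

The community string is recovered with no key material at all, which is what "not encrypted for transmission" on the SNMP Security slide means in practice.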

SNMPv2 PDU Formats
Get, GetNext, Inform, Response, Set, Trap:
GetBulk:
Detail of fields in handout
Non Repeaters: The number of non-repeating, regular objects at the start of the variable list in the request
Max Repetitions: The number of iterations in the table to be read for the repeating objects that follow the non-repeating objects

SNMP Protocol Operations
- Get – Retrieve the value of a scalar SNMP variable
- GetNext – Retrieve the next value in a tabular SNMP variable
- Set – Change the value of an SNMP variable
- Trap – Used by agent to report an event to an NMS
- GetBulk (added in SNMPv2) – Retrieve whole table in one operation
- Inform (added in SNMPv2) – Used by one NMS to report an event to another NMS
GetNext – used by NMS to retrieve the value of the next object instance in a table or list within an agent
Get and Set also used by NMS
Trap used by agent; Trap operation changed for SNMPv2
GetBulk allows NMS to retrieve multiple rows in a table from agent
Inform allows one NMS to send trap information to another NMS and get a response
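
How GetNext ordering and the GetBulk Non Repeaters / Max Repetitions fields interact is easier to follow on a small agent view. The Python below is an added example, not part of the original presentation: the MIB contents are constructed sample values under 1.3.6.1.2.1, and the helper names (`oid`, `get_next`, `get_bulk`, `walk_column`) are assumptions made for illustration.

```python
"""Toy agent MIB view showing GetNext and GetBulk ordering (constructed data)."""
from bisect import bisect_right

END = "endOfMibView"

def oid(text):
    """Dotted string -> tuple, so Python's tuple order equals MIB tree order."""
    return tuple(int(arc) for arc in text.split("."))

# Constructed object instances: two scalars and a two-column, three-row table.
MIB = {
    oid("1.3.6.1.2.1.1.3.0"): 123456,       # sysUpTime.0
    oid("1.3.6.1.2.1.2.1.0"): 3,            # ifNumber.0
    oid("1.3.6.1.2.1.2.2.1.2.1"): "eth0",   # ifDescr.1
    oid("1.3.6.1.2.1.2.2.1.2.2"): "eth1",
    oid("1.3.6.1.2.1.2.2.1.2.3"): "lo",
    oid("1.3.6.1.2.1.2.2.1.10.1"): 1000,    # ifInOctets.1
    oid("1.3.6.1.2.1.2.2.1.10.2"): 2000,
    oid("1.3.6.1.2.1.2.2.1.10.3"): 30,
}
ORDER = sorted(MIB)

def get_next(name):
    """Return the first object instance strictly after `name` in tree order."""
    i = bisect_right(ORDER, name)
    if i == len(ORDER):
        return name, END
    return ORDER[i], MIB[ORDER[i]]

def get_bulk(names, non_repeaters, max_repetitions):
    """One GetNext for each of the first `non_repeaters` names, then up to
    `max_repetitions` rounds of GetNext over the remaining names."""
    out = [get_next(n) for n in names[:non_repeaters]]
    cursors = list(names[non_repeaters:])
    for _ in range(max_repetitions):
        row = [get_next(c) for c in cursors]
        out.extend(row)
        if all(value == END for _, value in row):
            break
        cursors = [name for name, _ in row]
    return out

def walk_column(column, max_repetitions=2):
    """Manager-side table read: repeat GetBulk and keep only instances still
    under `column`, because the agent simply continues into the next column."""
    if max_repetitions < 1:
        raise ValueError("max_repetitions must be at least 1")
    rows, cursor = [], column
    while True:
        for name, value in get_bulk([cursor], 0, max_repetitions):
            if value == END or name[:len(column)] != column:
                return rows
            rows.append((name[-1], value))
            cursor = name
```

With one non-repeater (sysUpTime) and two repeating columns, a single GetBulk with Max Repetitions 3 returns seven variable bindings: the scalar first, then the two columns interleaved row by row.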

Remote Monitoring
- RMON is an enhancement to SNMP
- Allows SNMP to look at entire network, not just individual devices
- RMON probe collects data from a network segment and relays it back to management console
- RMON creates new categories of data, i.e. new branches added to MIB tree
A number of enhancements to SNMP, most important is RMON
May have more than one management console, for redundancy in case of failure
RMON doesn’t replace SNMP, still need SNMP
Revision to RMON called RMON2

RMON
Management console must have RMON functionality, can collect information from both RMON probes and plain SNMP agents

RMON Categories of Data
- Ethernet Statistics Group – statistics gathered for each segment
- History Control Group – records samples from the Ethernet Statistics Group over a specified period of time
- Alarm Group – alerts network admin based on counters exceeding specified thresholds
- Host Group – counters for each host on segment
- Host TOPN Group – reports, e.g. top 10 hosts that generate broadcast
Only some of the categories listed on the slide, some more in the handout
Ethernet Statistics Group – e.g. counters for bytes, packets, errors & frame size
History Control Group – rolling log that covers a limited period, e.g. sample every 30 minutes, maintain last 25 samples (50 hours total).
Alarm Group – Management console can alert admin by sending mails flagging dangerous conditions on the network, preventive troubleshooting