Presentation on theme: "Connect communicate collaborate DRAFT ON NETWORK MANAGEMENT ARCHITECTURE Esad Saitovic, Ivan Ivanovic AMRES Network monitoring workshop for GN3/NA3/T4."— Presentation transcript:
connect communicate collaborate DRAFT ON NETWORK MANAGEMENT ARCHITECTURE Esad Saitovic, Ivan Ivanovic AMRES Network monitoring workshop for GN3/NA3/T4 Belgrade October 20-21, 2009
connect communicate collaborate Network management implementation - goals Define network topology Isolate management network (possibility for implementing out-of- band management) Approaches for non-isolated part of management network Implementing NMS Define management protocols and their usage SNMP v2c & v3 What to monitor?
connect communicate collaborate Out-of-band environment Create separate network with links to each monitored device Management access ports Network devices – Out-of-band management port – Console port (via terminal server) – Dedicated Ethernet interface Servers – Vendor specific out-of-band management port – Dedicated Ethernet interface UPS, printers, A/C etc… – Dedicated management interface Management servers should have an interface in out-of-band network.
connect communicate collaborate Management access to devices Host connected only to out-of-band network Access from user/administrator network (VLAN) through L3 device Access from public network via VPN connection which assumes one interface of VPN server inside of out-of-band network
connect communicate collaborate Management access to devices
connect communicate collaborate Access to devices in non-isolated network Common situation in campuses is lack of redundant links which could be used only for management purposes Possible solution VLAN for management purposes Network devices with interface (logical, physical) in management VLAN Server management interface in management VLAN
connect communicate collaborate Access to devices in non-isolated network
connect communicate collaborate NMS server access to devices In out-of-band network Dedicated interface inside of out-of-band network is used to access devices Access to NMS servers should be done through this interface (ssh, web access) VLAN environment Dedicated interface in management VLAN Access to management VLAN through NAT (static NAT)
connect communicate collaborate SNMP Protocol V3 vs. V2c SNMP V2c is more often used than V3, why? Administrators do not have experience in configuration of SNMP V3 protocol. V2c is much more easy to configure (snmpd, snmptrapd). A lot of devices use V2c as default mode of work. Network device must support data encryption in order to use stronger SNMP V3 security model. SNMP V3 with enabled encryption can be processor demanding. V2c in read-only mode is considered as safe solution?!
connect communicate collaborate SNMP Protocol V3 vs. V2c SNMP V3 user-based security models AuthPriv (Authentication is based on MD5 or SHA algorithm and DES or AES is used for data encryption) AuthNoPriv ( Authentication is based on MD5 or SHA algorithm, but SNMP data is sent in plain text) NoAuthNoPriv (User name is used like community string in V2c and SNMP data is sent in plain text)
connect communicate collaborate SNMP Protocol V3 - Guidelines SNMP V3 security in Read-Only and Read/Write mode Select best security model (SNMPv3 provides three important services: authentication, privacy and access control). Define security model for Read-Only mode. Define security model for Read/Write mode. Restrict MIB tree information on the remote device for the particular user. Restirct SNMP traffic trough the network (ACL, Firewall….)
connect communicate collaborate Commonly used SNMP variables Network Devices CPU Load – Example: cpmCPUTotalTable (.18.104.22.168.22.214.171.124.126.96.36.199.1) Available memory – I/O memory – CPU memory – Example: ciscoMemoryPoolTable (.188.8.131.52.184.108.40.206.48.1.1) Interface – Traffic throughput (bytes/sec, packets/sec) – Interface Status (L2 Up/Down, L3 Up/Down) – Example: ifXTable (.220.127.116.11.18.104.22.168.1)
connect communicate collaborate Commonly used SNMP variables Servers CPU Load – Linux Example: systemStats (.22.214.171.124.4.1.2021.11) – Windows Example: hrProcessorTable (.126.96.36.199.188.8.131.52.3.1) Memory status – RAM memory – Storage memory – Example: hrStorageTable (.184.108.40.206.220.127.116.11.3) Interface – Traffic throughput (bytes/sec, packets/sec) – Interface status (L2 Up/Down, L3 Up/Down) – Example: ifXTable (.18.104.22.168.22.214.171.124.1)
connect communicate collaborate Commonly used SNMP variables Servers Number of established TCP connections – Example: tcpCurrEstab (.126.96.36.199.188.8.131.52) List of running process – Example: hrSWRunTable (.184.108.40.206.220.127.116.11.2) Number of currently logged system users – Example: hrSystemNumUsers (.18.104.22.168.22.214.171.124.5)