Embed Size (px)
Citation preview
AANTS:Web-Based Tools for Cooperative Campus Network Administration
Charles Thomas
Dave PlonkaAANTS Administration Team
Division of Info. Tech. (DoIT)
Network Services
University of Wisconsin - Madison
Past Campus Network:
• ATM LANE environment with 5 or 6 routers.
• Multiple switch brands, many models.• Centrally-managed configurations for
50-75 devices.
Past Campus Network:
• Campus departments administered their own LANs and had their own IT staff.
• Gear purchase, configuration, deployment, and maintenance was handled on a department-by-department basis.
• This led to a hodgepodge of operating procedures and network designs, some incompatible with each other.
Campus XXI Century Network Upgrade
• Use Cisco equipment as a standard to minimize cross-vendor incompatibilities.
• Increase the backbone speed to 10 Gb/s.• Offer 1 Gb/s departmental connections. • Move to a centrally-purchased and
centrally-managed network model.
Present Campus Network
• Nearly 900 Cisco network devices, many models.
• A few Juniper and NetScreen devices.• 41,000+ managed ports.• The number of managed buildings,
devices, and ports is growing every day.
The Challenge
• Campus LAN admins (Authorized Agents) need to administer the switches and ports which carry their LANs.
• The gear is centrally owned/managed, therefore we cannot allow them direct access (e.g. ssh or telnet) to the switches themselves.
• Need to maintain good relations with AAs and not deprive them of their sense of autonomy (political/practical).
The Goal
• Give our Authorized Agents comparable (and in many cases improved) network management capabilities.
• Maintain appropriate levels of security, authorization and access control.– Protect centrally-managed gear.– Protect AAs from each other.
AANTS: Authorized Agent Network Tool Suite
• Loosely-coupled set of web-based utilities for network administration.
• Tools are team-developed in-house, optimized toward local networking practices, driven by user need.
• Allow users (campus LAN administrators and network engineers) to manage network devices, change device configurations, troubleshoot, inspect traffic data, coordinate with users, and perform other network management tasks.
Foundation Technologies:
• NetCMS - Network Device Configuration Management System for tracking router/switch configurations.
• WiscNIC - RIPE whois database of network information.
• Oracle/MySQL - Device config database.• Cisconf - Cisco tftp config tool.• GNU Make - Project management.• FlowScan and MRTG (Multi-Router Traffic
Grapher).
LookingGlass
• Run command-line operations on devices and view results.
• View ethernet switch logs.
NetStats
• Graph router interface and switch port statistics.
• Several summary graphs displaying different types of traffic statistics at the campus network border.
• Searchable interface to traffic statistics.
NetWatch
• Locate a host given a MAC or IP address.
• Discover which devices are connected to a specific switch.
EdgeConf• Configure device ports.• Perform multiple port changes as one
transaction.• Label ports with user information• Work with port subsets.• Examine switch port configurations and
other switch information.• Users can only change devices/ports for
which they are authorized.
VlanFinder• Discovers all currently active VLANs.• User selects one or more VLANs.• Display devices and ports on which the VLANs are
active.• Display VLAN attributes:
– Configuration of routed VLAN interfaces
– Any trunk allowed VLANs
– VLAN Spanning Tree Protocol priorities
• Device names and ports will be hot-linked (where applicable) to EdgeConf.
VlanFinder• Used to identify devices/ports which could
potentially be affected by work on a specific VLAN.
• Used to map the current configuration of a VLAN prior to reconfiguration.
• Used to verify the real-world result of network configuration changes (“Did my change do what I wanted?”).
MailByDevice• Select one or more network devices.• Find all VLANs on each device.• Get all technical and administrative contacts
for each VLAN from the WiscNIC database.• User can compose an email message.• Message will be mailed to all users.• Used to alert users when certain devices are
going to be affected by NS actions.
CodePusher• Push commands, operating code, or configuration
code to selected network devices.– Run command-line directives (e.g. ‘show int’).– Upgrade system software.– Modify device configurations.– Manage ACLs.
• Parallelized for maximum efficiency.• Can specify a delayed device restart date/time.• Parses results into log files which can be viewed
from the web browser .• Performs error-checking.• Reports results via email.
Live Demos
Summary
• AANTS tools allow our customers to manage their network over the web, regardless of the user’s platform of choice.
• AANTS tool development is driven by user input and real-world needs.
• AANTS is built on a foundation of freely-available software.
• Local networking practices guide AANTS’ growth as a customized system.
Summary (cont.)• Day-to-day management tasks are handled more
quickly and easily for network services staff.• Improved Security Management
– Maintain common Access-Control-Lists across network gear.
– Locate and isolate compromised and abusive machines.
– Visually identify bouts of abusive traffic.
– Block traffic involving abusive intra- or extra-campus hosts
Summary (cont.)• These tools help us maintain good relations with
campus LAN admins by empowering them rather than moving responsibility away from them.
• This cooperative policy makes use of available campus IT talent to help network services staff manage the network.
Q&A
