Draft on Network Management Architecture

7/23/2019 Draft on Network Management Architecture

http://slidepdf.com/reader/full/draft-on-network-management-architecture 1/18

connect • communicate • collaborate

DRAFT ON NETWORK MANAGEMENT

ARCHITECTURE

Esad Saitovic, Ivan Ivanovic AMRES

Network monitoring workshop for GN3/NA3/T4

Belgrade

October 20-21, 2009




Network management

implementation - goals

Define network topology

Isolate management network (possibility for implementing out-of-band management)

Approaches for non-isolated part of management network

Implementing NMS

Define management protocols and their usage

SNMP v2c & v3

What to monitor?




Out-of-band environment

Create separate network with links to each monitored device

Management access ports

Network devices

– Out-of-band management port

– Console port (via terminal server)

– Dedicated Ethernet interface

Servers

– Vendor specific out-of-band management port

– Dedicated Ethernet interface

UPS, printers, A/C etc!

– Dedicated management interface

Management servers should have an interface in out-of-band network.




Out-of-band environment

Access to vendor specific

out-of-band management port

Ethernet access

Terminal server

Access to console

portServersNetwork devices

Access to devices using dedicated


Management servers

NMS

OOBM

switch

Configuration

management

server




Management access to devices

Host connected only to out-of-band network

Access from user/administrator network (VLAN) through L3 device

Access from public network via VPN connection which assumes one

interface of VPN server inside of out-of-band network




Management access to devices



Ethernet access

Terminal server

Servers

NMS Configuration

management

server

Router withVPN support

Administrator

-remote location-

Public

Network

VPN

LAN

Administrator

Access to console port



Network devices

Management servers

OOBM

switch

Host

Access to management network




Access to devices in non-isolated

network

Common situation in campuses is lack of redundant links which could be

used only for management purposes

Possible solution

VLAN for management purposes

Network devices with interface (logical, physical) in management

VLANServer management interface in management VLAN




Access to devices in non-isolated

network



Ethernet access

Terminal server

Servers

NMS Configurat ion

managementserver

Router with

VPN support

Administrator -remote location-

Public

Network

VPN

LAN

Administrator

Access to console port



Network devices

Management servers

OOBMswitch

Router

NAT

Management VLAN

Host

Access to management network




NMS server access to devices

In out-of-band network

Dedicated interface inside of out-of-band network is used to accessdevices

Access to NMS servers should be done through this interface (ssh,

web access)

VLAN environmentDedicated interface in management VLAN

Access to management VLAN through NAT (static NAT)




SNMP Protocol V3 vs. V2c

SNMP V2c is more often used than V3, why?

Administrators do not have experience in configuration of SNMP V3

protocol.

V2c is much more easy to configure (snmpd, snmptrapd) .

A lot of devices use V2c as default mode of work.

Network device must support data encryption in order to use strongerSNMP V3 security model.

SNMP V3 with enabled encryption can be processor demanding.

V2c in read-only mode is considered as safe solution?!




SNMP Protocol V3 vs. V2c

SNMP V3 user-based security models

AuthPriv (Authentication is based on MD5 or SHA algorithm and DES or AES isused for data encryption)

AuthNoPriv ( Authentication is based on MD5 or SHA algorithm, but SNMP data issent in plain text)

NoAuthNoPriv (User name is used like community string in V2c and SNMP data is

sent in plain text)




SNMP Protocol V3 - Guidelines

SNMP V3 security in Read-Only and Read/Write mode

Select best security model (SNMPv3 provides threeimportant services: authentication, privacy and access

control).

Define security model for Read-Only mode.Define security model for Read/Write mode.

Restrict MIB tree information on the remote device for the

particular user.

Restirct SNMP traffic trough the network (ACL, Firewall!.)




Commonly used SNMP variables

Network DevicesCPU Load

– Example: cpmCPUTotalTable (.1.3.6.1.4.1.9.9.109.1.1.1.1)

Available memory

–

I/O memory

– CPU memory

–

Example: ciscoMemoryPoolTable (.1.3.6.1.4.1.9.9.48.1.1)

Interface

–

Traffic throughput (bytes/sec, packets/sec)

– Interface Status (L2 Up/Down, L3 Up/Down)

– Example: ifXTable (.1.3.6.1.2.1.31.1.1)





Servers

CPU Load

– Linux Example: systemStats (.1.3.6.1.4.1.2021.11)

– Windows Example: hrProcessorTable (.1.3.6.1.2.1.25.3.3.1)

Memory status

– RAM memory

–

Storage memory

– Example: hrStorageTable (.1.3.6.1.2.1.25.2.3)

Interface

– Traffic throughput (bytes/sec, packets/sec)

– Interface status (L2 Up/Down, L3 Up/Down)

–

Example: ifXTable (.1.3.6.1.2.1.31.1.1)





Servers

Number of established TCP connections

– Example: tcpCurrEstab (.1.3.6.1.2.1.6.9)

List of running process

–

Example: hrSWRunTable (.1.3.6.1.2.1.25.4.2)

Number of currently logged system users

– Example: hrSystemNumUsers (.1.3.6.1.2.1.25.1.5)





UPS UPS Status

– Example: upsBasicOutputStatus (.1.3.6.1.4.1.318.1.1.1.4.1.1)

UPS Battery Capacity

– Example: upsAdvBattertyCapacity (.1.3.6.1.4.1.318.1.1.1.2.2.1)

UPS Battery remaining runtime

–

Example: upsAdvBattertyRuntimeRemaining (.

1.3.6.1.4.1.318.1.1.1.2.2.3)

UPS Battery temperature

– Example: upsAdvBatteryTemperature (.1.3.6.1.4.1.318.1.1.1.2.2.2)

UPS Output load

–

Example: upsAdvOutputLoad (.1.3.6.1.4.1.318.1.1.1.4.2.3)





Other Network Devices

Air Conditioner (Temperature, Humidity, Compressor status!.)

Sensors Appliance (Noise, Temperature, Humidity, Vibration, Motion,

Smoke, Leak!)

Printer (Cartridge status, Paper status, Number of printed pages!.)




DRAFT ON NETWORK MANAGEMENT

ARCHITECTURE

Esad Saitovic, Ivan Ivanovic AMRES

Network monitoring workshop for GN3/NA3/T4

Belgrade

October 20-21, 2009

Documents

Draft on Network Management Architecture