
DRAFT ON NETWORK MANAGEMENT ARCHITECTURE
Esad Saitovic, Ivan Ivanovic AMRES
Network monitoring workshop for GN3/NA3/T4
Belgrade
October 20-21, 2009

connect communicate collaborate

Network management implementation - goals
Define the network topology
Isolate the management network (makes out-of-band management possible)
Approaches for the non-isolated part of the management network
Implement the NMS
Define the management protocols and their usage
SNMP v2c & v3
What to monitor?


Out-of-band environment
Create a separate network with a link to each monitored device
Management access ports:
Network devices
  Out-of-band management port
  Console port (via terminal server)
  Dedicated Ethernet interface
Servers
  Vendor specific out-of-band management port
  Dedicated Ethernet interface
UPS, printers, A/C etc.
  Dedicated management interface
Management servers should have an interface in the out-of-band network.


Out-of-band environment
[Diagram: management servers (NMS, configuration management server) and a terminal server are connected to the OOBM switch. Network devices are reached through their dedicated out-of-band management port, or through the console port via the terminal server. Servers are reached through their vendor specific out-of-band management port or through Ethernet access on the out-of-band network.]


Management access to devices
Host connected only to the out-of-band network
Access from the user/administrator network (VLAN) through an L3 device
Access from the public network via a VPN connection; this assumes that one interface of the VPN server is inside the out-of-band network


Management access to devices
[Diagram: access to the management network. An administrator at a remote location reaches it over a VPN across the public network, terminated on a router with VPN support; an administrator host on the LAN reaches it through the L3 device. Inside the out-of-band network, network devices are reached through their dedicated out-of-band management port or through the console port via the terminal server; servers through their vendor specific out-of-band management port or Ethernet access; the NMS and configuration management server are connected to the OOBM switch.]


Access to devices in a non-isolated network
A common situation in campuses is the lack of redundant links that could be used for management purposes only
Possible solution
VLAN for management purposes
Network devices with an interface (logical or physical) in the management VLAN
Server management interface in the management VLAN


Access to devices in a non-isolated network
[Diagram: access to the management VLAN. An administrator at a remote location reaches it over a VPN across the public network, terminated on a router with VPN support; an administrator host on the LAN reaches it through a router performing NAT into the management VLAN. Network devices are reached through their dedicated out-of-band management port or through the console port via the terminal server; servers through their vendor specific out-of-band management port or Ethernet access; the NMS and configuration management server are connected to the OOBM switch in the management VLAN.]


NMS server access to devices
In the out-of-band network
A dedicated interface inside the out-of-band network is used to access the devices.
Administrative access to the NMS servers themselves (ssh, web access) should also go through this interface.
VLAN environment
Dedicated interface in the management VLAN
Access to the management VLAN through NAT (static NAT)


SNMP Protocol V3 vs. V2c

SNMP V2c is more often used than V3. Why?
Administrators have little experience configuring the SNMP V3 protocol.
V2c is much easier to configure (snmpd, snmptrapd).
Many devices use V2c as their default mode of operation.
The network device must support data encryption in order to use the strongest SNMP V3 security level (authPriv).
SNMP V3 with encryption enabled can be processor demanding.
Is V2c in read-only mode a safe solution?! Not really: the community string travels in cleartext in every packet, so it can be sniffed or guessed, and a read-only community still exposes the whole MIB (interfaces, routing and ARP tables, running processes) to anyone who obtains it.


SNMP Protocol V3 vs. V2c

SNMP V3 User-based Security Model (USM): three security levels
authPriv (authentication with HMAC-MD5 or HMAC-SHA; DES or AES is used for data encryption)
authNoPriv (authentication with HMAC-MD5 or HMAC-SHA, but SNMP data is sent in plain text)
noAuthNoPriv (the user name is used like a community string in V2c and SNMP data is sent in plain text)
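Worked example of what authentication in authNoPriv/authPriv actually rests on. This is an added example, not code from the workshop deck: it implements the RFC 3414 password-to-key and key-localization steps, so the passphrase itself never goes on the wire and the same passphrase yields a different key on every agent (bound to its snmpEngineID). The password "maplesyrup" and engineID are the RFC 3414 appendix A.3 test vectors; the second engineID and the message bytes in the demo are constructed.

```python
"""SNMPv3 USM key derivation and localization (RFC 3414, appendix A.2).

Added example: the password and engineID below are the RFC 3414 A.3 test
vectors, so the derived keys can be checked against the RFC itself.
"""
import hashlib
import hmac

ONE_MIB = 1048576  # RFC 3414 A.2: the password stream is expanded to 1 MiB

# RFC 3414 appendix A.3 sample input
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password, hash_name):
    """Ku = H(password repeated cyclically up to 1 MiB).
    Deliberately slow, which makes brute-forcing a captured MAC expensive."""
    if not password:
        raise ValueError("empty passphrase")
    reps, rem = divmod(ONE_MIB, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku, engine_id, hash_name):
    """Kul = H(Ku || snmpEngineID || Ku).
    Binds the key to one agent: a key read out of a compromised device
    does not work against the other devices sharing the passphrase."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password, engine_id, hash_name="sha1"):
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def auth_params(kul, msg_with_zeroed_params, hash_name="sha1"):
    """msgAuthenticationParameters = first 12 bytes of HMAC(Kul, wholeMsg),
    computed with the 12 parameter bytes inside wholeMsg set to zero
    (HMAC-MD5-96 / HMAC-SHA-96)."""
    return hmac.new(kul, msg_with_zeroed_params, hash_name).digest()[:12]


def verify_auth_params(kul, msg_with_zeroed_params, received, hash_name="sha1"):
    """Receiver-side check; compare_digest avoids a timing side channel."""
    expected = auth_params(kul, msg_with_zeroed_params, hash_name)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        ku = password_to_key(RFC3414_PASSWORD, name)
        kul = localize_key(ku, RFC3414_ENGINE_ID, name)
        print(f"{name}: Ku={ku.hex()} Kul={kul.hex()}")
    # Same passphrase on a second agent (constructed engineID): different key.
    other = usm_localized_key(RFC3414_PASSWORD, bytes.fromhex("80001f8880e9bd7c0b"))
    print("key differs per engineID:", other != usm_localized_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID))
```

The MD5 and SHA keys printed by the script match the values in RFC 3414 A.3.1 and A.3.2. Note what localization does not do: it does not protect the passphrase itself, so an attacker who obtains a localized key from one device can still mount an offline dictionary attack on captured messages; choose long passphrases and, where the platform offers it, a SHA-based protocol.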


SNMP Protocol V3 - Guidelines

SNMP V3 security in Read-Only and Read/Write mode
Select the best security level (SNMPv3 provides three important services: authentication, privacy and access control).
Define the security level for Read-Only mode.
Define the security level for Read/Write mode.
Restrict the part of the MIB tree the remote device exposes to each particular user (views).
Restrict SNMP traffic through the network (ACL, firewall).
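The guidelines above, applied to a net-snmp agent. This is an added example, not part of the workshop deck: it embeds two constructed snmpd.conf fragments, the usual v2c-plus-defaults setup and a hardened one (SHA/AES users, authPriv required for both read-only and read/write users, read access limited to a named view, no community strings), and audits them against the guidelines. Directive syntax follows snmpd.conf(5); the user names, passphrases and view name are illustrative.

```python
"""Audit snmpd.conf directives against the SNMPv3 guidelines on this slide.

Added example; the two configurations are constructed for illustration.
"""
import shlex

# Constructed "before": v2c communities plus an MD5/DES user left at the
# defaults (no security level given, no view restriction).
WEAK_CONF = """
rocommunity public
rwcommunity private 10.0.0.0/24
createUser operator MD5 "operatorpass" DES "operatorpriv"
rouser operator
rwuser operator auth
"""

# Constructed "after": SHA/AES keys, authPriv enforced, restricted views,
# no community strings at all. Network ACLs are still needed on top of this.
HARDENED_CONF = """
createUser monitor SHA "monitor-auth-passphrase" AES "monitor-priv-passphrase"
createUser admin SHA "admin-auth-passphrase" AES "admin-priv-passphrase"
view monview included .1.3.6.1.2.1.1
view monview included .1.3.6.1.2.1.2
view monview included .1.3.6.1.2.1.31
rouser monitor priv -V monview
rwuser admin priv -V monview
"""

COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6", "com2sec"}
WEAK_AUTH = {"MD5"}
WEAK_PRIV = {"DES"}
LEVELS = ("noauth", "auth", "priv")


def audit_snmpd_conf(text):
    """Return a list of (finding, directive line) pairs; empty means clean."""
    findings = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        line, directive, args = " ".join(tok), tok[0].lower(), tok[1:]

        if directive in COMMUNITY_DIRECTIVES:
            # v1/v2c: the community string is the whole credential, in cleartext
            findings.append(("v2c-community", line))
            if directive.startswith("rw"):
                findings.append(("v2c-write-access", line))

        elif directive == "createuser":
            # createUser NAME [AUTHPROTO "pass" [PRIVPROTO "pass"]]
            auth = args[1].upper() if len(args) > 1 else None
            priv = args[3].upper() if len(args) > 3 else None
            if auth in WEAK_AUTH:
                findings.append(("weak-auth-proto", line))
            if priv in WEAK_PRIV:
                findings.append(("weak-priv-proto", line))
            if priv is None:
                findings.append(("no-priv-key", line))  # user can never use authPriv

        elif directive in ("rouser", "rwuser"):
            # rouser USER [noauth|auth|priv [OID | -V VIEW [CONTEXT]]]
            rest = args[1:]
            level = "auth"  # net-snmp's default when the level is omitted
            if rest and rest[0].lower() in LEVELS:
                level, rest = rest[0].lower(), rest[1:]
            if level == "noauth":
                findings.append(("noAuthNoPriv", line))
            elif level == "auth":
                findings.append(("authNoPriv", line))  # data, incl. SET values, in cleartext
            if not rest:
                findings.append(("unrestricted-view", line))  # whole MIB tree exposed
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}:")
        for code, line in audit_snmpd_conf(conf) or [("ok", "no findings")]:
            print(f"  {code:18s} {line}")
```

The checker is intentionally conservative: a `rouser ... priv` line without `-V` or an OID is reported even though the access is authenticated and encrypted, because the guideline is that a monitoring user should see only the objects the NMS polls.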


Commonly used SNMP variables


Network Devices

CPU Load
Example: cpmCPUTotalTable (.1.3.6.1.4.1.9.9.109.1.1.1.1)
Available memory
I/O memory
CPU memory
Example: ciscoMemoryPoolTable (.1.3.6.1.4.1.9.9.48.1.1)
Interface
Traffic throughput (bytes/sec, packets/sec)
Interface Status (L2 Up/Down, L3 Up/Down)
Example: ifXTable (.1.3.6.1.2.1.31.1.1)


Commonly used SNMP variables


Servers

CPU Load
Linux Example: systemStats (.1.3.6.1.4.1.2021.11)
Windows Example: hrProcessorTable (.1.3.6.1.2.1.25.3.3.1) from HOST-RESOURCES-MIB (also served by net-snmp on Linux)
Memory status
RAM memory
Storage memory
Example: hrStorageTable (.1.3.6.1.2.1.25.2.3)
Interface
Traffic throughput (bytes/sec, packets/sec)
Interface status (L2 Up/Down, L3 Up/Down)
Example: ifXTable (.1.3.6.1.2.1.31.1.1)
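Throughput is not read from the MIB directly; it is computed from the difference between two polls of the octet and packet counters, divided by the elapsed sysUpTime. The following added example (not from the workshop deck) does that for both the network-device and the server interface entries above, and shows the reason the slides point at ifXTable rather than ifTable: the 32-bit ifInOctets counter on a 1 Gbit/s link wraps in about 34 seconds, so a 60 s poll can silently undercount, while the 64-bit ifHCInOctets counter gives the true rate. The two poll snapshots are constructed values, not real device output.

```python
"""Interface throughput from two SNMP polls of IF-MIB counters.

Added example; POLL_T0 / POLL_T1 are constructed samples mimicking a
1 Gbit/s interface polled every 60 s, using the standard IF-MIB object names.
"""

TICKS_PER_SECOND = 100  # sysUpTime is TimeTicks (1/100 s)


def counter_delta(prev, curr, bits):
    """Difference between two Counter32/Counter64 samples, allowing for one wrap.
    A counter that wrapped more than once between polls cannot be recovered;
    that is the case the 64-bit HC counters exist to avoid."""
    if curr >= prev:
        return curr - prev
    return (1 << bits) - prev + curr


def seconds_before_wrap(link_bps, bits=32):
    """How long a byte counter at full line rate runs before it wraps."""
    return (1 << bits) / (link_bps / 8)


def throughput(prev, curr, octets_oid="ifHCInOctets", pkts_oid="ifHCInUcastPkts", bits=64):
    """bytes/s and packets/s between two polls, or None if the device rebooted
    in between (sysUpTime went backwards, so the counters were reset)."""
    ticks = curr["sysUpTime"] - prev["sysUpTime"]
    if ticks <= 0:
        return None
    interval = ticks / TICKS_PER_SECOND
    return {
        "bytes_per_s": counter_delta(prev[octets_oid], curr[octets_oid], bits) / interval,
        "pkts_per_s": counter_delta(prev[pkts_oid], curr[pkts_oid], bits) / interval,
    }


# Constructed samples: 7 GB and 600 000 packets received in 60 s (~933 Mbit/s).
# The 32-bit ifInOctets values are the 64-bit values reduced modulo 2^32,
# which is what the device would report.
POLL_T0 = {
    "sysUpTime": 6_000_000,
    "ifInOctets": 1_410_065_408, "ifHCInOctets": 10_000_000_000,
    "ifInUcastPkts": 1_000_000_000, "ifHCInUcastPkts": 1_000_000_000,
}
POLL_T1 = {
    "sysUpTime": 6_006_000,
    "ifInOctets": 4_115_098_112, "ifHCInOctets": 17_000_000_000,
    "ifInUcastPkts": 1_000_600_000, "ifHCInUcastPkts": 1_000_600_000,
}


if __name__ == "__main__":
    hc = throughput(POLL_T0, POLL_T1)
    legacy = throughput(POLL_T0, POLL_T1, "ifInOctets", "ifInUcastPkts", bits=32)
    print(f"64-bit counters: {hc['bytes_per_s'] * 8 / 1e6:.1f} Mbit/s, {hc['pkts_per_s']:.0f} pps")
    print(f"32-bit counters: {legacy['bytes_per_s'] * 8 / 1e6:.1f} Mbit/s (counter wrapped once unnoticed)")
    print(f"ifInOctets on 1 Gbit/s wraps after {seconds_before_wrap(1_000_000_000):.1f} s")
```

In the constructed sample the 32-bit counter has wrapped exactly once and still ends higher than it started, so no wrap is detected and the computed rate is about 360 Mbit/s instead of 933 Mbit/s. Poll HC counters wherever the device offers them, and poll 32-bit counters often enough that they cannot wrap more than once between samples.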


Commonly used SNMP variables


Servers

Number of established TCP connections


Example: tcpCurrEstab (.1.3.6.1.2.1.6.9)
List of running process
Example: hrSWRunTable (.1.3.6.1.2.1.25.4.2)
Number of currently logged system users
Example: hrSystemNumUsers (.1.3.6.1.2.1.25.1.5)


Commonly used SNMP variables


UPS

UPS Status
Example: upsBasicOutputStatus (.1.3.6.1.4.1.318.1.1.1.4.1.1)
UPS Battery Capacity
Example: upsAdvBatteryCapacity (.1.3.6.1.4.1.318.1.1.1.2.2.1)
UPS Battery remaining runtime
Example: upsAdvBatteryRunTimeRemaining (.1.3.6.1.4.1.318.1.1.1.2.2.3)
UPS Battery temperature
Example: upsAdvBatteryTemperature (.1.3.6.1.4.1.318.1.1.1.2.2.2)
UPS Output load
Example: upsAdvOutputLoad (.1.3.6.1.4.1.318.1.1.1.4.2.3)


Commonly used SNMP variables


Other Network Devices

Air Conditioner (temperature, humidity, compressor status)
Sensor Appliance (noise, temperature, humidity, vibration, motion, smoke, leak)
Printer (cartridge status, paper status, number of printed pages)
