DRAFT ON NETWORK MANAGEMENT
ARCHITECTURE
Esad Saitovic, Ivan Ivanovic AMRES
Network monitoring workshop for GN3/NA3/T4
Belgrade
October 20-21, 2009
connect communicate collaborate
Network management implementation - goals
Define network topology
Isolate management network (possibility of implementing out-of-band management)
Approaches for the non-isolated part of the management network
Implementing NMS
Define management protocols and their usage
SNMP v2c & v3
What to monitor?
Out-of-band environment
Create a separate network with links to each monitored device
Management access ports
Network devices
Out-of-band management port
Console port (via terminal server)
Dedicated Ethernet interface
Servers
Vendor specific out-of-band management port
Dedicated Ethernet interface
UPS, printers, A/C, etc.
Dedicated management interface
Management servers should have an interface in the out-of-band network.
Out-of-band environment
(Diagram) An OOBM switch connects the management servers (NMS, configuration management server) to the network devices, through their dedicated out-of-band management ports or through a terminal server attached to their console ports, and to the servers, through vendor-specific out-of-band management ports or Ethernet access.
Management access to devices
Host connected only to out-of-band network
Access from user/administrator network (VLAN) through L3 device
Access from public network via VPN connection, which assumes one interface of the VPN server is inside the out-of-band network
Management access to devices
(Diagram) Access to the management network: an administrator reaches the out-of-band network either from a host on the LAN or from a remote location across the public network through a VPN terminated on a router with VPN support. From there the OOBM switch gives access to the network devices (dedicated out-of-band management port, console port via terminal server), to the servers (vendor-specific out-of-band management port, Ethernet access) and to the management servers (NMS, configuration management server).
Access to devices in non-isolated network
A common situation on campuses is the lack of redundant links that could be used for management purposes only
Possible solution
VLAN for management purposes
Network devices with an interface (logical, physical) in the management VLAN
Server management interface in the management VLAN
Access to devices in non-isolated network
(Diagram) Access to the management network: the same topology as the out-of-band case, but the management servers (NMS, configuration management server) sit in a management VLAN behind a router performing NAT. An administrator reaches the management VLAN from a host on the LAN or from a remote location across the public network through a VPN on a router with VPN support; the OOBM switch then gives access to the network devices (dedicated out-of-band management port, console port via terminal server) and to the servers (vendor-specific out-of-band management port, Ethernet access).
NMS server access to devices
In out-of-band network
A dedicated interface inside the out-of-band network is used to access devices
Access to the NMS servers should be done through this interface (ssh, web access)
VLAN environment
Dedicated interface in management VLAN
Access to management VLAN through NAT (static NAT)
SNMP Protocol V3 vs. V2c
SNMP V2c is more often used than V3. Why?
Administrators do not have experience configuring the SNMP V3 protocol.
V2c is much easier to configure (snmpd, snmptrapd).
A lot of devices use V2c as the default mode of operation.
Network devices must support data encryption in order to use the stronger SNMP V3 security model.
SNMP V3 with encryption enabled can be processor demanding.
V2c in read-only mode is considered a safe solution?!
SNMP Protocol V3 vs. V2c
SNMP V3 user-based security models
AuthPriv (authentication is based on the MD5 or SHA algorithm, and DES or AES is used for data encryption)
AuthNoPriv (authentication is based on the MD5 or SHA algorithm, but SNMP data is sent in plain text)
NoAuthNoPriv (the user name is used like a community string in V2c, and SNMP data is sent in plain text)
SNMP Protocol V3 - Guidelines
SNMP V3 security in Read-Only and Read/Write mode
Select the best security model (SNMPv3 provides three important services: authentication, privacy and access control).
Define the security model for Read-Only mode.
Define the security model for Read/Write mode.
Restrict MIB tree information on the remote device for the particular user.
Restrict SNMP traffic through the network (ACL, firewall).
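As an added example (not from the slides), a small audit of a Net-SNMP snmpd.conf against these guidelines, with a constructed v2c configuration beside a constructed SNMPv3 authPriv one; the directive names are real snmpd.conf keywords, while the addresses, user names and view name are made up.

```python
"""Audit a Net-SNMP snmpd.conf against the SNMPv3 guidelines above.

Added example, not from the slides. Both configs are constructed samples;
rocommunity/rwcommunity/rouser/rwuser/view/agentAddress are real snmpd.conf
directives (rouser and rwuser default to the 'auth' level when none is given).
"""
# Constructed: the "v2c read-only is safe?!" setup, plus a v2c write community.
WEAK_CONF = """\
rocommunity public
rwcommunity private 10.0.0.0/8
"""
# Constructed: authPriv users, MIB view limited to the system group and
# ifXTable, agent bound to the management VLAN address only.
HARDENED_CONF = """\
agentAddress udp:10.10.0.5:161
view mgmtview included .1.3.6.1.2.1.1
view mgmtview included .1.3.6.1.2.1.31.1.1
rouser nmsro priv -V mgmtview
rwuser nmsrw priv -V mgmtview
"""
LEVELS = ("noauth", "auth", "priv")

def audit_snmpd_conf(text):
    """Return a list of findings; an empty list means the config passes."""
    findings, bound = [], False
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not tok:
            continue
        kw = tok[0]
        if kw in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # Any community string enables v1/v2c: plain text, no authentication.
            findings.append(f"{kw} {tok[1]}: v2c community enabled, migrate to SNMPv3")
        elif kw in ("rouser", "rwuser"):
            level = tok[2] if len(tok) > 2 and tok[2] in LEVELS else "auth"
            if kw == "rwuser" and level != "priv":
                findings.append(f"rwuser {tok[1]}: Read/Write access should require priv")
            if level == "noauth":
                findings.append(f"{kw} {tok[1]}: noauth is no better than a community string")
            if "-V" not in tok:
                findings.append(f"{kw} {tok[1]}: no -V view, whole MIB tree exposed")
        elif kw == "agentAddress":
            bound = True   # agent no longer listens on every interface
    if not bound:
        findings.append("agentAddress missing: agent listens on every interface")
    return findings
```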
Commonly used SNMP variables
Network Devices
CPU Load
Example: cpmCPUTotalTable (.1.3.6.1.4.1.9.9.109.1.1.1.1)
Available memory
I/O memory
CPU memory
Example: ciscoMemoryPoolTable (.1.3.6.1.4.1.9.9.48.1.1)
Interface
Traffic throughput (bytes/sec, packets/sec)
Interface Status (L2 Up/Down, L3 Up/Down)
Example: ifXTable (.1.3.6.1.2.1.31.1.1)
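Added example (not from the slides): computing the throughput figures above from two polls of interface counters, showing why the 64-bit ifXTable counters are preferred over the 32-bit ifTable ones and how a device reboot is detected from sysUpTime; the poll samples are constructed.

```python
"""Interface throughput (bytes/s, packets/s) from two polls of interface counters.

Added example, not from the slides; the poll samples are constructed.
ifXTable (.1.3.6.1.2.1.31.1.1) carries 64-bit ifHCInOctets/ifHCInUcastPkts;
the older ifTable counters are 32-bit and wrap in under 35 s on a 1 Gbit/s
link (2**32 bytes * 8 / 1e9), so a 60 s poll can miss a wrap entirely.
"""

def counter_delta(prev, curr, bits):
    """Difference between two counter samples, allowing for a single wrap."""
    if curr >= prev:
        return curr - prev
    return (1 << bits) - prev + curr  # wrapped once since the previous poll

def throughput(prev, curr, bits=64):
    """Return {ifIndex: (bytes_per_sec, packets_per_sec)} for the poll pair.

    Each sample is {"time": unix seconds, "uptime": sysUpTime ticks,
    "octets": {ifIndex: counter}, "pkts": {ifIndex: counter}}.
    """
    interval = curr["time"] - prev["time"]
    if interval <= 0 or curr["uptime"] < prev["uptime"]:
        return {}  # device rebooted (counters restarted) or bad clock: no rate
    rates = {}
    for idx, octets in curr["octets"].items():
        if idx not in prev["octets"] or idx not in prev["pkts"]:
            continue  # interface appeared since the last poll
        d_oct = counter_delta(prev["octets"][idx], octets, bits)
        d_pkt = counter_delta(prev["pkts"][idx], curr["pkts"][idx], bits)
        rates[idx] = (d_oct / interval, d_pkt / interval)
    return rates

# Constructed polls 60 s apart; ifIndex 2 is a 32-bit counter that wrapped.
PREV = {"time": 1000, "uptime": 500000,
        "octets": {1: 1000, 2: 4294967000}, "pkts": {1: 10, 2: 100}}
CURR = {"time": 1060, "uptime": 506000,
        "octets": {1: 61000, 2: 200}, "pkts": {1: 610, 2: 700}}
# sysUpTime lower than before: the device rebooted, rates are not computable.
REBOOTED = dict(CURR, uptime=3000)

if __name__ == "__main__":
    for idx, (bps, pps) in throughput(PREV, CURR, bits=32).items():
        print(f"ifIndex {idx}: {bps:.1f} B/s, {pps:.1f} pkt/s")
    print("after reboot:", throughput(PREV, REBOOTED, bits=32))
```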
Commonly used SNMP variables
Servers
CPU Load
Linux Example: systemStats (.1.3.6.1.4.1.2021.11)
Windows Example: hrProcessorTable (.1.3.6.1.2.1.25.3.3.1)
Memory status
RAM memory
Storage memory
Example: hrStorageTable (.1.3.6.1.2.1.25.2.3)
Interface
Traffic throughput (bytes/sec, packets/sec)
Interface status (L2 Up/Down, L3 Up/Down)
Example: ifXTable (.1.3.6.1.2.1.31.1.1)
Commonly used SNMP variables
Servers
Number of established TCP connections
Example: tcpCurrEstab (.1.3.6.1.2.1.6.9)
List of running processes
Example: hrSWRunTable (.1.3.6.1.2.1.25.4.2)
Number of currently logged system users
Example: hrSystemNumUsers (.1.3.6.1.2.1.25.1.5)
Commonly used SNMP variables
UPS
UPS Status
Example: upsBasicOutputStatus (.1.3.6.1.4.1.318.1.1.1.4.1.1)
UPS Battery Capacity
Example: upsAdvBatteryCapacity (.1.3.6.1.4.1.318.1.1.1.2.2.1)
UPS Battery remaining runtime
Example: upsAdvBatteryRunTimeRemaining (.1.3.6.1.4.1.318.1.1.1.2.2.3)
UPS Battery temperature
Example: upsAdvBatteryTemperature (.1.3.6.1.4.1.318.1.1.1.2.2.2)
UPS Output load
Example: upsAdvOutputLoad (.1.3.6.1.4.1.318.1.1.1.4.2.3)
Commonly used SNMP variables
Other Network Devices
Air Conditioner (Temperature, Humidity, Compressor status)
Sensor Appliance (Noise, Temperature, Humidity, Vibration, Motion, Smoke, Leak)
Printer (Cartridge status, Paper status, Number of printed pages)