Open Network Administrator (ona)
Presented by Bruce Campbell
Ona overview
- Web based network management tool.
- Administrators interact with ona over the web.
- Ona interacts with network devices.
- Device configurations, permissions, etc. stored in a MySQL database.
WatITis | Supporting UW’s Mission Through I.T. | December 7, 2004 | Open Network Administrator
Ona overview (diagram): Ona users talk to ona; ona talks to its database and to the network devices (switch, switch, router, AP, etc.).
Without ona (diagram): network staff deal with each device (switch, switch, router, AP, etc.) directly.
Ona key features
- Provides a common interface to a number of different makes and models of switches.
- Supports delegation through granular access control.
- Logs all changes.
- Traffic graphs.
- Saves switch configurations to a tftp server.
- E-mails a daily summary of changes and a diff report.
- IP/MAC search.
- Extensible – if you can think it, you can build it… or ask me to build it.
Some details
- Approximately 10,000 lines of PHP.
- Uses the Net-SNMP library (formerly ucd-snmp).
- Uses SNMP primarily, and telnet for some functions I could not figure out via SNMP.
- Platform independent.
- Currently hosted on a 2.4GHz PC running FreeBSD and the Apache web server, with .htaccess authentication to ADS and Nexus.
- Telnet script features written using the PHP socket library.
- Supports Nortel Baystack, Extreme, Cisco 2900/3500, Cisco 2950/3550, Avaya AP. Limited support for Cisco 1900 and Enterasys AP.
Use at UW
- Used by Arts, CS, Engineering, Math, Science to (help) manage approximately 250 switches and 150 APs.
- Most visible use is “day to day” activities, i.e. configure port speed, duplex, vlan, find a machine, etc.
- Behind the scenes, ona saves configs, checks configs into cvs, graphs traffic, sends alerts upon device up/down/reboot, equipment inventory, tracks ARP/MAC changes, daily report, etc.
End user features
- Ona has some features for end users.
- Whereami (works on switch port or AP). Shows port configuration, traffic graph.
- Java bandwidth test (complete with java nuances).
Intro screen
MAC/IP search
- Ona queries router ARP tables 5 times daily.
- Queries switch MAC tables 5 times daily (takes 30-40 minutes for 250 switches).
- Queries AP MAC tables every 5 minutes (30 seconds for 150 APs).
- Everything goes in the database… forever. And everything is logged.
- Search tools consult the database (i.e. not a real-time search of device MAC tables).
- Button for real-time update of the MAC table from a switch or AP (one at a time only).
- Real-time AP MAC search.
- Future: smartsearch will track down a MAC from a starting point using some cleverness to avoid searching all switches.
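The polled-and-stored model above (tables pulled on a schedule, searches answered from the database, history kept forever), as an added Python illustration that is not ona's own PHP code; the record layout, device names and MAC values are constructed, and the example also normalizes the vendor MAC notations a multi-vendor tool has to reconcile:

```python
"""Time-stamped MAC-table history with search and a MAC-move check, for the
polling/search split described above. Added illustration, not ona's PHP code;
record layout, device names and MAC values are constructed."""
from datetime import datetime

def normalize_mac(raw):
    """Accept colon, dash or Cisco dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class MacHistory:
    """Append-only store: every poll result is kept, as ona keeps it forever."""
    def __init__(self):
        self.records = []  # (timestamp, device, port, mac)

    def ingest(self, polled):
        for ts, device, port, mac in polled:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
            self.records.append((when, device, port, normalize_mac(mac)))

    def search(self, mac):
        """[(first_seen, last_seen, device, port), ...] in time order, with
        consecutive sightings on the same port collapsed into one span."""
        mac = normalize_mac(mac)
        spans = []
        for when, device, port, seen in sorted(self.records):
            if seen != mac:
                continue
            if spans and spans[-1][2:] == (device, port):
                spans[-1] = (spans[-1][0], when, device, port)
            else:
                spans.append((when, when, device, port))
        return spans

    def moves(self, mac):
        """Port-to-port moves of one MAC (a relocated host, or a duplicated
        address worth a look): [(from_dev, from_port, to_dev, to_port, when)]."""
        spans = self.search(mac)
        return [(a[2], a[3], b[2], b[3], b[0]) for a, b in zip(spans, spans[1:])]

# Constructed poll results in the (timestamp, device, port, mac) layout above;
# the same host is reported in three vendor notations.
SAMPLE_POLLS = [
    ("2004-12-06 08:00", "sw-mc-1", "1/12", "00:0a:95:9d:68:16"),
    ("2004-12-06 13:00", "sw-mc-1", "1/12", "000a.959d.6816"),
    ("2004-12-06 18:00", "sw-dc-2", "2/3", "00-0A-95-9D-68-16"),
    ("2004-12-06 18:00", "sw-mc-1", "1/12", "00:11:22:33:44:55"),
]
```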
Search tool
History part of search tool
Traffic Graphs
- Maintained on all ports with rrdtool, 5 minute interval.
- Also track number of wireless users on each AP, and total for APs for each orgunit.
- Real time graphs. Port or switch, 10 second update. Useful for getting a snapshot of activity.
- TopPorts button shows busiest ports in last 20 seconds.
Port graphs (5 graphs of various intervals)
Switch configurations
- Switch configs saved to a tftp server each night.
- Can be pushed to alternate tftp or ftp servers as well.
- Can create a tarball of configs for automated download to a network admin's laptop (instructions included for the cygwin procedure and scheduled tasks). Who gets what is configurable.
- Difference from yesterday's config e-mailed in the daily report (minus sensitive information).
Switch config view
CVS
- Switch configurations stored in a cvs server (plain text configs only).
- Makes for easy comparison between arbitrary dates, and going back to an old version.
- Two cvs trees: one with real configs, one with configs minus sensitive info (passwords etc.). The latter is available via cvsweb to ona admins.
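Stripping sensitive information before the daily diff report and before the second cvs tree, as described on the Switch configurations and CVS slides, as an added Python illustration that is not ona's code; the patterns assume Cisco IOS style config lines and the sample configs are constructed:

```python
"""Redact secrets from a switch config and diff yesterday's copy against
today's, as the sanitized cvs tree and the daily diff report do.
Added illustration, not ona's code; the patterns are Cisco IOS style and the
sample configs are constructed."""
import difflib
import re

# Each pattern captures the keyword prefix and anything after the secret, so
# only the secret itself is replaced and the line stays recognisable.
SENSITIVE = [
    re.compile(r"^(\s*enable (?:secret|password)(?: \d)? )\S+(.*)$"),
    re.compile(r"^(\s*username \S+ (?:password|secret)(?: \d)? )\S+(.*)$"),
    re.compile(r"^(\s*snmp-server community )\S+(.*)$"),
    re.compile(r"^(\s*password(?: \d)? )\S+(.*)$"),
]

def redact(config):
    """Return the config with secret values replaced by <removed>."""
    out = []
    for line in config.splitlines():
        for pattern in SENSITIVE:
            m = pattern.match(line)
            if m:
                line = m.group(1) + "<removed>" + m.group(2)
                break
        out.append(line)
    return "\n".join(out) + "\n"

def daily_diff(yesterday, today, name):
    """Unified diff of the redacted copies, safe to e-mail in a report.
    A rotated secret shows no change here; only the full tree shows it."""
    return "".join(difflib.unified_diff(
        redact(yesterday).splitlines(True), redact(today).splitlines(True),
        fromfile=f"{name} (yesterday)", tofile=f"{name} (today)"))

# Constructed sample configs; the hash and community strings are made up.
YESTERDAY = """hostname sw-mc-1
enable secret 5 $1$xyz$constructedhash
snmp-server community oldcommunity RO
interface FastEthernet0/1
 description lab pc
 switchport access vlan 10
"""
TODAY = YESTERDAY.replace("oldcommunity", "newcommunity").replace("vlan 10", "vlan 20")
```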
Cvsweb diff between versions
Daily report
- Admin changes
- Port changes
- Diff report
- Summary of alerts
Sent to relevant ona users only, i.e. Math guys don't get the Arts report.
Daily report
telnet feature
- Separately enabled.
- Allows batch telnet commands to devices which support a command line interface.
- After a telnet command is issued, the switch can optionally be “Sync’ed” the next time someone accesses it.
- Option to send telnet commands in the daily report or not, and to trigger saving the config.
telnet window
Vlan conversion tool (part of telnet window if Cisco switch and all ports on vlan 1)
Access control
- Done through groups.
- Each admin and device has a primary group.
- Admins and devices can be added to further groups.
- Ports can be added to groups.
- Vlans are members of groups.
- To edit a port, an admin must have a group in common with the port or switch.
- Use of regular expressions simplifies listing which switches are in which groups.
- To put a port on a vlan, the admin must have a group in common with that vlan.
- To edit a trunk, an admin must not have the “denytrunkchanges” setting, and must have permission on all vlans on the trunk.
Device groups window
More access control
- All tools (buttons) can be selectively disabled, or all disabled and some selectively re-enabled.
- The ability to set port settings can be similarly restricted.
- For example, can give permission to Search only, and disable/enable port only.
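The group rules from the previous slide and the per-tool and per-setting restrictions on this one, written out as authorization checks in an added Python illustration that is not ona's own PHP; the data model, the field names other than denytrunkchanges, and the sample groups are assumptions:

```python
"""Group-based authorization checks for the rules on the two access control slides.
Added illustration, not ona's PHP code; data model, field names and groups are assumptions."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Admin:
    name: str
    groups: frozenset                              # primary plus extra groups
    denytrunkchanges: bool = False
    allowed_tools: Optional[frozenset] = None      # None: every tool enabled
    allowed_settings: Optional[frozenset] = None   # None: every port setting

@dataclass
class Switch:
    name: str
    groups: frozenset

@dataclass
class Port:
    switch: Switch
    name: str
    groups: frozenset = frozenset()
    trunk_vlans: frozenset = frozenset()   # non-empty means the port is a trunk

# vlan id -> groups the vlan is a member of (constructed sample data)
VLAN_GROUPS = {1: {"netops"}, 10: {"arts"}, 20: {"math"}, 30: {"math", "arts"}}

def can_edit_port(admin, port):
    """An admin needs a group in common with the port or with its switch."""
    return bool(admin.groups & (port.groups | port.switch.groups))

def can_set_vlan(admin, port, vlan):
    """Moving a port onto a vlan also needs a group in common with that vlan."""
    return can_edit_port(admin, port) and bool(admin.groups & VLAN_GROUPS.get(vlan, set()))

def can_edit_trunk(admin, port):
    """No denytrunkchanges flag, and permission on every vlan the trunk carries."""
    if admin.denytrunkchanges or not port.trunk_vlans:
        return False
    return all(can_set_vlan(admin, port, v) for v in port.trunk_vlans)

def can_use_tool(admin, tool):
    """Tools (buttons) can be disabled per admin, e.g. a Search-only admin."""
    return admin.allowed_tools is None or tool in admin.allowed_tools

def can_change_setting(admin, port, setting):
    """Port settings can be restricted the same way, e.g. enable/disable only."""
    return can_edit_port(admin, port) and (
        admin.allowed_settings is None or setting in admin.allowed_settings)
```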
Administrative interface
- Typically one ona user per faculty is an ona administrator.
- They can add switches, users, configure permissions.
- Cannot delete other admins, or create more admins, depending on settings.
Admin interface
Admins table (note systemadmin setting)
Adding a device
- Add ipname, make, devicetype (switch, router or ap), telnet and snmp passwords.
- The passwords are encrypted in the ona database.
- First attempt to access a newly added device will force a “Sync”.
Device add window
A few other odds and ends
- When a port is disabled, an optional message can be entered which is sent to the DNS contact, admin.
- When a vlan is created, it is named based on UW convention.
- Comment field for each port (stored in database, not the same as port description).
- Configuration translator.
Configuration translator (converts port settings between vendors)
See ?
Main Screen (note sort buttons)
Sorted by version (example)
Switch Screen, example 1
Printable version
Some buttons
- Sync: pull config from switch into ona (done daily automatically).
- Freshen: pull port states only (happens automatically if over an hour since last time).
- Save: save settings to NVRAM (ona does this automatically if changes are made and not saved, once per day).
- UpdateMacs: pull MAC table (done 5 times daily automatically, typically).
Switch screen, example 2 (note trunks)
Showing MACs on a trunk (note show naa users button)
Ping tool
TopPorts tool
Alerts (e-mailed also)
Showing changes on a switch
Port edit screen (note save now vs. later)
Port edit screen (trunk)
Access Point view (note 1 AP down). Users column is MACs seen in last 24 hours.
Usage graphs part of AP view
Single AP view
Showing users on an AP
telnet command on multiple APs
Preferences window (note Mail me changes field)
Where am I? (wired)
Where am I? (wireless) (note update button)
Java Bandwidth test (to endpoint in Eng) (well, I ran this from home)
To have an unsupported device added to ona…
- You figure out all the SNMP, and test it with the command line net-snmp tools.
- I will write the code (or you can if you’d prefer).
- Look at nortel.php in the ona package as an example of what you need to figure out. You don’t need to write the code, just figure out the logic and OIDs. Functionality needed is:
function set_nortel_port_tagged_vlans_via_snmp( $d, $portname, $olduntaggedvlan,
function set_nortel_port_untagged_vlan_via_snmp( $d, $portname, $oldvlan, $vlan,
function adjust_nortel_vlan_members( $d, $vlan, $remove_this_port, $add_this_port)
function set_nortel_port_trunkmode_via_snmp( $d, $portname, $trunkmode,
function get_nortel_vlan_configuration_via_snmp( $d, $signature )
function get_nortel_port_speeds_and_duplexes_via_snmp( $d, $signature )
function set_nortel_port_speed_duplex_via_snmp( $d, $portname, $speed, $duplex )
function get_nortel_model_and_version_via_snmp( &$d )
function nortel_telnet_login( $d, $contin )
function nortel_telnet_logout()
function create_nortel_vlan_if_needed( $d, $vlan )
Future ideas
- SmartSearch (as mentioned earlier).
- Network topology diagram. Should be doable as ona knows MAC addresses of all switches and which trunks they are on.
- syslog integration.