AANTS - Internet2


AANTS:
Web-Based Network Administration
Tools - Latest Developments
Charles Thomas
AANTS Administration Team
Division of Info. Tech. (DoIT)
Network Services
University of Wisconsin - Madison
[email protected]
Talk Overview
• 20 minutes = BARNSTORM!
• Focus more on latest work with
AANTS.
• Show kinds of tools we’ve found
necessary to manage a large network.
• Show the kind of tools which can be
created by a network-specific
programmer using open-source tools.
Present UW Campus Network
• Nearly 1800 Cisco network devices,
many models.
• A few Juniper and NetScreen devices.
• 64,000+ managed ports.
• The number of managed buildings,
devices, and ports is growing every day.
The Challenge
• Campus LAN admins (Authorized Agents)
need to administer the switches and ports
which carry their LANs.
• The gear is centrally owned/managed,
therefore we cannot allow them direct access
(e.g. ssh or telnet) to the switches themselves.
• Need to maintain good relations with AAs and
not deprive them of their sense of autonomy
(political/practical).
The Goal
• Give our Authorized Agents comparable
(and in many cases improved) network
management capabilities.
• Maintain appropriate levels of security,
authorization and access control.
• Must be easy-to-use.
• Must protect centrally-managed gear,
protect AAs from each other.
AANTS: Authorized Agent
Network Tool Suite
• Loosely-coupled set of web-based utilities for
network administration.
• Tools are team-developed in-house, optimized
toward local networking practices, driven by user
need.
• Allow users (campus LAN administrators and
network engineers) to manage network devices,
change device configurations, troubleshoot,
inspect traffic data, coordinate with users, and
perform other network management tasks.
AANTS: Authorized Agent
Network Tool Suite (cont.)
• Dozens of web-based GUI tools which allow all aspects of
day-to-day network administration to be performed with a
few clicks in a browser.
• Supported by a wide variety of behind-the-scenes scripts
which handle things like database updates, SNMP
information gathering, network state auditing, etc.
• Arranged into a hierarchy of functionality:
– Network Contacts
– Authorized Agents
– Super Users
Foundation Technologies:
• NetCMS - Network Device Configuration
Management System for tracking router/switch
configurations.
• WiscNIC - RIPE whois database of network
resources (VLANs, Administrators, Subnets).
• MySQL - Network configuration information.
• Cisconf - Cisco tftp config tool.
• GNU Make - Project management.
• FlowScan and MRTG (Multi-Router Traffic
Grapher).
No Time For:
• LookingGlass - run command-line device queries.
• NetWatch - Find IP and MAC addresses on network
devices.
• NetStats - Multitude of traffic graphs and statistics.
• VLAN Finder - Discover VLAN config info.
• MailByDevice - Contact users responsible for devices.
• MailByVlan - Contact users responsible for VLANs.
• PortTextSearch - Locate device/port combinations by
searching any user-entered port labeling.
• Many more!
EdgeConf
• Configure device ports.
• Perform multiple port changes as one
transaction.
• Label ports with user information.
• Work with port subsets.
• Examine switch port configurations and
other switch information.
• Users can only change devices/ports for
which they are authorized.
New Features
• Configure POE on ports.
• Ability to lock ports to a specific MAC
address (security).
• Display history of port changes.
• EdgeConf for platform (6500 series)
devices.
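The EdgeConf slides describe the security-relevant behaviour of the tool: an Authorized Agent may submit several port changes as one transaction, but only for devices and ports within that agent's scope, and newer features add MAC locking and a change history. The block below is an added illustration written for this transcript, not code from AANTS or the UW team. The authorization table, device names, the `lock_mac`/`poe`/`label` action names, and the IOS-style command rendering are all assumptions chosen for the example; AANTS keeps its authorization data in its own databases and the real command syntax depends on the platform.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: which (device, port) pairs each Authorized Agent may
# change. AANTS keeps this in its databases; the dict here is an assumption.
AUTHORIZED = {
    "alice": {("sw-bldg1-1", "Gi1/0/1"), ("sw-bldg1-1", "Gi1/0/2")},
    "bob": {("sw-bldg2-1", "Gi1/0/5")},
}

# Change history, one record per applied port change (a list stands in for a table).
HISTORY = []

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


@dataclass(frozen=True)
class PortChange:
    device: str
    port: str
    action: str   # "label", "poe" or "lock_mac" (hypothetical action names)
    value: str


class AuthorizationError(Exception):
    pass


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_RE.match(digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def unauthorized(agent, changes):
    """Return the (device, port) pairs in `changes` that the agent may not touch."""
    allowed = AUTHORIZED.get(agent, set())
    return sorted({(c.device, c.port) for c in changes} - allowed)


def render(change):
    """Translate one change into IOS-style interface commands (illustrative syntax)."""
    lines = [f"interface {change.port}"]
    if change.action == "label":
        lines.append(f" description {change.value}")
    elif change.action == "poe":
        lines.append(" power inline auto" if change.value == "on" else " power inline never")
    elif change.action == "lock_mac":
        mac = normalize_mac(change.value)
        lines += [" switchport port-security",
                  " switchport port-security maximum 1",
                  f" switchport port-security mac-address {mac}"]
    else:
        raise ValueError(f"unknown action {change.action!r}")
    return lines


def apply_transaction(agent, changes):
    """All-or-nothing: reject the whole batch if any port is outside the agent's scope.

    Returns {device: [command lines]} for the commands that would be pushed.
    """
    denied = unauthorized(agent, changes)
    if denied:
        raise AuthorizationError(f"{agent} not authorized for {denied}")
    # Render (and so validate) every change before touching any device, so a
    # malformed MAC in the last change cannot leave a half-applied batch.
    rendered = [(c, render(c)) for c in changes]
    commands = {}
    stamp = datetime.now(timezone.utc).isoformat()
    for c, lines in rendered:
        commands.setdefault(c.device, []).extend(lines)
        HISTORY.append({"when": stamp, "who": agent, "device": c.device,
                        "port": c.port, "action": c.action, "value": c.value})
    return commands


if __name__ == "__main__":
    batch = [PortChange("sw-bldg1-1", "Gi1/0/1", "label", "room 101 printer"),
             PortChange("sw-bldg1-1", "Gi1/0/1", "lock_mac", "00:11:22:33:44:55")]
    for dev, lines in apply_transaction("alice", batch).items():
        print(dev)
        print("\n".join(lines))
    try:
        apply_transaction("alice", [PortChange("sw-bldg2-1", "Gi1/0/5", "poe", "off")])
    except AuthorizationError as exc:
        print("rejected:", exc)
```

The point to notice is the ordering: the scope check and the per-change validation both run before any command is generated, so a transaction either applies completely and is recorded in the history, or is refused with nothing changed on the switch.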
MailByDevice
• Select one or more network devices.
• Find all VLANs on each device.
• Get all technical and administrative contacts
for each VLAN from the WiscNIC database.
• User can compose an email message.
• Message will be mailed to all users.
• Used to alert users when certain devices are
going to be affected by NS actions.
UPSManager
• Select one or more UPS devices.
• Display current device config.
• View all technical device info:
– make/model/SN/IP/OS
– Contact info
– Building/room info, etc.
• Create/edit/delete maintenance records.
• View/edit maintenance history.
• Maintain list of associated components (e.g.
batteries, fans).
CodePusher
• Push commands, operating code, or configuration
code to selected network devices.
– Run command-line directives (e.g. ‘show int’).
– Upgrade system software.
– Modify device configurations.
– Manage ACLs.
• Parallelized for maximum efficiency.
• Can specify a delayed device restart date/time.
• Parses results into log files which can be viewed
from the web browser.
• Performs error-checking.
• Reports results via email.
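The CodePusher slide lists a procedure: fan the same commands out to many devices in parallel, write each device's output to a log file, check the output for errors, and summarize the results for an e-mail. The block below is an added example written for this transcript, not AANTS code. It replaces real device sessions with a constructed in-memory table (`FAKE_DEVICES`, `fake_runner`), and the error markers it searches for are the standard IOS parser messages; how AANTS itself classifies errors is not stated on the slide.

```python
import re
import tempfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

# Lines the IOS command parser prints when a command fails. Any of them in a
# device's output marks that device's run as an error even though the session
# itself succeeded (assumed classification rule for this example).
ERROR_PATTERNS = [re.compile(p) for p in (
    r"^% Invalid input detected",
    r"^% Ambiguous command",
    r"^% Incomplete command",
    r"^% .*[Ee]rror",
)]

# Constructed stand-in for device sessions: device -> {command: response}.
# A device mapped to None simulates a host that cannot be reached.
FAKE_DEVICES = {
    "r-core-1": {
        "show version": "Cisco IOS Software, ... uptime is 41 weeks",
        "show int": "GigabitEthernet1/0/1 is up, line protocol is up",
    },
    "sw-bldg1-1": {
        "show version": "Cisco IOS Software, ... uptime is 2 days",
        "show int": "% Invalid input detected at '^' marker.",
    },
    "sw-bldg9-3": None,
}


def fake_runner(device, command):
    """Return the simulated device's output for one command, or raise if unreachable."""
    table = FAKE_DEVICES.get(device)
    if table is None:
        raise ConnectionError(f"{device}: no route to host")
    return table.get(command, "% Invalid input detected at '^' marker.")


def push_one(device, commands, runner, log_dir):
    """Run the command list on one device, write its log, and classify the outcome."""
    log_path = Path(log_dir) / f"{device}.log"
    errors = []
    with log_path.open("w") as log:
        for cmd in commands:
            log.write(f"### {cmd}\n")
            try:
                out = runner(device, cmd)
            except (ConnectionError, OSError, TimeoutError) as exc:
                log.write(f"!!! {exc}\n")
                return {"device": device, "status": "unreachable",
                        "errors": [str(exc)], "log": str(log_path)}
            log.write(out + "\n")
            for line in out.splitlines():
                if any(p.search(line) for p in ERROR_PATTERNS):
                    errors.append(f"{cmd}: {line.strip()}")
    status = "error" if errors else "ok"
    return {"device": device, "status": status, "errors": errors, "log": str(log_path)}


def push(devices, commands, runner=fake_runner, log_dir=None, workers=8):
    """Push the same commands to many devices in parallel; return {device: result}."""
    log_dir = log_dir or tempfile.mkdtemp(prefix="codepusher-")
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {d: pool.submit(push_one, d, commands, runner, log_dir) for d in devices}
        return {d: f.result() for d, f in futures.items()}


def report(results):
    """Plain-text summary of the kind that would go into the results e-mail."""
    counts = {"ok": 0, "error": 0, "unreachable": 0}
    lines = []
    for dev in sorted(results):
        r = results[dev]
        counts[r["status"]] += 1
        lines.append(f"{dev:<14} {r['status']:<11} {r['log']}")
        for err in r["errors"]:
            lines.append(f"    {err}")
    header = f"ok={counts['ok']} error={counts['error']} unreachable={counts['unreachable']}"
    return "\n".join([header] + lines)


if __name__ == "__main__":
    results = push(list(FAKE_DEVICES), ["show version", "show int"])
    print(report(results))
```

Each device gets its own worker and its own log file, so one unreachable switch neither blocks the rest of the batch nor hides its failure in a shared log; the summary separates "the command was rejected" from "the device could not be reached", which is the distinction an engineer needs before deciding whether to retry.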
Usage - Past 365 Days
• MailByDevice - Used 130 times by DoIT
net engineers and NOC staff to alert campus
agents of potential network outages.
• ConfigPusher - 827 transactions by DoIT net
engineers, tens/hundreds of devices per
transaction.
• EdgeConf - 10,500 transactions, between 1
and 200 port changes per transaction.
Summary
• AANTS tools allow our customers to manage their
network over the web, regardless of the user’s
platform of choice.
• AANTS tool development is driven by user input
and real-world needs.
• AANTS is built on a foundation of freely-available
software.
• Local networking practices guide AANTS’ growth
as a customized system.
Summary (cont.)
• Day-to-day management tasks are handled more
quickly and easily for network services staff.
• Improved Security Management
– Maintain common Access-Control-Lists across network
gear.
– Locate and isolate compromised and abusive machines.
– Identify and block abusive traffic.
– Lock ports to individual MAC addresses.
Summary (cont.)
• These tools help us maintain good relations with
campus LAN admins by empowering them rather
than moving responsibility away from them.
• This cooperative policy makes use of available
campus IT talent to help network services staff
manage the network.
Contact the AANTS Admin Team
[email protected]