Transcript 20050920-aants

AANTS: Web-Based Tools for Cooperative Campus Network Administration
Charles Thomas
Dave Plonka
AANTS Administration Team
Division of Info. Tech. (DoIT), Network Services
University of Wisconsin - Madison

Past Campus Network:
• ATM LANE environment with 5 or 6 routers.
• Multiple switch brands, many models.
• Centrally-managed configurations for 50-75 devices.

Past Campus Network:
• Campus departments administered their own LANs and had their own IT staff.
• Gear purchase, configuration, deployment, and maintenance was handled on a department-by-department basis.
• This led to a hodgepodge of operating procedures and network designs, some incompatible with each other.

Campus XXI Century Network Upgrade
• Use Cisco equipment as a standard to minimize cross-vendor incompatibilities.
• Increase the backbone speed to 10 Gb/s.
• Offer 1 Gb/s departmental connections.
• Move to a centrally-purchased and centrally-managed network model.

Present Campus Network
• Nearly 900 Cisco network devices, many models.
• A few Juniper and NetScreen devices.
• 41,000+ managed ports.
• The number of managed buildings, devices, and ports is growing every day.

The Challenge
• Campus LAN admins (Authorized Agents) need to administer the switches and ports which carry their LANs.
• The gear is centrally owned/managed, therefore we cannot allow them direct access (e.g. ssh or telnet) to the switches themselves.
• Need to maintain good relations with AAs and not deprive them of their sense of autonomy (political/practical).

The Goal
• Give our Authorized Agents comparable (and in many cases improved) network management capabilities.
• Maintain appropriate levels of security, authorization and access control.
  – Protect centrally-managed gear.
  – Protect AAs from each other.

AANTS: Authorized Agent Network Tool Suite
• Loosely-coupled set of web-based utilities for network administration.
• Tools are team-developed in-house, optimized toward local networking practices, driven by user need.
• Allow users (campus LAN administrators and network engineers) to manage network devices, change device configurations, troubleshoot, inspect traffic data, coordinate with users, and perform other network management tasks.

Foundation Technologies:
• NetCMS - Network Device Configuration Management System for tracking router/switch configurations.
• WiscNIC - RIPE whois database of network information.
• Oracle/MySQL - Device config database.
• Cisconf - Cisco tftp config tool.
• GNU Make - Project management.
• FlowScan and MRTG (Multi-Router Traffic Grapher).

LookingGlass
• Run command-line operations on devices and view results.
• View ethernet switch logs.

NetStats
• Graph router interface and switch port statistics.
• Several summary graphs displaying different types of traffic statistics at the campus network border.
• Searchable interface to traffic statistics.

NetWatch
• Locate a host given a MAC or IP address.
• Discover which devices are connected to a specific switch.

EdgeConf
• Configure device ports.
• Perform multiple port changes as one transaction.
• Label ports with user information.
• Work with port subsets.
• Examine switch port configurations and other switch information.
• Users can only change devices/ports for which they are authorized.
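An illustrative authorization check for the EdgeConf model described above (port-level entitlements held centrally, batches applied as one all-or-nothing transaction, AAs kept from touching each other's ports). This is added example code, not AANTS source; the AA logins, switch name and port names are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class PortChange:
    device: str     # switch name (constructed placeholder)
    port: str       # interface name (constructed placeholder)
    setting: tuple  # (attribute, value), e.g. ("vlan", 120)

@dataclass
class EdgeConfPolicy:
    # AA login -> set of (device, port) pairs that agent may configure; the
    # central team owns this table and AAs never receive device logins.
    entitlements: dict
    audit: list = field(default_factory=list)

    def is_authorized(self, agent: str, change: PortChange) -> bool:
        return (change.device, change.port) in self.entitlements.get(agent, set())

    def apply_transaction(self, agent: str, changes: list, state: dict) -> dict:
        """Apply a batch as one transaction: every change is checked before any
        is applied, so a batch touching another AA's port is rejected whole."""
        denied = [c for c in changes if not self.is_authorized(agent, c)]
        if denied:
            for c in denied:
                self.audit.append(f"DENY {agent} {c.device} {c.port}")
            raise PermissionError(f"{agent}: {len(denied)} change(s) outside entitlements")
        for c in changes:
            attr, value = c.setting
            state.setdefault(c.device, {}).setdefault(c.port, {})[attr] = value
            self.audit.append(f"ALLOW {agent} {c.device} {c.port} {attr}={value}")
        return state

def demo() -> tuple:
    # Constructed scenario: two AAs share one switch but own different ports.
    policy = EdgeConfPolicy({
        "aa_chem": {("sw-bldg1-1", "Gi1/0/7"), ("sw-bldg1-1", "Gi1/0/8")},
        "aa_math": {("sw-bldg1-1", "Gi1/0/9")},
    })
    state = {}
    # Legitimate batch: aa_chem re-VLANs and labels its own two ports.
    policy.apply_transaction("aa_chem", [
        PortChange("sw-bldg1-1", "Gi1/0/7", ("vlan", 120)),
        PortChange("sw-bldg1-1", "Gi1/0/8", ("label", "chem-lab-printer"))], state)
    # Cross-AA batch: Gi1/0/9 belongs to aa_math, so nothing in it is applied.
    try:
        policy.apply_transaction("aa_chem", [
            PortChange("sw-bldg1-1", "Gi1/0/7", ("vlan", 130)),
            PortChange("sw-bldg1-1", "Gi1/0/9", ("vlan", 130))], state)
        rejected = False
    except PermissionError:
        rejected = True
    return state, policy.audit, rejected
```

The audit trail records both the allowed and the denied attempts, which is what lets the central team review cross-AA requests without granting anyone device logins.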

VlanFinder
• Discovers all currently active VLANs.
• User selects one or more VLANs.
• Display devices and ports on which the VLANs are active.
• Display VLAN attributes:
  – Configuration of routed VLAN interfaces
  – Any trunk allowed VLANs
  – VLAN Spanning Tree Protocol priorities
• Device names and ports will be hot-linked (where applicable) to EdgeConf.

VlanFinder
• Used to identify devices/ports which could potentially be affected by work on a specific VLAN.
• Used to map the current configuration of a VLAN prior to reconfiguration.
• Used to verify the real-world result of network configuration changes (“Did my change do what I wanted?”).

MailByDevice
• Select one or more network devices.
• Find all VLANs on each device.
• Get all technical and administrative contacts for each VLAN from the WiscNIC database.
• User can compose an email message.
• Message will be mailed to all users.
• Used to alert users when certain devices are going to be affected by NS actions.

CodePusher
• Push commands, operating code, or configuration code to selected network devices.
  – Run command-line directives (e.g. ‘show int’).
  – Upgrade system software.
  – Modify device configurations.
  – Manage ACLs.
• Parallelized for maximum efficiency.
• Can specify a delayed device restart date/time.
• Parses results into log files which can be viewed from the web browser.
• Performs error-checking.
• Reports results via email.

Live Demos

Summary
• AANTS tools allow our customers to manage their network over the web, regardless of the user’s platform of choice.
• AANTS tool development is driven by user input and real-world needs.
• AANTS is built on a foundation of freely-available software.
• Local networking practices guide AANTS’ growth as a customized system.

Summary (cont.)
• Day-to-day management tasks are handled more quickly and easily for network services staff.
• Improved Security Management
  – Maintain common Access-Control-Lists across network gear.
  – Locate and isolate compromised and abusive machines.
  – Visually identify bouts of abusive traffic.
  – Block traffic involving abusive intra- or extra-campus hosts.

Summary (cont.)
• These tools help us maintain good relations with campus LAN admins by empowering them rather than moving responsibility away from them.
• This cooperative policy makes use of available campus IT talent to help network services staff manage the network.

Contact the AANTS Admin Team
[email protected]

Q&A