Open Network Administrator (ona) Presented by Bruce Campbell

Open Network Administrator (ona)

Presented by Bruce Campbell

WatITis | Supporting UW’s Mission Through I.T. | December 7, 2004 | Open Network Administrator

Onaoverview

Web based network management tool Administrators interact with ona over the web Ona interacts with network devices. Device configurations, permissions, etc. stored in

mysql database.


Ona overview

Ona users

ona

switch

switch

router

AP

etc

database


Without ona

Network staffswitch

switch

router

ap

etc


Onakey features

Provides a common interface to a number of different makes and models of switches.

Supports delegation through granular access control. Logs all changes Traffic graphs Saves switch configurations to tftp server E-mails a daily summary of changes and diff report. IP/MAC search extensible – if you can think it, you can build it… or ask me to

build it.


Some details

Approximately 10,000 lines of php Uses net_snmp library (formerly ucd-snmp) Uses snmp primarily, and telnet for some functions I could

not figure out via snmp. Platform independent Currently hosted on 2.4GHz PC running FreeBSD, Apache web

server, .htaccess authentication to ADS and Nexus. telnet script features written using php socket library. Supports Nortel Baystack, Extreme, Cisco 2900/3500, Cisco

2950/3550, Avaya AP. Limited support for Cisco 1900 and Enterasys AP.


Use at UW

Used by Arts, CS, Engineering, Math, Science to (help) manage approximately 250 switches and 150 Aps.

Most visible use is “day to day” activities, ie configure port speed, duplex, vlan, find a machine, etc.

Behind the scenes, ona saves configs, cvs config, graphs traffic, sends alerts upon device up/down/reboot, equipment inventory, tracks ARP/MAC changes, daily report, etc.


End user features

Ona has some features for end users Whereami (works on switch port or AP). Shows

port configuration, traffic graph. Java bandwidth test (complete with java nuances)


Intro screen


MAC/IP search

Ona queries router ARP tables 5 times daily. Queries switch MAC tables 5 times daily. (takes 30-40 minutes for

250 switches) Queries AP MAC tables every 5 minutes. (30 seconds for 150 APs) Everything goes in the database… forever. And everything is

logged. Search tools consult the database (ie. not real time search of

device MAC tables) Button for real time update of the MAC table from a switch or AP

(one at a time only). Real time AP MAC search Future: smartsearch will track down a MAC from a starting point

using some cleverness to avoid searching all switches.


Search tool


History part of search tool


Traffic Graphs

Maintained on all ports with rrdtool, 5 minute interval.

Also track number of wireless users on each AP, and total for Aps for each orgunit.

Real time graphs. Port or switch, 10 second update. Useful for getting a snapshot of activity.

TopPorts button shows busiest ports in last 20 seconds.


Port graphs(5 graphs of various intervals)


Switch configurations

Switch configs saved to tftp server each night Can be pushed to alternate tftp or ftp servers as

well Can create a tar ball of configs for automated

download to a network admins laptop (instructions included for cygwin procedure and scheduled tasks). Who gets what is configurable.

Difference between yesterdays config e-mailed in daily report (minus sensitive information)


Switch config view


CVS

Switch configurations stored in cvs server (plain text configs only)

Makes for easy comparison between arbitrary dates, going back to an old version.

Two cvs trees. One with real configs, one with configs minus sensitive info (passwords etc). Latter available via cvsweb to ona admins.


Cvsweb diffbetween versions


Daily report

Admin changes Port changes Diff report Summary of alerts Sent to relevant ona users only. Ie. Math guys

don’t get Arts report.


Daily report


telnet feature

Separately enabled Allows batch telnet commands to devices which

support a command line interface After a telnet command is issued, switch can be

optionally “Sync’ed”, next time someone accesses it.

Option to send telnet commands in daily report or not, and to trigger saving the config.


telnet window


Vlan conversion tool(part of telnet window if Cisco switch and all ports on vlan 1)


Access control

Done through groups Each admin and device has a primary group. Admins and devices can be added to further groups. Ports can be added to groups Vlans are members of groups. To edit a port, an admin must have a group in common with the

port or switch. Use of regular expressions simplifies listing which switches are in

which groups. To put a port on a vlan, the admin must have a group in common

with that vlan. To edit a trunk, an admin must not have “denytrunkchanges”

setting, and must have permission on all vlans on the trunk.


Device groups window


More access control

All tools (buttons) can be selectively disabled, or all disabled and some selectively re-enabled.

The ability to set port settings can be similarly restricted.

For example, can give permission to Search only, and disable/enable port only.


Administrative interface

Typically one ona user per faculty is an ona administrator.

They can add switches, users, configure permissions.

Cannot delete other admins, or create more admins, depending on settings.


Admin interface


Admins table(note systemadmin setting)


Adding a device

Add ipname, make, devicetype (switch, router or ap), telnet and snmp passwords.

The passwords are encrypted in the ona database First attempt to access newly added device will

force a “Sync”.


Device add window


Few other odds and ends

When a port is disabled, an optional message can be entered which is sent to the DNS contact, admin.

When a vlan is created, it is named based on UW convention.

Comment field for each port (stored in database, not the same as port description)

Configuration translator


Configuration translator(converts port settings between

vendors)


See ?


Main Screen(note sort buttons)


Sorted by version(example)


Switch Screenexample 1


Printable version


Some buttons

Sync : pull config from switch into ona (done daily automatically)

Freshen : pull port states only (happens automatically if over an hour since last time)

Save : save settings to NVRAM (ona does this automatically if changes are made and not saved, once per day)

UpdateMacs : pull MAC table (done 5 times daily automatically, typically)


Switch screenexample 2 (note trunks)


Showing MACs on a trunk(note show naa users button)


Ping tool


TopPorts tool


Alerts(e-mailed also)


Showing changes on a switch


Port edit screen(note save now vs. later)


Port edit screen(trunk)


Access Point view(note 1 AP down)

Users column is MACs seen in last 24 hours


Usage graphs part of AP view


Single AP view


Showing users on an AP


telnet command on multiple Aps


Preferences window(note Mail me changes field)


Where am I ?(wired)


Where am I ?(wireless)

(note update button)


Java Bandwidth test(to endpoint in Eng)

(well, I ran this from home)


To have an unsupported device added to ona…

You figure out all the snmp, and test it with the command line net-snmp tools.

I will write the code. (or you can if you’d prefer) Look at nortel.php in the ona package as an example of what

you need to figure out. You don’t need to write the code, just figure out the logic and oids. Functionality needed is:

function set_nortel_port_tagged_vlans_via_snmp( $d, $portname, $olduntaggedvlan,function set_nortel_port_untagged_vlan_via_snmp( $d, $portname, $oldvlan, $vlan,function adjust_nortel_vlan_members( $d, $vlan, $remove_this_port, $add_this_port)function set_nortel_port_trunkmode_via_snmp( $d, $portname, $trunkmode,function get_nortel_vlan_configuration_via_snmp( $d, $signature )function get_nortel_port_speeds_and_duplexes_via_snmp( $d, $signature )function set_nortel_port_speed_duplex_via_snmp( $d, $portname, $speed, $duplex )function get_nortel_model_and_version_via_snmp( &$d )function nortel_telnet_login( $d, $contin )function nortel_telnet_logout()function create_nortel_vlan_if_needed( $d, $vlan )


Future ideas

SmartSearch (as mentioned earlier) Network topology diagram. Should be doable as

ona knows MAC addresses of all switches and which trunks they are on.

syslog integration

Documents

Open Network Administrator (ona) Presented by Bruce Campbell