Implementation of a Switch Port Management System. using SNMP

Transcription

1 Implementation of a Switch Port Management System using SNMP Thesis for Master of Science Department of Computer Science and Engineering Tatung University July 2005

2

3 ABSTRACT Network administrators often use automatic mechanism to reduce the load of the network management. Including the computer centers of many universities, many people invest in this field to develop the management system which is suitable for their network architecture and meets the requirements of their network policy. These systems are usually base on monitoring IP address or MAC address of the client. For example, which IP address is attacking other nodes or which IP address is over the maximum traffic limited by the organization. In this thesis, we propose a network management system to resolve some common management problems. The system will collect the information about the relationship between user and switch port in multi-vendor environment. The proposed system is based on SNMP and runs scripts written in PHP on the Linux system with Apache server. Using the crontab, the system periodically fetches the information we need and writes the information into the MySQL database. According to the IP address or MAC address fetched from the existing hardware, the system can find out the relationship between user and the switch port quickly. The system will record the change of this relationship for auditing purpose. If, for example, a computer is infected by virus and is sending out large number of packets, the network administrator can turn off the corresponding port to avoid the spread of the influence if necessary. Keywords: SNMP, Network Management, Switch Port i

4 IP IP IP SNMP Linux PHP crontab MySQL IP ii

5 iii

6 TABLES OF CONTENTS ENGLISH ABSTRACT i CHINESE ABSTRACT ii ACKNOWLEDGEMENTS..iii TABLE OF CONTENTS..iv LIST OF FIGURES...vi LIST OF TABLES..viii CHAPTER 1 Introduction Motivation Thesis Organization 2 2 Background Simple Network Management Protocol Introduction Management Information Base Versions of SNMP Community String Net-SNMP MAC Address Table PHP 16 iv

7 2.5 MySQL System Design SNMP Agent SNMP Manager Graphical User Interface Database Management System 20 4 System Implementation Procedures of Data Processing Performance Evaluation Further Evaluation for Cisco 2924-XL Further Evaluation for Cisco Conclusions and Future Works..47 REFERENCES 48 v

8 LIST OF FIGURES 2.1 MIB-II subtree MAC address table Network architecture diagram Using dot1dtpfdbport OID to poll the switch Using dot1dbaseportifindex OID to poll the switch Using ifname OID to poll the switch Using ipnettomediaphysaddress OID to poll the switch Using ifadminstatus OID to poll the switch Creating profile of the managed switch Obtaining the port information of the specified switch Changes of the mapping relationship Turning off the port based on IP address CPU utilization of the Cisco 8510 Layer3 switch CPU utilization of the Cisco 2924-XL Layer2 switch Raw data of the CPU utilization of the Cisco 2924-XL Layer2 switch Bandwidth utilization of the 5-th port of the Cisco 2924-XL Transmission log of the generated traffic CPU utilization of the Cisco 2924-XL under the traffic of 92.9Mbps Response time of the PC on FastEthernet0/ vi

9 4.18 CPU utilization of the Cisco 2924-XL running the loop Loop script and raw data of the Cisco 2924-XL CPU utilization Response time of a PC connected to Cisco 2924-XL switch CPU utilization of the Cisco 8510 when running the loop Loop script and raw data of the Cisco 8510 CPU utilization Response time of a PC connected to Cisco 8510 switch..46 vii

10 LIST OF TABLES 2.1 Textual OIDs of the five managed objects used in this thesis Numerical OIDs of the five managed objects used in this thesis Net-SNMP applications common options Summary of snmpget applications Summary of snmpwalk applications Summary of snmpbulkwalk applications Summary of snmpset applications Empty table before executing the four snmpbulkwalk commands Partial table after executing the first command Partial table after executing the second command Partial table after executing the third command Complete entry after executing all the four commands.30 viii

11 CHAPTER 1 INTRODUCTION The task of network management is becoming increasingly complex due to the increasing number of networked computers running different operating systems and speaking various network protocols. In recent years, there are more and more virus, worm, backdoor and intrusion activities. Without an automatic network management system, the network administrator will be kept constantly on routine work and can t pay attention to something more important. 1.1 Motivation In order to manage a campus network well, we need some effective ways and tools. Many researches have been focused on this topic, however they usually suffer a common problem when they want to monitor or locate their user exactly. Maybe this can be done at the beginning of a newly constructed network. However, as time goes on, it is difficult to keep this information intact because users are changing frequently. We need an automatic method to collect the information about which user is connecting to the network from which port. This is challenging because in a large network, there are usually network devices of different vendors. The network management tool of a particular vendor is often used to manage their own devices only. Therefore we proposed a general method to 1

12 collect this information based on Simple Network Management Protocol (SNMP). 1.2 Thesis Organization The rest of the thesis is organized as follows: In Chapter 2, the background of techniques used in this thesis such as SNMP, will be discussed in detail. System design and architecture will be described in Chapter 3. The system implementation is described in Chapter 4. Finally, conclusions and future works are given in Chapter 5. 2

13 CHAPTER 2 BACKGROUND 2.1 Simple Network Management Protocol (SNMP) Introduction Based on the description of the RFC 3411 [1], a Simple Network Management Protocol (SNMP) system contains: Several (potentially many) nodes, each with an SNMP entity containing command responder and notification originator applications, which have access to management instrumentation (traditionally called agents) At least one SNMP entity containing command generator and/or notification receiver applications (traditionally called a manager) A management protocol, used to convey management information between the SNMP entities SNMP is an application-layer protocol that provides a message format for communication between SNMP entities. SNMP entities which generate command and receive notification monitor and control managed elements. Managed elements are devices such as routers, switches and hosts, etc. They are monitored and controlled via access to their management information base. 3

14 2.1.2 Management Information Base The management information can be viewed as a collection of managed objects residing in a virtual information storage area called Management Information Base (MIB). The Structure of Management Information (SMI) defines precisely how managed objects in the MIB are named and specifies their associated data types. In other words, the SMI provides a way to define managed objects, while the MIB is the definition of the objects themselves using the SMI syntax. Like a dictionary, which shows how to spell a word and then gives its meaning or definition, a MIB defines a textual name for a managed object and explains its meaning. The second version of the Management Information Base (MIB-II) is defined in RFC 1213 [2]. RFC 1213 defines the base OIDs for the mib-2 subtree which looks like this: mib-2 OBJECT IDENTIFIER ::= { mgmt 1 } system OBJECT IDENTIFIER ::= { mib-2 1 } interfaces OBJECT IDENTIFIER ::= { mib-2 2 } at OBJECT IDENTIFIER ::= { mib-2 3 } ip OBJECT IDENTIFIER ::= { mib-2 4 } icmp OBJECT IDENTIFIER ::= { mib-2 5 } tcp OBJECT IDENTIFIER ::= { mib-2 6 } udp OBJECT IDENTIFIER ::= { mib-2 7 } 4

15 egp OBJECT IDENTIFIER ::= { mib-2 8 } transmission OBJECT IDENTIFIER ::= { mib-2 10 } snmp OBJECT IDENTIFIER ::= { mib-2 11 } MIB-II is a very important management group, because every device that supports SNMP must also support MIB-II. Therefore, the five objects we used in this research are all from MIB-II and its successive versions. They are described on RFC 1213, RFC 1493 [3] and RFC 1573 [4]. Figure 2.1 MIB-II subtree 5

16 Table 2.1 Textual OIDs of the five managed objects used in this thesis Managed Objects Beginning with iso.org.dod.internet.mgmt.mib-2. dot1dtpfdbport dot1dbridge.dot1dtp.dot1dtpfdbtable.dot1dtpfdbentry.2 dot1dbaseportifindex dot1dbridge.dot1dbase.dot1dbaseporttable.dot1dbaseportentry.2 ifname ifmib.ifmibobjects.ifxtable.ifxentry.1 ipnettomediaphysaddress ip.ipnettomediatable.ipnettomediaentry.2 ifadminstatus interfaces.iftable.ifentry.7 Table 2.2 Numerical OIDs of the five managed objects used in this thesis Managed Objects Beginning with RFC Number dot1dtpfdbport RFC 1493 dot1dbaseportifindex RFC 1493 ifname RFC 1573 ipnettomediaphysaddress RFC 1213 ifadminstatus RFC

17 2.1.3 Versions of SNMP SNMP Version 1 (SNMPv1) is defined in RFC The security of the SNMPv1 is based on communities, which are similar to passwords. SNMP Version 2 (SNMPv2) is often referred to as community-string based SNMPv2. This version of SNMP is technically called SNMPv2c. The letter c stands for community. SNMPv2c uses the community-based security model of SNMPv1. SNMP Version 3 (SNMPv3) is the newest version of the SNMP. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network. The security features provided in SNMPv3 are: Message integrity: Ensuring a packet has not been tampered with in-transit. Authentication: Determining the message is from a valid source. Encryption: Scrambling the contents of a packet and preventing it from being seen by an unauthorized source. Both SNMPv1 and SNMPv2c use a community-based form of security. SNMPv2c support includes a bulk retrieval mechanism and more detailed error message reporting to management stations. The bulk retrieval mechanism supports the retrieval of tables and large quantities of information, minimizing the number of round-trips required. The 7

18 SNMPv2c improved error handling support includes expanded error codes that distinguish different kinds of error conditions; these conditions are reported through a single error code in SNMPv1. Error return codes now report the error type. Because of these advantages, we use SNMPv2c to implement our management system Community String The community is a plain-text string that allows any SNMP-based application to gain access to the management information of a device in SNMPv1 and SNMPv2c. There are three kinds of communities: read-only, read-write and trap. Some standard MIBs (e.g. BRIDGE-MIB ::= { mib-2 17 }, RFC 1493) assume that a particular SNMP entity contains only one instance of the MIB. Therefore, the standard MIB does not have any index that allow us to directly access an instance of the MIB. But Cisco Catalyst switch includes one instance of the standard BRIDGE-MIB for each VLAN in the switch [10]. To overcome this problem, Cisco provides a way called community string indexing to access each instance of the standard MIB. The syntax of the community string is: [community string]@[instance number]. For example, if the read-only community is public we could use public@9 to read the BRIDGE-MIB for VLAN 9. If just public is used, the BRIDGE-MIB for VLAN 1 is accessed. 8

19 2.2 Net-SNMP This section provides brief summaries of the command-line tools included in Version of the Net-SNMP package. Instead of trying to describe all the options of all the commands, we will focus on those that are used in our research. By default, Net-SNMP reads the MIB files in the directory /usr/share/snmp/mibs. During the installation of Net-SNMP, it puts several MIB files including RFC 1213 (MIB-II) and Net-SNMP MIB in this directory. Net-SNMP uses the MIB files to translate between numeric object IDs and their textual format. If you want to add MIB file of a particular vendor to Net-SNMP, it is as simple as placing it into the mibs directory describing above. The Net-SNMP commands follow a similar command structure. There are two kinds of options: common options and application relative options. For example, an snmpwalk command looks like snmpwalk [APPLICATION OPTIONS] [COMMON OPTIONS] [OID] The commands used in this thesis are summarized in Table 2.3 to

20 Table 2.3 Net-SNMP applications common options Options Description -v 1 2c 3 Specifies SNMP version to use -c COMMUNITY Set the SNMP Version 1 or 2c specific community string -r RETRIES Set the number of retries -t TIMEOUT Set the request timeout (in seconds) -d Dump input/output packets in hexadecimal -m MIB[: ] Load given list of MIBs ( ALL loads everything) -M DIR[: ] Allow specifying a colon-separated list of directories to search for MIB files -O OUTOPTS Toggle various defaults controlling output display -I INOPTS Toggle various defaults controlling input parsing -L LOGOPTS Toggle various defaults controlling logging -C APPOPTS Set various application specific behaviors 10

21 Table 2.4 Summary of snmpget application NAME snmpget: Communicates with a network entity using SNMP GET requests SYNOPSIS snmpget [COMMON OPTIONS] [-Cf] OID [OID]... DESCRIPTION snmpget is an SNMP application that uses the SNMP GET request to query for information on a network entity. One or more object identifiers (OIDs) may be given as arguments on the command line. OPTIONS -Cf If Cf is not specified, some applications will try to fix errors returned by the agent that we were talking to and resend the request. EXAMPLE snmpget -v 1 -c public system.sysdescr.0 will retrieve the variable system.sysdescr.0. For example, SNMPv2-MIB::sysDescr.0 = STRING: TigerSwitch 10/ AL2 11

22 Table 2.5 Summary of snmpwalk application NAME snmpwalk: Retrieve a subtree of management values using SNMP GETNEXT requests SYNOPSIS snmpwalk [APPLICATION OPTIONS] [COMMON OPTIONS] [OID] DESCRIPTION snmpwalk is an SNMP application that uses SNMP GETNEXT requests to query a network entity for a tree of information. An object identifier (OID) may be given on the command line. This OID specifies which portion of the object identifier space will be searched using GETNEXT requests. OPTIONS -Cc Do not check whether the returned OIDs are increasing -Cp Upon completion of the walk, print the number of ariables found -Ct Upon completion of the walk, print the total wall-clock time it took to collect the data (in seconds). EXAMPLE snmpwalk -v 2c -c public Error: OID not increasing: (Note) Note: Some agents like Extreme Summit48i return OIDs out of order, but can complete the walk anyway. Using Cc to turn off this check can avoid this error. 12

23 Table 2.6 Summary of snmpbulkwalk application NAME snmpbulkwalk: Retrieve a subtree of management values using SNMP GET-BULK requests SYNOPSIS snmpbulkwalk [APPLICATION OPTIONS] [COMMON OPTIONS] [OID] DESCRIPTION snmpbulkwalk is an SNMP application that uses SNMP GETBULK requests to query a network entity efficiently for a tree of information. An object identifier (OID) may be given on the command line. This OID specifies which portion of the object identifier space will be searched using GETBULK requests. All variables in the subtree below the given OID are queried and their values presented to the user. OPTIONS -Cc Do not check whether the returned OIDs are increasing -Cp Upon completion of the walk, print the number of ariables found EXAMPLE snmpbulkwalk -v 2c -Cc -c public ipnettomediaphysaddress = STRING: 0:80:3f:3:47:ee ipnettomediaphysaddress = STRING: 0:b:cd:e5:bf:bc 13

24 Table 2.7 Summary of snmpset application NAME snmpset: Communicates with a network entity using SNMP SET requests SYNOPSIS snmpset [COMMON OPTIONS] OID TYPE VALUE [OID TYPE VALUE]... DESCRIPTION snmpset is an SNMP application that uses the SNMP SET request to set information on a network entity. One or more object identifiers (OIDs) must be given as arguments on the command line. A type and a value to be set must accompany each object identifier. EXAMPLE snmpset -v 2c -c private i 2 IF-MIB::ifAdminStatus.21 = INTEGER: down(2) snmpset -v 2c -c private i 1 IF-MIB::ifAdminStatus.21 = INTEGER: up(1) 14

25 2.3 MAC Address Table Layer 2 switch has several key functions, including MAC address learning, forwarding and filtering decisions, and so on. When a switch is just powered on, the MAC address table is empty. When a device transmits a frame and is received on an interface of the switch, the switch will cache the source address in the MAC address table. Then, the switch uses the table to both forward and filter frames received on the switch. It determines if frames are transmitted via a specified port, or not. Hence, the MAC address table is also called the MAC filtering table. Figure 2.2 MAC address table 15

26 2.4 PHP Taken directly from PHP's home, "PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly." This is generally a good definition of PHP. PHP is similar in function to Microsoft Active Server Pages (ASP) and Sun JavaServer Pages (JSP) scripting languages. PHP code is embedded in documents that are to be sent out by a Web server, and is interpreted before the page gets served. It has a set of commands specifically for connecting to MySQL databases. PHP can format the results of the database lookups as HTML, which the Web server would then send to the requesting browser. We can set up HTML forms to be submitted to PHP scripts as well, which means we can use HTML, PHP, and MySQL together to create complete user interfaces for our databases. 16

27 2.5 MySQL MySQL is the most popular open source database server in existence. It is commonly used in conjunction with PHP scripts to create dynamic and powerful server applications. MySQL is a relational database which is much more oriented to the human mind. In a relational structured database there are tables that store data. Each table is made up of columns and rows. The columns of a table define what kind of information is going to be stored. While columns define what kind of information is going to be stored, a row is the actual data that is stored. Each row is an entry of that table and contains values for each column of the table. MySQL has many advantages like free, easy to use, high performance, and security etc. 17

28 CHAPTER 3 SYSTEM DESIGN We want to design a switch port management system that will provide three key functions: data collection, database management and administrative action. The system is composed of SNMP agents, SNMP manager, Graphical User Interface (GUI) and database. 3.1 SNMP Agent The SNMP agent is the software that controls all the SNMP communication to and from any SNMP compatible device. In some devices, such as routers and switches, the agent software is often built into the device itself and requires no installation. On other platforms, such as Windows NT, we need to install the agent as part of an additional software package. Because our system uses SNMPv2c, we must identify if our switches support SNMP first and what version they support. If the switch is not SNMP-compatible, we may need to retire our existing equipment and buy new one that supports SNMPv2c or let this part out of the control of this system. If the switch supports SNMP but not support SNMPv2c, we can contact the equipment vendors to see if they provide firmware upgrade to SNMPv2c. 18

29 3.2 SNMP Manager The SNMP manager is also called Network Management Station (NMS). The NMS in this system is a Linux server installing Net-SNMP on it. There are several considerations about determining what kind of hardware is appropriate for managing our network. For example, the number of devices we want to poll, the amount of information we will request from each devices, and the interval at which we want to poll them. Besides, the software running on the server also needs to be considered. NMS software such as HP OpenView is a large, heavyweight application. It requires more computing power and more memory to achieve the level of performance we want. Our NMS is running scripts written in PHP, we can use a much smaller management platform. The NMS will execute a program using the crontab periodically. The program will use the configurations stored in the MySQL database to poll the managed switches. After filtering the response, the final information we need is written back to the database. 3.3 Graphical User Interface The GUI written by PHP is running on an Apache web server. The network administrator can perform configuration management, database query and port management via GUI. In the configuration management, the administrator can view, add, delete and modify the information of the building, organization, Layer 2 and Layer 3 19

30 switches. Some of these information are use by NMS to poll the switches as its argument and others are reference for administrator to identify where the switches are. In the database query, the administrator can query the information based on switch, IP address or MAC address. In port management, the administrator can turn on and off a port by the specify IP address. 3.4 Database Management System The proposed system uses MySQL as the database management system. The database will store the Layer 2 and Layer 3 switches profile and the NMS will use this information such as IP address and SNMP community string to poll the managed switch. The switch profile also include the information meaningful to the administrator such as building name, floor, organization name and so on. Because we use MAC address table and IP ARP table of the switches to gather the information we need, there are many redundant entries on the uplink and downlink ports. In order to filter these redundant entries, we use a temporary table to maintain raw data. After filtering out the redundant entries, we write the information to the actual table in our MySQL database. The final information will include MAC and IP address of the client, the switch and the port it attached, the time interval we found the client on this port. 20

31 CHAPTER 4 SYSTEM IMPLEMENTATION There are two Layer 3 and six Layer2 switches in our test environment. The network architecture is shown in Fig The two Layer3 switches are Cisco 8510 and Extreme Summit48i, respectively. The six Layer2 switches are five Cisco 2924XL and one SMC Tiger. The SNMP Manager is a workstation with Net-SNMP, Apache, PHP, and MySQL on it. Figure 4.1 Network architecture diagram 21

32 The network administrator can create managed switch information via Web-GUI. The SNMP manager will query managed switch via Net-SNMP command every ten minutes, and process the data respond from the managed switch. The core process of the SNMP query is composed of four SNMP snmpbulkwalk command with different OID values. The administrative action to turn on or off a certain switch port is achieved by the snmpset command using single OID value with different arguments. The purpose and the sample outputs of these OIDs are discussed below. We will fill Table 4.1 step by step to demonstrate how these four SNMP snmpbulkwalk commands with different OID values work. Table 4.1 Empty table before executing the four snmpbulkwalk commands textual name ifindex dot1dtp index MAC IP 22

33 4.1 Procedures of Data Processing The first snmpbulkwalk command uses dot1dtpfdbport OID to poll the switch, and the switch will return the dotted decimal notation of Ethernet address and corresponding dot1dtp instance index. Name: BRIDGE-MIB!dot1dTpFdbPort Identifier: Macro: OBJECT-TYPE Access: read-only Syntax: Integer32 Description: Either the value 0, or the port number of the port on which a frame having a source address equal to the value of the corresponding instance of dot1dtpfdbaddress has been seen. A value of 0 indicates that the port number has not been learned but that the bridge does have some forwarding/filtering information about this address (e.g. in the dot1dstatictable). File: BRIDGE-MIB 23

34 Figure 4.2 Using dot1dtpfdbport OID to poll the switch We take the first entry in Fig. 4.2 as an example. The string is the dotted decimal notation of Ethernet address which is corresponding to 0:30:48:2b:51:6a in colon-separated hexbyte notation. The integer 26 is the dot1dtp instance index. We can map the Ethernet address 0:30:48:2b:51:6a to the dot1dtp instance index 26 in the first step. Table 4.2 Partial table after executing the first command textual name ifindex dot1dtp index MAC IP 26 0:30:48:2b:51:6a 24

35 The second snmpbulkwalk command uses dot1dbaseportifindex OID to poll the switch, and the switch will return the dot1dtp instance index and corresponding ifindex. Name: BRIDGE-MIB!dot1dBasePortIfIndex Identifier: Macro: OBJECT-TYPE Access: read-only Syntax: Integer32 Description: The value of the instance of the ifindex object, defined in MIB-II, for the interface corresponding to this port. File: BRIDGE-MIB 25

36 Figure 4.3 Using dot1dbaseportifindex OID to poll the switch The output information shown in Fig. 4.3 includes the dot1dtp instance index and corresponding ifindex. The string 26 is the dot1dtp instance index and the integer 14 is the ifindex. We can map the dot1dtp instance index 26 to the ifindex 14 in the second step. Table 4.3 Partial table after executing the second command textual name ifindex dot1dtp index MAC IP :30:48:2b:51:6a 26

37 The third snmpbulkwalk command uses ifname OID to poll the switch, and the switch will return the ifindex and corresponding textual name of the interface. Name: IF-MIB!ifName Identifier: Macro: OBJECT-TYPE Access: read-only Syntax: OCTET STRING Textual Convention: SNMPv2-TC!DisplayString Format: 255a Description: Retrieve the textual name of the interface. The value of this object should be the name of the interface as assigned by the local device and should be suitable for use in commands entered at the console of the device. This might be a text name, such as e0 or a simple port number, such as 1, depending on the interface naming syntax of the device. File: IF-MIB 27

38 Figure 4.4 Using ifname OID to poll the switch The output information shown in Fig. 4.4 includes the ifindex and corresponding textual name of the interface. The integer 14 is the ifindex and the string Fa0/13 is the textual name of the interface. We can map the ifindex 14 to the textual name Fa0/13 of this interface in the third step. Table 4.4 Partial table after executing the third command textual name ifindex dot1dtp index MAC IP Fa0/ :30:48:2b:51:6a 28

39 The fourth snmpbulkwalk command uses ipnettomediaphysaddress OID to poll the switch, and the switch will return the dotted decimal notation of IP address and corresponding colon-separated hexadecimal notation of MAC address. Name: IP-MIB!ipNetToMediaPhysAddress Identifier: Macro: OBJECT-TYPE Access: read-create Syntax: OCTET STRING Textual Convention: SNMPv2-TC!PhysAddress Format: 1x: Description: The media-dependent physical address. File: IP-MIB 29

40 Figure 4.5 Using ipnettomediaphysaddress OID to poll the switch The string in Fig. 4.5 is the dotted decimal notation of IP address and the string 0:30:48:2b:51:6a is the colon-separated hexadecimal notation of MAC address. We can map the MAC address 0:30:48:2b:51:6a to the IP address in the fourth step. Finally, we can summarize that the IP address of is attached to the port Fa0/13. Table 4.5 Complete entry after executing all the four commands textual name ifindex dot1dtp index MAC IP Fa0/ :30:48:2b:51:6a

41 The ifadminstatus OID can be used to poll the administrative port status of the switch, or change the port status depending on using snmpbulkwalk or snmpset command. Name: IF-MIB!ifAdminStatus Identifier: Macro: OBJECT-TYPE Access: read-write Syntax: Integer32 Enumeration: up 1 down 2 testing 3 Description: Retrieve or set the desired state of the interface. The testing(3) state indicates that no operational packets can be passed. When a managed system initializes, all interfaces start with ifadminstatus in the down(2) state. As a result of either explicit management action or per configuration information retained by the managed system, ifadminstatus is then changed to either the up(1) or testing(3) states (or remains in the down(2) state). File: IF-MIB 31

42 Figure 4.6 Using ifadminstatus OID to poll the switch The output information shown in Fig. 4.6 includes the ifindex and its administrative port status. If we use the read-only community and OID of , it will show the administrative status of the switch ports. If we use read-write community and OID of with ifindex and extra integer 1 or 2, we can change the administrative status of the specified ifindex. 32

43 Figure 4.7 Creating profile of the managed switch Figure 4.8 Obtaining the port information of the specified switch 33

44 Figure 4.9 Changes of the mapping relationship Figure 4.10 Turning off the port based on IP address 34

45 The summary outputs of our system are shown in Fig. 4.7 to The profile creation of the managed switch is shown in Fig The profile includes the necessary information such as switch IP and community string and the optional information such as device model and physical location. The database query based on specified switch is shown in Fig. 4.8 and the result of this query includes switch IP address, interface name, client IP address, client MAC address, last update time, and first recording time. The change of the mapping relationship is shown in Fig This function can be used to monitor and audit these changes. For example, the PC with MAC address of 0:30:48:21:74:9 used IP address of from June 28th to June 29th. Also, it changed IP address to from July 20th. Turning off the particular port based on IP address is shown in Fig We compare this function to the mechanism of the Intrusion Prevention System (IPS). The IPS has a built-in attack database as the signature and can perform packet filtering based on this database. If we want to perform packet filtering at a particular branch in our network architecture, we must implement an IPS at this branch. Therefore, if we want to perform packet filtering at a number of branches, we must install the same number of IPS. In comparison, our system has no built-in attack database; therefore, it can not judge which IP address is attacking other node. However, if we implement an IPS in a suitable location of our network environment, and can retrieve the attacking IP address detected 35

46 by the IPS, we can turn off the port where the attacking IP address comes from to isolate the infected device at the very begining. Therefore, our system with an IPS can perform access control regardless of the number of network branches. However, there is a difference between these two circumstances. When we use multiple IPS to separate our network, we can filer out the malicious packets while let normal packets to pass through. However, if we use our system with an IPS, we can only turn on or off the port to let all the packets either passing through or filtered. 36

47 4.2 Performance Evaluation When we implement a network management system, it is very important to evaluate the additional network load caused by this system. The result of this evaluation can help us determine the polling interval. We run our scripts once a minute and record the CPU utilization of the Cisco 8510 Layer3 switch and Cisco 2924-XL Layer2 switch. We monitor the CPU utilization of the switch over a 15 minutes interval while polling the switch for the information we used in this research during the last 10 minutes. Cisco provides a set of OID for collecting CPU utilization over different time interval [11]. The OID busyper ( ) is the CPU utilization over the last five seconds. The OID avgbusy1 ( ) and avgbusy5 ( ) are the CPU utilization over the last one minute and last five minutes, respectively. We use the three OIDs to poll the CPU utilization of the switch every ten seconds. Figure 4.11 CPU utilization of the Cisco 8510 Layer3 switch 37

48 Figure 4.12 CPU utilization of the Cisco 2924-XL Layer2 switch We can make two conclusions from Fig and First, the influence of SNMP polling on switch CPU utilization is slight even running the scripts per minute. Second, we can not find any relation in Fig. 4.11; however, we can see there is one peak busyper per minute when we run our scripts in Fig This is probably because of the difference of the hardware design between Cisco 8510 and Cisco 2924-XL switches [12]. The Cisco 2900XL switches have two separate hardware subsystems, the switching subsystem and the internal CPU engine. The switching subsystem controls the receiving and forwarding of data traffic. The internal CPU engine implements higher-level protocols to control and monitor switch behavior. In comparison, Cisco routers or Layer3 switches such as the Cisco 8510 process and route packets using software; therefore, the 38

49 CPU utilization is proportion for the amount of packet processing and routing being performed on the switch. Therefore, in comparison with packet processing, we can ignore the CPU utilization variation caused by SNMP polling to the Cisco However, the CPU utilization of the Cisco 2924-XL is almost the same under different traffic conditions. Therefore, we can see a little increase of the CPU utilization. The corresponding raw data of the CPU utilization of the Cisco 2924-XL is shown in Fig Because we run our scripts once per minute, we can see one small peak of busyper at the 14th second every minute after we start. Figure 4.13 Raw data of the CPU utilization of the Cisco 2924-XL Layer2 switch 39

50 4.3 Further Evaluation for Cisco 2924-XL We generate a data stream with the average bitrate of 92.9Mbps for 900 seconds from FastEthernet0/5. The bandwidth utilization is shown in Fig The OID locifinbitssec( ) is the five minute exponentially-decayed moving average of input bits per second. The transmission log is shown in Fig The CPU utilization over the last five seconds of the Cisco 2924-XL is shown in Fig We use ping to monitor the response time of the PC on FastEthernet0/8 and the result is shown in Fig The result of this experiment is the same as we mention in section 4.2. There is no relation between CPU utilization and data traffic being switched on Cisco 2924-XL switches. Figure 4.14 Bandwidth utilization of the 5-th port of the Cisco 2924-XL 40

51 Figure 4.15 Transmission log of the generated traffic Figure 4.16 CPU utilization of the Cisco 2924-XL under the traffic of 92.9Mbps 41

52 Figure 4.17 Response time of the PC on FastEthernet0/8 42

53 We use a loop of 100 times to run the three snmp commands used in our scripts on Cisco 2924-XL switch and record the CPU utilization of the switch shown in Fig The loop script and raw data of the Cisco 2924-XL CPU utilization is shown in Fig We ping a PC on Cisco 2924-XL switch and the response time is shown in Fig It spent about 192 seconds to finish this loop which is equal to once every two minutes. The CPU utilization is no more 80 percent and the response time is also normal under this situation. Figure 4.18 CPU utilization of the Cisco 2924-XL running the loop 43

54 Figure 4.19 Loop script and raw data of the Cisco 2924-XL CPU utilization Figure 4.20 Response time of a PC connected to Cisco 2924-XL switch 44

55 4.5 Further Evaluation for Cisco 8510 We use another loop of 100 times to run the snmp command used in our scripts on Cisco 8510 switch and record the CPU utilization of the switch, as shown in Fig The loop script and raw data of the Cisco 8510 CPU utilization is shown in Fig We ping a PC on Cisco 8510 switch and the response time is shown in Fig It spent about 100 seconds to finish this loop which is equal to once per second. The CPU utilization is no more than 75 percent and the response time is also normal under this situation. Figure 4.21 CPU utilization of the Cisco 8510 when running the loop 45

56 Figure 4.22 Loop script and raw data of the Cisco 8510 CPU utilization Figure 4.23 Response time of a PC connected to Cisco 8510 switch 46

57 CHAPTER 5 CONCLUSIONS AND FUTURE WORKS The network environment is becoming more and more complicated because of the cascade of Firewall, Viruswall, Intrusion detection and prevention, and flow control systems. The major difference between the proposed system in this thesis and other approaches is the way to query the network devices. Every vendor has his own command to achieve this requirement. But in fact, we usually must face devices of different vendors in our environment. This thesis proposed a system to achieve the same requirement in a muli-vendor environment based on SNMP. The additional network load caused by this system is slight even running the scripts once per minute. The future work is the integration of the existing network management system. Many network management systems proposed in other literature will filter out the ip address of the computer based on different criteria such as flows, Virus, Worm, etc. If the existing network management system can be integrated into the system we proposed as a module, it can obtained the information of the switch port the computer attached. According to how serious the infected computer is, the network administrator can shutdown the corresponding port to avoid the spread of the influence if necessary. 47

58 REFERENCE [1] Harrington, D., Presuhn, R. and B. Wijnen, An Architecture for describing Simple Network Management Protocol (SNMP) Management Frameworks, STD 62, RFC 3411, December [2] McCloghrie K., and M. Rose, Management Information Base for Network Management of TCP/IP-based internets: MIB-II, STD 17, RFC 1213, March [3] Decker E., Langille P., Rijsinghani A., and K. McClonghrie, Definitions of Managed Objects for Bridges, RFC 1493, July [4] McCloghrie K., and F. Kastenholz, Evolution of the Interfaces Group of MIB-II, RFC 1573, January [5] Presuhn, R. Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, Protocol Operations for the Simple Network Management Protocol (SNMP), STD 62, RFC 3416, December [6] Douglas Mauro, and Kevin Schmidt, Essential SNMP, O Reilly, July 2001 [7] Huai-Chung Tsai, Integrated Network User Management System, Tatung University, January 2005 [8] 2002 [9]

59 [10] Cisco SNMP Community String Indexing, Cisco Systems, Inc., May 2004 [11] Cisco How to Collect CPU Utilization on Cisco IOS Devices Using SNMP, Cisco Systems, Inc., June 2005 [12] Cisco High CPU Utilization on Catalyst 2900XL/3500XL Switches, Cisco Systems, Inc., May