Making the most of your Network Management System

Transcription

1 Making the most of your Network Management System Karl Solie, CCIE 4599, CCSI Ramsey County Technical Services '()*+,-&.&/(0( &9:&/(1;45160&:(,<51(8&=(6>&:?(156058)& Author of CCIE Practical Studies Volume 1 & Volume 2 &

2 Making the most of your Network Management System Session Outline Components of a Managed Network (Technical, and fun, Section) Simple Network Management Protocol (SNMP) Configuring Basic Management Detailed Management Template for Cisco Routers and Switches Securing SNMP and Network Management Gaining the most of NMS (Fun Section) Network Maps Configuration Management Alerting Visual Path Tracking Other Features Make your NMS evolutionary not revolutionary, and a valuable tool for your team. RFC Listing What is a NMS /+&26-(&);(&2+8)&+@&A+3,&'B:C&5)&58&<(,A&52?+,)64)&)+&34>(,8)64>&);(& D34>62(4)608&+@&:'BEF&/;58&?,+)+1+0&*500&-(A&54&?,+<5>54G&600&);(&1++0&H(008&64>&& I;58)0(8&>+*4&);(&,+6>F&& & J4&:'BEK2646G(>&4()*+,-&1+4858)8&+@&);,((&-(A&1+2?+4(4)8L& B646G(>&M(<51(8& JG(4)8&.&B9N8& '()*+,-K2646G(2(4)&8A8)(28&O'B:8PF "&

3 What is a NMS B646G(>&>(<51(8&6,(&2+45)+,(>&64>&1+4),+00(>&3854G&@+3,&H6851&:'BE& >8L&"#$%&'()"%&)#*%&64>&)#+",#-&.*"#/.0,F&& & /;(&"#$&1+2264>&58&38(>&HA&64&'B:&)+&2+45)+,&2646G(>&>(<51(8F&/;(&'B:& (R6254(8&>5S(,(4)&<6,56H0(8&);6)&6,(&2654)654(>&HA&2646G(>&>(<51(8F& && /;(&'()"&1+2264>&58&38(>&HA&64&'B:&)+&1+4),+0&2646G(>&>(<51(8F&/;(&'B:& 1;64G(8&);(&<603(8&+@&<6,56H0(8&8)+,(>&*5);54&2646G(>&>(<51(8F&& & /;(&)#*&1+2264>&58&38(>&HA&2646G(>&>(<51(8&)+&68A41;,+4+380A&,(?+,)& (<(4)8&)+&);(&'B:F&I;(4&1(,)654&)A?(8&+@&(<(4)8&+113,C&6&2646G(>&>(<51(& 8(4>8&6&),6?&)+&);(&'B:F&& & 1#+",#-&.*"#/.0,&6,(&38(>&HA&);(&'B:&)+&>()(,254(&*;51;&<6,56H0(8&6& 2646G(>&>(<51(&83??+,)8&64>&)+&8(T3(47600A&G6);(,&54@+,267+4&54&<6,56H0(& )6H0(8C&831;&68&6&,+374G&)6H0(F&& SNMP Simple Network Management Protocol (SNMP) UDP port 161, 162 (Traps) 2345&6",(.0&7&& :'BE<&58&6&852?0(&,(T3(8)#,(8?+48(&?,+)+1+0F&/;(&4()*+,-K2646G(2(4)&8A8)(2&5883(8&6&,(T3(8)C& 64>&2646G(>&>(<51(8&,()3,4&,(8?+48(8F&/;58&H(;6<5+,&58&52?0(2(4)(>&HA&3854G&+4(&+@&@+3,&?,+)+1+0& +?(,67+48L&U()C&U()'(R)C&:()C&64>&/,6?F&/;(&U()&+?(,67+4&58&38(>&HA&);(&'B:&)+&,(),5(<(&);(&<603(&+@& +4(&+,&2+,(&+HV(1)&548)641(8&@,+2&64&6G(4)& & 2345&6",(.0&8&& O:'BE<"&64>&:'BE/<"1P&58&64&(<+037+4&+@&);(&545760&<(,85+4C&:'BE<F&:'BE<"1&58&541+2?67H0(&*5);& :'BE<&54&)*+&-(A&6,(68L&2(886G(&@+,26)8&64>&?,+)+1+0&+?(,67+48F&:'BE<"1&2(886G(8&38(& >5S(,(4)&;(6>(,&64>&?,+)+1+0&>6)6&345)&OEMWP&@+,26)8&@,+2&:'BE<&2(886G(8F&:'BE<"1&608+&38(8& )*+&?,+)+1+0&+?(,67+48&);6)&6,(&4+)&8?(15X(>&54&:'BE<F&D3,);(,2+,(C&YDZ&"[%\&>(X4(8&)*+&?+885H0(&:'BE<#<"1&1+(R58)(41(&8),6)(G5(8F&& & 2345&6",(.0&9&& :'BE&<(,85+4&Q&O:'BE<QP&?,+<5>(8&8(13,(&(R1;64G(8&+@&2646G(2(4)&>6)6&H()*((4&4()*+,-&>(<51(8& 64>&2646G(2(4)&8)67+48F&/;(&(41,A?7+4&64>&63);( &@(6)3,(8&54&:'BE<Q&(483,(&;5G;& 8(13,5)A&54&),648?+,74G&?61-()8&)+&6&2646G(2(4)&1+48+0(& Q&

4 SNMP SNMP Data and message flow Configuring basic Management SNMP is one of the primary building blocks for your management system. Managed devices can be anything depending on how much detail you want from and to provide to that device. To get the most of your Network Management system, consider the following for managed devices: SNMP support (Versions) ICMP Support NTP and standardize clocks (Stratum 1-3) Independent IP address/ranges for mngt Syslog Server SNMP Read, Read/Write Community Strings SSHv2 Support Develop a standard template that can be used to mange a ranges of devices. Management Template for Cisco Routers and Switches $&

5 Configuring basic Management on Cisco Routers and Switches SETUP Proper timestamps service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone clock timezone CST -6 clock summer-time CDT recurring SETUP NTP for consistent clocks on all devices ntp server ntp server SETUP a high privilege level for your NMS username NMS-1 privilege 15 password MN-Symposium-2017 SETUP a Management Interface for your NMS (Virtual addresses are always up) interface Loopback1 description mngt-id ip address Configuring basic Management on Cisco Routers and Switches SETUP SSHv2 for configuration backup and secure writing ip domain-name co.countyname.mn.us crypto key generate rsa general-keys modulus 2048 ip ssh time-out 20 ip ssh authentication-retries 2 ip ssh version 2 SETUP a SYSLOG Server for your NMS logging host session-id hostname SETUP SNMP READ and WRITE strings snmp-server community R@mseyn3t-sym2017-w RW snmp-server community R@mseyn3t-sym2017-r RO [&

6 Configuring basic Management on Cisco Routers and Switches SETUP SSH access to the router and switch line vty 0 4 login local no transport input exec-timeout 20 logging sync transport input ssh Securing SNMP and Network Management Always Secure SNMP and management access: SNMP is often overlooked Consider the following security enhancements: Disable older management protocols like TELNET Disable public SNMP community and/or read read/write keys Use Complex SNMP Community strings Only allow your NMS Server and other key subnets reachability to your managed devices. (Use loopbacks, VRFs) Use the highest version of SNMP you can, SNMPv3 if available Use SSHv2 and above only (Set Modulus for 2048 bits.) Use ACLs to restrict SSH, SNMP community access. \&

7 Securing SNMP and Network Management SETUP ACL for the NMS platform and other privileged access access-list 99 permit host access-list 99 permit SETUP ACLs for SNMP snmp-server community RW 99 snmp-server community RO 99 REMOVE and public community strings no snmp-server community public RO SETUP Secure access for SSH line vty 0 4 access-class 99 in Gaining the most of your NMS; Maps Make your Maps Shine Make Maps meaningful A quick glance to tell what's going on. Keep your teams and MNGT informed. Make Maps Color coded, and Dynamic (Be Creative) Make Maps viewable on all devices (Tablets, Phones, etc) Use NOC views. Keep them up to date. Maps and data must be accurate, your NMS must have Integrity. Making detailed, color coded dynamic maps takes time and a lot of work. Keep working on your maps and evolve them over years. Remember your Maps must have Integrity. Upkeep is essential %&

8 ]&

9 "#$#%& ^&

10 "#$#%& Change and Configuration Management Just don t backup. Make the Backups Useful Backup Startup - Sundays 06:00 a.m. Backup Active Memory Fridays 6:00 p.m. Compare for Weekly Change Audit _&

11 Change Advanced Alerting Use automated Alerting, but be careful Too many s means no one reads them. Be selective on what and who gets the alerts Test the alerts before adding people to the list Use more then just down alerts Make headers very descriptive. Use High Priority when it is a high priority. Use different key words, alert, warning, critical Track on High availability timers, but only send these to key personal. &

12 Alerts Alerts: Use detailed descriptions so you can ascertain the issue just by headers: Alerts: Track High Availability Timers "&

13 Visual path trackers Use Visual Trace Route applications to isolate problems. Launch agents from your NMS, Test segments and known good segments to isolate path and network problems. Know exactly what path, the probability of that path, latency, delay, etc, and even owner s phone number. NetPath Google Q&

14 Net Path Net Path $&

15 Integration to other systems opens up even more features LADP Integration can provide User Device Tracking Net flow for traffic analysis and QoS Hardware EOS/EOL Support List, warning, and other OS related info HIPPA, PCI, security audits and recommendations. Mass configuration changes and custom jobs, automation Parting Notes Make your NMS evolutionary not revolutionary. Make good use of your information, (Informed to information overload) Upkeep, is essential for the integrity of the system. Make your NMS work for your team and your organization. Make it a valuable tool. RFC List included in the back. [&

16 RFC Lists YDZ&[[& O:/M&\P&`&"#$%"$#&'()*'+*&),-%(,.)'./'0()(1&2&)"'+)/.#2(,.)'/.#'"3&' (:&*'+)"&#)&":&& YDZ&[\& Oa58)+,51P&`&0()(1&2&)"'+)/.#2(,.)';(:&'/.#'<&"=.#>'0()(1&2&)"'./' (:&*'?)"&#)&":&& YDZ&[%& YDZ&"Q& O:/M&%P&`&0()(1&2&)"'+)/.#2(,.)';(:&'/.#'<&"=.#>'0()(1&2&)"'./' (:&*'?)"&#)&":E'0+;8++&YDZ&$["& YDZ&^_& OcR?(,52(4)60P&`&+)"#.*$%,.)'".'5.22$)?"K89(:&*'<06GI&& YDZ&^_"& OM,6d&:)64>6,>P&`&"#$%"$#&'./'0()(1&2&)"'+)/.#2(,.)'/.#'<06GI&ObH8+0()(>&HA&YDZ&"[%]P&& YDZ&^_]& O:)64>6,>8&/,61-P&`&5.&F?:"&)%&'9&"=&&)'L&#:?.)'H'()*'L&#:?.)'I'./'"3&'+)"&#)&"8:"()*(#*'<&"=.#>'0()(1&2&)"'J#(2&=.#>&YDZ&"[%_& &YDZ&"[%]& O:/M&[]P&`&"#$%"$#&'./'0()(1&2&)"'+)/.#2(,.)'L&#:?.)'I'C0+GID&& YDZ&Q$_& \&

17 RFC Lists YDZ&Q$& YDZ&Q$"& &`&0&::(1&'6#.%&::?)1'()*'N?:A("%3?)1'/.#'"3&'?2AB&'<&"=.#>'0()(1&2&)"'6#.".%.B'C<06D& YDZ&Q$Q& YDZ&Q$$& &`&O:&#89(:&*'&%$#?"K'0.*&B'CO0D'/.#'G&#:?.)'M'./'"3&'?2AB&'<&"=.#>'0()(1&2&)"'6#.".%.B'C<06GMD& YDZ&Q$[& YDZ&Q$\& &`&L&#:?.)'I'./'"3&'6#.".%.B'PA&#(,.):'/.#'"3&'?2AB&'<&"=.#>'0()(1&2&)"'6#.".%.B'C<06D& YDZ&Q$%& &`&4#():A.#"'0(AA?)1:'/.#'"3&'?2AB&'<&"=.#>'0()(1&2&)"'6#.".%.B'C<06D& YDZ&Q$]& &`&0()(1&2&)"'+)/.#2(,.)';(:&'C0+;D'/.#'"3&'?2AB&'<&"=.#>'0()(1&2&)"'6#.".%.B'C<06D& RFC Lists YDZ&Q$Q_& OcR?(,52(4)60P&`&?2AB&'<&"=.#>'0()(1&2&)"'6#.".%.B'C<06D'.G&#'4#():2?::?.)'5.)"#.B'6#.".%.B'C456D'4#():A.#"'0(AA?)1&& YDZ&Q[]$& ONZE&%$P&`&5.&F?:"&)%&'9&"=&&)'L&#:?.)'HQ'L&#:?.)'IQ'()*'L&#:?.)'M'./'"3&'+)"&#)&"8:"()*(#*'<&"=.#>'0()(1&2&)"'J#(2&=.#>&& YDZ&Q]"\& YDZ&$%]^& OE,+?+8(>P&`&?2AB&'<&"=.#>'0()(1&2&)"'6#.".%.B'C<06D'.G&#'+RRR'STI'<&"=.#>:&& YDZ&[Q$Q& O:/M&%]P&`&?2AB&'<&"=.#>'0()(1&2&)"'6#.".%.B'C<06D'5.)"&F"'R)1?)&+N'N?:%.G&#K&& YDZ&[[^_& O:/M&%]P&`&4#():A.#"'$9:K:"&2'/.#'"3&'?2AB&'<&"=.#>'0()(1&2&)"'6#.".%.B'C<06D&& YDZ&[[^& O:/M&%]P&`&4#():A.#"'&%$#?"K'0.*&B'/.#'"3&'?2AB&'<&"=.#>'0()(1&2&)"'6#.".%.B'C<06D&& YDZ&[[^"& OE,+?+8(>P&`&&%$#&'3&BB'4#():A.#"'0.*&B'/.#'"3&'?2AB&'<&"=.#>'0()(1&2&)"'6#.".%.B'C<06D&& YDZ&[\_]& YDZ&\Q[Q& O:/M&%]P&`&4#():A.#"'W(K&#'&%$#?"K'C4WD'4#():A.#"'0.*&B'/.#'"3&'?2AB&'<&"=.#>'0()(1&2&)"'6#.".%.B'C<06D&& YDZ&%\Q_& %&

18 ]&