26 |
ROUTER AND NETWORK MANAGEMENT |
providers to leak their SNMP community strings to peers and customers because they try to monitor the links connecting them. This is particularly risky at Internet Exchange Points. If you try to manage the shared network of the exchange, you will transmit your SNMP community string to every single router on the network, regardless of whether they are a peer or not. What is worse, those neighbours may well log the fact that you tried to query their box using an invalid community string.
In order to overcome many of these limitations and associated risks, version 3 of SNMP provides significant improvements in the security of SNMP messages. SNMPv3 provides authentication mechanisms to allow the managed devices and the management systems to confirm the source and integrity of messages they receive. It is also possible for messages to be encrypted so that configuration and statistical information are protected from snooping. In addition, SNMPv3 provides the mechanism to allow different views of the available data. This means that it is possible, for example, for a customer to be given a highly constrained view of the router to which they are connected, while the NOC would be able to view the entire MIB.
It is clear that in an ideal world everyone would use SNMPv3. However, SNMPv3 has not yet been widely implemented. Therefore, both SNMP versions 1 and 2c are still widely deployed in networks throughout the world.
3.5 REMOTE MONITORING (RMON)
RMON is a significant extension to the functionality of SNMP (actually, it’s a MIB), that allows the monitoring of a subnetwork as a single unit rather than as a collection of individual interfaces attached to a network device.
3.6 NETWORK MANAGEMENT SYSTEMS
SNMP is a mechanism for the transfer of information relating to the status of your network devices. However, on its own, the raw data is rather dry and can be difficult to interpret. Network management systems are designed to overcome some of these limitations by presenting the information in an easily readable and understandable format. In general, this involves a graphical front end with network diagrams and coloured icons representing nodes and links.
3.6.1 CISCOWORKS
CiscoWorks is a set of network management modules, each of which provides a function within an overall network management system designed to monitor and control Cisco Systems network nodes. The system relies on element managers. These are agents that are responsible for obtaining information from a specific network node type (e.g. a particular
3.7 CONFIGURATION MANAGEMENT |
27 |
Cisco router model or a particular Cisco switch model) and then passing that information to other parts of the system (e.g. trend managers, provisioning managers, performance monitors, etc.). It is these latter parts of the system to which the network operators have direct access and through which they monitor and influence the behaviour of the managed network nodes.
3.6.2JUNOScope
JUNOScope is a Juniper Networks proprietary system. It is a graphical user interface for the interrogation of Juniper Networks routers. Currently in very early releases, JUNOScope does not provide any configuration functionality.
3.6.3NON-PROPRIETARY SYSTEMS
In addition to the network management systems developed and marketed directly by the hardware vendors, there are a vast number of non-vendor-specific network management systems from a variety of vendors. Most of these non-vendor-specific systems specialize in specific parts of the overall network management function (e.g. provisioning, red/green monitoring, trend management). For a single vendor to produce a network management system containing all the aspects of an integrated, network management architecture with support for all hardware vendors’ equipment would be an almost insurmountable task. This is particularly difficult given the speed at which all the hardware vendors add new features to their software and new hardware modules to their network devices.
3.7 CONFIGURATION MANAGEMENT
As an operator of a network, it is important to keep track of the current configurations on each of your network devices. If a failure occurs, it is essential that you understand the way the device was configured when it was last working. It is also essential, should a network device completely fail, that you know the physical and logical configuration of the device when it was last working. Given how many network failures can be attributed to errors in a configuration file, it is vital that if changes are made to the configuration of a network device, a record is kept of those changes and who made those changes.
3.7.1CONCURRENT VERSION SYSTEM (CVS)
CVS is a version management system, which is widely used for version control of software. However, it is equally useful in the control of versions of configurations for
28 |
ROUTER AND NETWORK MANAGEMENT |
network devices. CVS allows the administrator to record a base configuration (or software code base) and, as modifications are made, keep track of them as differences from the previous configuration. As changes are made, they are timestamped. Thus, it is possible to recover any version of the configuration that has been saved at any specific time.
It is also possible to create a new branch of the configuration tree, thus creating parallel configurations that can be independently developed. The ability to record updates to a configuration can be restricted to certain users, while a wider list of users can be authorized to pull copies of the latest configurations. This provides a degree of control over who can actually make changes while enabling other network operators to restore the latest configuration to a failed box.
3.7.2SCRIPTING AND OTHER AUTOMATED CONFIGURATION DISTRIBUTION AND STORAGE MECHANISMS
It is common practice in service providers to use various commercial applications and ‘home-grown’ scripts to keep records of configurations, update those configurations and also retrieve and analyse network management data.
3.7.2.1 Perl/Expect Examples
Perl and Expect are scripting languages, both of which are well suited to sending information to and parsing the replies from network devices.
Expect is basically a scripting language to pass commands directly to the command line interface of a network device and wait for known responses before passing more commands. It is relatively easy to write an Expect script that uses telnet or SSH to connect to a network device, execute several commands on the command line interface (CLI) and parse the replies. This could be particularly useful for issuing the same set of commands on a list of devices. Table 3.1 is an example Expect script.
Perl, on the other hand, is a much more flexible scripting language for which configuration modifications is just one of a wide variety of possible uses (see Table 3.2). However, control of input and output is somewhat more complex in Perl than it is in Expect. It is not particularly easy to undertake the bidirectional exchange of information required for carrying out management tasks on network devices.
3.7.2.2 CiscoWorks Software
CiscoWorks includes modules specifically designed to keep track of the configurations on Cisco Systems network devices. Cisco Systems devices support the use of telnet, SSH, FTP, TFTP and rcp to access configuration information and these mechanisms are encoded into the CiscoWorks software.
3.7 CONFIGURATION MANAGEMENT |
29 |
Table 3.1 Expect script to delete MPLS traffic engineering configuration from a Juniper router
Expect script
#!/usr/bin/expect -f
#
#This script is used to delete MPLS traffic engineering from a set of
#Juniper routers.
#
#It reads the hostname from a file "listhosts.txt" that contains a list
#of hostnames or ip addresses with one device per line. It logs into each
#one using telnet. It then deletes mpls traffic engineering.
#
# To run the script, simply type ./myscript.
set force_conservative 0 ;# set to 1 to force conservative mode even if ;# script wasn’t run conservatively originally
if {$force_conservative} { set send_slow {1 .1}
proc send {ignore arg} { sleep .1
exp_send -s -- $arg
}
}
set timeout 60
#rprompt is the regular prompt of Juniper routers set rprompt ">"
#cprompt is the configuration mode prompt of Juniper routers set cprompt "#"
#lprompt is the login prompt
set lprompt "ogin:"
#pprompt is the password prompt set pprompt "assword:"
#sprompt is the prompt on the server set sprompt "\[guyd@myserver script\]\$"
#HOME is the base directory for this script set HOME /home/guyd/script
spawn $env(SHELL) match_max 100000 expect -ex $sprompt
#Logon onto router and modify the config set file [open ./listhosts.txt "r"] while {[gets $file line] != -1} {
if {[string length $line] != 0 } {
if { [string first "#" $line] == -1} { send -- "telnet $line\r"
expect -ex $lprompt send -- "robot\r"
expect -ex $pprompt log_user 0
(continued overleaf )
30 |
ROUTER AND NETWORK MANAGEMENT |
Table 3.1 (continued)
Expect script
send -- "a1g0115\r" log_user 1
expect -ex $rprompt send -- "configure\r" expect -ex $cprompt
send -- "delete protocols mpls traffic-engineering\r" expect -ex $cprompt
send -- "commit and-quit\r" expect -ex $rprompt
send -- "exit\r" expect -ex $sprompt
}
}
}
puts "The config change has completed" close $file
puts [timestamp -format %X-%a-%d-%b]
Table 3.2 Perl script to delete MPLS traffic engineering configuration from a Juniper router
Perl script
#!/usr/bin/perl
#
#This script is used to delete MPLS traffic engineering from a set of
#Juniper routers.
#
#It reads the hostname from a file "listhosts.txt" that contains a list
#of hostnames or ip addresses with one device per line. It logs into each
#one using telnet. It then deletes mpls traffic engineering.
#
#The user must have key based access to the device. This reduces the need for
#interaction to return a password.
#
#To run the script, simply type ./myscript.
#Perl doesn’t easily support the bidirectional opening of data pipes.
#It is much better at producing formatted text that can be either cut
#and paste into a CLI or used by an API like JUNOScript
#
# Need to work with IPC open2(). Might need Comm.pl or IPC::Chat.
Use IPC::Open2;
Use Symbol;