Open Network Administrator (ona) - PowerPoint PPT Presentation

Slides: 59
Provided by: ISTa2

1
Open Network Administrator (ona)
  • Presented by Bruce Campbell

2
Ona overview
  • Web based network management tool
  • Administrators interact with ona over the web
  • Ona interacts with network devices.
  • Device configurations, permissions, etc. stored
    in mysql database.

3
Ona overview
  • Ona users

[Diagram labels: switch, switch, ona, router, AP, database, etc]

4
Without ona
  • Network staff

[Diagram labels: switch, switch, router, ap, etc]

5
Ona key features
  • Provides a common interface to a number of
    different makes and models of switches.
  • Supports delegation through granular access
    control.
  • Logs all changes
  • Traffic graphs
  • Saves switch configurations to tftp server
  • E-mails a daily summary of changes and diff
    report.
  • IP/MAC search
  • Extensible: if you can think it, you can build
    it or ask me to build it.

6
Some details
  • Approximately 10,000 lines of php
  • Uses net_snmp library (formerly ucd-snmp)
  • Uses snmp primarily, and telnet for some
    functions I could not figure out via snmp.
  • Platform independent
  • Currently hosted on 2.4GHz PC running FreeBSD,
    Apache web server, .htaccess authentication to
    ADS and Nexus.
  • telnet script features written using php socket
    library.
  • Supports Nortel Baystack, Extreme, Cisco
    2900/3500, Cisco 2950/3550, Avaya AP. Limited
    support for Cisco 1900 and Enterasys AP.

7
Use at UW
  • Used by Arts, CS, Engineering, Math, Science to
    (help) manage approximately 250 switches and 150
    APs.
  • Most visible use is day to day activities, i.e.
    configure port speed, duplex, vlan, find a
    machine, etc.
  • Behind the scenes, ona saves configs, cvs config,
    graphs traffic, sends alerts upon device
    up/down/reboot, equipment inventory, tracks
    ARP/MAC changes, daily report, etc.

8
End user features
  • Ona has some features for end users
  • Whereami (works on switch port or AP). Shows
    port configuration, traffic graph.
  • Java bandwidth test (complete with java nuances)

9
Intro screen
10
MAC/IP search
  • Ona queries router ARP tables 5 times daily.
  • Queries switch MAC tables 5 times daily. (takes
    30-40 minutes for 250 switches)
  • Queries AP MAC tables every 5 minutes. (30
    seconds for 150 APs)
  • Everything goes in the database forever. And
    everything is logged.
  • Search tools consult the database (i.e. not real
    time search of device MAC tables)
  • Button for real time update of the MAC table from
    a switch or AP (one at a time only).
  • Real time AP MAC search
  • Future smartsearch will track down a MAC from a
    starting point using some cleverness to avoid
    searching all switches.

11
Search tool
12
History part of search tool
13
Traffic Graphs
  • Maintained on all ports with rrdtool, 5 minute
    interval.
  • Also track number of wireless users on each AP,
    and total for APs for each orgunit.
  • Real time graphs. Port or switch, 10 second
    update. Useful for getting a snapshot of
    activity.
  • TopPorts button shows busiest ports in last 20
    seconds.

14
Port graphs (5 graphs of various intervals)
15
Switch configurations
  • Switch configs saved to tftp server each night
  • Can be pushed to alternate tftp or ftp servers as
    well
  • Can create a tarball of configs for automated
    download to a network admin's laptop (instructions
    included for cygwin procedure and scheduled
    tasks). Who gets what is configurable.
  • Difference from yesterday's config is e-mailed in
    the daily report (minus sensitive information)

16
Switch config view
17
CVS
  • Switch configurations stored in cvs server (plain
    text configs only)
  • Makes for easy comparison between arbitrary
    dates, going back to an old version.
  • Two cvs trees. One with real configs, one with
    configs minus sensitive info (passwords etc).
    Latter available via cvsweb to ona admins.
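
The "minus sensitive information" diff and the second, sanitized cvs tree, sketched as an added example (not code from the ona package). The Cisco IOS-style patterns and both sample configs are constructed assumptions, since the slides only say "passwords etc"; the secret_changes() helper goes beyond the slides by reporting that a secret changed without showing it.

```python
import difflib
import re

# Assumed secret-bearing line shapes: (prefix)(secret)(rest).
SECRET_PATTERNS = [
    re.compile(r"^(\s*enable (?:secret|password) (?:\d+ )?)(\S+)(.*)$"),
    re.compile(r"^(\s*snmp-server community )(\S+)(.*)$"),
    re.compile(r"^(\s*(?:username \S+ )?password (?:\d+ )?)(\S+)(.*)$"),
]

def sanitize(config_text):
    """Return the config as lines with every matched secret replaced."""
    out = []
    for line in config_text.splitlines():
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m:
                line = m.group(1) + "<removed>" + m.group(3)
                break
        out.append(line)
    return out

def daily_diff(old, new):
    """Unified diff computed only over sanitized text, safe to e-mail."""
    return list(difflib.unified_diff(sanitize(old), sanitize(new),
                                     "yesterday", "today", lineterm=""))

def secret_changes(old, new):
    """Sanitized form of secret lines that are new or changed since `old`.
    Without this, a changed password is invisible in the sanitized diff."""
    old_raw = set(old.splitlines())
    return [clean for raw, clean in zip(new.splitlines(), sanitize(new))
            if raw != clean and raw not in old_raw]

# Constructed sample configs (not from any real device).
OLD = """hostname mc-sw1
enable secret 5 $1$constructed$oldhash
snmp-server community oldcommunity RO
interface FastEthernet0/1
 switchport access vlan 10
"""
NEW = OLD.replace("oldhash", "newhash").replace("vlan 10", "vlan 20")

if __name__ == "__main__":
    print("\n".join(daily_diff(OLD, NEW)))
    print("secrets changed:", secret_changes(OLD, NEW))
```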

18
Cvsweb diff between versions
19
Daily report
  • Admin changes
  • Port changes
  • Diff report
  • Summary of alerts
  • Sent to relevant ona users only. I.e. Math guys
    don't get Arts report.

20
Daily report
21
telnet feature
  • Separately enabled
  • Allows batch telnet commands to devices which
    support a command line interface
  • After a telnet command is issued, switch can be
    optionally Synced, next time someone accesses
    it.
  • Option to send telnet commands in daily report or
    not, and to trigger saving the config.

22
telnet window
23
Vlan conversion tool (part of telnet window if
Cisco switch and all ports on vlan 1)
24
Access control
  • Done through groups
  • Each admin and device has a primary group.
  • Admins and devices can be added to further
    groups.
  • Ports can be added to groups
  • Vlans are members of groups.
  • To edit a port, an admin must have a group in
    common with the port or switch.
  • Use of regular expressions simplifies listing
    which switches are in which groups.
  • To put a port on a vlan, the admin must have a
    group in common with that vlan.
  • To edit a trunk, an admin must not have
    denytrunkchanges setting, and must have
    permission on all vlans on the trunk.
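
The group rules on this slide, written out as an added example (a model of the rules, not ona's own PHP). The group names, regex patterns, vlan numbers and the class and function names are assumptions; treating a trunk edit as also requiring port-edit permission is an assumption too.

```python
import re
from dataclasses import dataclass, field

# Constructed sample policy; groups, patterns and vlan numbers are assumptions.
SWITCH_GROUP_PATTERNS = {r"^mc-": "math", r"^eng-": "eng"}  # regex on ipname -> group
VLAN_GROUPS = {10: {"math"}, 20: {"eng"}, 30: {"math", "eng"}}

@dataclass
class Admin:
    name: str
    groups: set                      # primary group plus any further groups
    denytrunkchanges: bool = False

@dataclass
class Switch:
    ipname: str
    groups: set = field(default_factory=set)
    port_groups: dict = field(default_factory=dict)  # portname -> groups

def switch_groups(sw):
    """Explicit groups plus every group whose regex matches the ipname."""
    matched = {g for pat, g in SWITCH_GROUP_PATTERNS.items()
               if re.search(pat, sw.ipname)}
    return sw.groups | matched

def can_edit_port(admin, sw, port):
    # A group in common with the port or with the switch is enough.
    scope = switch_groups(sw) | sw.port_groups.get(port, set())
    return bool(admin.groups & scope)

def can_set_vlan(admin, sw, port, vlan):
    # Unknown vlans have no groups, so the check fails closed.
    return (can_edit_port(admin, sw, port)
            and bool(admin.groups & VLAN_GROUPS.get(vlan, set())))

def can_edit_trunk(admin, sw, port, trunk_vlans):
    # denytrunkchanges overrides everything else.
    if admin.denytrunkchanges:
        return False
    if not can_edit_port(admin, sw, port):
        return False
    # Permission is needed on every vlan carried by the trunk.
    return all(admin.groups & VLAN_GROUPS.get(v, set()) for v in trunk_vlans)
```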

25
Device groups window
26
More access control
  • All tools (buttons) can be selectively disabled,
    or all disabled and some selectively re-enabled.
  • The ability to set port settings can be similarly
    restricted.
  • For example, can give permission to Search only,
    and disable/enable port only.

27
Administrative interface
  • Typically one ona user per faculty is an ona
    administrator.
  • They can add switches, users, configure
    permissions.
  • Cannot delete other admins, or create more
    admins, depending on settings.

28
Admin interface
29
Admins table (note systemadmin setting)
30
Adding a device
  • Add ipname, make, devicetype (switch, router or
    ap), telnet and snmp passwords.
  • The passwords are encrypted in the ona database
  • First attempt to access newly added device will
    force a Sync.

31
Device add window
32
Few other odds and ends
  • When a port is disabled, an optional message can
    be entered which is sent to the DNS contact,
    admin.
  • When a vlan is created, it is named based on UW
    convention.
  • Comment field for each port (stored in database,
    not the same as port description)
  • Configuration translator

33
Configuration translator (converts port settings
between vendors)
34
See ?
35
Main Screen (note sort buttons)
36
Sorted by version (example)
37
Switch Screen example 1
38
Printable version
39
Some buttons
  • Sync: pull config from switch into ona (done
    daily automatically)
  • Freshen: pull port states only (happens
    automatically if over an hour since last time)
  • Save: save settings to NVRAM (ona does this
    automatically if changes are made and not saved,
    once per day)
  • UpdateMacs: pull MAC table (done 5 times daily
    automatically, typically)

40
Switch screen example 2 (note trunks)
41
Showing MACs on a trunk (note show naa users
button)
42
Ping tool
43
TopPorts tool
44
Alerts (e-mailed also)
45
Showing changes on a switch
46
Port edit screen (note save now vs. later)
47
Port edit screen (trunk)
48
Access Point view (note 1 AP down). Users column
is MACs seen in last 24 hours
49
Usage graphs part of AP view
50
Single AP view
51
Showing users on an AP
52
telnet command on multiple APs
53
Preferences window (note Mail me changes field)
54
Where am I ? (wired)
55
Where am I ? (wireless) (note update button)
56
Java Bandwidth test (to endpoint in Eng) (well, I
ran this from home)
57
To have an unsupported device added to ona
  • You figure out all the snmp, and test it with the
    command line net-snmp tools.
  • I will write the code. (or you can if you'd
    prefer)
  • Look at nortel.php in the ona package as an
    example of what you need to figure out. You
    don't need to write the code, just figure out the
    logic and oids. Functionality needed is
  • function set_nortel_port_tagged_vlans_via_snmp( d, portname, olduntaggedvlan,
    function set_nortel_port_untagged_vlan_via_snmp( d, portname, oldvlan, vlan,
    function adjust_nortel_vlan_members( d, vlan, remove_this_port, add_this_port)
    function set_nortel_port_trunkmode_via_snmp( d, portname, trunkmode,
    function get_nortel_vlan_configuration_via_snmp( d, signature )
    function get_nortel_port_speeds_and_duplexes_via_snmp( d, signature )
    function set_nortel_port_speed_duplex_via_snmp( d, portname, speed, duplex )
    function get_nortel_model_and_version_via_snmp( d )
    function nortel_telnet_login( d, contin )
    function nortel_telnet_logout()
    function create_nortel_vlan_if_needed( d, vlan )

58
Future ideas
  • SmartSearch (as mentioned earlier)
  • Network topology diagram. Should be doable as
    ona knows MAC addresses of all switches and which
    trunks they are on.
  • syslog integration