© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
What's new in Network Node Manager and Network Management Smart Plug-Ins
Telco Operations
Operations Support Systems
HP Software
Universe
June 18-22, 2007 | The Venetian | Las Vegas, Nevada
What's new in Network Node Manager and Network Management Smart Plug-Ins
Fred F. Shad, Software Technology Solutions Group
6 August 2007
About the presenter
• Software Technology Solutions Group
• Support, design and implementation for management solutions
• Working with network and telecom system management for 22 years; with Hewlett-Packard for 16 years
• Technical lead engineer for network management applications in the support and services organization
• Fields of study: computer science and microelectronics
Agenda
• What's new in Network Node Manager
• Advanced Routing SPI
• Event Classifier Correlator
• MPLS/VPN SPI functionality and OVPI report pack integration
• LAN/WAN Edge functionality and OVPI report pack integration
• RAMS integration module and RAMS reporting
• SNMPv3 SPI and Secure Polling Agent
What's new in Network Node Manager
• NNM Advanced Edition (AE) and Starter Edition (SE)
• Runs on the HP-UX, Solaris, Windows and Linux operating systems
• Active Problem Analyzer (APA) major enhancements
• Handling of overlapping IP address domains from a single management station, with full support for HSRP, VRRP and MPLS discovery and layout
• Adjacent device failure analysis and correlation
• Inclusion of problem diagnosis capabilities and smart path
• Many Extended Topology discovery and layout enhancements
• Multiple Dynamic Views enhancements (e.g. containers, topology filter, node view ET filtering, security (NIAP certification))
• Event subsystem major enhancements (ECS/Composer/pmd and ovtrapd)
NNM v7.5 AE key benefits for telecom consumers
• Root cause analysis and event correlation
• L2/L3 discovery and layout
• Overlapping address domain management (a.k.a. NAT management)
• Device board/port aggregation and address-level support with APA
• Active Problem Analyzer (APA)
• VLAN, HSRP, VRRP, OSPF and IPv6 discovery and layout
• Integration with the MPLS/VPN, LAN/WAN Edge, IPT (e.g. Avaya and Cisco), SNMPv3 and Secure Polling Smart Plug-ins
• Route Analytics Management System (RAMS) integration module
• OVPI integration module
• Cisco Event Classifier SPI
Key benefits (cont.)
• Integrations, e.g.:
− OVO/U and OVO/W
− HP Multicast SPI
− CiscoWorks
− HP Dashboard
− See the Network Node Manager Release Notes for more information
High-level architecture of NNM Advanced Edition
[Architecture diagram. Components shown: Managed Networks; traps received by ovtrapd; syslog messages received by the syslog agent; the event pipeline pmd/ecs and Composer; L3 discovery and L2/VLAN/HSRP discovery (ovet_disco); HSRP, duplicate-IP, L2 and L3 polling (ovet_poll, netmon); the NNM databases; and the user interfaces Dynamic Views, the legacy ovw UI and the Java Alarm Browser.]
NNM AE Extended Topology L2 view
Now we see the connections down to the port level (physical view).
Technical tools and materials
• http://partners.openview.hp.com (channel partners)
− Search demos & evaluations: evaluation kits, demos
− Search sales tool central, technical white papers: migration guides, performance & configuration guides
− Search sales tool central, technical sales guides: technical sales guides
− Search pricing & configuration, product support matrices: OV support matrix, ET device support matrix
• http://openview.hp.com
− Search information library: product manuals, whitepapers
Network management solution Smart Plug-ins (SPIs) for telecom consumers
• Dramatically increase the size of the total managed environment
• Reduce the number of distributed systems required to manage large environments
• New product structure (Starter Edition and Advanced Edition) to support cost-effective licensing, installation, support and maintenance (e.g., upgrading, version control)
• Dramatically reduce TCO
• Optimize use of existing management resources and investments
Network services management solutions
• Network Smart Plug-ins provide unique out-of-the-box management for popular network infrastructure services. The Network Management Smart Plug-ins include discovery, monitoring, root-cause analysis, performance optimization and forecasting.
− Network Management Smart Plug-in for IP Telephony
− Network Management Smart Plug-in for MPLS VPN
− Network Management Smart Plug-in for LAN/WAN Edge
− Network Node Manager Smart Plug-in for Advanced Routing (HSRP, VRRP, OSPF, IPv6)
− SNMPv3 and Secure Polling Agent
− Network Node Manager Integration Module with RAMS and OVPI (Report Pack)
• Network services management: out-of-the-box management for specific network protocols and services through Network Management Smart Plug-ins (SPIs)

Network Node Manager v7.5 Advanced Routing SPI
Advanced Routing SPI overview
• The Network Node Manager v7.5 Advanced Edition Extended Topology discovery subsystem discovers and lays out L2 and L3 device connectivity information that you can use to diagnose network problems. The Advanced Routing SPI enhances Extended Topology by providing protocol-based discovery for HSRP, VRRP, OSPF and IPv6 appliances in the Extended Topology managed domain.
• The AR SPI provides information about interconnections for HSRP, VRRP, OSPF and IPv6
• The AR SPI discovers and displays (in the Dynamic Views user interface) HSRP, VRRP, OSPF and IPv6 information from managed devices
• The AR SPI monitors multiple network domains that contain overlapping addresses from the private Internet address space (Overlapping Address Domains, OAD), as well as HSRP, VRRP and local OSPF and IPv6 domains
Advanced Routing SPI requirements
• Network Node Manager v7.5 Advanced Edition with the Extended Topology subsystem enabled
• For IPv6 discovery and layout, the Network Node Manager v7.5 Advanced Edition management station with the Extended Topology subsystem enabled must be dual stacked (IPv6 and IPv4)
• Support for the specific protocol-based MIBs is required (see MIB Support in the User Guides) to discover and monitor protocol-based managed devices
Advanced Routing SPI requirements (cont.)
• SNMP access to the managed devices
• OSPF (a.k.a. OSPF Basic) discovery and layout must be initiated manually or via automated code. OSPF discovery and layout is not part of the Extended Topology discovery process (ovet_disco) and does not use the Extended Topology data store (ETTopoDB).
• OSPF discovery requires manual configuration of the OSPF areas
• The OSPF database is a stand-alone database (flat files) and is not part of the ETTopoDB or NNMTopoDB
• If the RAMS Integration Module is loaded, the OSPF Basic discovery and layout functionality is automatically disabled.
Advanced Routing SPI requirements (cont.)
• IPv6 discovery requires manual configuration of the IPv6 appliances
• IPv6 routers must be dual stacked (IPv6 and IPv4) for accurate discovery and monitoring of IPv6 devices
• The name resolver should be properly configured
• The Active Problem Analyzer (ovet_poll) must be running to monitor HSRP and VRRP network appliances
• Verify operating system support, patching and release requirements in the product release notes.
Enabling the AR SPIs
• The Advanced Routing SPI code is part of the Network Node Manager v7.5 media and is installed during the Network Node Manager v7.5 installation. It is important to note that even though the Advanced Routing SPI code is installed, it is not activated.
• Users must activate the AR SPI code during the Extended Topology subsystem setup (controlled by the setupExtTopo.ovpl script)
Enabling the AR SPIs (cont.)
• During Network Node Manager Advanced Edition setup the user is informed that "..you should have a valid Advanced Routing license..". If the user has an LTU for the AR SPI, s/he can select Yes and the AR SPI functionality will be enabled automatically.
• To disable the AR SPI functionality, re-run setupExtTopo.ovpl and select No to the "..you should have a valid Advanced Routing license.." statement.
• The same procedure applies to protocol-based discovery for HSRP, VRRP and IPv6, but not to OSPF

Event Classifier Correlator Smart Plug-In
NNM Event Classifier Correlator (ECC) overview (Advanced or Starter Edition)
• The Event Classifier Correlator is a value-add (free) software component for HP OpenView Network Node Manager.
• The Event Classifier Correlator works with both NNM Advanced Edition and NNM Starter Edition.
• The Event Classifier Correlator correlates traps from devices into higher-level NNM alarms, greatly reducing the number of alarms an operator must consider in the NNM alarm browser.
• The Event Classifier Correlator correlates traps from Cisco devices only.
• The Event Classifier Correlator classifies traps into one of the pre-defined categories of the NNM alarm browser, which enables users to find the important traps more quickly.
ECC overview (cont.)
• For Cisco traps, there are eight pre-defined categories, which are based on the exception groups defined in Cisco Device Fault Manager (DFM)
• When an identical classifier alarm is generated, NNM and the Event Classifier Correlator use de-duplication to nest the duplicate alarm beneath the most recent alarm. By reducing the quantity of alarms displayed in the alarm browser, you can easily identify the most important alarms
• For this release, no Cisco traps are configured for the OV Backplane Utilization Exception Event or OV Resource Exception Event categories.
Event classifications
• Traps are classified and correlated into one of eight event classifications or categories. These pre-defined categories correspond to the exception groups in Cisco Device Fault Manager (DFM). The following list contains the types of alarms that can be generated and forwarded to the NNM alarm browser.
− OV Backplane Utilization Exception Event (OID .1.3.6.1.4.1.11.2.17.1.60001001)
− OV Error Exception Event (OID .1.3.6.1.4.1.11.2.17.1.60001002)
− OV Operational Exception Event (OID .1.3.6.1.4.1.11.2.17.1.60001003)
− OV Performance Exception Event (OID .1.3.6.1.4.1.11.2.17.1.60001004)
− OV Power Supply Exception Event (OID .1.3.6.1.4.1.11.2.17.1.60001005)
− OV Resource Exception Event (OID .1.3.6.1.4.1.11.2.17.1.60001006)
− OV Temperature Exception Event (OID .1.3.6.1.4.1.11.2.17.1.60001007)
− OV Unclassified Event (OID .1.3.6.1.4.1.11.2.17.1.60001008)
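The classify-then-nest behaviour described in the two slides above (categorisation into the eight categories, and de-duplication of identical alarms beneath the most recent one), carried through as an added example. This is not code from the deck or from HP's ECC; the eight category OIDs are the ones listed above, while the trap-to-category mapping (TRAP_TO_CATEGORY), the node names and the trap records are constructed for illustration and do not reproduce the real ECC/DFM configuration.

```python
"""Classifier-style trap categorisation and duplicate nesting (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The eight classifier categories and their OIDs, as listed on the slide.
CATEGORIES = {
    ".1.3.6.1.4.1.11.2.17.1.60001001": "OV Backplane Utilization Exception Event",
    ".1.3.6.1.4.1.11.2.17.1.60001002": "OV Error Exception Event",
    ".1.3.6.1.4.1.11.2.17.1.60001003": "OV Operational Exception Event",
    ".1.3.6.1.4.1.11.2.17.1.60001004": "OV Performance Exception Event",
    ".1.3.6.1.4.1.11.2.17.1.60001005": "OV Power Supply Exception Event",
    ".1.3.6.1.4.1.11.2.17.1.60001006": "OV Resource Exception Event",
    ".1.3.6.1.4.1.11.2.17.1.60001007": "OV Temperature Exception Event",
    ".1.3.6.1.4.1.11.2.17.1.60001008": "OV Unclassified Event",
}
UNCLASSIFIED = ".1.3.6.1.4.1.11.2.17.1.60001008"

# ASSUMPTION: a hypothetical trap-to-category mapping for illustration only.
# linkDown and authenticationFailure are the standard generic trap OIDs; the
# categories chosen for them are not taken from the ECC configuration.
TRAP_TO_CATEGORY = {
    ".1.3.6.1.6.3.1.1.5.3": ".1.3.6.1.4.1.11.2.17.1.60001003",  # linkDown -> Operational
    ".1.3.6.1.6.3.1.1.5.5": ".1.3.6.1.4.1.11.2.17.1.60001002",  # authenticationFailure -> Error
}


@dataclass(eq=False)
class Alarm:
    time: int
    node: str
    category: str
    text: str
    duplicates: List["Alarm"] = field(default_factory=list)  # nested copies, most recent first

    @property
    def key(self) -> Tuple[str, str, str]:
        """Two alarms are 'identical classifier alarms' when node, category and text match."""
        return (self.node, self.category, self.text)


def classify(trap_oid: str) -> str:
    """Map a trap OID to a classifier category; unknown traps land in OV Unclassified Event."""
    return TRAP_TO_CATEGORY.get(trap_oid, UNCLASSIFIED)


def correlate(traps: List[Tuple[int, str, str, str]]) -> List[Alarm]:
    """Return the alarms an operator sees at the top level of the browser.

    Identical alarms are de-duplicated: the most recent copy stays visible and
    every earlier copy (with its own nested history) is nested beneath it.
    """
    visible: Dict[Tuple[str, str, str], Alarm] = {}  # key -> alarm shown at top level
    top: List[Alarm] = []
    for time, node, trap_oid, text in traps:
        alarm = Alarm(time, node, classify(trap_oid), text)
        previous = visible.get(alarm.key)
        if previous is None:
            top.append(alarm)
        else:
            # Newest copy takes the previous one's slot; older copies hang beneath it.
            alarm.duplicates = [previous] + previous.duplicates
            previous.duplicates = []
            top[top.index(previous)] = alarm
        visible[alarm.key] = alarm
    return top


def summary(top: List[Alarm]) -> Tuple[int, int]:
    """(alarms displayed, traps received): the reduction the operator benefits from."""
    received = sum(1 + len(a.duplicates) for a in top)
    return len(top), received


# Constructed sample input: (time, node, trap OID, alarm text); not real device output.
SAMPLE_TRAPS = [
    (1, "core-sw1", ".1.3.6.1.6.3.1.1.5.3", "Interface Gi1/1 down"),
    (2, "core-sw1", ".1.3.6.1.6.3.1.1.5.3", "Interface Gi1/1 down"),
    (3, "edge-rtr2", ".1.3.6.1.6.3.1.1.5.5", "SNMP authentication failure"),
    (4, "core-sw1", ".1.3.6.1.6.3.1.1.5.3", "Interface Gi1/1 down"),
    (5, "edge-rtr2", ".1.3.6.1.4.1.9.9.0.0", "unmapped enterprise trap"),  # hypothetical OID
]

if __name__ == "__main__":
    for alarm in correlate(SAMPLE_TRAPS):
        print(f"{alarm.node:10} {CATEGORIES[alarm.category]:40} x{1 + len(alarm.duplicates)}")
```

Running it shows three top-level alarms for five traps: the repeated linkDown from core-sw1 is displayed once (the time-4 copy) with the two earlier copies nested beneath it, and the trap with no mapping falls into OV Unclassified Event rather than being dropped.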
ECC SPI requirements
• Network Node Manager v7.5 Advanced Edition with the Extended Topology subsystem enabled, or
• Network Node Manager v7.5 Starter Edition
• SNMP access to the Cisco managed devices is highly recommended (not a must)
• A working name resolver is highly recommended (not a must)
• Reporting and Network Solutions (RNS) media for NNM v7.50 and lower
• Network Solutions media (June 2006) or later for NNM v7.51 and higher
• Proper Cisco trap configuration

MPLS/VPN Management Solution for Network Node Manager v7.5 Advanced Edition
MPLS and VPN together
• The technologies are distinct and complementary
− MPLS is usually installed to support IP VPNs
• Virtual private network
− Allocated internal router interfaces that separate customer traffic and keep customers isolated from each other.
− Makes it possible to manage multiple customers securely over a shared core network
• Multiprotocol Label Switching
− Allows reliable, secure transport of legacy payloads with minimum packet handling in the core network. (The security here is traffic separation in the forwarding plane; MPLS itself does not encrypt payloads crossing the core.)
− Label Switching Routers (LSRs) determine optimum local routes and manage forwarding using Layer 2 protocol techniques.
[Figure: MPLS VPN topology. Customer A sites 1, 2 and 3 (CE-A1, CE-A2, CE-A3) and Customer B sites 1 and 2 (CE-B1, CE-B2) connect to provider edge routers PE-1 to PE-4 of the VPN network; Customer A's sites form Customer A's VPNs.]
MPLS VPN SPI for NNM AE overview
• Integrates with NNM Advanced Edition 7.5
• Discovers VPN network configurations and relationships
• Adds two new categories to the NNM alarm browser:
− MPLS VPN, for status and connectivity alarms
− MPLS VPN Performance, for threshold breaches (optional)
• Monitors the MPLS VPN PE routers within the service provider network
MPLS VPN SPI for NNM AE overview (cont.)
• Monitors the CE routers that connect to the PE routers
• Enriches events to show the effect on one or more VPNs
− Node Down, IF Down, Address Down, Connection Down
• Clears the enriched event using pair-wise correlation
• Provides automated reachability test configuration for the Cisco SAA ICMP echo request test and reports status in the VPN views
• Displays MPLS VPN views in the Dynamic Views user interface
MPLS VPN OVPI Report Pack overview
• Focuses on MPLS-enabled networks that support large-scale site-to-site VPNs.
• The fundamental reporting component is the device-level logical interface.
− The interface can be MPLS-enabled, or it can be configured as one of many VPN endpoints, known as VRFs.
• The package contains 27 reports in the following folders:
− Admin (3)
− Devices (3)
− Interfaces (11)
− VPNs (6)
− VRFs (4)
MPLS VPN Report Pack features
• Reporting solution that monitors, reports, and alarms on MPLS-based networks delivering VPN services
• Understands VPN/VRF configurations and relationships
− Via OVPI auto-discovery or synchronization with NNM
• Identify VPN endpoints on the network that are generating errors
• Identify VRFs that are not (or only partially) functioning
• Understand VRF-associated interface relationships
• Rank VPNs based on historical utilization
• Group VPN interfaces into logical VPN entities for SLR
• Apply service-level metrics to VPNs and VRFs
• Generate exception traps when thresholds are breached
• Understand label usage and lookup failures
Overview of solution operation
[Figure: NNM (MPLS SPI with SAA test) and OVPI (MPLS, CAR, SAA, IR and DR report packs) both poll the MPLS network. NNM performs VPN discovery and raises enriched VPN events; SAA traps and OVPI threshold forwarding flow into NNM; reports are cross-launched from NNM into OVPI.]
MPLS VPN SPI: what does it do?
• Discovers the MPLS VPN network layout
• Maintains status information about these elements:
− Edge nodes
− Edge node interfaces
− Connectivity within the MPLS VPN cloud
• When status is down, helps answer the questions:
− Who is impacted?
− What is the impact on the customer's service availability?
− What is the priority of this failure?
− Are customers experiencing a service impact?
• Identifies the VPNs and VRFs that are impacted
MPLS VPN views
• MPLS VPN inventory (Home Base)
• MPLS VPN router inventory
• VPN Details, table view
• VPN Details, graph view
• VRF Details view
• PE Details view

MPLS VPN Solution OVPI Report Pack
MPLS VPN and OVPI Report Pack
• Report Pack first released in January 2003
• Cross-product integration efforts continue with enhancements to the MPLS VPN SPI OVPI integration:
− Topology discovery
− Automated SAA test configuration
MPLS VPN and OVPI Report Pack (cont.)
• Two distinct technologies: MPLS and VPN
• MPLS is often installed to support VPNs
• Customers are confused between MPLS, VPNs, QoS and service assurance
• We are selling a composite "solution", one part of which is PI MPLS VPN reporting. Other parts include:
− SAA reporting
− QoS reporting (CAR and IPStat) and in the future CB-QoS
− NNM, for network management
− ECS, for advanced event correlation
MPLS VPN Report Pack: customer added value
• Identify VPN endpoints on the network that are generating errors
• Identify VRFs that are not (or only partially) functioning
• Understand VRF-associated interface relationships
• Rank VPNs based on historical utilization
• Group VPN interfaces into logical VPN entities for SLR
• Apply service-level metrics to VPNs and VRFs
• Generate exception traps when thresholds are breached
• Auto-discover VPN/VRF configurations and relationships
• Understand label usage and lookup failures
MPLS VPN OVPI reports
• Requires the MPLS VPN MIB
− Available on IOS 12.2(10)T or later
− Also on Juniper systems
• Works with Interface Reporting
− Re-indexing
− Directed instance polling
− Leverages polled interface stats
− Inherits property and customer information
• Large number of reports
• Integrated with the thresholds package
− Traps to NNM/OVO
− Remote report launching
• Very compelling solution for MPLS VPN providers
− Largely "invisible" technology
− New technology means few solutions in the marketplace
MPLS VPN OVPI reports (cont.)
• At the device level
− Recent MPLS activity
− Recent VPN activity
− Recent VPN route activity
• At the MIB-II interface level
− Availability and response-time reports for VPN and MPLS interfaces
− Unreachable MPLS and VPN interfaces
− Near-real-time reports for MPLS and VPN interfaces
− Exception reports
− Grade-of-service reports
− Top-10 volume of MPLS and VPN interfaces
MPLS VPN OVPI reports (cont.)
• VPN
− Route activity
− Top-10 and bottom-10 interface availability per VPN
− Traffic and exception counts per VPN
− Exception hot spots across all VPNs
− Executive summary of historical VPN activity across VPNs
• VRF
− Current operational status
− Historical utilization
− Recent operational status
− Recent utilization
MPLS VPN Report Pack: information provided
• Reports include
− Active interfaces
− Associated interfaces
− Availability
− Discard rate
− Error rate
− Discard rate threshold violations
− Error rate threshold violations
− Response time
− Route activity
− Label security violations
− Utilization
− Utilization threshold violations
• Provisioned information includes
− Customer id
− Location
• SLAs for VPNs
− Response time for VPN component interfaces
− Operational availability of VPN component interfaces

LAN/WAN Edge Solution (a.k.a. Frame Relay SPI)
LAN/WAN Edge SPI for NNM: what does it do?
• The LAN/WAN Edge SPI detects and reports problems with frame relay virtual connections.
• It performs root cause analysis to distinguish between failures within the provider network and failures within the local edge router.
• Enriched alarms are sent to the Frame Relay Alarms category of the NNM alarm browser
LAN/WAN Edge SPI event messages
• Example alarm text:
− Frame Relay: Local PVC problem due to LMI failure.
− ifIndex=3 ((40, 1), (42, 3)) connect to Cisco4k1-S0.1
Frame Relay OVPI solution
• Reports in the Frame Relay Report Pack display performance information for frame relay switches and edge devices.
• Use these reports to deal with the following issues:
− Which locations are experiencing service degradation due to network congestion?
− Which PVCs or ports are overloaded? Are there underutilized PVCs or ports that could handle more traffic?
− What are the traffic patterns on the network?
Frame Relay Report Pack benefits
• Port and PVC reports
• Utilization, discards and errors
• Capacity planning
• Congestion
• FECN and BECN reporting
• Monthly and daily reports
• Near real time
• Multiple data pipes
− RFC 1315
− Wellfleet (Bay/Nortel)
− Stratacom (Cisco WAN)
− Newbridge (Alcatel)
− Ascend (Lucent)
Change PVC configuration
• Enter description, CIR, PVC id, location, customer, and thresholds for FECN, BECN and DE.
• An incorrect CIR is shown in red

OpenView Route Analytics Management System (RAMS) and Network Node Manager Integration Module (IM)
Route analytics: a new technique to manage modern IP networks
• Management by network service instead of network element
− Understand the dynamics of the network as it provides the intended services to its members
− Most accurate and authoritative view of how the current routed network is operating
• Management at the speed of the network, from inside the network
− Issues detected in real time by a passive router, no polling required
− Faster root cause analysis (RCA) and isolation of service-affecting problems
• New ability to manage the routing protocol layer
− This is the service layer
− IS-IS, OSPF, EIGRP, BGP visualization, monitoring, diagnosis
− Intelligently diagnose the problem
[Figure: an HP OV RAMS appliance holds IGP routing adjacencies into AS 1 (OSPF), AS 2 (IS-IS) and AS 3 (OSPF) and a BGP routing adjacency with a route reflector.]
• Complete concurrent monitoring of multiple routing protocols (OSPF, IS-IS, BGP, EIGRP)
• A single appliance can monitor multi-AS networks
• Provides routing-protocol-specific or network-wide viewing and analysis
NNM/RAMS integration module
[Figure: RAMS and NNM AE are linked by syslog, SNMP traps, events, reports, XML database queries and RAMS GUI launch.]
Use case: direct OSPF adjacency loss
• Upon link failure, RAMS generates an adjacency lost event
• NNM AE receives this event and either:
− correlates it beneath a physical layer 2 failure, or
− the Active Problem Analyzer (APA) does on-demand polling at the area of the failure
Samples of RAMS protocols
• Interior Gateway Protocols (IGP): OSPF, IS-IS, EIGRP
• Exterior Gateway Protocols (EGP): BGP
RAMS specific events
[Figure: RAMS forwards syslog, SNMP traps and events to NNM AE. Note: new Route Analytics Alarms category on Home Base.]
• Types of events generated include
− Route flaps
− Excessive routing events
− Router adjacency loss
− Router config errors
− Route prefix availability
− Route prefix origination change
− Route prefix flood/drought
− Route redundancy changes
− BGP routing instabilities
− Rerouting for metric-sensitive services such as VoIP
RAMS Path History View
• A view dedicated to visualizing IGP path data
− A path from a router to any IP address can be viewed at different points in time
• Similar to the existing path view, but specifically tied to routing protocol data
− Source node must be an OSPF router ID
− Destination is any routable IP address
− Path shown is based on the base time specified
RAMS GUI: unified view of the routed network in real time
• As changes are detected in the network, the topology map is instantly updated
• Detailed data can be easily accessed
− link status, link metrics, new prefixes
• A specific source and destination can be highlighted to view the active route between routers
RAMS GUI: solves new classes of problems
• Playback of route changes
• Forensic analysis of intermittent routing problems
• Time-series correlation (e.g. MRTG)
• Validate redundancy of network routes
• What-if analysis of the operational network
Comprehensive reports
• Predefined reports provide detailed routing activity data and higher-level trend information; examples:
− Flapping links
− Link metric changes
− New prefixes and routers
• Web-based reports can be generated for any time period recorded in the database
NNM/RAMS integration event configuration
• The following RAMS events must be configured via NNM ET RAMS cfg in order to receive them:
− Adjacency Lost Event
− Route Flap Event
• A watch list must be specified for:
− Prefix Origination Change
− Prefix Flap
RAMS benefits summary
• Increase network availability
− Isolate problems (layer 2 and layer 3) to the relevant network segments, in real time and historically
− Manage a new class of problems in the routed network, undetectable by today's traditional SNMP-based systems
• Optimize network performance
− Monitor/alert on end-to-end changes of key routes/routers (VoIP, top customers, etc.)
− Identify route instabilities that go undetected but impact services
• Reduce operating costs
− Dramatically reduce the time spent in fault isolation and root cause analysis; diagnose problems with forensic accuracy
− Speed frequent maintenance tasks by planning changes on the "as running" network and quickly validating operational results
− Increase productivity of the network engineering team; reduce problem escalations and handle them more quickly
− Improve processes between network design and engineering
RAMS technical tools
• http://partners.openview.hp.com (channel)
− Search demos & evaluations: eval kits, demos
− Search sales tool central, technical white papers: migration guides, perf & cfg guides
− Search sales tool central, technical sales guides: technical sales guides
− Search pricing & configuration, product support matrices: OV support matrix, NNM ET device support matrix
• http://openview.hp.com (customer)
− Search information library: product manuals, whitepapers

SPI for SNMPv3 & Secure Polling Agent
SNMP in one slide
• Common organization structure for management information (SMI)
• One naming space for all management "objects" (MIB)
• Communications protocol (SNMP)
[Figure: a manager sends Get/Set requests to agents and receives responses and notifications; agents run on networking equipment, servers, PCs and software applications.]
SNMPv1/SNMPv2c: not secure
[Figure: an administrative workstation running HP OV NNM manages devices and systems through a firewall using SNMPv1/v2c traffic, with an attacker positioned on the path.] Community strings and management data travel in cleartext, so anyone who can observe the traffic learns the community string and can read or forge requests with it.
Secure SNMPv3
[Figure: the same deployment, with HP OV NNM plus the NNM SPI for SNMPv3 managing devices and systems through the firewall over SNMPv3 traffic, with the attacker still on the path but unable to make use of the authenticated, and optionally encrypted, messages.]
SNMPv3 includes everything in versions 1 and 2c plus…
• Authentication:
− User-based authentication of messages
− Who is doing the communicating
• Privacy:
− The ability to encrypt management messages
− Protection from disclosure
• Authorization:
− The concept of users
− What operations are allowed (e.g., read, write, notify)
• Access control:
− View-based
− Restriction on what data may be read/written
• Administrative framework to support the above
SNMPv3 typical deployment scenarios for telecom consumers
• A few "user" names are associated with management stations (e.g., ow1, nnmbldg4)
• Authentication used for all communications
• Both authentication and privacy used for sets
• Authentication and privacy used for retrieval of sensitive information (e.g., routing tables)
• SNMP security configuration management is done by:
− Hand: editing or copying over local configuration files
− Security configuration distribution application(s) via SNMPv3 set requests
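A model of the view-based access control from the two slides above (the "Access control" point and the deployment policy of authentication for everything, authentication plus privacy for sets and for routing-table reads), as an added example that is not HP's SPI or agent code. It follows the RFC 3415 VACM shape: a view is a list of included/excluded OID subtrees where the longest matching subtree wins, a group has one access entry per minimum security level, and the entry with the highest level not above the request's level is the one applied. The user names ow1 and nnmbldg4 come from the slide; the group name, the view contents, the example OIDs and the way the policy is encoded are constructed assumptions.

```python
"""VACM-style access check encoding the deployment policy on the slide (added example)."""
from typing import Dict, List, Optional, Tuple

SECURITY_LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

# A view is a list of (subtree OID, included?) entries; the longest matching
# subtree decides, as vacmViewTreeFamilyTable does. Subtree choices are assumptions.
VIEWS: Dict[str, List[Tuple[str, bool]]] = {
    # everything under internet(1) except ipForward (.1.3.6.1.2.1.4.24), the routing table
    "nonsensitive": [(".1.3.6.1", True), (".1.3.6.1.2.1.4.24", False)],
    "everything": [(".1.3.6.1", True)],
}

# group -> [(minimum security level, read view, write view)].
# Slide policy: authentication for all traffic; auth+priv for sets and for
# sensitive data such as routing tables. No entry exists for noAuthNoPriv.
ACCESS: Dict[str, List[Tuple[str, Optional[str], Optional[str]]]] = {
    "nnm-stations": [
        ("authNoPriv", "nonsensitive", None),
        ("authPriv", "everything", "everything"),
    ],
}

# security name -> group (vacmSecurityToGroupTable); user names from the slide.
USERS = {"ow1": "nnm-stations", "nnmbldg4": "nnm-stations"}


def _components(oid: str) -> List[int]:
    return [int(x) for x in oid.strip(".").split(".")]


def in_view(view: List[Tuple[str, bool]], oid: str) -> bool:
    """True if the longest matching subtree entry includes the OID (component-wise match,
    so .1.3.6.1.2.1.4.24 does not match .1.3.6.1.2.1.4.240)."""
    target = _components(oid)
    best_len, included = -1, False
    for subtree, inc in view:
        prefix = _components(subtree)
        if len(prefix) <= len(target) and target[: len(prefix)] == prefix and len(prefix) > best_len:
            best_len, included = len(prefix), inc
    return best_len >= 0 and included


def is_access_allowed(user: str, level: str, operation: str, oid: str) -> bool:
    """RFC 3415 isAccessAllowed, reduced to a single context and get/set operations."""
    group = USERS.get(user)
    if group is None or level not in SECURITY_LEVELS:
        return False
    requested = SECURITY_LEVELS[level]
    usable = [e for e in ACCESS.get(group, []) if SECURITY_LEVELS[e[0]] <= requested]
    if not usable:
        return False  # e.g. an unauthenticated request: no entry at or below that level
    _, read_view, write_view = max(usable, key=lambda e: SECURITY_LEVELS[e[0]])
    view_name = {"get": read_view, "set": write_view}.get(operation)
    return view_name is not None and in_view(VIEWS[view_name], oid)


if __name__ == "__main__":
    checks = [
        ("ow1", "noAuthNoPriv", "get", ".1.3.6.1.2.1.1.1.0"),       # sysDescr, unauthenticated
        ("ow1", "authNoPriv", "get", ".1.3.6.1.2.1.1.1.0"),         # sysDescr, authenticated
        ("ow1", "authNoPriv", "get", ".1.3.6.1.2.1.4.24.4.1.1.0"),  # routing table, no privacy
        ("ow1", "authPriv", "get", ".1.3.6.1.2.1.4.24.4.1.1.0"),    # routing table, with privacy
        ("nnmbldg4", "authNoPriv", "set", ".1.3.6.1.2.1.1.4.0"),    # sysContact set, no privacy
        ("nnmbldg4", "authPriv", "set", ".1.3.6.1.2.1.1.4.0"),      # sysContact set, with privacy
    ]
    for check in checks:
        print(check, "->", is_access_allowed(*check))
```

Two details matter in practice: the absence of any noAuthNoPriv entry is what enforces "authentication for all communications", and the excluded subtree for ipForward is what makes the routing table unreadable without privacy even though the authNoPriv view otherwise covers the whole internet(1) tree.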
Key elements of a complete solution
• Secure agents
• Secure management applications
• Administrative policies
• Configuration management of users, keys, etc.
• Coexistence with legacy systems
Secure agents
• SNMPv3 agents are available on most networking devices
• SNMPv3 agents are available on most open operating systems and embedded real-time operating systems
• For integrated network and system management, smart agents based on SNMPv3 are available
− Support the common SNMPv3 administrative framework
− Network monitoring
− Host resource monitoring
− File system monitoring
− Critical application monitoring
− Log file monitoring
− Service monitoring
Secure management applications
• Network Node Manager with the HP OpenView NNM SPI for SNMPv3
• After initial configuration, NNM functions work transparently:
− MIB browser
− Node polling
− Data collection
• Partner applications which use the NNM SNMP stack will also work transparently
Configuration management issues
• Users, keys, notifications, etc. must be configured on both managers and agents
• Keys are generated from pass-phrases; the pass-phrases themselves are not stored on managed devices
• Keys need to be changed periodically
• Configuration must be updated in a timely manner (e.g., deny rights to a terminated employee)
• Configuration needs to be done remotely from a security management station, using a secure and private method
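The "keys are generated from pass-phrases" step above, carried through as an added example that is not HP's SPI or agent code: the RFC 3414 password-to-key expansion, localization of the key with the agent's snmpEngineID, and the HMAC-96 computation that fills msgAuthenticationParameters, using only the Python standard library. The pass-phrase maplesyrup and the 12-octet engine ID are the RFC 3414 Appendix A test vectors; the message bytes are a constructed placeholder (not a real BER-encoded SNMP message) and the field offset is an assumption for the demonstration.

```python
"""RFC 3414 USM key derivation, localization and HMAC-96 authentication (added example)."""
import hashlib
import hmac

AUTH_PARAM_LEN = 12          # msgAuthenticationParameters is 12 octets for HMAC-MD5-96 / HMAC-SHA-96
EXPANSION_LEN = 1_048_576    # the pass-phrase is cycled out to exactly 1 MiB before hashing
# RFC 3414 Appendix A test vector engine ID (12 octets).
ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: digest of the pass-phrase repeated out to 1,048,576 octets (RFC 3414 A.2)."""
    if not password:
        raise ValueError("empty pass-phrase")
    reps, rem = divmod(EXPANSION_LEN, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the per-agent key, and the only key an agent stores."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def _with_zeroed_params(message: bytes, offset: int) -> bytes:
    return message[:offset] + bytes(AUTH_PARAM_LEN) + message[offset + AUTH_PARAM_LEN:]


def sign_message(kul: bytes, message: bytes, offset: int, hash_name: str = "md5") -> bytes:
    """Fill the 12-octet authentication field at `offset` with HMAC-96 over the whole message.
    Per RFC 3414 the field holds zeros while the MAC is computed."""
    zeroed = _with_zeroed_params(message, offset)
    mac = hmac.new(kul, zeroed, hash_name).digest()[:AUTH_PARAM_LEN]
    return zeroed[:offset] + mac + zeroed[offset + AUTH_PARAM_LEN:]


def verify_message(kul: bytes, message: bytes, offset: int, hash_name: str = "md5") -> bool:
    """Recompute HMAC-96 over the zeroed message and compare in constant time."""
    received = message[offset:offset + AUTH_PARAM_LEN]
    expected = hmac.new(kul, _with_zeroed_params(message, offset), hash_name).digest()[:AUTH_PARAM_LEN]
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    ku = password_to_key(b"maplesyrup")
    kul = localize_key(ku, ENGINE_ID)
    print("Ku  (MD5):", ku.hex())      # 9faf3283884e92834ebc9847d8edd963 per RFC 3414 A.3.1
    print("Kul (MD5):", kul.hex())     # 526f5eed9fcce26f8964c2930787d82b

    # Constructed placeholder message: header, zeroed auth field, scoped PDU bytes.
    offset = 6
    message = b"header" + bytes(AUTH_PARAM_LEN) + b"scoped-pdu"
    signed = sign_message(kul, message, offset)
    print("verify genuine:", verify_message(kul, signed, offset))
    print("verify tampered:", verify_message(kul, signed[:-1] + b"X", offset))
    # A key localized for a different engine ID does not verify this message.
    other = localize_key(ku, bytes.fromhex("000000000000000000000003"))
    print("verify with other engine's key:", verify_message(other, signed, offset))
```

The localization step is why the slide's "pass-phrases not stored on managed devices" holds: an agent only ever holds Kul, which is bound to its own engine ID, so a key lifted from one device's configuration works against that device but not against its neighbours, and the pass-phrase cannot be recovered from it by inverting a hash. The same binding is what makes the periodic key change on the previous slide a per-device redistribution rather than a single update. MD5 and SHA-1 are the RFC 3414 defaults of the era; current agents should prefer the SHA-2 variants of RFC 7860, which use the same derivation with a different hash.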
Coexist with legacy systems
• Some managed systems will not have SNMPv3 agents
• Cannot upgrade all agents at once
• The NNM SPI for SNMPv3 is multi-lingual, so it fully supports a heterogeneous SNMPv1/SNMPv2c/SNMPv3 agent environment
− Old agent, old packet, old rules, old response
− New agent, new packet, new rules, new response
• Properly handles SNMPv1 traps
• Properly handles SNMPv2c traps and informs
Questions?