Freebsd.OpenNetworkAdministrator r1.53 - 18 Nov 2009 - 13:09 - BruceCampbell

Open Network Administrator

Overview

Open Network Administrator (ONA) is a web-based network management tool written in PHP. Administrators interact with ONA over the web, while the server-side PHP program interacts with network devices using telnet and/or SNMP. Device configurations are stored in a MySQL database. Note that the device records in that database carry the telnet login and the read/write SNMP community for each switch (see "Adding a new switch" below), so read access to the database is equivalent to management access to every switch ONA controls; protect it accordingly.

Resnet

The resnet ona guide is available here. It covers the functions provided to staff and RCCs who support resnet.

Presentations and papers

mail list

Features

  • Provides a common management interface to a number of different vendors' products.
  • Maintains traffic statistics and creates graphs with rrdtool
  • Supports grouping of administrators, devices and vlans to control access rights.
  • Supports granular access lists to control access down to the port level.
  • Maintains a detailed, searchable log of all changes.
  • Supports mac, ip address and ip name search, with quick link to port (if found).
  • Automatically saves switch configurations to a TFTP server. The switch configurations can also optionally be pushed to alternate TFTP/FTP servers, and placed in a tarball for daily copying to the net operations staff's laptop computer(s).
  • Maintains a searchable log of arp table and mac address table changes.
  • Includes an administrative interface to add devices, administrators, groups, access lists, etc.
  • Switch configs stored in a cvs repository, for easy analysis of configuration changes, or to go back to an old config.
  • E-mails a daily summary of port changes to admins.
  • The raw config (minus passwords and other sensitive strings) can be viewed and refreshed.
  • E-mails a daily diff report of configuration file changes to admins (only applies to switches with text configuration files, i.e. not the Baystack). Sensitive data (i.e. passwords, community strings) is removed from the e-mail report.
  • When disabling/enabling a port, an e-mail can be automatically sent to the owner of the computer which is connected to that port, based on DNS TXT records and an LDAP query to determine the e-mail address.
  • The telnet interface allows admins with telnet permissions to run commands on multiple switches readily, and optionally have the commands e-mailed out with the daily reports.
  • Creates vlans when needed, and names them based on DNS (assuming a model of vlan n = subnet n with a 24-bit mask).
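As an added illustration of the scrubbing step behind the "raw config minus passwords" and daily-diff features (Python written for this page, not ONA's PHP): the IOS-style config excerpt is constructed for the example, and the pattern list is an assumption about which lines carry credentials on the Cisco models listed below (enable secret/password, username password/secret, snmp-server community, line passwords). leaked_secrets() is the check to run before a scrubbed copy is mailed or committed: it takes every secret token the rules matched in the raw file and confirms none survives in the output.

```python
import re
from typing import List

# Constructed IOS-style running-config excerpt; not captured from any real switch.
SAMPLE_CONFIG = """\
hostname eng-swcph-gaff
enable secret 5 $1$abcd$WqZxLmNoPqRsTuVwXyZ01
username ona privilege 15 password 7 0822455D0A16
snmp-server community s3cr3tRO RO
snmp-server community s3cr3tRW RW
interface FastEthernet0/43
 description Lab bench 3
 shutdown
line vty 0 4
 password 7 094F471A1A0A
 login
"""

# Group 1 is the part of the line to keep; the token after it is the secret.
# The list is an assumption about what a scrubber for this kind of config needs.
REDACTIONS = [
    (re.compile(r"^(\s*enable (?:secret|password)(?: \d)?) \S+"), r"\1 <removed>"),
    (re.compile(r"^(\s*username \S+.*?(?:password|secret)(?: \d)?) \S+"), r"\1 <removed>"),
    (re.compile(r"^(\s*snmp-server community) \S+"), r"\1 <removed>"),
    (re.compile(r"^(\s*password(?: \d)?) \S+"), r"\1 <removed>"),
]


def redact_config(text: str) -> str:
    """Replace credential values with <removed>, keeping every other line as is
    so that a later diff still lines up with the raw file."""
    out = []
    for line in text.splitlines():
        for pattern, repl in REDACTIONS:
            line, hits = pattern.subn(repl, line)
            if hits:
                break
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def leaked_secrets(raw: str, scrubbed: str) -> List[str]:
    """Return secret tokens from the raw config that still appear in the
    scrubbed copy; run this before the scrubbed text is mailed or committed."""
    leaks = []
    for line in raw.splitlines():
        for pattern, _ in REDACTIONS:
            m = pattern.match(line)
            if m:
                secret = line[m.end(1):].split()[0]
                if secret in scrubbed:
                    leaks.append(secret)
                break
    return leaks


if __name__ == "__main__":
    scrubbed = redact_config(SAMPLE_CONFIG)
    print(scrubbed)
    print("leaks:", leaked_secrets(SAMPLE_CONFIG, scrubbed))
```

A pattern list only catches what it knows about: tacacs-server keys, key chains and the Extreme and HP config syntaxes need their own rules, so treat the scrubbed copy as less sensitive rather than public, and keep the raw copy (in CVS and on the TFTP server) readable only by the ONA service account.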

Screenshots and Help

  • Main Screen
    • Administrators will only see switches where they have management permission on at least one port, unless they click on "Show All". "Show All" allows them to view all switches.
    • The "location" field comes from DNS
    • An asterisk beside a switch name means there are changes that have not been saved to NVRAM yet.
  • Administrator Screen
    • This allows certain administrators to add/delete/change switches, administrators, groups, vlans, etc.
  • Switch Screen
    • A green background on the Description field means the link is up.
    • A red background on the Description field means the link is down.
    • A red background on the Maxmacs field means a MAC address violation has been detected.
    • "Freshen" updates the link states. This is done automatically if it has not been done in the last hour.
    • "Sync" updates the entire switch configuration by reading the switch configuration and storing it in the ona database (i.e. a pull). This is done automatically if it has not been done in the last 24 hours.
    • A red background on an entire row means the port has been administratively disabled.
    • A grey background on speed/duplex means the port is set to autonegotiate, and has negotiated the values shown.
    • A blank speed/duplex means the port is auto/auto and either the port is down or the negotiated values are not known.
    • A white background on speed/duplex values means speed/duplex are hardcoded.
    • The "Description" field is the port description from the switch itself.
    • The "Comment" field is stored in the ona database.
    • The MAC, IP address and IP name are determined automatically from the arp and mac address tables. These values are determined at preset times throughout the day, and are stored in the database. They are therefore not guaranteed to represent the current state.
  • Port Edit Screen
    • After entering new values, select "Change and save settings later" or "Change and save settings now". In both cases, the changes are made immediately, the only difference is when the changes are saved to NVRAM on the switch. Any unsaved changes are automatically saved daily.
    • Note the port change history is shown at the bottom.
  • Trunk Port Edit Screen
    • This is the same as above, it just includes the tagged and untagged vlans on the port.
  • Switch Port Change History Screen
  • MAC/IP Search Screen
    • Allows searching by MAC address, IP address or IP name
    • MAC addresses may be entered in several formats
      • 000000000000
      • 00 00 00 00 00 00
      • 00:00:00:00:00:00
      • 0000.0000.0000
    • IP names are resolved to IP addresses, and those are resolved to MAC addresses for the search, using the arp table saved in the database. As the ARP table is saved at preset times throughout the day, it is not guaranteed to be current.
    • If the MAC is found to exist on a port with no other MAC addresses on that same port, that port is considered to be the home of the MAC address.
    • If the MAC address is found on ports where other MAC addresses are present (e.g. trunk ports), those ports are also displayed, sorted by the number of MACs on each port.
    • Results are also shown from the arplog, maclog and portchangelog, for the IP, MAC and port found (if any).
  • Telnet
    • The telnet interface requires separate authorization.
    • Allows commands to be run on multiple switches, with the commands optionally announced in the daily report.
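The four MAC spellings the search accepts, as an added Python parser (not ONA's code) that recognises exactly those formats, plus dash-separated as an assumed extra, and returns one canonical form; the arp and mac-table logs store whatever each vendor prints, so the lookup has to normalise both sides. is_multicast() is the sanity check to apply before calling a port the "home" of a MAC: a multicast address appears on many ports and never has one.

```python
import re
from typing import Dict

# Exactly the spellings the search screen lists, plus dash-separated (assumed).
_FORMATS = [
    re.compile(r"^[0-9a-f]{12}$"),                    # 000000000000
    re.compile(r"^[0-9a-f]{2}(?: [0-9a-f]{2}){5}$"),   # 00 00 00 00 00 00
    re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$"),   # 00:00:00:00:00:00
    re.compile(r"^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}$"),   # 00-00-00-00-00-00
    re.compile(r"^[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}$"),  # 0000.0000.0000
]


def normalize_mac(text: str) -> str:
    """Return the MAC as 12 lower-case hex digits, or raise ValueError.  The
    format is checked before separators are stripped, so mixed or partial
    separators such as "00:1a:2b3c:4d:5e" are rejected rather than guessed at."""
    s = " ".join(text.split()).lower()
    if not any(p.match(s) for p in _FORMATS):
        raise ValueError("not a MAC address: %r" % text)
    return re.sub(r"[ :.\-]", "", s)


def mac_spellings(text: str) -> Dict[str, str]:
    """Every spelling the arp/mac logs may contain for one address."""
    h = normalize_mac(text)
    pairs = [h[i:i + 2] for i in range(0, 12, 2)]
    return {
        "bare": h,
        "spaced": " ".join(pairs),
        "colon": ":".join(pairs),
        "cisco": ".".join(h[i:i + 4] for i in range(0, 12, 4)),
    }


def is_multicast(text: str) -> bool:
    """Bit 0 of the first octet is the group (multicast) flag; such addresses
    show up on many ports and must not be assigned a single home port."""
    return int(normalize_mac(text)[:2], 16) & 0x01 == 1
```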

Supported Hardware

  • Cisco 2900xl, 3500xl, 2950, 3550, 3750
  • HP Procurve 2600, 2800, 3400 (probably 5300 but not tested)
  • Extreme Summit200, Summit 400, all "si" series (48si, Alpine, Black Diamond)

Installation

Tables

Groups

Each device and administrator account has a primary group.

Additional group memberships can be assigned to:

  • administrators
  • switches
  • ports
  • vlans

An administrator has permissions on switches, ports or vlans which are in the same group as one or more of the administrators groups.

To edit a port, an administrator must have permissions on the switch or the port.

To edit a trunk port, an administrator must have permissions on all vlans on the trunk port.

To assign a vlan to a port, an administrator must have permissions on that vlan.

Other admin permissions

Administrator userids can have their access restricted

  • Set the "allowededits" field in the admins table to blank, or the word "all", or "description,comment,duplex,speed,maxmacs,poeadmin,portfast,portstate,porttrunkmode,taggedvlans,untaggedvlan" to allow all port edit commands. Enter a minus sign in front of a command to disable it. Blank defaults to all commands. To allow all commands except "maxmacs" set it to "-maxmacs,all". To allow only portstate and comment, set it to "comment,portstate".
  • Set "denytrunkchanges" to "1" to prevent changes to trunks (defined as ports with tagged vlans present).
  • Set the "allowedtools" field in the admins table to blank, or the word "all", or "admin,config,configalator,editport,freshen,logsearch,ping,preferences,save,search,showall,stats,sync,telnet,updatemacs". Same syntax as allowededits (above).

ona systemadmin Administrators

The "systemadmin" setting gives an administrator elevated privileges, to administer ona itself.

The systemadmin settings are as follows:

systemadmin setting   meaning
0                     default - no elevated privileges
1 or higher           permission to administer ona itself, i.e. add switches, administrators, adjust permissions, create groups etc.

An administrator with a systemadmin setting of 'n' cannot create, edit or delete any other administrator with a systemadmin setting of 'n' or higher. This provides some level of privilege separation, in that administrators with equal systemadmin settings cannot delete each other, etc. Further, an administrator with a systemadmin setting of '1' cannot give a non-zero systemadmin setting to someone else.

A typical ona installation would likely include:

  • 1 or 2 administrators with a systemadmin setting of '2'
  • 2 or 3 administrators with a systemadmin setting of '1'
  • all other administrators would have a systemadmin setting of '0'

Ona administrators with a systemadmin setting of '1' or higher can add/edit/delete entries in the administrators, groups, and devices tables, even those outside their own group, i.e. there is no granular access control with this privilege. The normal ona access controls on editing switch ports etc. still apply, but since such an administrator can change their own group to match the group of any switch, administrators with a systemadmin setting of '1' or higher can in effect change any switch port, with some effort. All such activity is logged, so the change log is the control to rely on here, and the number of '1' and '2' accounts should be kept to the handful suggested above.
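The allowededits/allowedtools syntax and the systemadmin and group rules above, written out as an added Python example (not ONA's PHP). Denials beating grants regardless of order follows the page's "-maxmacs,all" example; the generalisation that a level-n admin may only assign levels below n is my reading of the rules and is marked as an assumption in the code. ALL_EDITS and ALL_TOOLS are the lists from the page.

```python
from typing import FrozenSet, Iterable, Optional, Set

# Command names from the page's description of the admins table.
ALL_EDITS = frozenset(
    "description,comment,duplex,speed,maxmacs,poeadmin,portfast,portstate,"
    "porttrunkmode,taggedvlans,untaggedvlan".split(","))
ALL_TOOLS = frozenset(
    "admin,config,configalator,editport,freshen,logsearch,ping,preferences,"
    "save,search,showall,stats,sync,telnet,updatemacs".split(","))


def parse_allowed(field: Optional[str], universe: FrozenSet[str]) -> FrozenSet[str]:
    """Interpret an allowededits/allowedtools value: blank or 'all' grants
    everything, names grant individually, '-name' denies.  Denials win
    regardless of position, so '-maxmacs,all' is everything but maxmacs.
    Unknown names are rejected rather than silently ignored."""
    if field is None or not field.strip():
        return universe
    grants: Set[str] = set()
    denies: Set[str] = set()
    for tok in (t.strip() for t in field.split(",")):
        if not tok:
            continue
        if tok == "all":
            grants |= universe
        elif tok.startswith("-") and tok[1:] in universe:
            denies.add(tok[1:])
        elif tok in universe:
            grants.add(tok)
        else:
            raise ValueError("unknown command %r" % tok)
    return frozenset(grants - denies)


def can_manage_admin(actor_level: int, target_level: int) -> bool:
    """systemadmin rule: level n may create/edit/delete only admins below n."""
    return actor_level >= 1 and target_level < actor_level


def can_assign_level(actor_level: int, new_level: int) -> bool:
    """Level 1 may only hand out 0 (from the page).  Generalised here, as an
    assumption, to 'only levels below your own', which keeps the hierarchy strict."""
    return actor_level >= 1 and 0 <= new_level < actor_level


def can_edit_port(admin_groups: Iterable[str], switch_groups: Iterable[str],
                  port_groups: Iterable[str],
                  tagged_vlan_groups: Iterable[Iterable[str]] = (),
                  deny_trunk_changes: bool = False) -> bool:
    """Group rule: a group in common with the switch or the port is enough for
    an access port; a trunk (any tagged vlan present) also needs a group in
    common with every tagged vlan, and denytrunkchanges blocks trunks outright."""
    mine = set(admin_groups)
    vlan_groups = [set(g) for g in tagged_vlan_groups]
    if vlan_groups and deny_trunk_changes:
        return False
    if not (mine & set(switch_groups) or mine & set(port_groups)):
        return False
    return all(mine & g for g in vlan_groups)
```

Because a level 1 account can re-group itself onto any switch, the practical boundary is between systemadmin 0 and 1, not between 1 and 2; the level 2 accounts exist so that level 1 accounts cannot create or remove each other, and the change log is what makes the 1-or-higher accounts accountable.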

DHCP Management Tool

Ona includes a DHCP management tool which works in conjunction with one or more dhcp servers running ISC dhcpd. See:

Adding a new switch

Administrators can open the Maintenance window, and then select "Devices" to add/remove/edit/view a switch.

To add a new switch, go to the bottom of the screen and select "Add new entry to devices". Fill in the form:

ipname                        ipname of switch
groupid                       e.g. Engineering, Science, etc.
devicetype                    switch or router
manufacturer                  Cisco, Extreme or Nortel
comment                       optional
encryptionkey                 leave blank
userid, password1, password2  see below
communityro                   read-only SNMP community
communityrw                   read/write SNMP community

At most 2 of the userid, password1 and password2 fields are filled in, depending on the switch.

For Nortel, enter the password in password1.

For Extreme, enter the userid, and password in password1.

For Cisco, it will depend on whether you login with a userid and password, or a password and enable password. If you login with a userid and password, enter the userid and password in password1. If you login with a password and enable password, enter them as password1 and password2 respectively.

Alerts and Change notifications by e-mail

To receive a daily summary of switch port changes, and device alerts as they happen, go to "Preferences" and enter a list of groups and/or switches in the "Mail me changes" window, separated by vertical bars. You can also enter regular expressions. Examples:

Mail me changes            result
Engineering                All switches in Engineering group
Arts|dccore-exsw02         All switches in Arts group plus dccore-exsw02 switch
ceit-exsw..                All ceit-exsw?? switches
ceit-exsw..|dccore-exsw..  All ceit-exsw?? and dccore-exsw?? switches
.{0,80}                    All switches

Batch operation

It is possible to perform edit commands using a tool like lynx and crafted urls. The format of the url is:

http://hostname/ona/ona/editport.php?ipname=switchname&port=portname&change=change

where additional parameters are added to the end of the URL above. To determine the initial URL to use, go into ona via the usual web interface, then go into the port edit screen for some port. Copy down the URL used (take the https one, since the HTTP authentication credential travels with every request), add &change=change (or &change=changesave) and add extra parameters as follows:

parameter        allowed values
&description=    some text
&comment=        some text
&duplex=         auto, half, full
&speed=          10, 100, 1000
&maxmacs=        number
&portfast=       enabled, disabled
&portstate=      enabled, disabled
&porttrunkmode=  no, dot1q, isl
&taggedvlans=    comma-separated list of vlan numbers
&untaggedvlan=   vlan number

Example with lynx (note that a password passed with -auth= is visible to every user on the machine in the process list and is kept in the shell history; for anything beyond a one-off, keep the credential out of the command line, and always use the https URL):

lynx -dump -auth=jsmith:Hg7,hqUi "https://ecserv1.uwaterloo.ca/ona/ona/editport.php?ipname=eng-swcph-gaff&port=FastEthernet0/43&change=changesave&portstate=disabled"
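The crafted-URL interface, as an added Python example (not ONA code): build_editport_url() assembles the editport.php URL from the parameter table, rejects values outside the allowed set, percent-encodes everything (a description containing "&" or "#" would otherwise break the query string) and refuses non-https targets, since the credential travels with every request as an HTTP Basic header. The credential comes from environment variables rather than argv so it is not visible in the process list or shell history. The base URL, the environment variable names and the send() helper are assumptions for the example.

```python
import base64
import os
import urllib.request
from urllib.parse import urlencode, urlsplit

# Parameter table from the page; None means free text or a value checked separately.
ALLOWED_VALUES = {
    "description": None, "comment": None,
    "duplex": {"auto", "half", "full"},
    "speed": {"10", "100", "1000"},
    "maxmacs": None,
    "portfast": {"enabled", "disabled"},
    "portstate": {"enabled", "disabled"},
    "porttrunkmode": {"no", "dot1q", "isl"},
    "taggedvlans": None, "untaggedvlan": None,
}


def build_editport_url(base_url: str, ipname: str, port: str,
                       save: bool = False, **changes: str) -> str:
    """Assemble .../editport.php?ipname=..&port=..&change=..&<param>=.. with
    every value validated and percent-encoded."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send an HTTP auth credential over %r" % base_url)
    if not changes:
        raise ValueError("nothing to change")
    query = {"ipname": ipname, "port": port,
             "change": "changesave" if save else "change"}
    for key, raw in changes.items():
        value = str(raw)
        if key not in ALLOWED_VALUES:
            raise ValueError("unknown parameter %r" % key)
        if key in ("maxmacs", "untaggedvlan") and not value.isdigit():
            raise ValueError("%s must be a number" % key)
        if key == "taggedvlans" and not all(v.isdigit() for v in value.split(",")):
            raise ValueError("taggedvlans must be comma-separated vlan numbers")
        if ALLOWED_VALUES[key] is not None and value not in ALLOWED_VALUES[key]:
            raise ValueError("%s=%r not in %s" % (key, value, sorted(ALLOWED_VALUES[key])))
        query[key] = value
    return base_url.rstrip("/") + "/editport.php?" + urlencode(query)


def basic_auth_header(userid: str, password: str) -> dict:
    """HTTP Basic credential as a header, the same thing lynx -auth= sends."""
    token = base64.b64encode(("%s:%s" % (userid, password)).encode()).decode()
    return {"Authorization": "Basic " + token}


def send(url: str, headers: dict, timeout: float = 30.0) -> int:
    """Perform the request and return the HTTP status.  Not exercised offline."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Hypothetical environment variable names; never put the password in argv.
    user, pw = os.environ["ONA_USER"], os.environ["ONA_PASSWORD"]
    url = build_editport_url("https://ecserv1.uwaterloo.ca/ona/ona",
                             "eng-swcph-gaff", "FastEthernet0/43",
                             save=True, portstate="disabled")
    print(url)
    print(send(url, basic_auth_header(user, pw)))
```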

CVS Repository

The switch configurations are stored nightly in a CVS (Concurrent Versions System) repository. Two versions are stored: the raw configuration, and a copy with the passwords and community strings removed. Only the latter is available through cvsweb to ona users; the raw copy holds working credentials for every switch and is not exposed through cvsweb, so it deserves the same protection as the database.

cvsweb makes it easy to compare configurations between arbitrary dates, or get an old configuration, if needed.

Performance

Navigation between menus is typical of most web-based applications: usually instantaneous, with an occasional 1 second delay.

Navigating to a switch which has not been Synced within the last 24 hours results in the Sync delay as shown in the table below.

model                  method  sync       freshen   port change    port change with save
Cisco 3550             Telnet  1 second   1 second  1 second       1 second
Cisco 3548             Telnet  6 seconds  1 second  1 second       2 seconds
Baystack 470-48T       SNMP    3 seconds  1 second  instantaneous  instantaneous
Extreme Alpine 3808    Telnet  3 seconds  1 second  <1 second      15 seconds
Extreme Black Diamond  Telnet  3 seconds  1 second  <1 second      15 seconds

Note that the Baystack performs a save to NVRAM automatically, and in the background.

When changing a lot of ports on a switch, it is recommended that "Change and Save Settings later" be used. This is faster, and avoids needlessly writing the NVRAM. When done making changes, click on "Change and Save Settings now" from the edit window for any port on the switch, or wait for the daily save.

Possible enhancements

  • maxmacs on Extreme, HP and Nortel (see MaxmacsSnmpStuff)
  • extreme IP access list management
  • reboot switch tool
  • allow apostrophe in comment
  • if switch has rebooted since last sync, force a sync (important for vlan interface indices)
  • show alerts etc in reverse order, or make it a preference

SNMP nuances etc

Baystack support is exclusively through SNMP. The port description, which is IF-MIB::ifAlias on Cisco/Extreme, either does not exist or is not saved in NVRAM on Baystacks. The menu interface on the Baystack has the "vlan port name" in one of the menus, but it is not IF-MIB::ifAlias, and I can't find an OID for it. So the port description for Baystack is stored in the ona database only.

Some functions on Extreme and Cisco switches are done by telnet, as I haven't figured out the snmp procedures yet. Feel free to help with these:

Cisco "switchport mode trunk"

I can turn a trunk into a non trunk with (example port Gi0/2):

  CISCO-VTP-MIB::vlanTrunkPortDynamicState.51 i 2

but I cannot turn it back into a trunk with:

  CISCO-VTP-MIB::vlanTrunkPortDynamicState.51 i 1

Apart from that, I can change the vlan on a normal port, the native vlan or allowed vlans on a trunk, the encapsulation type, etc., no problem. Interestingly, if an attempt is made to change the native vlan on a port that isn't a trunk, the switch reboots. Since anyone holding the read/write community can trigger that, a tool that writes vlanTrunkPortNativeVlan should first confirm the port is actually trunking (CISCO-VTP-MIB::vlanTrunkPortDynamicStatus) rather than rely on the operator to get it right.

Cisco 2950 (and probably 3550) trunk allowed vlans

After setting a port to a trunk, allowed vlans can't be added (or queried) unless the link is up.

  • confirmed fixed on C2950 12.1(22)EA6
  • confirmed fixed on C3550 12.1(22)EA6

Cisco 3550 port speed/duplex

The new 3550 uses CISCO-STACK-MIB instead of CISCO-C2900-MIB for port info.

With the 3550 I cannot determine whether a port is hardcoded or auto (unless the link is down). Furthermore, setting the speed/duplex via SNMP does not appear to go into the permanent switch config (see below).

Example:

CISCO-STACK-MIB::portAdminSpeed.1.42 INTEGER: s100000000(100000000) auto/auto up
CISCO-STACK-MIB::portAdminSpeed.1.43 INTEGER: autoDetect(1) auto/auto down
CISCO-STACK-MIB::portAdminSpeed.1.44 INTEGER: s100000000(100000000) 100/full down

CISCO-STACK-MIB::portDuplex.1.42 INTEGER: full(2) auto/auto up
CISCO-STACK-MIB::portDuplex.1.43 INTEGER: auto(4) auto/auto down
CISCO-STACK-MIB::portDuplex.1.44 INTEGER: full(2) 100/full down

Port 43 is auto/auto and the link is down, and auto/auto can be correctly identified through snmp.

Port 42 is auto/auto, and the link is up. It cannot be distinguished from port 44 which is hardcoded 100/full.

Some progress: C3550 running 12.1(22)EA6 shows the portAdminSpeed as autoDetect, independent of link state. This is good. portDuplex is shown as "half". (tested on a mismatched port by the way)...

CISCO-STACK-MIB::portDuplex.1.7 INTEGER: half(1) auto/auto up
CISCO-STACK-MIB::portAdminSpeed.1.7 INTEGER: autoDetect(1) auto/auto up

The result of the above is that ona shows auto/auto ports with the speed component greyed, but the duplex component with a white background. This is better than before, and some changes to the code to handle the 3550 specifically should address the cosmetic issue in ona.

C2900 had 2 separate oids:

CISCO-C2900-MIB::c2900PortDuplexState
CISCO-C2900-MIB::c2900PortDuplexStatus

but the STACK MIB only has CISCO-STACK-MIB::portDuplex (ie no separate State and Status)

As for setting speed/duplex, the following example setting 100/full works:

CISCO-STACK-MIB::portAdminSpeed.1.13 i 100000000
CISCO-STACK-MIB::portDuplex.1.13 i 2

and can be read back with SNMP, but if one logs into the switch and looks at the running-config, the port does not show "speed 100" and "duplex full", it doesn't reflect the changes at all. A "show interfaces" does however show it as hardcoded 100/full. Net result is that a switch reboot will revert to auto/auto. A "write mem" and "show start" shows the port still auto/auto.

  • confirmed fixed in 12.1(22)EA6 - setting speed/duplex via snmp correctly shows up in the running-config, etc.

Cisco "write memory" operation

I have not figured out how to do the equivalent of a "write memory" via SNMP, i.e. copying the running config to the startup config. (The documented route on later IOS images is CISCO-CONFIG-COPY-MIB: create a ccCopyEntry row with ccCopySourceFileType=runningConfig(4) and ccCopyDestFileType=startupConfig(3), set ccCopyEntryRowStatus to createAndGo(4), then poll ccCopyState; whether the 2900XL/3550 images in use here support it is not established on this page.)

Investigate http://www.notarus.net/networking/cisco_snmp_config.html#wrmem

Extreme vlan port membership

Version 4 devices must be upgraded to 4.1.21 or the walk of ifStackStatus doesn't return all ports reliably.

Creating Extreme vlans

Get the next available ifIndex...

EXTREME-VLAN-MIB::extremeNextAvailableVirtIfIndex

Create the vlan...

EXTREME-VLAN-MIB::extremeVlanIfDescr.96 = "testing"

That works. Now have to set the tag. The tagged If has an index 2 greater than the Vlan If, and is connected in the stack table. But I cannot set any of this. Tried using "create" (4) on the stack table and encapsifstatus. No luck.

IF-MIB::ifStackStatus.96.98 = active(1)

EXTREME-VLAN-MIB::extremeVlanEncapsIfIndex.98 = 98
EXTREME-VLAN-MIB::extremeVlanEncapsIfType.98 = vlanEncaps8021q(1)
EXTREME-VLAN-MIB::extremeVlanEncapsIfTag.98 = 199
EXTREME-VLAN-MIB::extremeVlanEncapsIfStatus.98 = active(1)

Here is an example of a vlan created through telnet:

IF-MIB::ifDescr.82 STRING: VLAN 00012 (SwenNet)
IF-MIB::ifDescr.84 STRING: 802.1Q Encapsulation Tag 0092

EXTREME-VLAN-MIB::extremeVlanIfIndex.82 INTEGER: 82
EXTREME-VLAN-MIB::extremeVlanIfDescr.82 STRING: "SwenNet"
EXTREME-VLAN-MIB::extremeVlanIfType.82 INTEGER: vlanLayer2(1)
EXTREME-VLAN-MIB::extremeVlanIfGlobalIdentifier.82 INTEGER: 12
EXTREME-VLAN-MIB::extremeVlanIfStatus.82 INTEGER: active(1)
EXTREME-VLAN-MIB::extremeVlanIfIgnoreStpFlag.82 INTEGER: false(2)
EXTREME-VLAN-MIB::extremeVlanIfIgnoreBpduFlag.82 INTEGER: false(2)
EXTREME-VLAN-MIB::extremeVlanIfEntry.9.82 INTEGER: 2

EXTREME-VLAN-MIB::extremeVlanEncapsIfIndex.84 INTEGER: 84
EXTREME-VLAN-MIB::extremeVlanEncapsIfType.84 INTEGER: vlanEncaps8021q(1)
EXTREME-VLAN-MIB::extremeVlanEncapsIfTag.84 INTEGER: 92
EXTREME-VLAN-MIB::extremeVlanEncapsIfStatus.84 INTEGER: active(1)
EXTREME-VLAN-MIB::extremeVlanStackHigherLayer.82.84 INTEGER: 82
EXTREME-VLAN-MIB::extremeVlanStackLowerLayer.82.84 INTEGER: 84

Here is all I end up with when using snmp...

IF-MIB::ifDescr.96 STRING: VLAN 00013 (testing)

EXTREME-VLAN-MIB::extremeVlanIfIndex.96 INTEGER: 96
EXTREME-VLAN-MIB::extremeVlanIfDescr.96 STRING: "testing"
EXTREME-VLAN-MIB::extremeVlanIfType.96 INTEGER: vlanLayer2(1)
EXTREME-VLAN-MIB::extremeVlanIfGlobalIdentifier.96 INTEGER: 13
EXTREME-VLAN-MIB::extremeVlanIfStatus.96 INTEGER: active(1)
EXTREME-VLAN-MIB::extremeVlanIfIgnoreStpFlag.96 INTEGER: false(2)
EXTREME-VLAN-MIB::extremeVlanIfIgnoreBpduFlag.96 INTEGER: false(2)
EXTREME-VLAN-MIB::extremeVlanIfEntry.9.96 INTEGER: 2

Summit 200 Trunk vlans

Walk of IF-MIB::ifStackStatus does not show tagged vlans on ports.

However, a specific query of a tagged vlan and port combination works, example IF-MIB::ifStackStatus.1070.50

  • confirmed fixed on 7.4e.2 (Build 6) on summit200

Extreme mac address table

On a version 6 device, one must first do:

enable snmp dot1dTpFdbTable

and then one can walk SNMPv2-SMI::mib-2.17.4.3.1 (BRIDGE-MIB::dot1dTpFdbTable), but it is extremely slow on the Alpine 3808 I tested it with: it returns 5 or 6 entries per second, and drives the CPU load on the switch to 45%.

On a version 4 device, the walk works, and appears to behave correctly, but gives a "0" instead of the port, for most entries.

Interesting looking tools

Engineering Computing network information

Commonly used switch configuration commands

Cisco oids used

set port description on FastEthernet0/4 to "testing"

IF-MIB::ifAlias.5 s testing

set port FastEthernet0/4 to auto/auto

CISCO-C2900-MIB::c2900PortAdminSpeed.0.4 i 1
CISCO-C2900-MIB::c2900PortDuplexState.0.4 i 3

set port FastEthernet0/4 to full/100

CISCO-C2900-MIB::c2900PortAdminSpeed.0.4 i 100000000
CISCO-C2900-MIB::c2900PortDuplexState.0.4 i 1

lock down FastEthernet0/4 to 5 mac addresses

CISCO-C2900-MIB::c2900PortUsageApplication.0.4 i 2
CISCO-C2900-MIB::c2900PortAddrSecureMaxAddresses.0.4 i 5
CISCO-C2900-MIB::c2900PortClearAddresses.0.4 i 1

turn off mac lockdown on FastEthernet0/4

CISCO-C2900-MIB::c2900PortUsageApplication.0.4 i 1
CISCO-C2900-MIB::c2900PortAddrSecureMaxAddresses.0.4 i 132
CISCO-C2900-MIB::c2900PortClearAddresses.0.4 i 1

set portfast on FastEthernet0/47

CISCO-C2900-MIB::c2900PortSpantreeFastStart.0.47 i 1

disable portfast on FastEthernet0/47

CISCO-C2900-MIB::c2900PortSpantreeFastStart.0.47 i 2

disable port FastEthernet0/4

interfaces.ifTable.ifEntry.ifAdminStatus.5 i 2

enable port FastEthernet0/4

interfaces.ifTable.ifEntry.ifAdminStatus.5 i 1

change vlan on port FastEthernet0/4 to 20

CISCO-VLAN-MEMBERSHIP-MIB::vmVlan.5 i 20

change native vlan on trunk port GigabitEthernet0/2 to 100

CISCO-VTP-MIB::vlanTrunkPortNativeVlan.51 i 100

change allowed vlans on trunk port GigabitEthernet0/2 to 20,100

CISCO-VTP-MIB::vlanTrunkPortVlansEnabled.51 x 8000080000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
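The long hex value on the last line is a 128-octet bitmap, one bit per VLAN with VLAN 0 as the most significant bit of octet 0, so VLAN 20 is 0x08 in octet 2 and VLAN 100 is 0x08 in octet 12 (the captured value also has the VLAN 0 bit set). Here are the encoder and decoder as an added Python example, not ONA's code, together with the snmpset argument list they feed; the host and community are placeholders. One object covers VLANs 0-1023; CISCO-VTP-MIB has vlanTrunkPortVlansEnabled2k, 3k and 4k for 1024-4095, which the same routines handle through the base argument.

```python
from typing import Iterable, List

OCTETS = 128  # one vlanTrunkPortVlansEnabled* object covers 1024 VLANs

# Value from the page: allowed vlans 20,100 on GigabitEthernet0/2 (ifIndex 51).
PAGE_HEX = "8000080000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"


def vlans_to_octets(vlans: Iterable[int], base: int = 0) -> bytes:
    """Encode VLAN ids base..base+1023 as the 128-octet bitmap, MSB first."""
    buf = bytearray(OCTETS)
    for v in vlans:
        off = v - base
        if not 0 <= off < OCTETS * 8:
            raise ValueError("vlan %d not in %d-%d" % (v, base, base + OCTETS * 8 - 1))
        buf[off // 8] |= 0x80 >> (off % 8)
    return bytes(buf)


def octets_to_vlans(data: bytes, base: int = 0) -> List[int]:
    """Decode a bitmap of any length back to a sorted VLAN list."""
    return [base + i * 8 + b
            for i, byte in enumerate(data)
            for b in range(8) if byte & (0x80 >> b)]


def hex_to_vlans(hexstr: str, base: int = 0) -> List[int]:
    """Decode the hex string as printed by snmpget/snmpwalk.  Goes through an
    int so that whitespace and an odd digit count in a pasted value do not
    derail the decode."""
    h = "".join(hexstr.split())
    nbits = 4 * len(h)
    value = int(h, 16)
    return [base + v for v in range(nbits) if (value >> (nbits - 1 - v)) & 1]


def snmpset_argv(host: str, community: str, ifindex: int,
                 vlans: Iterable[int]) -> List[str]:
    """Argument vector for net-snmp's snmpset writing the bitmap with type 'x'.
    The RW community on argv is visible in the process list; net-snmp can read
    it from a snmp.conf defCommunity entry instead."""
    return ["snmpset", "-v2c", "-c", community, host,
            "CISCO-VTP-MIB::vlanTrunkPortVlansEnabled.%d" % ifindex,
            "x", vlans_to_octets(vlans).hex()]


if __name__ == "__main__":
    print(hex_to_vlans(PAGE_HEX))
    print(" ".join(snmpset_argv("switch.example", "private", 51, {20, 100})))
```

The value written replaces the existing allowed list in its entirety, so always compute it from the full intended set of VLANs rather than OR-ing one bit into what you believe is there.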

-- BruceCampbell - 03 Mar 2004

Copyright © 1999-2009 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.