AANTS: Web-Based Tools for Cooperative Campus Network Administration Charles Thomas Dave Plonka AANTS Administration Team Division of Info. Tech. (DoIT)

Presentation transcript:

AANTS: Web-Based Tools for Cooperative Campus Network Administration Charles Thomas Dave Plonka AANTS Administration Team Division of Info. Tech. (DoIT) Network Services University of Wisconsin - Madison

Past Campus Network: ATM LANE environment with 5 or 6 routers. Multiple switch brands, many models. Centrally-managed configurations for devices.

Past Campus Network: Campus departments administered their own LANs and had their own IT staff. Gear purchase, configuration, deployment, and maintenance was handled on a department-by-department basis. This led to a hodgepodge of operating procedures and network designs, some incompatible with each other.

Campus XXI Century Network Upgrade Use Cisco equipment as a standard to minimize cross-vendor incompatibilities. Increase the backbone speed to 10 Gb/s. Offer 1 Gb/s departmental connections. Move to a centrally-purchased and centrally-managed network model.

Present Campus Network Nearly 900 Cisco network devices, many models. A few Juniper and NetScreen devices. 41,000+ managed ports. The number of managed buildings, devices, and ports is growing every day.

The Challenge Campus LAN admins (Authorized Agents) need to administer the switches and ports which carry their LANs. The gear is centrally owned/managed, therefore we cannot allow them direct access (e.g. ssh or telnet) to the switches themselves. Need to maintain good relations with AAs and not deprive them of their sense of autonomy (political/practical).

The Goal Give our Authorized Agents comparable (and in many cases improved) network management capabilities. Maintain appropriate levels of security, authorization and access control. –Protect centrally-managed gear. –Protect AAs from each other.

AANTS: Authorized Agent Network Tool Suite Loosely-coupled set of web-based utilities for network administration. Tools are team-developed in-house, optimized toward local networking practices, driven by user need. Allow users (campus LAN administrators and network engineers) to manage network devices, change device configurations, troubleshoot, inspect traffic data, coordinate with users, and perform other network management tasks.

Foundation Technologies: NetCMS - Network Device Configuration Management System for tracking router/switch configurations. WiscNIC - RIPE whois database of network information. Oracle/MySQL - Device config database. Cisconf - Cisco tftp config tool. GNU Make - Project management. FlowScan and MRTG (Multi-Router Traffic Grapher).

LookingGlass Run command-line operations on devices and view results. View ethernet switch logs.

NetStats Graph router interface and switch port statistics. Several summary graphs displaying different types of traffic statistics at the campus network border. Searchable interface to traffic statistics.

NetWatch Locate a host given a MAC or IP address. Discover which devices are connected to a specific switch.

EdgeConf Configure device ports. Perform multiple port changes as one transaction. Label ports with user information. Work with port subsets. Examine switch port configurations and other switch information. Users can only change devices/ports for which they are authorized.
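The per-port authorization and all-or-nothing transaction described for EdgeConf, sketched as an added example. This is not AANTS code: the agent names, device names, allowlist of settings and function names are hypothetical, and the in-memory dictionary stands in for a real device configuration store.

```python
from dataclasses import dataclass

# Constructed sample data: which (device, port) pairs each Authorized Agent may manage.
AUTHORIZED_PORTS = {
    "aa-chem": {("sw-chem-1", "Gi0/1"), ("sw-chem-1", "Gi0/2")},
    "aa-phys": {("sw-phys-1", "Gi0/1")},
}
# Assumption: agents may touch only edge-port settings, never trunk or uplink settings.
ALLOWED_SETTINGS = {"description", "vlan", "shutdown"}


@dataclass(frozen=True)
class PortChange:
    device: str
    port: str
    setting: str
    value: str


class Unauthorized(Exception):
    """Raised when any change in a batch falls outside the agent's authority."""


def apply_transaction(agent, changes, running_config):
    """Validate every change first, then return a new config with all of them applied.

    running_config maps (device, port) -> {setting: value} and is never mutated,
    so a rejected batch leaves no partial change behind.
    """
    allowed = AUTHORIZED_PORTS.get(agent, set())  # unknown agent: deny everything
    denied = [
        c for c in changes
        if (c.device, c.port) not in allowed or c.setting not in ALLOWED_SETTINGS
    ]
    if denied:
        # Reject the whole batch and name each offending change for the audit trail.
        detail = ", ".join(f"{c.device} {c.port} {c.setting}" for c in denied)
        raise Unauthorized(f"{agent} may not change: {detail}")

    # Stage on a copy, then hand back the staged result as the committed config.
    staged = {key: dict(settings) for key, settings in running_config.items()}
    for c in changes:
        staged.setdefault((c.device, c.port), {})[c.setting] = c.value
    return staged
```
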

VlanFinder Discovers all currently active VLANs. User selects one or more VLANs. Display devices and ports on which the VLANs are active. Display VLAN attributes: –Configuration of routed VLAN interfaces –Any trunk allowed VLANs –VLAN Spanning Tree Protocol priorities Device names and ports will be hot-linked (where applicable) to EdgeConf.

VlanFinder Used to identify devices/ports which could potentially be affected by work on a specific VLAN. Used to map the current configuration of a VLAN prior to reconfiguration. Used to verify the real-world result of network configuration changes (“Did my change do what I wanted?”).

MailByDevice Select one or more network devices. Find all VLANs on each device. Get all technical and administrative contacts for each VLAN from the WiscNIC database. User can compose a message. Message will be mailed to all users. Used to alert users when certain devices are going to be affected by NS actions.

CodePusher Push commands, operating code, or configuration code to selected network devices. –Run command-line directives (e.g. ‘show int’). –Upgrade system software. –Modify device configurations. –Manage ACLs. Parallelized for maximum efficiency. Can specify a delayed device restart date/time. Parses results into log files which can be viewed from the web browser. Performs error-checking. Reports results via .

Live Demos

Summary AANTS tools allow our customers to manage their network over the web, regardless of the user’s platform of choice. AANTS tool development is driven by user input and real-world needs. AANTS is built on a foundation of freely-available software. Local networking practices guide AANTS’ growth as a customized system.

Summary (cont.) Day-to-day management tasks are handled more quickly and easily for network services staff. Improved Security Management –Maintain common Access-Control-Lists across network gear. –Locate and isolate compromised and abusive machines. –Visually identify bouts of abusive traffic. –Block traffic involving abusive intra- or extra-campus hosts.

Summary (cont.) These tools help us maintain good relations with campus LAN admins by empowering them rather than moving responsibility away from them. This cooperative policy makes use of available campus IT talent to help network services staff manage the network.

Contact the AANTS Admin Team

Q&A