AANTS: Web-Based Network Administration Tools - Latest Developments Charles Thomas AANTS Administration Team Division of Info. Tech. (DoIT) Network Services University of Wisconsin - Madison

Talk Overview 20 minutes = BARNSTORM! Focus more on latest work with AANTS. Show kinds of tools we’ve found necessary to manage a large network. Show the kind of tools which can be created by a network-specific programmer using open-source tools.

Present UW Campus Network Nearly 1800 Cisco network devices, many models. A few Juniper and NetScreen devices. 64,000+ managed ports. The number of managed buildings, devices, and ports is growing every day.

The Challenge Campus LAN admins (Authorized Agents) need to administer the switches and ports which carry their LANs. The gear is centrally owned/managed, therefore we cannot allow them direct access (e.g. ssh or telnet) to the switches themselves. Need to maintain good relations with AAs and not deprive them of their sense of autonomy (political/practical).

The Goal Give our Authorized Agents comparable (and in many cases improved) network management capabilities. Maintain appropriate levels of security, authorization and access control. Must be easy-to-use. Must protect centrally-managed gear, protect AAs from each other.

AANTS: Authorized Agent Network Tool Suite Loosely-coupled set of web-based utilities for network administration. Tools are team-developed in-house, optimized toward local networking practices, driven by user need. Allow users (campus LAN administrators and network engineers) to manage network devices, change device configurations, troubleshoot, inspect traffic data, coordinate with users, and perform other network management tasks.

AANTS: Authorized Agent Network Tool Suite (cont.) Dozens of web-based GUI tools which allow all aspects of day-to-day network administration to be performed with a few clicks in a browser. Supported by a wide variety of behind-the-scenes scripts which handle things like database updates, SNMP information gathering, network state auditing, etc. Arranged into a hierarchy of functionality: –Network Contacts –Authorized Agents –Super Users

Foundation Technologies: NetCMS - Network Device Configuration Management System for tracking router/switch configurations. WiscNIC - RIPE whois database of network resources (VLANs, Administrators, Subnets). MySQL - Network configurationinformation. Cisconf - Cisco tftp config tool. GNU Make - Project management. FlowScan and MRTG (Multi-Router Traffic Grapher).

No Time For: LookingGlass - run command-line device queries. NetWatch - Find IP and MAC addresses on network devices. NetStats - Multitude of traffic graphs and statistics. VLAN Finder - Discover VLAN config info. MailByDevice - Contact users responsible for devices. MailByVlan - Contact users responsible for VLANs. PortTextSearch - Locate device/port combinations by searching any user-entered port labeling. Many more!

EdgeConf Configure device ports. Perform multiple port changes as one transaction. Label ports with user information Work with port subsets. Examine switch port configurations and other switch information. Users can only change devices/ports for which they are authorized.

New Features Configure POE on ports. Ability to lock ports to a specific MAC address (security). Display history of port changes. EdgeConf for platform (6500 series) devices.

MailByDevice Select one or more network devices. Find all VLANs on each device. Get all technical and administrative contacts for each VLAN from the WiscNIC database. User can compose an message. Message will be mailed to all users. Used to alert users when certain devices are going to be affected by NS actions.

UPSManager Select one or more UPS devices. Display current device config. View all technical device info: –make/model/SN/IP/OS –Contact info –Building/room info, etc. Create/edit/delete maintenance records. View/edit maintenance history. Maintain list of associated components (e.g. batteries, fans).

CodePusher Push commands, operating code, or configuration code to selected network devices. –Run command-line directives (e.g. ‘show int’). –Upgrade system software. –Modify device configurations. –Manage ACLs. Parallelized for maximum efficiency. Can specify a delayed device restart date/time. Parses results into log files which can be viewed from the web browser. Performs error-checking. Reports results via .

Usage - Past 365 Days MailByDevice - Used 130 times by DoIT net engineers and NOC staff to alert campus agents of potential network outages. ConfigPusher transactions by DoIT net engineers, tens/hundreds of devices per transaction. EdgeConf - 10,500 transactions, between 1 and 200 port changes per transaction.

Summary AANTS tools allow our customers to manage their network over the web, regardless of the user’s platform of choice. AANTS tool development is driven by user input and real-world needs. AANTS is built on a foundation of freely-available software. Local networking practices guide AANTS’ growth as a customized system.

Summary (cont.) Day-to-day management tasks are handled more quickly and easily for network services staff. Improved Security Management –Maintain common Access-Control-Lists across network gear. –Locate and isolate compromised and abusive machines. –Identify and block abusive traffic. –Lock ports to individual MAC addresses

Summary (cont.) These tools help us maintain good relations with campus LAN admins by empowering them rather than moving responsibility away from them. This cooperative policy makes use of available campus IT talent to help network services staff manage the network.

Contact the AANTS Admin Team