AANTS:Web-Based Network Administration

Tools - Latest Developments

Charles ThomasAANTS Administration Team

Division of Info. Tech. (DoIT)

Network Services

University of Wisconsin - Madison

CTHOMAS@wisc.edu

Talk Overview

• 20 minutes = BARNSTORM!• Focus more on latest work with

AANTS.• Show kinds of tools we’ve found

necessary to manage a large network.• Show the kind of tools which can be

created by a network-specific programmer using open-source tools.

Present UW Campus Network

• Nearly 1800 Cisco network devices, many models.

• A few Juniper and NetScreen devices.• 64,000+ managed ports.• The number of managed buildings,

devices, and ports is growing every day.

The Challenge

• Campus LAN admins (Authorized Agents) need to administer the switches and ports which carry their LANs.

• The gear is centrally owned/managed, therefore we cannot allow them direct access (e.g. ssh or telnet) to the switches themselves.

• Need to maintain good relations with AAs and not deprive them of their sense of autonomy (political/practical).

The Goal

• Give our Authorized Agents comparable (and in many cases improved) network management capabilities.

• Maintain appropriate levels of security, authorization and access control.

• Must be easy-to-use.• Must protect centrally-managed gear,

protect AAs from each other.

AANTS: Authorized Agent Network Tool Suite

• Loosely-coupled set of web-based utilities for network administration.

• Tools are team-developed in-house, optimized toward local networking practices, driven by user need.

• Allow users (campus LAN administrators and network engineers) to manage network devices, change device configurations, troubleshoot, inspect traffic data, coordinate with users, and perform other network management tasks.

AANTS: Authorized Agent Network Tool Suite (cont.)

• Dozens of web-based GUI tools which allow all aspects of day-to-day network administration to be performed with a few clicks in a browser.

• Supported by a wide variety of behind-the-scenes scripts which handle things like database updates, SNMP information gathering, network state auditing, etc.

• Arranged into a hierarchy of functionality:– Network Contacts– Authorized Agents– Super Users

Foundation Technologies:

• NetCMS - Network Device Configuration Management System for tracking router/switch configurations.

• WiscNIC - RIPE whois database of network resources (VLANs, Administrators, Subnets).

• MySQL - Network configurationinformation.• Cisconf - Cisco tftp config tool.• GNU Make - Project management.• FlowScan and MRTG (Multi-Router Traffic

Grapher).

No Time For:• LookingGlass - run command-line device queries.• NetWatch - Find IP and MAC addresses on network

devices.• NetStats - Multitude of traffic graphs and statistics.• VLAN Finder - Discover VLAN config info.• MailByDevice - Contact users responsible for devices.• MailByVlan - Contact users responsible for VLANs.• PortTextSearch - Locate device/port combinations by

searching any user-entered port labeling.• Many more!

EdgeConf• Configure device ports.• Perform multiple port changes as one

transaction.• Label ports with user information• Work with port subsets.• Examine switch port configurations and

other switch information.• Users can only change devices/ports for

which they are authorized.

New Features

• Configure POE on ports.• Ability to lock ports to a specific MAC

address (security).• Display history of port changes.• EdgeConf for platform (6500 series)

devices.

MailByDevice• Select one or more network devices.• Find all VLANs on each device.• Get all technical and administrative contacts

for each VLAN from the WiscNIC database.• User can compose an email message.• Message will be mailed to all users.• Used to alert users when certain devices are

going to be affected by NS actions.

UPSManager• Select one or more UPS devices.• Display current device config.• View all technical device info:

– make/model/SN/IP/OS– Contact info– Building/room info, etc.

• Create/edit/delete maintenance records.• View/edit maintenance history.• Maintain list of associated components (e.g.

batteries, fans).

CodePusher• Push commands, operating code, or configuration

code to selected network devices.– Run command-line directives (e.g. ‘show int’).– Upgrade system software.– Modify device configurations.– Manage ACLs.

• Parallelized for maximum efficiency.• Can specify a delayed device restart date/time.• Parses results into log files which can be viewed

from the web browser .• Performs error-checking.• Reports results via email.

Usage - Past 365 Days

• MailByDevice - Used 130 times by DoIT net engineers and NOC staff to alert campus agents of potential network outages.

• ConfigPusher - 827 transactions by DoIT net engineers, tens/hundreds of devices per transaction.

• EdgeConf - 10,500 transactions, between 1 and 200 port changes per transaction.

Summary

• AANTS tools allow our customers to manage their network over the web, regardless of the user’s platform of choice.

• AANTS tool development is driven by user input and real-world needs.

• AANTS is built on a foundation of freely-available software.

• Local networking practices guide AANTS’ growth as a customized system.

Summary (cont.)• Day-to-day management tasks are handled more

quickly and easily for network services staff.• Improved Security Management

– Maintain common Access-Control-Lists across network gear.

– Locate and isolate compromised and abusive machines.

– Identify and block abusive traffic.

– Lock ports to individual MAC addresses

Summary (cont.)• These tools help us maintain good relations with

campus LAN admins by empowering them rather than moving responsibility away from them.

• This cooperative policy makes use of available campus IT talent to help network services staff manage the network.

Contact the AANTS Admin Team

aants-admin@net.doit.wisc.edu