How To Understand and Configure Your Network for IntraVUE

Summary
This document attempts to standardize the methods used to configure IntraVUE in situations where there is
little or no understanding of the existing network.
This document is targeted at a technical person who is somewhat familiar with network terms, running
programs from a DOS prompt, and who must install IntraVUE.
IntraVUE is designed to monitor and collect diagnostic data for Local Area Networks (LANs): layer 2
switches and their associated edge or end devices. IntraVUE was not designed to provide layer 3 or
Wide Area Network (WAN) diagnostics, but will work with them to get data from layer 2 switches and edge
devices. To properly configure IntraVUE you must understand how the network addresses of the switches
relate to the edge devices, and you must have the SNMP community of any managed switches/routers.
This document will progress through the following ‘steps’.
• Understanding the terms. Please spend some time reviewing the terms, as their definitions include how
they are relevant to IntraVUE and your network.
• IntraVUE scanning requirements.
• Various types of networks from simple to very complex.
• Tools that are available to understand your network before using IntraVUE.
• Using IntraVUE in conjunction with tools to understand your network and properly configure IntraVUE.
• Configuring IntraVUE for long term monitoring and reporting.
Terms
Access Control List (ACL) - A set of rules configured in layer 2 and 3 switches that limit what traffic can
move from one interface to another or that can communicate with the switch. ACLs are optional. If
enabled, the IP of any device that needs to talk to the switch must have a rule that allows that IP. Cisco uses
ACLs; other switch vendors have Management Station Lists or similarly named functions that likewise limit
who can talk to a switch/router.
ARP - Address Resolution Protocol. ARP is the method used to find hardware when only the IP address
is known. An ARP message is a broadcast message that asks the recipients to tell the MAC address for the
provided IP address. Typically a device only knows its own MAC and stores the MACs of devices it talks
to. Some devices, like routers, store MAC addresses in large tables and provide the MAC address to other
devices. The table of MAC addresses for IP addresses that a device keeps is known as its ARP cache.
Broadcast - communications traffic that is sent to all devices in a subnet. A layer 2 switch will typically
send broadcast traffic to all ports of the switch. See VLAN which is a technology invented to limit broadcast
traffic to certain ports of a layer 2 switch.
Community - The equivalent of a password for SNMP communications. It is case sensitive. There are
read-only and read-write types. IntraVUE only uses read-only.
Firewall - A special purpose router with additional rules to prevent traffic from moving between subnets,
especially ‘inside’ versus ‘outside’ an area.
Gateway - The router any traffic will be sent to if the destination IP address is not local (in the same
subnet) as the sender. If that gateway cannot route the traffic, it sends the traffic to its gateway, and so on
until it reaches the destination.
IP Address - The (I)nternet (P)rotocol Address is the logical address of a device within a computer
network. It is internally a 32-bit number, typically expressed as 4 sets (octets) of numbers between 0 and
255, separated by periods, like 192.168.100.252. Routers route traffic from one subnet to another based
on IP address.
Layer 2 Switch - moves Ethernet packets based on the MAC address of the recipient. Connections are
made using ‘ports’. If a match on a port is found the packet is sent on that port only.
Layer 3 Switch - moves Ethernet packets based on IP address. The IP address is compared to the
interfaces' IP addresses and subnet masks. If a match is found the packet is forwarded to that interface.
If not, it is sent to the router's gateway.
Local Devices - All other devices that are in the same subnet (based on the subnet mask and ip address)
as a device. Communication to these devices is sent directly to the devices without being forwarded to the
gateway, even if there is no response.
MAC Address - The unique physical address of a network adapter or network interface. It is usually
expressed as 6 sets of 2 hexadecimal numbers. The first 3 sets typically identify the vendor of the adapter
or piece of equipment having an adapter. Switches move data by knowing what port a mac address is on.
PING - A tool used to test if a particular host is reachable using an IP address. Pings use the ICMP ‘echo
request’ protocol. If the sending device does not have a MAC address for the IP address in its ARP
cache, an ARP (broadcast) request will be issued before the ping.
Remote Devices - All devices that are in a different subnet (based on the subnet mask and ip address)
than the reference device. Communication to these devices is forwarded to the gateway if there is one,
and nowhere if there is not a gateway.
Router - A router is the same as a layer 3 Switch. Typical routers are not configured to do layer 2
switching, but may. Routers maintain very large tables of MAC addresses for IP addresses as a result of
moving/routing traffic between subnets.
Subnet - A set of Ethernet devices that share a common routing prefix, defined by a subnet mask. Subnets
break a network into smaller parts and are connected at the edges by/through routers. Devices in the
same subnet are Local to each other and traffic does not go through a router. To determine what is local to
a particular IP Address, the IP Address is mathematically combined with the subnet mask to compute the
range of IP Addresses that is within that subnet. It is VERY IMPORTANT that all devices in a subnet have
the same subnet mask and that the subnet mask agrees with their gateway.
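The local/remote decision described under Subnet, worked through in code. This is an added example, not part of the IntraVUE document: it combines an address with its dotted subnet mask (a bitwise AND) to get the subnet, classifies scan targets as local or remote relative to the host, and checks the host-versus-gateway mask agreement the entry calls VERY IMPORTANT. All addresses in it are constructed.

```python
"""Local-versus-remote classification by subnet mask.

Added example, not part of the IntraVUE document. It performs the
"mathematical combination" of an IP address with its subnet mask that the
Subnet entry describes, and checks the document's requirement that a host
and its gateway agree on the mask. All addresses below are constructed.
"""
import ipaddress


def network_of(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Bitwise-AND the address with the dotted mask to get its subnet."""
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def is_local(host_ip: str, host_mask: str, other_ip: str) -> bool:
    """True when other_ip is in the host's subnet: the host will ARP for it
    directly instead of forwarding the traffic to its gateway."""
    return ipaddress.IPv4Address(other_ip) in network_of(host_ip, host_mask)


def classify(host_ip: str, host_mask: str, targets) -> dict:
    """Label each scan target 'local' or 'remote' relative to the host.
    Remote targets need the last router in the path in the scan range too."""
    return {t: ("local" if is_local(host_ip, host_mask, t) else "remote")
            for t in targets}


def mask_disagrees(host_ip: str, host_mask: str,
                   gw_ip: str, gw_mask: str) -> bool:
    """True when the host and its gateway compute different subnets, the
    misconfiguration the Subnet entry warns against."""
    return network_of(host_ip, host_mask) != network_of(gw_ip, gw_mask)


if __name__ == "__main__":
    # Constructed sample: a host in 192.168.100.0/24 with two scan targets.
    print(classify("192.168.100.252", "255.255.255.0",
                   ["192.168.100.10", "10.2.2.5"]))
    # Gateway configured with a /16 mask while the host uses /24.
    print(mask_disagrees("192.168.100.252", "255.255.255.0",
                         "192.168.100.1", "255.255.0.0"))
```

Running it on the constructed sample labels 192.168.100.10 local and 10.2.2.5 remote, and reports the /24-versus-/16 mismatch between host and gateway.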
VLAN - A (V)irtual LAN is a group of devices configured to communicate as if they were in the same
broadcast domain. It allows edge/end devices to be grouped together even if not connected to the same
switch. VLANs make it possible to create multiple layer 3 networks on the same layer 2 switch. Broadcast
traffic from a VLAN’d port of a layer 2 switch will ONLY go to other ports in the same VLAN, NOT to all
ports of the switch as would be done without a VLAN.
IntraVUE Scanning Requirements
• The host computer must be able to PING all the devices to be scanned.
• The devices storing the MAC addresses of the devices must be in the scan range and must be configured
to respond to SNMP from the host. This requires at least the SNMP read-only community and may
require additional permissions, such as an entry in an Access Control List.
• The switches must provide timely responses to SNMP queries. Typical response times are less than 20
milliseconds, but some switches are known to take 20 seconds (20000 milliseconds). IntraVUE will tolerate
a response as slow as 1000 milliseconds (1 second).
• Switch responses must conform to SNMP standards, and managed switches must respond to the Bridge
MIB, RFC 1493, or one of its successors.
Types of Networks
Networks are described in increasing order of complexity.
1. The simplest network is one in which all the edge devices and all the switches are in the same subnet.
To scan this type of network you only have to enter the full scan range and proper SNMP communities. If
this is your network, you do not have to read the rest of this document. IntraVUE LITE was designed for
this type of network when the subnet mask is 255.255.255.0 (Class C).
In figure 1 below, each blue ‘cloud’ represents a different subnet, but you only need to scan devices in the
big cloud, ‘Plant Private Network’.
Figure 1
2. Another simple network is one in which all the edge devices are in one subnet and all the infrastructure
switches are in another subnet. The IntraVUE host computer should be in the subnet of the edge
devices and should be the top parent of the IntraVUE network. (In the images below imagine only ONE
LAN on the right side.)
In figure 2 the IntraVUE host is on the left. All the LOCAL edge devices communicate without going through
a router, but the IntraVUE host must go through a router in order to get ping and SNMP data from the
switches. The router (which knows the MACs of the switches) must be in the scan range of the same
IntraVUE network and respond to SNMP.
Figure 2
In some cases, plant personnel are not allowed to know the SNMP community of the central router. In
figure 3, a NIC card has been added for each formerly remote LAN to solve this problem. Now those LANs
have local addresses on the host computer and communication does NOT go through the router. The MAC
addresses of all devices are in the host computers local ARP cache.
Figure 3
3. Similar to network #2, this network has devices in many different subnets, not just 2 (as shown in figures
2 and 3 with all the LANs on the right). For example, one router with subnets for office, building 1,
building 2, and switches.
You can configure IntraVUE to have all devices in one big IntraVUE network or have a separate IntraVUE
network for each LAN. If you do the latter, the switches that are used in each LAN must also be in each
IntraVUE network.
4. Network #3 is made more complex by configuring the layer 2 switches in the network to have VLANs.
This is one of the most common plant floor network architectures.
In figure 4 there are 5 VLANs. The layer 2 switches are in the center circle, Switch VLAN. Even though
they are connected by layer 2 switches, devices in one VLAN cannot communicate with devices in
another VLAN without going through the router.
Figure 4
For IntraVUE to provide the most diagnostics, each VLAN of edge devices should be a separate IntraVUE
network in the System Configure's Scanner Tab. Each one of the ‘remote’ networks must also include the
interface (IP address) of the router leading to the edge devices (as determined by TRACERT) as the top
parent.
In figure 4, the IntraVUE network for VLAN 1 needs to have the local computer as top parent, all the local IP
addresses, the router, and the switch IPs. VLANs 2, 3, and 4 each need to have the IP of the router as top
parent, and the IPs of the VLAN, the router, and the switch IPs all in the scan ranges of that IntraVUE
network. (The switch IPs will be in all 4 IntraVUE networks.)
VLANs are configured in a layer 2 switch by assigning VLAN numbers to ports of the switch. Packets
arriving on a port of a switch having a VLAN(s) configured will only be sent to other ports having the same
VLAN(s) configured. This limits broadcast traffic to only the ports with the same VLAN number as the
originator.
Figure 5 illustrates this using different colored lines for each VLAN. If the destination MAC is on a port in
another VLAN, the message will be sent to the gateway and then back to the switch on the port having the
same VLAN number as the destination. If a port of a switch is not configured for a VLAN, it acts as if all
VLANs are configured for that port.
All traffic for a device in a different VLAN (different colored line) must go to the router to be redirected to the
switch.
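The VLAN forwarding rules in the preceding paragraphs, as a small switch model. This is an added example, not part of the IntraVUE document or its software: the switch is a constructed mapping of port number to the set of VLAN numbers assigned to that port, with None standing for a port that has no VLAN configured (which, as the text says, behaves as if every VLAN were configured on it). It shows which ports a broadcast floods to and when a unicast between two ports must leave for the router.

```python
"""Model of how a layer 2 switch limits broadcast traffic by VLAN.

Added example, not part of the IntraVUE document. The switch model is
constructed: each port maps to the set of VLAN numbers assigned to it, or
to None for a port with no VLAN configured, which the document says acts
as if every VLAN were configured on it.
"""

# Constructed sample switch: ports 1-2 in VLAN 10, port 3 in VLAN 20,
# port 5 carrying both VLANs, and port 4 left unconfigured.
SAMPLE_SWITCH = {1: {10}, 2: {10}, 3: {20}, 4: None, 5: {10, 20}}


def shares_vlan(vlans_a, vlans_b) -> bool:
    """Two ports can exchange frames inside the switch when they have a
    VLAN in common; an unconfigured port (None) matches any VLAN."""
    if vlans_a is None or vlans_b is None:
        return True
    return bool(vlans_a & vlans_b)


def flood_targets(switch: dict, ingress: int) -> list:
    """Ports that receive a broadcast arriving on `ingress`: only ports that
    share a VLAN with the ingress port, never the ingress port itself."""
    in_vlans = switch[ingress]
    return sorted(p for p, v in switch.items()
                  if p != ingress and shares_vlan(in_vlans, v))


def needs_router(switch: dict, src_port: int, dst_port: int) -> bool:
    """True when a unicast between the two ports must leave the switch, go
    to the gateway, and come back, because the ports share no VLAN."""
    return not shares_vlan(switch[src_port], switch[dst_port])


if __name__ == "__main__":
    print(flood_targets(SAMPLE_SWITCH, 1))    # [2, 4, 5]
    print(flood_targets(SAMPLE_SWITCH, 4))    # [1, 2, 3, 5]
    print(needs_router(SAMPLE_SWITCH, 1, 3))  # True
```

A broadcast entering on port 1 (VLAN 10) reaches ports 2, 4 and 5 but not port 3, while one entering on the unconfigured port 4 reaches every other port; a unicast from port 1 to port 3 has to go via the router.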
Figure 5
5. Implementing Rapid Spanning Tree Protocol (RSTP) in the switches creates a physical ring of
communication where the last switch in a series of connected switches is connected to the first switch, thus
forming a ring. The last link is never ‘active’ unless there is a break between any other switches in the
ring. At that time, communication will start on a new path and all switches will continue to be able to
communicate, but using a different path.
Nothing special needs to be done to handle this situation. IntraVUE will discover the new path and redraw
the topology to reflect the change in the ring.
6. Hot Standby Redundant Protocol (HSRP) creates a connection between a pair of routers. In this
scenario 2 routers are configured so that either one can act for the other in the event the other router
fails. The routers ‘share’ a virtual IP address and a virtual MAC address as well as having their own IP
and MAC. In some cases, one router will respond to the virtual IP/MAC, but the other can take over
within milliseconds if necessary. In many cases, each router handles some VLANs. In figure 6, router A
will handle the even VLANs and router B will handle the odd VLANs.
Other devices are configured to use the ‘virtual’ IP address of the routers.
Additionally, each ‘upper level’ layer 2 switch is connected to both routers, so that if a router failure
happens there is a connection to the other router using the same ‘virtual’ IP address.
Since the routers are connected and the upper switches are connected to each router, an alternate path is
created and the MAC of the routers can be seen on two possible ports of the ‘upper level’ switches.
This arrangement is shown in figure 6.
Figure 6
Depending on different circumstances, such as VLANs, each switch shown above may report the virtual
MAC on either of 2 ports, depending on which VLAN last communicated with a router. Additionally, there is a
path where the switch can see the ‘second’ router through the ‘first’ router.
To handle this situation, we normally configure IntraVUE to EXCLUDE the IP addresses of the upper level
switches. Typically no edge devices are connected to these switches, and IntraVUE is a tool to manage the
communication to the edge devices. Additionally, we configure the ports of the lower switches going to the
upper switches to be trunked. This is done in a configuration file and is explained in detail in IntraVUE help,
under ‘Handling Trunking’.
7. Within any network, multiple connections between layer 2 switches may exist. There are two common
reasons for this.
To increase bandwidth between two switches, 2 (or more) ports of one switch are directly connected to 2
(or more) ports of another switch. The switches then pick the best port to use at any time. The upper switch
will report a MAC address on port A, then B, then A, and so on.
The traffic that arrives at a switch having several VLANs may take different paths through sets of switches.
This will cause the router, and possibly some of the upper level switches, to be seen on different ports.
The IntraVUE scanner must be configured to treat ports that can lead to the same MAC address as ‘trunked
ports’. This is done in a configuration file and is explained in detail in IntraVUE help, under ‘Handling
Trunking’.
Tools to Get Information
The following tools can be used to get more information about your network. The tools should typically be
run on the computer which is hosting IntraVUE.
PING - a DOS command line tool. Using PING tells whether a device can be reached from the host computer.
Figure 7
TRACERT - a DOS command similar to PING, but each time the request passes through a router, the router
is listed.
This is an important tool because it will show you the last router in the path to a device. The last entry is
the target device. The last router is the second to last entry in the list and is the router which will know the
MAC addresses of the devices in the target subnet. In figure 7, the 10.1.1.3 router must be in the scan
range in order to get the MAC of the 10.2.2.5 edge device.
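Reading the "last router" out of TRACERT output, as an added example that is not part of the IntraVUE document or its tools. The parser works on the text format the Windows TRACERT command prints; the sample output embedded below is a constructed reproduction of that format using the addresses from the figure 7 discussion (10.1.1.3 as the router, 10.2.2.5 as the edge device), with a non-answering hop added to show how timeouts are handled.

```python
"""Find the last router in a TRACERT path, the device IntraVUE needs in the
scan range to learn the MACs of a remote subnet.

Added example, not part of the IntraVUE document. It parses the text the
Windows TRACERT command prints; SAMPLE_TRACERT is a constructed
reproduction of that format using the addresses from the figure 7 text.
"""
import re

# Hop lines start with the hop number; the rest is three timings followed by
# an address, "name [address]", or "Request timed out."
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")

SAMPLE_TRACERT = """
Tracing route to 10.2.2.5 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.100.1
  2     *        *        *     Request timed out.
  3     2 ms     1 ms     1 ms  10.1.1.3
  4     3 ms     2 ms     2 ms  10.2.2.5

Trace complete.
"""


def parse_hops(output: str) -> list:
    """Return [(hop_number, address_or_None), ...] in path order."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # banner, blank, or "Trace complete."
        number, rest = int(m.group(1)), m.group(2)
        if "Request timed out" in rest:
            hops.append((number, None))   # a hop that does not answer ICMP
            continue
        ip = IP_RE.search(rest)
        hops.append((number, ip.group(1) if ip else None))
    return hops


def last_router(output: str):
    """The second-to-last entry is the router that knows the target's MAC.
    Returns None for a single-hop trace: the target is local, its MAC is in
    the host's own ARP cache, and no router needs to be in the scan range."""
    hops = parse_hops(output)
    if len(hops) < 2:
        return None
    return hops[-2][1]


def target(output: str):
    """The last entry is the target device itself."""
    hops = parse_hops(output)
    return hops[-1][1] if hops else None


if __name__ == "__main__":
    print("last router:", last_router(SAMPLE_TRACERT))  # 10.1.1.3
    print("target:     ", target(SAMPLE_TRACERT))       # 10.2.2.5
```

On the sample, the last router comes out as 10.1.1.3 and the target as 10.2.2.5; a trace to a device in the host's own subnet has one hop and yields no router, which matches the requirement that only remote subnets need a router in the scan range. If the second-to-last hop timed out, last_router returns None, and the router's address then has to be obtained from network support.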
Figure 8
SWITCHPROBE - This is a java application provided by IntraVUE. It is available on
the host PC by selecting “START / Programs / IntraVUE / Tools / Use Switchprobe”.
Figure 9
Switchprobe is useful to verify you have the proper SNMP community set for a switch because it provides
feedback in about 5 seconds. It tests a combination of IP address and SNMP community and provides the
results that the internal scanner will see.
Figure 10
Note that you may have the right community and IP address and this tool will still fail if the switch or router
being queried has implemented Access Control Lists (ACL), and the requesting IP address (the IntraVUE
host) is not in the list. Double check the spelling of the community you used, make sure SNMP is enabled in
the switch, make sure you can ping the switch, and check the community with network support personnel.
Figure 11
Switchprobe is also useful for diagnosing why a switch does not respond as expected.
TrunkingFiles.zip is a collection of programs that finds duplicate paths between switches for networks that are entirely Cisco. If you need these
programs IntraVUE tech support will assist you in their use.
Switches - The switches can provide configuration information concerning their SNMP community, supported SNMP version, hosts that can get
data, and other data using either telnet and a command line interface or, sometimes, a web interface to the switch.
Initial Scanning and Discovery
1. The first step is to select a good computer on which to install IntraVUE.
• Windows XP and Windows Server 200X are preferred over Windows Vista.
• Is it in the same subnet as the edge devices? It should be, for best results. (Review the big blue cloud in figure 1.)
• Is it directly connected to a managed switch, and is that switch also connected to the devices in the scan range?
• If any devices are in a different subnet, you should be able to PING them and do a TRACERT to find the last router leading to the devices.
• Install the IntraVUE software.
2. If the layer 2 switches are in a different subnet from the host computer, complete a scan of only the
layer 2 switches and verify their arrangement.
• Clear the database.
• Add one network in the System Config Scanner tab.
• Select as top parent the interface (IP address) of the router which was in the TRACERT to one of the switches.
• Add the full scan range of the switches.
Figure 12
5. Make sure the default SNMP community in the Scanner tab is set to the community of the switches.
6. Set the scanner speed to either Ultra or Fast.
7. ‘Apply and Close’ the System Configuration dialog.
8. There should be a hierarchy of switches showing in the IntraVUE browser. All the switches should have
a green outline. There should be port numbers in the hover text of lines between switches.
Using the IntraVUE export function, you can create a document that lists the switches by IP and the
switches connected to them by port number.
Save the database, perhaps as Switches_Only. This will serve as a good starting point for future scans.
Figure 13
Complete a scan on one subnet/VLAN of edge devices and the switches.
• Restore the Switches_Only database if it is not the current database.
• Go into System Configure's Scanner tab and Edit the switch network.
• Add the scan range of the edge devices to the same network as the switches.
• Say OK to the scan range, OK to the Network, and Apply and Close System Config.
• Wait for all the devices to be discovered, move out of unresolved, and move to a port of a switch.
• Save this database with an appropriate name for the switches and devices you just scanned.
Investigate any auto-inserted nodes. Verify they are ALL unmanaged switches, hubs, or switches not in
the scan range. If a managed switch should be at the location of the auto-inserted node, is the switch in
the scan range? If the IP of the switch appears under the auto-inserted node and it does not have a green
outline, the SNMP community is probably not configured correctly. Contact IntraVUE tech support for
questions.
Review the System Event Log. There should not be any reports of devices continuously moving between
two locations. If there are, contact IntraVUE Tech Support to discuss possible trunking situations. There
should not be any messages from a switch reporting a MAC address was on one port and is now on
another. Enable Filters in the event log and uncheck ‘All Events’ and ‘Connections’. You should not see
any repeating moves. Then check ‘All Events’ and look for anything unusual to your understanding of the
network.
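The event-log review above looks for a MAC address that keeps moving between two ports of one switch, the signature of a trunk or redundant link that IntraVUE must be told about. Below is an added example of that check, not part of IntraVUE and not its event log format: the event records are constructed tuples (sequence, switch IP, MAC, old port, new port) standing in for the "was on one port and is now on another" messages, and the MAC and port values are hypothetical.

```python
"""Flag MAC addresses that alternate between two ports of the same switch.

Added example, not part of IntraVUE and not its event log format. Events
are constructed (sequence, switch_ip, mac, old_port, new_port) tuples
standing in for "MAC was on one port and is now on another" messages.
"""
from collections import defaultdict

# Constructed sample events. 00-00-00-00-00-01 is a hypothetical router MAC
# seen on ports 24 and 25 of switch 10.1.1.3 in turn; 00-00-00-00-00-02
# moves once (a device that was re-cabled); 00-00-00-00-00-03 moves twice.
SAMPLE_EVENTS = [
    (1, "10.1.1.3", "00-00-00-00-00-01", 24, 25),
    (2, "10.1.1.3", "00-00-00-00-00-02", 3, 7),
    (3, "10.1.1.3", "00-00-00-00-00-01", 25, 24),
    (4, "10.1.1.3", "00-00-00-00-00-01", 24, 25),
    (5, "10.1.1.3", "00-00-00-00-00-01", 25, 24),
    (6, "10.1.1.4", "00-00-00-00-00-03", 1, 2),
    (7, "10.1.1.4", "00-00-00-00-00-03", 2, 1),
]


def find_flapping(events, min_moves: int = 3) -> dict:
    """Group moves by (switch, mac) and flag a group when every move is
    between the same pair of ports and there are at least min_moves of them.
    A single move is a legitimate re-cabling; repeated A->B->A moves between
    one pair of ports point at two links carrying the same MAC, i.e. a
    trunking situation. Returns {(switch, mac): (port_a, port_b)}."""
    moves = defaultdict(list)
    for _seq, switch, mac, old_port, new_port in events:
        moves[(switch, mac)].append(frozenset((old_port, new_port)))
    flapping = {}
    for key, pairs in moves.items():
        if len(pairs) >= min_moves and len(set(pairs)) == 1:
            flapping[key] = tuple(sorted(pairs[0]))
    return flapping


if __name__ == "__main__":
    for (switch, mac), ports in find_flapping(SAMPLE_EVENTS).items():
        print(f"{mac} flaps between ports {ports} on {switch}: "
              "review trunking configuration for these ports")
```

With the default threshold only the router MAC on 10.1.1.3 is reported; lowering min_moves to 2 also catches the pair on 10.1.1.4. The ports it names are the candidates for the trunked-port configuration described under ‘Handling Trunking’ in the IntraVUE help.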
Figure 16
Before continuing, if you have Cisco VLANs you may configure IntraVUE to be more efficient by limiting the
VLANs being monitored to only the ones being scanned. See the Help file on ivserver.properties and set
‘force.cisco.vlans’ to only those being scanned. In figure 16, only VLANs 1, 501, and 502 will be queried.
Separately scan any other subnets or VLANs and review them, ONE AT A TIME. This will be time
consuming, but if the goal is ‘no surprises’ it is recommended. Repeat the following steps for each: only the
edge devices of one VLAN, plus the switches, plus the appropriate top parent.
• Restore the Switches_Only saved backup file.
• Use the Scanner tab to add the devices for this vlan or subnet
• Check the results in the same way as the first scan.
Long Term Monitoring with IntraVUE
Typically, you will want one IntraVUE network for each VLAN.
1. Clear the database.
2. If you are scanning devices local to the IntraVUE host computer, add a network and make the IntraVUE
host the top parent. Add the scan range of the local devices. Add the scan range of switches used by the
local devices.
3. For EACH other VLAN add an additional IntraVUE network. The top parent of each will be the interface
of the router (as determined by TRACERT) for that VLAN.
4. As a result, for each ‘network’ defined in the System Configuration Scanner Tab, there will be a line
coming out of the center Scanner node.
Figure 17
Review the System Event log for devices moving that are not expected to move. Most of these issues
should have been dealt with as part of discovery, but it is possible something might not surface until you
scan all VLANs at once. If this happens it is probably wise to call tech support and email a copy of your
database.
IntraVUE Technical Support - 01-978-499-7800 or help@intravue.net