Re: How to Manage VPN setup (263 Views)
Advisor
Giri Prathivadi
Posts: 27
Registered: ‎06-08-2000
Message 1 of 12 (263 Views)
Accepted Solution

How to Manage VPN setup

1) I would like to understand how to manage a network (using NNM) when I have a
VPN setup.

2) How to indicate to netmon not to discover network elements beyond the VPN
Enterprise Network Management
Honored Contributor
Albert E. Whale, CISSP
Posts: 988
Registered: ‎04-24-2000
Message 2 of 12 (263 Views)

Re: How to Manage VPN setup

Giri,

Once NNM is running, there should be little maintenance, except for enabling access through all of the gateways in your network, configuring SNMP Community strings (which are different than public), or implementing customized Map and Data Collection.

To prevent NNM from probing beyond the border of your VPN, you can unmanage the Router at the VPN, or unmanage the connector on the Router for the VPN. This will prevent NNM from probing beyond your network.

Hope that helps.



Sr. Systems Consultant @ ABS Computer Technology, Inc. http://www.abs-comptech.com/aewhale.html & http://www.ancegroup.com
Advisor
Giri Prathivadi
Posts: 27
Registered: ‎06-08-2000
Message 3 of 12 (263 Views)

Re: How to Manage VPN setup

Hi,

I thought we could use a combination of IP Address and Subnet Masks to filter
out those elements which are behind the VPN. This will stop netmon from pinging
all those systems which are not of interest to us. Don't you think this would also
work?
Enterprise Network Management
Honored Contributor
Albert E. Whale, CISSP
Posts: 988
Registered: ‎04-24-2000
Message 4 of 12 (263 Views)

Re: How to Manage VPN setup

No this won't stop it because netmon is intelligent enough to get the ARP Cache and the Routes from each Router interface.

With this information, it doesn't matter what you change the Subnet Masks to, netmon already knows what it is, and how to get there.

The best bet is to either leave the newly discovered VPN network as unmanaged (all new devices and networks should be discovered as unmanaged), and/or unmanage the connector for the VPN on the router itself.

Hope that helps.

Sr. Systems Consultant @ ABS Computer Technology, Inc. http://www.abs-comptech.com/aewhale.html & http://www.ancegroup.com
Advisor
Giri Prathivadi
Posts: 27
Registered: ‎06-08-2000
Message 5 of 12 (263 Views)

Re: How to Manage VPN setup

Hi,

Let me illustrate my problem again; I hope this will give you some idea of what
I am trying to convey....


------------------------------ Network Backbone
   |          |          |
  n11         |         n1i
              |
          VPN Switch
              |
       ----------------
       |    |    |    |
       n1   n2   n3   ni


I have my NNM installed in n11 system.
The systems n11, n1i and the VPN Switch are on a network with subnet mask 255.255.255.248,
and n1, n2, n3 and ni are in a subnet 255.255.255.251.

Now, if we apply a filter which looks something like

myElements { IPAddress ~ "XXX.XXX.XXX.X1-Xi" &&
SubnetMask == "255.255.255.248" },

does this not prevent netmon from discovering nodes n1, n2 ... ni?

Enterprise Network Management
Honored Contributor
Albert E. Whale, CISSP
Posts: 988
Registered: ‎04-24-2000
Message 6 of 12 (263 Views)

Re: How to Manage VPN setup

No, it does not.

Doesn't your network include a router? Somewhere there's a device which includes an ARP Cache, and Route Cache for links to the various Network Segments.

Did you try what I suggested?

It will work, trust me!
Sr. Systems Consultant @ ABS Computer Technology, Inc. http://www.abs-comptech.com/aewhale.html & http://www.ancegroup.com
Respected Contributor
Rich Propst
Posts: 131
Registered: ‎05-10-2000
Message 7 of 12 (263 Views)

Re: How to Manage VPN setup

I agree with Albert that unmanaging at the router would be easiest, but wouldn't the filter idea work also? If it were applied as a discovery filter it should prevent netmon from picking up and monitoring the nodes outside the VPN switch. Even though NNM may be getting the addresses from ARP cache somewhere, they would not be added to the OV databases and would never be pinged. Any VPN addresses already discovered would have to be removed from the DB using ovtopofix -f.

Incidentally, is the subnet mask for the VPN (255.255.255.251) you mentioned a typo? That's not a valid subnet mask.

Rich
Advisor
Giri Prathivadi
Posts: 27
Registered: ‎06-08-2000
Message 8 of 12 (263 Views)

Re: How to Manage VPN setup

Hi,

I am still confused.
What I feel is that, even though netmon can pull out information from the ARP cache
of a router to reach nodes behind the VPN, since the IP and subnet do not match
the IP and subnet mask specified in the discovery filter, those elements should get
dropped out.

The answer that you are suggesting will work only after an element has been discovered
and you don't want to manage it any longer.

What I am looking at is to automatically drop out nodes which do not satisfy my
filter condition.
Enterprise Network Management
Honored Contributor
Albert E. Whale, CISSP
Posts: 988
Registered: ‎04-24-2000
Message 9 of 12 (263 Views)

Re: How to Manage VPN setup

Ah Yes, I see said the Blind man as he picked up his hammer and saw .....


A Discovery Filter could contain netmon to the network segments that you want to poll.

There's a Great Manual discussing this topic at
http://docs.hp.com/dynaweb/hpux11/nwsmen1a/b1069/@Generic__BookView?DwebQuery=Discovery+Filter

Here's the decisive manual information:

Discovery Filtering
Discovery filters specify which devices an NNM station is actively discovering and monitoring. The purpose of discovery filtering is to reduce the discovery and monitoring effort of the station. Different stations have independent (though possibly identical) discovery filters.

Discovery filtering limits the scope of objects that netmon adds to the collection station topology database. To unmanage objects and limit the set of nodes that are polled at all, refer to Managing Your Network with HP OpenView Network Node Manager. The filter may be set to pass, for example:

Gateways.

Bridges, routers, and hubs.

All devices.

Nodes based on their sysObjectID.

Objects inside or outside of a particular range of IP addresses.

By default, Segments and Networks pass the discovery filter.

Discovery filtering is achieved by configuring the netmon service; the filter is then applied to all newly discovered objects. Objects that are rejected by the discovery filter never appear in any topology or object database.

Discovery filters are data-stream filters; changes to a discovery filter affect new data only. All objects that previously passed the filter remain in the data stream, regardless of whether they would currently pass or not, and polling is still done on all previously discovered objects whether or not they would now pass the filter. You can, however, use the ovtopofix command to change the set of previously discovered objects.

Implement any discovery filtering on an NNM station before you begin using it as a collection station; this will improve overall performance, by reducing the amount of synchronization effort.


--------------------------------------------------------------------------------

Hope this helps.

Sr. Systems Consultant @ ABS Computer Technology, Inc. http://www.abs-comptech.com/aewhale.html & http://www.ancegroup.com
Advisor
Giri Prathivadi
Posts: 27
Registered: ‎06-08-2000
Message 10 of 12 (263 Views)

Re: How to Manage VPN setup

Hi Rich,

I did not see your mail earlier. What I have written in my previous mail is just what
you have put in your comments. The subnet mask which I had indicated was
just for the purpose of illustration only.

Thanx for your response,

Giri
Enterprise Network Management
Honored Contributor
Albert E. Whale, CISSP
Posts: 988
Registered: ‎04-24-2000
Message 11 of 12 (263 Views)

Re: How to Manage VPN setup

Please let me know if you need more information about applying discovery Filters.

Sr. Systems Consultant @ ABS Computer Technology, Inc. http://www.abs-comptech.com/aewhale.html & http://www.ancegroup.com
Respected Contributor
Rich Propst
Posts: 131
Registered: ‎05-10-2000
Message 12 of 12 (263 Views)

Re: How to Manage VPN setup

Giri,

I've been bitten by discovery filters more than once. If you're not careful, you can filter out a lot more than you think or want to. I always define the filter, then apply it as a map filter just to make sure everything I want still shows up before I apply it as a discovery filter. Also, if your network is growing or changing a lot, your filter may be blocking some nodes you want to discover.

Good luck!
Rich
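
Added example, not part of any post in this thread and not NNM code: a dry run of an IP-range discovery filter against known and newly seen addresses, plus the contiguity check behind the remark that 255.255.255.251 is not a valid mask. The per-octet pattern syntax, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def valid_mask(mask):
    """True if the dotted mask is contiguous 1-bits followed by 0-bits."""
    try:
        value = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    host_bits = value ^ 0xFFFFFFFF
    return (host_bits & (host_bits + 1)) == 0  # host bits must be 2**n - 1

def octet_matches(pattern, octet):
    """Match one octet against '*', 'N' or 'N-M' (assumed pattern syntax)."""
    if pattern == "*":
        return True
    low, _, high = pattern.partition("-")
    return int(low) <= octet <= int(high or low)

def ip_matches(pattern, address):
    """Match a dotted IPv4 address against a per-octet range pattern."""
    parts = pattern.split(".")
    octets = [int(o) for o in address.split(".")]
    return len(parts) == 4 and len(octets) == 4 and all(
        octet_matches(p, o) for p, o in zip(parts, octets))

def preview(pattern, in_database, newly_seen):
    """Dry run of an IP-range discovery filter.

    Returns (added, rejected, stale). 'stale' lists nodes already in the
    database that fail the filter: a data-stream filter only screens new
    objects, so these stay and keep being polled until removed separately.
    """
    added = [a for a in newly_seen if ip_matches(pattern, a)]
    rejected = [a for a in newly_seen if not ip_matches(pattern, a)]
    stale = [a for a in in_database if not ip_matches(pattern, a)]
    return added, rejected, stale

# Constructed sample data (documentation address ranges, not from the thread).
PATTERN = "192.0.2.1-6"                       # backbone hosts, mask 255.255.255.248
IN_DATABASE = ["192.0.2.1", "198.51.100.10"]  # second node sits behind the VPN
NEWLY_SEEN = ["192.0.2.2", "192.0.2.3", "198.51.100.11", "198.51.100.12"]

if __name__ == "__main__":
    for mask in ("255.255.255.248", "255.255.255.251"):
        print(mask, "valid:", valid_mask(mask))
    added, rejected, stale = preview(PATTERN, IN_DATABASE, NEWLY_SEEN)
    print("would be added:   ", added)
    print("would be rejected:", rejected)
    print("still polled:     ", stale)
```
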