
Network adaptation and self-discovery based on SNMP (recommended for friends who develop operations and maintenance automation platforms and infrastructure support)

2025-02-03 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Motivation of network adaptation and self-discovery

Avoid manual initial configuration and updating of network equipment

Discover network infrastructure data and fill in the data of organizational process assets

Maintain an accurate description of the network devices to be supported through regular data updates

Efficient network operations and planning

Asset inventory management (CMDB): an accurate inventory of all hardware and software assets

The core of the network management system: accurate locating, automatic generation of network topologies and clear presentation of logical relationships

Target of output

Timely, effective and accurate location and troubleshooting of security risks and faults

"to know what we have, where and how to use it."

Device discovery

Discover network devices through IP addresses:
Scan the IP address range (ping, snmp)

Discover network devices, topology and IP address space:
Start from the core switch
Scan the subnetworks on each interface
Go hop by hop, using the next hop in the routing table
Walk through the network topology and find connected devices
Discover the IP address space
Use CDP or LLDP
L3 network topology - subnets on each interface

Discover network devices through MAC addresses - each LAN / VLAN:
Check the ARP table on each device interface
Match the IP and MAC addresses
Look for switches on the local area network
Query the switch forwarding tables
Understand the DHCP pools in the network
L2 network topology (forwarding tables, STP)

Detect the device type: routers, switches, UPS, hosts (Linux, Windows...)

Detect the device vendor

Detect the device model

Detect the device resources (attributes): system name, model, serial number

Detect the device components and their resources:
Interfaces
Physical entities - modules, cards, CPU, memory
Logical entities - storage partitions, virtual memory, routing tables, connected users, BGP peers, QoS policies, etc.
Software components - installed software, running processes

OK, ladies and gentlemen, the outline has been listed. Let's go ahead and share the specific implementation logic. Otherwise, Daniel will surely say that it is all big, empty and impractical, so let's put the specifics into practice:

Using SNMP-CLI

snmpwalk command

snmpwalk -v 2c -c 1qaz@WSX 100.100.32.10

Standard MIBs

System (.1.3.6.1.2.1.1)

Name, description, uptime

Response bindings:

1: sysObjectID.0 (object identifier) enterprises.9.1.516

2: sysUpTimeInstance (timeticks) 42 days 23h:23m:48s.31th (371302831)

3: sysContact.0 (octet string) (zero-length)

4: sysName.0 (octet string) WS-C3750v2-48TS [57.53.2D.43.33.37.35.30.76.32.2D.34.38.54.53 (hex)]

5: sysLocation.0 (octet string) (zero-length)

6: sysServices.0 (integer) 6

7: sysORLastChange.0 (timeticks) 0 days 00h:00m:00s.00th (0)

8: sysORID.1 (object identifier) enterprises.9.7.129

9: sysORID.2 (object identifier) enterprises.9.7.115

10: sysORID.3 (object identifier) enterprises.9.7.265

Interfaces (IF-MIB)

ifTable (.1.3.6.1.2.1.2.2), ifXTable (.1.3.6.1.2.1.31.1)

IP (IP-MIB)

ipAddrTable (.1.3.6.1.2.1.4.20) - IP addresses in use

ipRouteTable (.1.3.6.1.2.1.4.21) - routing table

Some switches with routing functions, such as the Cisco 3750, expose their routing information under (.1.3.6.1.2.1.4.24)

ICMP (IP-MIB)

icmpStatsTable (.1.3.6.1.2.1.5.29) - statistics of ICMP packets

At present, this part is widely used in big data analysis, equipment condition monitoring and even in APM.

UDP (UDP-MIB)

udpTable (.1.3.6.1.2.1.7.5)

TCP (.1.3.6.1.2.1.6)

How do I identify the type of device?

Discovery test - retrieves values that are unique to a specific device type

Router

How do I identify the router?

Routing table? The host also has a routing table.

sysServices (.1.3.6.1.2.1.1.7)

The bits set in the return value indicate the OSI/TCP layers at which the device operates

For example: 6 (dec) = 0110 (bin) - layer 3 and layer 2 (L3 switch)

ipForwarding (.1.3.6.1.2.1.4.1) in IP-MIB

forwarding (1) - for routing-capable devices

not-forwarding (2) - for all other devices

The examples above are already very detailed, so I will not take screenshots and analyze each one. I will paste the OIDs directly as follows:

BGP protocol (BGP4-MIB)

bgpPeerTable (.1.3.6.1.2.1.15.3)

OSPF protocol (OSPF-MIB)

ospfAreaTable (.1.3.6.1.2.1.14.2), ospfLsdbTable (.1.3.6.1.2.1.14.4)

MPLS (MPLS-LSR-MIB, MPLS- × × ×-MIB)

mplsInSegmentTable (.1.3.6.1.3.96.1.3)

mplsOutSegmentTable (.1.3.6.1.3.96.1.6)

BRIDGE-MIB

Discovery test

dot1dBaseBridgeAddress (.1.3.6.1.2.1.17.1.1)

dot1dBasePortTable (.1.3.6.1.2.1.17.1.4)

Pairs switch ports with interfaces (ifTable)

HOST-RESOURCES-MIB

Discovery test

hrSystem (.1.3.6.1.2.1.25.1)

hrSystemUptime (.1.3.6.1.2.1.25.1.1), hrSystemDate (.1.3.6.1.2.1.25.1.2)

hrStorageTable (.1.3.6.1.2.1.25.2.3)

hrDeviceTable (.1.3.6.1.2.1.25.3.2)

hrProcessorTable (.1.3.6.1.2.1.25.3.3)

private.enterprises (.1.3.6.1.4.1) subtree

Cisco (.1.3.6.1.4.1.9)

Apc (.1.3.6.1.4.1.318)

Microsoft (.1.3.6.1.4.1.311)

JuniperMIB (.1.3.6.1.4.1.2636)

Vmware (.1.3.6.1.4.1.6876)

.

For more information, please see the complete vendor list that I shared earlier. To support unknown devices that speak SNMP, you need to keep updating the library.

sysObjectID (.1.3.6.1.2.1.1.2)

Returns vendor specific OID which defines device model

Example:

sysObjectID = .1.3.6.1.4.1.9.1.283

CISCO-PRODUCTS-MIB (.1.3.6.1.4.1.9.1)

OID .1.3.6.1.4.1.9.1.283

Identifier

Type: name: Cat6509

Returns no date

The above is for discovering Cisco chassis (frame) devices, which will have different modules and boards.
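The discovery tests above (sysObjectID, sysServices, ipForwarding, BRIDGE-MIB and HOST-RESOURCES-MIB) combined into one classifier, as an added example that is not code from the original article. It assumes numeric `snmpwalk -On -Oe` output; the function names, the sample walks and the order in which the tests are applied are assumptions of this example.

```python
import re

# Enterprise numbers from the private.enterprises list on this page.
VENDORS = {9: "Cisco", 318: "APC", 311: "Microsoft", 2636: "Juniper", 6876: "VMware"}
SYS_OBJECT_ID = ".1.3.6.1.2.1.1.2.0"
SYS_SERVICES = ".1.3.6.1.2.1.1.7.0"
IP_FORWARDING = ".1.3.6.1.2.1.4.1.0"
BRIDGE_ADDR = ".1.3.6.1.2.1.17.1.1.0"  # dot1dBaseBridgeAddress
HR_SYSTEM = ".1.3.6.1.2.1.25.1."       # hrSystem subtree
LINE = re.compile(r"^(\.[\d.]+) = (?:[\w-]+: )?(.*)$")

def parse_walk(text):
    """Parse numeric (`snmpwalk -On -Oe`) output into {oid: value}."""
    pairs = (LINE.match(ln.strip()) for ln in text.strip().splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}

def layers(sys_services):
    """sysServices is the sum of 2**(L-1) over each layer L the device serves."""
    return [n for n in range(1, 8) if sys_services & (1 << (n - 1))]

def classify(varbinds):
    m = re.match(r"\.1\.3\.6\.1\.4\.1\.(\d+)", varbinds.get(SYS_OBJECT_ID, ""))
    vendor = VENDORS.get(int(m.group(1)), "unknown") if m else "unknown"
    forwards = varbinds.get(IP_FORWARDING) == "1"          # forwarding(1)
    bridge = BRIDGE_ADDR in varbinds                       # BRIDGE-MIB discovery test
    host = any(o.startswith(HR_SYSTEM) for o in varbinds)  # HOST-RESOURCES-MIB test
    # The precedence of the tests is an assumption of this example.
    if bridge:
        kind = "L3 switch" if forwards else "L2 switch"
    else:
        kind = "router" if forwards else ("host" if host else "unknown")
    served = layers(int(varbinds.get(SYS_SERVICES, "0")))
    return {"vendor": vendor, "type": kind, "layers": served}

# Constructed samples; the first reuses sysObjectID and sysServices from the walk above.
SWITCH = """
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.9.1.516
.1.3.6.1.2.1.1.7.0 = INTEGER: 6
.1.3.6.1.2.1.4.1.0 = INTEGER: 1
.1.3.6.1.2.1.17.1.1.0 = Hex-STRING: 00 1A 2B 3C 4D 5E
"""
HOST = """
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.311.1.1.3.1.1
.1.3.6.1.2.1.1.7.0 = INTEGER: 72
.1.3.6.1.2.1.4.1.0 = INTEGER: 2
.1.3.6.1.2.1.25.1.1.0 = Timeticks: (371302831) 42 days, 23:23:48.31
"""
for name, walk in (("switch", SWITCH), ("host", HOST)):
    print(name, classify(parse_walk(walk)))
```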

It can be expected that, through topology discovery technology, we can continuously identify the network address space and explore the boundaries of the network; we can continuously survey terminal devices, which takes place in the core of the network and does not need to install terminals; and at the same time we can continue to accumulate device metadata and behavior data.

These capabilities can find networks that are not recorded in files, rogue devices in the network, and even devices with threat characteristics, and so on. The cost of eliminating these network security risks is relatively small, which is an important reason why I prefer the application of topology technology in network security.
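One way to turn the ARP-table step of device discovery into a check for unrecorded devices, as an added example that is not code from the original article. It assumes the ARP table is read from ipNetToMediaPhysAddress (.1.3.6.1.2.1.4.22.1.2, an IP-MIB object not listed on this page) with `snmpwalk -On`; the walk, the inventory and the function names are constructed for illustration.

```python
import re

# ipNetToMediaPhysAddress.<ifIndex>.<ip>: ARP table column (assumed source of the data).
ARP_PHYS = ".1.3.6.1.2.1.4.22.1.2."
ROW = re.compile(re.escape(ARP_PHYS)
                 + r"(\d+)\.(\d+\.\d+\.\d+\.\d+) = Hex-STRING: ([0-9A-Fa-f ]+)$")

def parse_arp(text):
    """Return (ifIndex, ip, mac) rows from numeric snmpwalk output of the ARP table."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            mac = ":".join(m.group(3).split()).lower()
            rows.append((int(m.group(1)), m.group(2), mac))
    return rows

def audit(rows, inventory):
    """Compare observed IP/MAC pairs with an inventory mapping mac -> recorded ip."""
    findings = []
    for ifindex, ip, mac in rows:
        if mac not in inventory:
            # Device answers on the LAN but is not in the asset records.
            findings.append(("unknown-mac", ip, mac, ifindex))
        elif inventory[mac] != ip:
            # Known device seen on an address the records do not expect.
            findings.append(("ip-mismatch", ip, mac, ifindex))
    return findings

# Constructed ARP walk from one device (192.0.2.0/24 is a documentation range).
ARP_WALK = """
.1.3.6.1.2.1.4.22.1.2.10.192.0.2.10 = Hex-STRING: 00 1A 2B 3C 4D 5E
.1.3.6.1.2.1.4.22.1.2.10.192.0.2.11 = Hex-STRING: 00 1A 2B 3C 4D 5F
.1.3.6.1.2.1.4.22.1.2.20.192.0.2.50 = Hex-STRING: 02 00 5E 10 00 01
"""
# Constructed CMDB extract (hypothetical): mac -> recorded ip.
INVENTORY = {"00:1a:2b:3c:4d:5e": "192.0.2.10", "00:1a:2b:3c:4d:5f": "192.0.2.12"}

for finding in audit(parse_arp(ARP_WALK), INVENTORY):
    print(finding)
```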

At present, many situational awareness devices and even SOCs need SNMP to obtain device status information and log information, including process and even application status monitoring, to grasp the real-time status of the network. With the development of SDN, some manufacturers do not go through OpenFlow but through network virtualization technology to inspect the flow tables in virtualized network devices and security devices. Traditional traffic detection still uses NetFlow. However, according to the survey, most virtualized devices still support SNMP. Whichever technology is used, the goal is simply to make the enterprise's internal resources visible: "topology visualization", "traffic visualization", "device configuration information visualization", "asset visualization" and so on.

The specifics are still under continuous study and practice, and I also hope that friends who study this field will discuss them together.
