%text>
Netdisco 1.1 - README
Netdisco is maintained by a team of Open Source developers headed by Eric Miller, Bill Fenner, Oliver Gorwits, Jeroen van Ingen and Max Baker.
Netdisco is an Open Source web-based network management tool.
Designed for moderate to large networks, configuration information and connection data for network devices are retrieved and set by SNMP. With Netdisco you can locate the switch port of an end-user system by IP or MAC address. Data is stored using a SQL database for scalability and speed.
Cisco Discovery Protocol (CDP), Foundry Discovery Protocol (FDP), Link Layer Discovery Protocol (LLDP), and SynOptics Network Management Protocol (SONMP) optionally provide automatic discovery of the network topology.
The network is inventoried by both device model and operating system (like IOS). Netdisco uses router ARP tables and L2 switch MAC forwarding tables to locate nodes on physical ports and track them by their IP addresses.
For each node, a time stamped history of the ports it has visited and the IP addresses it has used is maintained. Netdisco gets all its data, including topology information, with SNMP polls and DNS queries. It does not use CLI access and has no need for privilege passwords. Security features include a wire-side Wireless Access Point (AP) locator.
Netdisco was created at the University of California, Santa Cruz (UCSC), Networking and Technology Services (NTS) department. UCSC continues to support the development of Netdisco by providing development servers and beer. The Netdisco project is hosted by Source Forge.
From the web interface devices connected to switch and router ports are listed by MAC address. A history of which switch ports a MAC address has been seen at is kept. With a click the you can browse a network device connected to an uplink port. With another click you can disable or enable the switch port, logging the reason, user and date.
Network administrators can disable and enable ports without having to know enable or privilege passwords. Reasons for switching on/off ports are logged for end-of-the-year auditing and reporting. Non-IOS savvy managers can control port access from a familiar browser interface. This feature was designed with a University Residential Networks (ResNet) in mind.
Only users you specify in Netdisco will have access to switch off a port. Netdisco will also not allow people to switch off uplink ports by accident.
public@101
)
Netdisco supports any Network device that talks SNMP and has basic information available through MIB-II (RFC 1213). Additional vendor-specific information is available for a number of devices, but especially for Cisco, Extreme, Foundry, HP, and Nortel/Bay devices.
Device support is handled through SNMP::Info
-- a Perl module that is
an integral part of Netdisco that handles device-specific code. See the
Device Matrix
at http://snmp-info.sourceforge.net for a list of
devices that have been tested against Netdisco. SNMP::Info can be extended
for new families of devices relatively easily with a little Perl knowledge.
Please use the netdisco-users
mailing list for all problems and comments.
http://lists.sourceforge.net/lists/listinfo/netdisco-users
In case of bugs, please use the Bug interface from SourceForge page at:
http://sourceforge.net/projects/netdisco
Any device connected to the network that contributes to the physical topology. Devices need to be accessible via SNMP. A device usually has multiple interfaces (ports) and can have multiple IP addresses.
A node is anything connected to a device. Nodes are uniquely identified by their MAC addresses. A node may or may not have IP addresses associated with it.
Technical Answer : The process in Netdisco that goes out to all Layer-2 devices and gets the Forwarding Tables / CAM Tables. Each row in the table maps a MAC address to a switch port. This process is what makes devices show up on switch ports.
Netdisco will attempt to detect uplink ports in case you are missing topology data during macsuck. Check the logs of the macsuck / macwalk for notifications of detected uplink ports, and add that data to your netdisco-topology.txt.
Fun Answer - From Douglas M. McKeown :
"This is where you go to a switch (Layer 2) and find all the MAC (or Ethernet Hardware) addresses which this device is connected to. So you plug your Dell into your HP Switch and that HP Switch is uplinked to your Core switch (not using the word router here. we're talking simple, physical network connections, sort of like electrical wires.) Well your Dell has a MAC address of let's say "A" and amazingly, your HP switch has a MAC address of "B" and your Core switch has an address of "1". Well if you Macsuck your Core switch, it doesn't have your Dell connected to it, but it does have "B" which is another switch. So you Macsuck "B" and it has MAC addresses for 1, B and A! You don't really Macsuck an end device (your Dell).
So what do we know?
- Core (1) knows about HP Switch "B". - HP Switch "B" knows about Core (1) and Dell "A". - Dell "A" knows about HP Switch "B".
Does "1" know about "A" ? If it's a router it does. Otherwise it asks who has "A" and switch "B" says, I know! So 1 goes to B which goes to A.
Got it?"
The process in Netdisco that goes out to every Layer-3 device and gets its ARP cache. Each entry in the ARP Cache maps a MAC address to an IP address.
This process is what lets Netdisco map an Ethernet address to an IP address. Combined with the Macsuck process, Netdisco can ultimately resolve an IP address to a switch port.
If you have a small network that only has layer-2 devices on it, and you use a Linux or BSD box as your router, you will need to install net-snmp on the machine, and then have netdisco discover that machine. Otherwise you will not be able to resolve a MAC address to an IP address.
Having topology information is crucial for Netdisco to function. So. if you network does not support one of the above Layer2 discover protocols, you must put the information in the netdisco-topology.txt file.
See Topology Information in this file.
From Douglas McKeown :
"CDP is the Cisco Discovery Protocol. Sort of an add-on for when switches talk to switches about who's connected to whom. CDP quickly tells other switches that it has switches connected. Netdisco really likes CDP a lot for mapping out the network and automatically discovering the topology. If your devices don't use CDP, then you need to work with the netdisco-topology.txt file to create a layout of your network."
Note that LLDP (IEEE Standard), FDP (Foundry), and SONMP (Nortel/Bay) are supported, and anywhere you see CDP you can assume we mean LLDP, FDP, and SONMP too.
WARNING! There is a potential community string exposure when Netdisco is auto-discovering
network equipment (netdisco
-r). If a malicious host were to implement CDP and Netdisco were
to discover that host, Netdisco would send all read-only community strings to
that device in an attempt to add it to the topology.
There are two main ways to avoid this exposure:
Use the discover_only and/or discover_no configuration keywords to
control what IP addresses netdisco will be permitted to visit.
discover_only
is inclusive, and discover_no
is exclusive;
it's recommended to use discover_only
if feasible.
When using this method, check the backend log for devices visible via CDP but not via SNMP. These may point out the need to expand the range that is discoverable, or may be instances of this class of attack.
Additionaly discover_no_type
can be used to prevent netdisco
from visiting certain devices based on the device_type returned by CDP.
This solution involves disabling CDP and other discovery protocols from your user-connection ports, and leaving it on on inter-device ports. Unfortunately, in some configurations, user-connection ports are inter-device ports, e.g., especially when you want to keep the ability to easily add a phone to a port that didn't have one previously.
Sample IOS
Code for above:
interface range fastethernet1/1-32 no cdp enable
Make sure you don't disable CDP on any ports that are connected to
other pieces of infrastructure.
Also make sure you don't use the global command no cdp run
, since that will
disable CDP entirely.
See the INSTALL document for instructions and requirements to install Netdisco.
Netdisco has three components :
The back-end talks to devices via SNMP. Contained in the back-end is the logic to create the topology, collect statistics and generate graphs.
Most of the back-end is controlled by cron jobs.
A background daemon is put resident to run maintenance tasks collected from the front-end. This keeps these sometimes memory intensive tasks and code out of the httpd processes.
Netdisco uses PostgreSQL to store all its information. Careful abstraction of the database calls means that Netdisco can be ported to another SQL platform easily. Hooks to use other databases are present.
The front-end operates on stored data only. This abstraction is both for speed and security.
Some front-end administration tasks are put in a queue in the database that a daemon running from the back-end picks up and processes.
The number of people using Netdisco can scale with the web server capacity, and will create no extra load on the devices.
Batch Mode. Redirect output to log file. Log file directory set in configuration file under datadir.
Set Config file. Default is netdisco.conf.
DEBUG. Sends copious information to STDOUT
No Log. This will not add entries to the log table.
Delete Nodes. Used with --expiredevice only.
New Only. On a network discovery -r, only discover found devices that aren't in the database.
Port. Specify Port for removal of nodes -e.
Debug. carp()
SQL commands. Sets $netdisco::SQLCARP to 1.
archiVe nodes. Used with -e only.
Arp Walk. ArpNip each device that has Layer 3 capabilities.
ArpNip. ArpNip's a single device. See ArpNipper in Design.
Devices listed in arpnip_no
in the config file are excluded.
If there is a arpnip_only
entry in the config file, devices
not listed are excluded.
See the entry below.
Backup and Nightly Maintenance.
Devices and nodes that are old using the expire_*
config file directives (see below).
Archive data files for node,node_ip,device, and device_ip tables.
Database cleanup routines (-K) as well.
NMIS config file if nmis_dump is set.
This routine should be run nightly.
For a full backup run sql/pg --back to backup the whole database.
Discover Device.
IP addresses and subnets listed in discover_no
in the config file
are excluded.
If there is a discover_only
entry in the config file, IP addresses
and subnets not listed are excluded.
See the entry below.
Expire Nodes for given device. Use -V to archiVe instead of delete. Specify a port with -P to delete or archive nodes on a per port basis.
Finds all devices in given subnet and runs expire nodes on each. Will display devices effected and then ask for confirmation.
Subnet is specified in CIDR format :
192.168.0.0/24
Delete a device. Use -n to delete nodes as well.
Discover Device from given File. Used to restore backed up info from -B, and to discover devices that are not available through topology information. Use -T to only import Topology Information.
Graph. Creates graph using GraphViz. Can create image output (png,gif) or vector output (svg).
NOTE: You can safely ignore all warnings about size too small for label
.
Make sure you have a relatively new version of GraphViz. You need a newer version of GraphViz if you get an error similar to:
Creating CMAP : /usr/share/netdisco/html/netmap.map warning, language cmap not recognized, use one of: ps hpgl pcl mif...
Prints out command line usage.
Change IP address of device. Creates new entry, removes old one and moves nodes over to the new one.
Expire IP Addresses from node_ip table. This will delete entries from the node_ip table that are not matching entries (MAC Addresses) found in the node or device_port tables.
alias klean-up. DANGEROUS. Deletes from the device table any IP address that is found as an alias in the alias table.
Database Node Klean-up. Permanently deletes nodes matching:
Mac Suck each device in the database that has Layer 2 capabilities.
Mac Suck given device only.
Devices listed in macsuck_no
in the config file are excluded.
If there is a macsuck_only
entry in the config file, devices
not listed are excluded.
See the entry below.
Import OUI information from oui.txt
Control the Admin Daemon. Takes arguments (start,stop,status,restart).
Walk the network with the given (comma-seperated) root(s). Use -N to discover new devices only. Given root devices will always be discovered.
Refresh devices. Will run a discover (-d) for each device in the database.
Import Topology Data. Will import manual topology data stored in file specified by configuration option topofile . Use -F to specify a different file from the command line.
It is not necessary to do this after every change. This is only a convenience switch.
Add or Change a User. Supply all four arguments (user pw port_control admin) for command-line control, or supply less for interactive prompts.
It's better to use interactive prompts so that the password doesn't get stored in your shell history file and exported to the process table.
The admin daemon is a copy of netdisco
that runs in the background. From the web Admin Panel
,
jobs are put in a queue in the database. The daemon picks up these jobs and executes them from the
back-end as user netdisco
. The daemon is restarted daily in a cron job, or can be manually started
as root :
su - netdisco -c "/usr/share/netdisco -p restart"
This feature integrates Netdisco with other databases that have port info.
Port Info was designed around data coming out of a Pinnacles database at UCSC, and might
prove to be site-specific. However, see port_info.html
for a good example of how to access other
databases using the netdisco.pm
SQL routines.
Enable this feature by setting port_info
to true in netdisco.conf
Port Control allows a user of Netdisco to administratively turn a port on or off.
To do this the back-end requires a read-write community string for the device in question. The admin daemon must also be enabled. Netdisco keeps a log for each port holding information about why a port was turned on or off.
A reason for turning switch the port is chosen from a list to provide future audits of admin activity.
The user and IP address of the request are stored. To change the default reasons, modify the
%PORT_CONTROL_REASONS
hash in netdisco.pm
Optionally if the portctl_email
setting is set in netdisco.conf
, an e-mail is sent out with a
notification of the switching. Locally at UCSC that e-mail is sent to an administrative mailing list.
To turn this feature off uncheck the Port Control
checkbox from all users in the Admin Panel
.
By default Netdisco will be allowed to shut off
- Switch Ports - IP Phones - Router Ports that are NOT uplinks
By setting certain config file directives you can allow Netdisco to shutoff uplink ports and VLAN interfaces. But this is REALLY NOT RECOMMENDED. See below for the required commands.
The Web Console allows netdisco to front-end the web interface of a switch or router. Traffic can then be routed over https, through Netdisco's web server. An additional security layer is added by requiring the user to be logged into Netdisco. The normal security measures used by the device's web server are still active.
The Web console is a reverse proxy that runs on Apache. You must enable it in netdisco_apache.conf
and
netdisco_apache_dir.conf
. The add devices and models to the configuration lines web_console_vendors
and
web_console_models
in netdisco.conf
.
To refresh or discover a device and its ports, use the -d command:
netdisco -d mydevice
It is not necessary to import the topology information after changing netdisco-topology.txt. You should however restart the admin daemon. The topology text file is re-parsed each time you run netdisco.
As a convenience you can use the topology file to quickly seed Netdisco with devices.
To import all the topology information at once make sure the topology filename is set in netdisco.conf
and use the -T command:
netdisco -T
Hit Ctrl-C if you are running a netdisco process, or send the job the INT signal. The job can cleanup after itself, write out its stats and log entries.
kill -INT jobpid
There is currently no way to stop a job inside the Admin daemon. Send the daemon an INT signal and it will terminate after its current job has completed.
If a device is being replaced with a different device and a different IP, see Deleting a Device below.
netdisco -i old-ip-address new-ip-address
Changing the IP address of a device will:
In order for Netdisco to be self-maintaining data has to be taken out of the database as well as put in. The following config file directives are used to auto-prune stuff from the database :
See each item's entry in the Config File Section below for more details.
The expire data routines are called from the -B/Backup routine, which should be running nightly via cron.
To delete a device use the -E command followed by the device name or IP. Set -n to delete all the nodes seen on that device as well
This is rather permanent. Make sure you run -Backup before you do this.
Nodes consist of two components -- the switch port to MAC address mapping in the node
table,
and the MAC address to IP mapping in the node_ip
table.
To remove nodes from a switch, use the Admin Panel on the web side and choose either
Delete Nodes
or Archive Nodes
. Archiving nodes will set the archive bit so that the
data will be available, but not always showing. You can also delete nodes from the command
line using the -e command with or without the -V flag.
Database Cleanup -K will delete nodes that seem to be extraneous. See -K for more details.
Once you have cleared out nodes from a switch, then run -I to remove unused node to IP mappings.
This is rather permanent. Make sure you run -Backup before you do this.
The easiest way to add a user is to use the Add User
form in the Admin Panel. After first installing
Netdisco you need to add an admin user by running -u.
If you are moving your Netdisco install over to another machine and you want to keep your users table, here is the process :
source$ pg_dump -a -d -U netdisco -t users netdisco > user_dump.sql source$ scp user_dump.sql dest:
dest$ cd /usr/share/netdisco/sql dest$ ./pg /path/to/user_dump.sql
See "How the Switch Selects the IP Address To Include in Outbound CDP Packets" in ftp://ftp.hp.com/pub/networking/software/59692375_e1.pdf
The device is probably newer than your Cisco MIBs. Redownload ftp://ftp.cisco.com/pub/mibs/v2/v2.tar.gz and install these newest mibs into /usr/local/share/snmp/mibs.
For some reason over here at UCSC, things get real slow in Postgres after a while. Even though we are doing frequent VACUUM's on all the data, it seems to be dragging down after a while.
This turns out to be an INDEX bloat problem on Postgres versions less than 7.4. Recently doing this on a Postgres 7.3 install changed the amount of space that Netdisco's database was using from 16G to 400M !!!
In order to fix this we do a VACUUM FULL ANALYZE VERBOSE
and REINDEX
from pg
.
This command locks each table before it does the VACUUM, and therefore can be more thorough.
It's a good idea to take netdisco down temporarily while you do this. I do this about
once a month, or when I notice it dragging down. Use Netdisco Statistics
as a good metric
of things slowing down. This may get fixed with changes in VACUUM in Postgres 7.4 and above.
Procedure for doing a vacuum full (as root):
/usr/share/netdisco/bin/netdisco_daemon stop
crontab -u netdisco -r
/usr/local/apache/bin/apachectl graceful
ps killall netdisco
Before:
df -h /usr/share/netdisco/sql/pg # before comparison : select relname, relpages from pg_class order by relpages desc;
REINDEX TABLE node; REINDEX TABLE node_ip; REINDEX TABLE device; REINDEX TABLE device_port; REINDEX TABLE device_port_log; VACUUM FULL ANALYZE VERBOSE;
# after comparison : select relname, relpages from pg_class order by relpages desc; \q
After:
df -h
/usr/local/etc/rc.d/010.pgsql restart
OR
/etc/rc.d/init.d/pgsql restart
OR
/etc/rc.d/pgsql restart
/usr/local/apache/bin/apachectl graceful
crontab -u netdisco /usr/share/netdisco/netdisco.crontab
/usr/share/netdisco/bin/netdisco_daemon start
If your admin queue is just getting too long and you want to clear it you can do it by just dropping the table and readding it.
cd sql ./pg admin.sql
Topology information is crucial to Netdisco's performance. It allows the application to know which ports are uplink ports and which have connected nodes. Ports that are uplink ports that are not marked so in Netdisco will appear to steal MAC address entries from their rightful ports. So it is critical to use the topology file and CDP/FDP/SONMP to maintain a topology.
During macsuck if Netdisco finds the MAC address of a known device or switch port, then that port is marked as an uplink. Nodes will not collect at these switch ports, and a warning message will be printed. Check the logs of your macsuck and macwalk jobs in order to find and correct autodetected uplink ports. Add these ports to your netdisco-topology.txt file.
Netdisco will auto-discover the layer-two topology of a network using CDP. However, many networks have parts of the topology that are not covered by CDP.
Use the manual topology file netdisco-topology.txt
to supply the layout of
the network if your network has devices that don't talk CDP or misreport
information.
The manual topology file only requires one side of the data to be entered. Both directions of a link will be forced to the given data if one side is listed.
File Format
The format of the manual topology consists of four types of lines:
Comments are delimited with a #
They can happen on any line. Escape as \#
if
you need to use a literal pound sign.
Any line that does not start with link:
or alias:
is assumed to be a the DNS name or
IP address of a network device.
Lines that start with link:
connect two devices together. The format is
link:outgoing port,destination device,Destination port
The outgoing port belongs to the device listed above the link:
line.
The Destination Device and Port tell Netdisco who is on the other end of this link. The device can be a DNS name or an IP Address.
NOTE: The port names must match exactly how Netdisco sees it. Go to the
device and check it out. You might think of it as port 1
but Netdisco might
think of it as RMONPort26onunit1
.
Not implemented for output. The backup file will have these lines just for informations' sake. Alias IPs on a device are found during discovery.
Many network devices like routers have multiple IP addresses assigned to them. If the device cannot or does not supply this information to Netdisco in a standard way, you can add IP addresses used here.
White space in the file (except for line breaks) is ignored. Tabbing over before line:
lines
makes it easier to read, but is not required.
File Uses
Some reasons the manual topology file is used:
Let's say you have two CDP speaking devices with a non-CDP speaking device in between them
[Cisco] ---> [Bay] ---> [HP]
The Cisco and HP devices (CDP speakers) find each other and the Bay device never appears. You would then have to add these lines to the topology file:
ciscoswitch.my.company link:EtherNet0/1,bayswitch.my.company,25 bayswitch.my.company link:26,hpswitch.my.company,J3
This tells Netdisco that port Ethernet0/1
on ciscoswitch
is connected to Port 25
on bayswitch
.
Then in turn Port 26 on bayswitch
is connected to port J3
on hpswitch
.
A note about devices that are CDP Aware and that implement CDP:
CDP Aware devices are devices that probably do not speak CDP (probably for legal reasons) but that are smart enough not to forward CDP packets. Cisco devices that have CDP disabled are usually still CDP Aware and will not forward the packets. Man-in-the-middle situations occur when the device both does not speak CDP and is not CDP Aware.
If you have a segment of your network that is not connected directly, or connected through a non physical link like a VPN, then you might fudge an entry to connect that segment of the network with the main one.
Anywhere a device that does not supply topology information is connected to the network, an entry must be added in the manual topology file.
Netdisco is controlled via cron jobs. Jobs are run as user netdisco
.
Multiple jobs can be run at once.
The default jobs are :
The settings in netdisco.conf
are used both in the back-end and the front-end.
When you make a change in the config file that is used in the web front end, you must reload apache. The config information is shared between processes for speed and memory performance.
su - -c "/usr/local/apache/bin/apachectl restart"
Multiple config files can be used in the back-end by calling Netdisco with the
-C
option:
netdisco -C myotherfile.conf
STRING. Trimmed from all DNS names viewed. Leave blank to show all domain names. Add a dot in front of your value :
.ucsc.edu
PATH. Full path to where netdisco lives. Is the root path for all other files and paths.
STRING. Name added to page titles and heading.
STRING. URL,width,height - replaces discoball icon with custom logo.
New in version 0.93 these directives are included to help make Netdisco more self-maintaining.
Setting these will result in permanent data removal.
DAYS. Devices that have not been refreshed in this number of days will be removed. All nodes connected to this device will be removed as well.
DAYS. Nodes that have not been refreshed in this number of days will be removed from the database. Archived and non-archived nodes are removed. This includes SwitchPort/MAC and MAC/IP mappings.
DAYS. Archived data for switch-port/MAC and MAC/IP mappings older than this number of days will be removed.
SECONDS. Prevent a device from being arpnipped for this number of seconds after the last succesful run.
LIST:string. Devices that won't be arpnipped. See bulkwalk_no
for syntax.
If you have any layer-3 devices that have been discovered by netdisco
but are using proxy-ARP as a way to get to other devices, place them here.
Alternately, if you have many proxy-ARP clients but one (or a handful of)
central device with all of the proper ARP info, put that in arpnip_only
.
LIST:string. If present, only arpnip these devices. See bulkwalk_no
for syntax.
EXECUTABLE. Full path and command line arguments to the compression program used in compresslogs
BOOLEAN. Compress log files? See compress entry above.
PATH. Full or relative path to the directory that backups and logs will be stored in
SECONDS. Prevent a device from being refreshed for this number of seconds after the last succesful run.
LIST:string. IP addresses in this list will not be visited during discovery. See bulkwalk_no for syntax, except that only hostnames, IP addresses and subnets are valid.
REGEX:string. Place a pattern here to exclude the discovery of certain devices based on the CDP device type information. Good for excluding a whole device class like lightweight access points or IP phones that have CDP but don't talk SNMP.
LIST:string. If present, discovery will be limited to only IP addresses in this list. If you have a management VLAN, put that subnet here to avoid discovering user devices. See bulkwalk_no for syntax, except that only hostnames, IP addresses and subnets are valid.
LIST:STRING If present, device ports matching any of the items in this list will be ignored by the discovery process. Note this may have side effects - connected devices and nodes on those ports will in turn also not be discovered.
Each item in the list is separated by a comma and may be a Perl regular expression. A useful example for this option might be:
EOBC,unrouted VLAN,StackPort,Control Plane Interface,SPAN (S|R)P Interface,StackSub
Not fully implemented.
BOOLEAN. Set to true to ignore aliases that are part of private nets:
10.0.0.0/8 172.16.0.0/16 and 192.168.0.0/24
STRING. The extension to add to log files.
BOOLEAN. Set to true will let nodes accumulate on uplink ports without topology information. This is a debug option to help you figure out your topology and generally should not be set.
SECONDS. Prevent a device from being macsucked for this number of seconds after the last succesful run.
LIST:string. Don't macsuck these devices. See bulkwalk_no
for syntax.
LIST:string. If present, only macsuck these devices. See bulkwalk_no
for syntax.
LIST:Strings. Comma separated list of VLAN names not to visit when MACsucking.
This option was used to speed up MACsucking on certain Cisco Catalyst family devices where you have to connect to each VLAN with SNMP to get the forwarding tables. Certain default VLANs will not answer to SNMP, and Netdisco has to wait for them to timeout.
VLANs listed here are overrided regardless of macsuck_all_vlans value.
SECONDS. Timeout for devices when mac sucking.
BOOLEAN. Set to macsuck all VLANs, not just the ones that are being used on ports.
This is a debug option. Set this if you think that the option of not macsucking VLANs that aren't in use on device ports is some how interfering.
Setting this would revert macsuck to the same behavior as 0.93 and before.
Does not override macsuck_no_vlan.
INTEGER. The number of simultaneous processes to use when collecting data from devices. Using several processes speeds up data collection, but uses more database resources. Be careful of using up all of your database connection handles. Typical values are 15-25.
Note that the load average will be quite high with this option, very nearly the same as the value of max_procs. However, that's because each of these processes spends much of its time waiting for responses from the device, so is ready to run. The high load average doesn't affect the usability of the system in the same way that a high load average caused by cpu-bound jobs would.
DAYS. The maximum age of a node for it to be checked for NetBIOS information. Default 7.
FILENAME. Set this option to have nightly()
(-B) dump an NMIS http://www.sins.com.au/nmis
style Config file. Warning, this file will contain SNMP Community strings.
Optional Override options are :
STRING. Group to use with nmis_dump. Default Network
STRING. Role to use with nmis_dump. Default core
STRING. Collect option to use with nmis_dump. Default true
STRING. Active option for nmis_dump file. Default true
STRING. Net identifier to use. Default lan
INT. SNMP Port to list in nmis_dump file. Default 161
STRING. If set, consult the node_monitor table for MAC addresses that are being monitored after every macwalk. If any of the monitored MAC addresses appear or move, send an email to the node_monitor_email setting and any cc address listed in the database. Note that the node_monitor table must currently be maintained via raw sql access, there is no admin page for it.
BOOLEAN. Turn this on to have Netdisco do a reverse lookup of the sysName.0 field to use
as the management IP address for a device. See bug 810939 and device_root()
for more info.
Default false
BOOLEAN. Set to false to skip the module inventory on device discovery. The module inventory can double the device discovery time so if you aren't using the information you can skip it.
BOOLEAN. Set to false to skip the wireless client information gathering. This is captured at macsuck time, so if you aren't using the information you can skip it.
FILE. Full path of the file that contains manual topology information. Defaults to netdisco-topology.txt
SECONDS. Timeout for refreshing or discovering a device
BOOLEAN. Run daemon in the background?
FILE. Filename for the pid file used by admin daemon. Must be writable by daemon user.
SECONDS. Time to wait to check for new items in the queue.
The five database settings are db
, db_user
, db_pw
, db_opts
, and db_env
.
You can run multiple database types in Netdisco. See port_info
for an instance of this.
For each of the above settings, the database shortcut name (you choose) is inserted after db
.
Postgres is the required first database, and uses the short name Pg
.
The following lines must be added :
STRING. Database connect string to give to DBI.
Default : dbi:Pg:dbname=netdisco
STRING. Database user
STRING. Database Password
HASH. Options to add to the connect string.
Default : PrintError => 1, AutoCommit => 1
HASH. Environment variables to be set before running database calls. Separate multiple entries with commas.
Mainly used for Oracle.
Default : not set.
Example :
db_Oracle_env = ORACLE_HOME => /usr/local/oracle7, ORACLE_STUFF=>1
BOOLEAN. Set to true to use GETNEXT instead of BULKWALK for every device. This slows things down, but might be necessary for problem devices.
Set to false to use BULKWALK even if netdisco thinks you have a buggy version of Net-SNMP (e.g., because your installation is patched)
Other solutions include addding sub bulkwalk_off { 1; }
to the device
class that is misbehaving in SNMP::Info. This will turn off bulkwalk for a
class of devices, not all.
Also see bulkwalk_no to turn BULKWALK off on a per-device or device class level.
Default is on. SNMP::Info 1.0 or higher required.
LIST:STRING. A comma separated list of devices to not bulkwalk
This list can take five different inputs:
Simply put the device's name or IP address in the list.
switch1, switch2, switch3
Add an entire model type for excluding from bulkwalking.
This can be a simple string like 6500
or it could be a regular expression like
(2512|65\d\d)
. The regex must match the whole string (it's anchored).
Add an entire vendor type for excluding form bulkwalking.
This can be a simple string like hp
or it could be a regular expression like
(cisco|hp)
. The regex must match the whole string (it's anchored).
You can exclude a whole subnet of devices from bulkwalking. Use CIDR notation.
128.1.0.0/16
You can use a single asterix *
to specify that all devices not
be bulkwalked.
INT. Sets MaxRepeaters on BULKWALK operations. See perldoc SNMP
for more info.
Default is 20. SNMP::Info 1.0 or higher required.
LIST:STRING. A comma separated list of community strings to try on each device.
LIST:STRING. OPTIONAL. A comma separated list of Read-Write community strings.
This is only necessary if you turn on the port_control
command.
STRING. An external program to run to get the community string for a given
device. This is useful if, for example, you have you devices already configured
in another NMS and you want to use that information instead of configuring
community
and/or community_rw
in this file.
The strings %IP% and %HOST% are replaced by the IP address and the hostname (or IP address if no hostname is known) of the system being contacted.
The command must return output in the following form:
community=<list of readonly-communities> setCommunity=<list of write-communities>
If the community string is not known for the given system, the command should return no output and the community strings configured in netdisco will be used.
LIST:STRING. A comma separated list of directories to search for MIB files.
BOOLEAN. Setting this to true will allow the bulkwalk of devices that have tables with non-increasing OIDs. The default is to not allow this behavior to prevent problem devices from looping indefinitely. Requires Net-SNMP 5.3 or higher.
See patch # 1364650 in Net-SNMP or bug # 1176130.
LIST:STRING. A comma separated list of devices. Forces matching devices to use SNMPv1
See bulkwalk_no for syntax.
LIST:STRING. A comma separated list of devices. Forces matching devices to use SNMPv2c
See bulkwalk_no for syntax.
LIST:STRING. A comma separated list of devices. Forces matching devices to use SNMPv3.
See bulkwalk_no for syntax.
INT. Default version of SNMP protocol to connect with.
INT. Settings for 'Timeout' field passed to SNMP::Session. Micro-seconds before retry, Default 1000000 micro-seconds = 1 second.
INT. Settings for 'Retries' field passed to SNMP::Session
LIST. The users to try for SNMPv3 (like community for SNMPv1/SNMPv2)
LIST. The users to try for SNMPv3 read-write access.
user is the SNMPv3 username, as listed in v3_users or v3_users_rw.
auth/enc specifies what levels of authorization/privacy you are configuring. The possible values are:
only use noAuthNoPriv, the user has no authorization or privacy configured.
Use authNoPriv - authorization but no privacy.
Use authPriv - authorization and privacy for all requests.
Use authNoPriv for read and authPriv for write.
authproto is the authorization protocol, and can be any that the underlying library supports, e.g., SHA or MD5.
authpass is the authorization pass phrase.
privproto is the privacy proto, e.g., DES or AES.
privpass is the privacy pass phrase.
No support is currently provided for providing hexadecimal keys directly. Such support might use the prefix "0x" to identify a hex key, so be careful how you choose your pass phrases.
EMAIL. Address that reports of use of Port Control
are sent to.
BOOLEAN. Set to True to make sure an IP Phone port never can be turned off/on. Default false.
SECONDS. Amount of time to wait for a response from the admin daemon.
BOOLEAN. Set to True to allow Netdisco to be able to disable Uplinks. (Router Interfaces too)
Default False.
EXTREMELY VERY DANGEROUS - Turning off uplinks will take out chunks of your network.
BOOLEAN. Set to True to allow Netdisco to be able to disable VLAN interfaces.
Default False.
EXTREMELY VERY DANGEROUS - Turning off a VLAN could take out most of your network.
BOOLEAN. Set to True to allow Netdisco to be able to change the default VLAN on an interface.
BOOLEAN. Turns on the Port Info
and Jack Search
features.
BOOLEAN. If a secure server is present.
Requires web login, password changing and all admin functions to be run in secure space.
BOOLEAN. If the traceroute button should be present in the top bar. The L2 Traceroute function has limits and may be slow on large networks, so the link to it can be disabled.
LIST:STRING. Comma separated list of models that want to use the Web Console
LIST:STRING. Comma separated list of vendors that use the Web Console.
PATH. URL Path added to the beginning of links on the web front-end
MINUTES. Amount of time a session lasts before someone has to login again.
BOOLEAN. Whether to use Apache-based authentication. If this is configured both here and in netdisco_apache_dir.conf, then logins will trust the REMOTE_USER set by Apache. If the user is found in the user database, then the appropriate privileges are applied; if the user is not found then they have access but no port control or admin access. There is another link on the sidebar, "Netdisco Login" to log in using the netdisco user database.
LIST:STRING. Comma separated list of LDAP servers. If using Active Directory these would be domain controllers.
STRING. String to construct the user portion of the DN. %USER% is a variable which will be replaced at runtime with the logon name entered on the logon page of the application. Examples: cn=%USER%, uid=%USER%. Active Directory users may use DOMAIN\%USER% and skip all other options except ldap_server as this notation eliminates the need to construct the full distinguished name.
STRING. String which indicates where in the hierarchy to begin searches. If a proxy user is not defined and anonymous binds are not enabled this value will be appended to the ldap_user_string to construct the distinguished name for authentication.
STRING. User to bind with to perform searches. If defined as anonymous, then anonymous binds will be performed and ldap_proxy_pass will be ignored. For organizations with users in multiple OU's this option can be used to search for the user and construct the DN based upon the result.
STRING. Proxy user password. Ignored if proxy user defined as anonymous.
HASH. Options to add to the connect string. Normally only needed if server does not support LDAPv3.
HASH. If defined, the connection will use Transport Layer Security (TLS) which provides an encrypted connection. TLS is the preferred method of encryption, ldaps (port 636) is not supported. This is only possible if using LDAPv3 and the server supports it. These are the options for the TLS connection. See the Net::LDAP documentation under start_tls for options, but the defaults should work in most cases.
ldap_server = AD-Domain-Controller1,AD-Domain-Controller2 ldap_user_string = DOMAIN\%USER%
Note: Only one domain is currently supported in this configuration
ldap_server = LDAP-Server-1,LDAP-Server-2 ldap_user_string = cn=%USER% ldap_base = o=MYORGANIZATION ldap_proxy_user = anonymous
Note: This configuration will support users split across multiple containers as long as the containers exist below MYORGANIZATION
STRING. Default color for link between devices.
FILE. Full path and name to the GIF graph of the network. Path should be the same
as in the netmap.html
component.
STRING. Background color for the graph.
STRING. Text color for the graph
STRING. Default type of graph to view in NetMap (svg,gif,png). Optional,
defaults to svg
.
INT. Sets the epsilon
attribute in GraphViz
used to control the graph solver.
Set to an integer value. This will improve the mapping and visual quality of
them graph. Each integer step can mean an exponential time increase in the solving
of the graph.
BOOLEAN. Creates clusters of nodes based on their location field.
Best with graph_layout fdp
. Only use if all or most
devices in a given location have the same location string.
STRING. Choose program to render graph with. Valid options are neato
, twopi
, circo
and fdp
.
STRING. Path for graphviz to find font files to be used for node_font. Defaults to home.
FILE. Set to Full path and name to the ISMAP data for the network. Path should be the
same as in the netmap.html
component.
FLOAT. Node Separation (in inches) of nodes in graph.
BOOLEAN. Parameter passed to GraphViz
for the overlap=""
feature.
FILE. Full path and name to the PNG graph of the network. Path should be the same
as in the netmap.html
component. Use this if you prefer not to use GIF, or if
your graphviz binary doesn't support GIF, reporting an error similar to
Renderer type: "gif" not recognized. Use one of: [...png...]
.
FLOAT. Rank Separation of elements in graph.
FLOAT or STRING. Graph's aspect ratio, may be a floating point number, or one of the keywords fill, compress, or auto.
FILE. Set to create the raw (.dot) graph file as well.
BOOLEAN. Turn on GraphViz's spline engine? (Is very processor intensive).
FILE. Set to create an SVG version of the graph. Requires GraphViz 0.8 or greater.
MINUTES. Time to allow neato
to try and solve the graph. Default 60min.
FLOAT. The X and Y dimensions of the graph in inches. To convert to pixels, times by 100 (96 actually). So the default values of 30x30 will give you a graph that is about 3000x3000 pixels wide.
STRING. Default background color for device
BOOLEAN. True keeps the box size small and fixed (for huge graphs); false allows the box to be sized to fit the text inside. Default TRUE.
FILE. Name of the True Type Font used for label of node. Exclude .ttf in name.
STRING. Color of text
FLOAT. Size of text in Pixels. Note that for the graph_overlap=scale option, the font gets scaled down and so an oversized font is used.
STRING. Colon separated list of values. Multiple node_map entries can exist. Entry is in format:
Variable:Regular Expression:Attribute:Value:Key String:Key Title
Variables that you can use include : label,ip
Attributes can be any node attribute usable in GraphViz, such as fillcolor and color
Examples:
label:cat(?!-g):fillcolor:blue:cat:Blue Box - Catalyst Switch
If the label (dns name) matches cat, but not cat-g, make it blue,
with an entry in the key like [cat] Blue Box - Catalyst Switch
ip:^169\.233:color:yellow:node:Yellow Border - ResNet
If the IP address of the device starts with 169.233, then make the border around the
device yellow, with an entry in the key like [node] Yellow Border - ResNet
.
You may leave off Key String and Key Title to get no entry in the key for this color combination. This can be useful to get only one key entry when using multiple node_map entries with the same attribute/value.
STRING. Color to use for devices that are not accessible
STRING. Default shape for device, normally box.
STRING. Default style of device, normally filled.
STRING. IP address of a device to be used as the "center" of the graph.
BOOLEAN. Customize which columns are shown by default in de Device View page. The "xxx" part indicates the (internal) column name. Valid options are: "port", "descr", "type", "duplex", "lastchange", "name", "speed", "mac", "mtu", "vlan", "vmember", "connected", "stp", "up", "control", "graphs", "poe_admin", "poe_status", "poe_class" and "poe_power".
Examples:
col_lastchange_show = 1 # Show the Last Change column by default col_vmember_show = 0 # Hide the VLAN Membership column by default col_graphs_show = 1 # Show the Graphs column by default
(note: Netdisco doesn't offer port graphs by itself, but the Graphs column can be used to link against external graphing tools)
FILE. Should resolve to a Mason component which provides output for the Graphs column. An example component named "col_graphs" is included in html/graphs_sample.mas.
Example: col_graphs_data = graphs_sample.mas:col_graphs
Linking Netdisco against external graphing tools requires a small amount of programming. This is not in the scope of this manual.
Perl Module that holds all the SQL interaction routines as well as some helper routines. Used by both the back-end and front-end.
Perl Modules created for this project that are used to provide the interaction between the device and Netdisco over SNMP. All device-specific changes are done in these modules.
Using a device as a starting point (root), the walker then tries to visit every device directly connected to the starting point. Neighboring devices are found with CDP.
The ArpNipper is visits each discovered device with Layer 3 capabilities. Each device's ARP Cache is read and the IP address to MAC address translation is stored in the node_ip table.
The original ArpNipper was written by Jim Warner at UCSC.
The MacSucker visits each device with Layer 2 capabilities. Each device's Forwarding Table is read. MAC addresses that are on ports without a physical mapping (virtual ports) are skipped. MAC Addresses on ports with a neighbor recorded are skipped (uplink ports). MAC Addresses that are actually switch ports are skipped. The remaining MAC addresses are recorded as nodes in the nodes table.
If the device supports the v_name()
call, and has VLANs, then the MacSucker tries to
connect to each VLAN and macksuck()
each VLAN. This is required for some devices like
the Cisco Catalyst 5000, 3500, 1900, 6500 series.
A few speedups are implemented for the devices that require each VLAN to visited:
This config file directive lists VLANs that exist in every device by default but do not ever have MAC addresses attached to them.
Use this config file directive to exclude problem devices.
(New 0.94) Many VLANs may be on the device or in the vtpdomain, but only a few of them may be in use on device_ports. Macsuck will not try to visit the VLANs that are not in use on device ports. See macsuck_all_vlans to override this.
The original MacSucker was written by Mark Boolootian at UCSC.
The 40+ routines for creating backups, logging, etc.
Browse the source code or check out netdisco-api for more info.
Netdisco uses PostgreSQL as its database store. Indexing is used heavily to speed up
queries and facilitate large data sets. See the sql/
directory and INSTALL
for more information.
Queue for admin control panel tasks to be sent back and forth from the front-end.
Holds device information. Each device is identified by unique IP Address.
Holds alias IP Addresses for devices. Each device can have multiple IP's stored in this table. The master IP address is either taken from SNMP information or from the reverse DNS entry of the device name. Also used to link a certain alias to a port.
Holds the interface (port) information for each device. One row for each interface exists with information about the port status.
Holds PoE-related information for interfaces (ports) on each device capable of acting as Power Sourcing Equipment (PSE). One row for each power-capable interface exists with information about the PoE status.
Contains log entries for port_control, tool used for administratively enabling and disabling ports.
Holds SSID information for wireless access points.
Holds channel and power information for wireless access points.
Holds log entries for human use.
Holds an entry for each MAC address connected to the network that isn't a device. Tells on which switch port the node was seen, and when it was seen there. Also holds the archived data on node location. Archived data has the column ''active'' set to false. Data comes from MacSucker
Maps a MAC Address to an IP address. Has no notion of where this node was seen. Keeps time stamps of when this is from. Data comes from ArpNipper. Archived data is similar to the node table, where ``active'' is set to false for archived data.
Lists MAC addresses that are to be monitored for presence on the network; if one appears or moves at the end of a macwalk, send email to node_monitor_email and the CC field in the node_monitor_table, if set.
Maps a MAC address to an IP address and its NetBIOS information, including NBT name, domain, and user. Archived data is similar to the node table, where ``active'' is set to false for archived data.
Holds information about the a wireless station's radio -- maximum possible rate, current transmit rate, signal strength and quality, and rx/tx packets and bytes. This table has no archived data; it only contains the most recent sample for a given MAC address.
This table is used to coordinate the work of multiple child processes when performing parallel work.
Web sessions created by MasonX::Request::WithApacheSessions. Stores information about a current session in the global $m->session hash under mason.
Populated with data from oui.txt Oui.txt contains the Organizationally Unique Identifiers (OUI) that map a MAC address to a vendor. The database is controlled by the IEEE. See INSTALL for more information.
User information for web front end.
I would like to thank the following people for their contributions to Netdisco :
Mark Boolootian and Jim Warner (Through who's ideas Netdisco was born and shaped) (UCSC) , Mike Hunter (UCB), Brian Wilson (NCSU), Bradley Baetz (bbaetz), David Temkin (sig.com), Edson Manners (FSU), Dmitry Sergienko (Trifle Co, .ua), Remo Rickli (PSI, Switzerland), Jean-Philippe Luiggi (sagem.com), A.L.M Buxey (Loughborough University, UK), Kevin Cheek (UMICH), John Bigrow (bnl.gov), George Pavel (llnl.gov), Charles Goldsmith (wokka.org), Douglas M. McKeown (saintmarys.edu), Revital Shvarzman (York U, Ontario), Walter Gould (Auburn U), Lindsay Druet and Colin Palmer (U of Waikato, Hamilton NZ), Dusty Hall (Auburn U), Jon Monroe (center pointe), Eric Miller (jeneric), Bill Fenner, Oliver Gorwits (Oxford U), Alexander Barthel (http://archiv.tu-chemnitz.de/pub/2005/0045/), Bill Anderson, Carlos Vicente (U Oregon), Alexander Hartmaier (t-systems.at), Justin Hunter (Arizona State U), Jethro Binks (U of Strathclyde, Glasgow), Jordi Guijarro (UAB.es), Sam Stickland (spacething.org), Stefan Radman (CTBTO.org), Clint Wise, Max Kosmach, Bernhard Augenstein.
And probably lots of other people I forgot to put in here. Not to mention the authors and communities of all the other software that Netdisco is built upon.
%text>