To: | nv-l@lists.tivoli.com |
---|---|
Subject: | Re: NetView & MLM in firewall scenario |
From: | Jane Curry <jane.curry@skills-1st.co.uk> |
Date: | Wed, 14 Mar 2001 07:03:42 +0000 |
Hi Chris,

Thanks for this comment. Can I just clarify - did the MLM discovery work at all through the firewall, albeit only for nodes on the same network as the MLM? And did those nodes appear in the NetView database? I can also live with MLM ping-polling if necessary.

Many thanks,
Jane

"Cowan, Chris" wrote:

> I tried it.
>
> I don't think it will fly, there appears to be no easy way to get the discovery to happen via a proxy. (That's what I wanted, and that's what I think you're asking for). I had the NV Server able to talk SNMP and ICMP to one or more MLMs, where the MLMs were on the other side of a FW (actually it was a private VLAN with ACLs, but close enough!). The MLM then had complete access to the desired Managed Objects spread across multiple subnets.
>
> I soon discovered that the MLMs rely on the NV server far more than I realized for discovery. There were a couple of problems that I ran into:
>
> 1. The discovery engine on the MLM only finds things on subnets that it is directly connected to. The MLM discovery is far more simplistic than what netmon is capable of. (Yes, you can change the scope of what it's polling by changing the rules for the MLM domain smart sets, but there's no easy way to do that until the objects are actually in the object database). In other words, there's not really a seed file for the MLM.
>
> 2. The MLM does not have the capability to do anything other than ICMP echo (ping) discoveries. (Unless there's an undocumented feature).
>
> The only way I could possibly see doing this, is to manually prime the MLM tables with a script, explicitly entering nodes. But this could get very ugly from a maintenance and scalability standpoint.
>
> I would love to find out that I'm in left field on this, and that there is an elegant solution. But, I haven't found it with my own experimentation.
>
> PS. Yes, I do realize that things are a little different with an Attended MLM running on NT NV.
>
> As time goes on, I'm more and more convinced that using 2 NetView Servers instead of one server and an MLM is the only way to solve this problem.
>
> -----Original Message-----
> From: Jane Curry [mailto:jane.curry@skills-1st.co.uk]
> Sent: Sunday, March 11, 2001 7:57 AM
> To: NetView mailing list
> Subject: [NV-L] NetView & MLM in firewall scenario
>
> Has anyone tried the following???? I want to use an MLM to do discovery and status polling beyond a packet-filtering firewall.
>
> NetView ------> Firewall ------> MLM -------> Managed Devices
>
> The firewall ONLY permits UDP/162 NetView <-> MLM, and UDP/161 NetView <-> MLM; there is no SNMP/161 or ping allowed to the managed devices.
>
> I also have UDP/162 (traps) from the Managed Devices to MLM and/or NetView.
>
> At this stage, I don't have ping to the MLM either but I can tell netmon to poll the MLM using SNMP in the seedfile. I have no firewall between MLM and the managed devices so ping and SNMP traffic is fine.
>
> If I tell netmon to use MLM for both discovery and polling, I should have full comms to the MLM - no problem. I hope that the MLM will then discover the Managed Devices, pass them back to NetView, and also add them to his MLM status polling table. WILL THIS WORK????? - even though NetView himself cannot ping or demand poll the devices? I want the Managed Devices to appear in the NetView topology as managed by the MLM. I don't care if NetView thinks they don't support SNMP, so long as the box is there and it goes red/green depending on the Node Up/Down traps passed from the MLM.
>
> I would much appreciate any feedback from anyone who has been down this route.
>
> Kind regards,
> Jane
>
> --
> Tivoli Certified Enterprise Consultant & Instructor
> Skills 1st Limited, 2 Cedar Chase, Taplow, Bucks, SL6 0EU, UK
> Tel: +44 (0)1628 782565
> Copyright (c) 2001 Jane Curry <jane.curry@skills-1st.co.uk>. All rights reserved.
>
> ________________________________________________________________________
>
> NV-L List information and Archives: http://www.tkg.com/nv-l

--
Tivoli Certified Enterprise Consultant & Instructor
Skills 1st Limited, 2 Cedar Chase, Taplow, Bucks, SL6 0EU, UK
Tel: +44 (0)1628 782565
Copyright (c) 2001 Jane Curry <jane.curry@skills-1st.co.uk>. All rights reserved.
Archive operated by Skills 1st Ltd
See also: The NetView Web