RE: NetView & MLM in firewall scenario

To: nv-l@lists.tivoli.com
Subject: RE: NetView & MLM in firewall scenario
From: "Cowan, Chris" <Chris.Cowan@2ndwaveinc.com>
Date: Fri, 16 Mar 2001 11:01:24 -0600
 
That is how it should work, according to my understanding of the product.   
 
Unfortunately, I needed distributed discovery across multiple subnets.
So my real answer is that I didn't really test that case fully; I needed
more functionality.
 
As was mentioned in other posts, it appears that Tavve eProbe is capable of
this.
 
 -----Original Message-----
From: Jane Curry [mailto:jane.curry@skills-1st.co.uk]
Sent: Wednesday, March 14, 2001 1:04 AM
To: IBM NetView Discussion
Subject: Re: [NV-L] NetView & MLM in firewall scenario


Hi Chris, 
Thanks for this comment.  Can I just clarify - did the MLM discovery work
at all through the firewall, albeit only for nodes on the same network as
the MLM?  And did those nodes appear in the NetView database?  I can also
live with MLM ping-polling if necessary. 

Many thanks, 
Jane 


"Cowan, Chris" wrote: 


  

I tried it. 


I don't think it will fly; there appears to be no easy way to get the
discovery to happen via a proxy (that's what I wanted, and that's what I
think you're asking for).   I had the NV Server able to talk SNMP and ICMP
to one or more MLMs, where the MLMs were on the other side of a FW (actually
it was a private VLAN with ACLs, but close enough!).   The MLM then had
complete access to the desired Managed Objects spread across multiple
subnets. 


I soon discovered that the MLMs rely on the NV server far more than I
realized for discovery.  There were a couple of problems that I ran into: 


1. The discovery engine on the MLM only finds things on subnets that it is
directly connected to.  The MLM discovery is far more simplistic than what
netmon is capable of.   (Yes, you can change the scope of what it's polling
by changing the rules for the MLM domain smart sets, but there's no easy
way to do that until the objects are actually in the object database.)  In
other words, there's not really a seed file for the MLM. 


2. The MLM does not have the capability to do anything other than ICMP echo
(ping) discoveries.   (Unless there's an undocumented feature). 


The only way I could possibly see doing this is to manually prime the MLM
tables with a script, explicitly entering nodes.   But this could get very
ugly from a maintenance and scalability standpoint. 


I would love to find out that I'm in left field on this, and that there is
an elegant solution.   But, I haven't found it with my own experimentation. 


PS. Yes, I do realize that things are a little different with an Attended MLM
running on NT NV. 
As time goes on, I'm more and more convinced that using 2 NetView Servers
instead of one server and an MLM is the only way to solve this problem. 


-----Original Message----- 
From: Jane Curry [mailto:jane.curry@skills-1st.co.uk] 
Sent: Sunday, March 11, 2001 7:57 AM 
To: NetView mailing list 
Subject: [NV-L] NetView & MLM in firewall scenario 


Has anyone tried the following????  I want to use an MLM to do discovery 
and status polling beyond a packet-filtering firewall. 


    NetView ------>  Firewall ------> MLM -------> Managed Devices 


The firewall ONLY permits UDP/162  NetView <-> MLM, and UDP/161 NetView 
<-> MLM;  there is no SNMP/161 or ping allowed to the managed devices. 
I also have UDP/162 (traps) from the Managed Devices to MLM and/or 
NetView. 


At this stage, I don't have ping to the MLM either but I can tell netmon 
to poll the MLM using SNMP in the seedfile.  I have no firewall between 
MLM and the managed devices so ping and SNMP traffic is fine. 


If I tell netmon to use MLM for both discovery and polling, I should 
have full comms to the MLM - no problem.  I hope that the MLM will then 
discover the Managed Devices, pass them back to NetView, and also add 
them to his MLM status polling table.  WILL THIS WORK?????  - even 
though NetView himself cannot ping or demand poll the devices?  I want 
the Managed Devices to appear in the NetView topology as managed by the 
MLM.  I don't care if NetView thinks they don't support SNMP, so long as 
the box is there and it goes red/green depending on the Node Up/Down 
traps passed from the MLM. 


I would much appreciate any feedback from anyone who has been down this 
route. 
Kind regards, 
Jane 
-- 
Tivoli Certified Enterprise Consultant & Instructor 
Skills 1st Limited, 2 Cedar Chase, Taplow, Bucks, SL6 0EU, UK 
Tel: +44 (0)1628 782565 
Copyright (c) 2001 Jane Curry <jane.curry@skills-1st.co.uk>.  All rights 
reserved. 


_________________________________________________________________________ 
NV-L List information and Archives: http://www.tkg.com/nv-l

-- 
Tivoli Certified Enterprise Consultant & Instructor 
Skills 1st Limited, 2 Cedar Chase, Taplow, Bucks, SL6 0EU, UK 
Tel: +44 (0)1628 782565 
Copyright (c) 2001 Jane Curry <jane.curry@skills-1st.co.uk>.  All rights
reserved. 
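Jane's design lets only UDP/161 and UDP/162 cross the packet filter and drives the red/green status of the managed devices from Node Up/Down traps arriving over UDP/162. What such a rule actually admits is worth seeing in bytes. The following is an added example, not code from any of the posts above nor from NetView or the MLM: a minimal SNMPv1 Trap-PDU encoder and decoder following the BER layout of RFC 1157. An SNMPv1 trap is a single unauthenticated UDP datagram; the community string travels in cleartext and the agent-addr field is whatever the sender wrote, so a filter that passes UDP/162 inward from the managed-device side is trusting the IP source address and that field alone. The enterprise OID 1.3.6.1.4.1.99999, the addresses and the varbind OIDs are constructed placeholders, not NetView's.

```python
"""Minimal SNMPv1 Trap-PDU encoder/decoder (RFC 1157, BER).  Added example with
constructed data; not NetView or MLM code.  Python 3, standard library only."""

# ASN.1 BER tags used by SNMPv1 (RFC 1155/1157)
INTEGER, OCTET_STRING, OID, SEQUENCE = 0x02, 0x04, 0x06, 0x30
IPADDRESS, TIMETICKS = 0x40, 0x43   # APPLICATION 0 and APPLICATION 3
TRAP_PDU = 0xA4                     # context-specific [4], constructed
ENTERPRISE_SPECIFIC = 6             # generic-trap value that enables specific-trap


def _tlv(tag, body):
    """Wrap body in a BER tag-length-value (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _uint(value, tag=INTEGER):
    """Non-negative INTEGER or TimeTicks in minimal bytes with the sign bit clear."""
    return _tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def _oid(dotted):
    """Encode a dotted OID: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(OID, bytes(out))


def encode_trap(community, enterprise, agent_addr, specific, uptime, varbinds=()):
    """Build a complete SNMPv1 Message carrying an enterprise-specific Trap-PDU."""
    vbs = b"".join(_tlv(SEQUENCE, _oid(o) + _tlv(OCTET_STRING, v.encode()))
                   for o, v in varbinds)
    pdu = (_oid(enterprise)
           + _tlv(IPADDRESS, bytes(int(x) for x in agent_addr.split(".")))
           + _uint(ENTERPRISE_SPECIFIC) + _uint(specific) + _uint(uptime, TIMETICKS)
           + _tlv(SEQUENCE, vbs))
    return _tlv(SEQUENCE, _uint(0) + _tlv(OCTET_STRING, community.encode())
                + _tlv(TRAP_PDU, pdu))


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_trap(msg):
    """Parse an SNMPv1 trap datagram into its header fields (varbinds ignored)."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(body, 0)
    if version != b"\x00":
        raise ValueError("only SNMPv1 (version 0) is handled here")
    _, community, pos = _read_tlv(body, pos)
    tag, pdu, _ = _read_tlv(body, pos)
    if tag != TRAP_PDU:
        raise ValueError("not a Trap-PDU")
    fields, pos = [], 0
    while pos < len(pdu):
        _, field, pos = _read_tlv(pdu, pos)
        fields.append(field)
    enterprise, addr, generic, specific, ticks, _vbs = fields
    return {
        "community": community.decode(errors="replace"),   # cleartext on the wire
        "enterprise": _decode_oid(enterprise),
        "agent_addr": ".".join(map(str, addr)),            # unauthenticated claim
        "generic_trap": int.from_bytes(generic, "big"),
        "specific_trap": int.from_bytes(specific, "big"),
        "uptime": int.from_bytes(ticks, "big"),
    }


# Constructed sample: a device-down style trap as a poller might relay it.
# Enterprise OID, addresses and varbind OIDs are placeholders, not NetView's.
SAMPLE_TRAP = encode_trap(
    community="public", enterprise="1.3.6.1.4.1.99999",
    agent_addr="10.1.2.3", specific=5, uptime=123456,
    varbinds=[("1.3.6.1.4.1.99999.1.1", "Interface Serial0/0 down on router-edge-01"),
              ("1.3.6.1.4.1.99999.1.2", "Node Down as reported by the MLM poller")])

# Anyone who can reach UDP/162 can send the same bytes with a different agent-addr.
FORGED_TRAP = encode_trap("public", "1.3.6.1.4.1.99999", "10.1.2.250", 5, 1)
```

Running `decode_trap` on both constants shows the same community string and an agent-addr chosen by the sender; nothing in the datagram lets the receiver tell the two apart, which is why the UDP/162 rule from the device side is the part of this design a reviewer would want restricted to the MLM's address, and why SNMPv1/v2c trap-driven status should be treated as a hint rather than authenticated state.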
  

 