From: Giff H. <gh...@at...> - 2002-05-30 04:55:05
George, Ian pretty much hit the nail on the head. In the scenario that you describe, there are three basic options: 1) deploy a local management station, 2) use a VPN or 3) set a static IP for the managed node in the firewall. If options 1 & 2 are not permissible, the only option available is to set static IPs for the systems and use that for management purposes.

Using something other than an IP address as an identifier probably won't work because all naming services (DNS, WINS, etc.) at some point resolve a name to an IP and then a MAC so that the packet can be correctly routed through the internet. That isn't too much of a problem in and of itself, but the real trouble begins if you have more than one host assigned to a legal IP address.

Let's say that you have OpenNMS on Host A and you want to monitor Host B and C on a remote network. B and C use the same valid IP address. Each can go out to the internet through their firewall without any trouble because the firewall inspects every packet it sends out and keeps track of which host sent it. When the host at the other end responds, the firewall routes it to the correct host. Now, Host A sends an SNMP request to Host B. The request goes to the firewall and it has a choice. Since the query is ambiguous, the firewall will drop the request. If the firewall wasn't there, B and C could respond and really confuse OpenNMS.

With the scenario you presented, about the only way to make this work for any management station, you would need to assign static IP addresses for the hosts you wanted to monitor across the net. This, of course, would open you up to spoofing with potentially disastrous results, unless you're using an encrypted SNMP, which I believe is v3.

Sorry it's a long-winded answer, but I hope it gives you the ammo you need to help your cause. If you have to stay with a central management server, a VPN is your most effective solution.

Giff

-----Original Message-----
From: dis...@op... [mailto:dis...@op...] On Behalf Of Ian Wallace
Sent: Wednesday, May 29, 2002 5:52 PM
To: Discuss OpenNMS
Subject: Re: [opennms-discuss] General Question - SNMP, Remote Sites, DHCP, and Port Stacking

George -

I am no networking expert at all but this problem seems to be impossible for any network management tool to work with. The real issue is how do I target a single system to monitor? From what I have seen in the OpenNMS source we use IPs and since you can't provide a 1-to-1 mapping with the information you provided below it would seem that you can't monitor such systems.

Are people envisioning such systems as being dynamic DNS type systems? Meaning that they are connected periodically say through DSL and then disconnect? I guess one method around this is to change how things are discovered, and add in the ability to discover a node via DNS, rather than IP - a little extra overhead but basically we'd have to associate the services with a hostname rather than an IP.

Is this the type of problem you are talking about? Or is it something completely different? At first I thought you were talking about NAT'ing a bunch of machines behind a single IP at the router. If you are talking NAT'ing I don't really see how that would work.

Stopping now, I realize I'm rambling.

cheers
ian

On Wed, 2002-05-29 at 14:12, George D. Nincehelser wrote:
> This question came up during a demonstration of OpenNMS, and I came across some resistance for those familiar with UniCenter.
>
> Here is the problem:
> We want to monitor many remote unix systems. These systems are spread across the country, on many different LANs. These LANs are connected to various local ISPs using single, dynamic IP numbers assigned to a router. It is likely that many of these unix systems will be stacked on a single IP from the Internet's perspective.
>
> Assumptions:
> 1) There is only one central monitoring point
> 2) A sub-nms can't be deployed at each site
> 3) Can't use VPNs
>
> Obviously, the issue here is how do you address multiple systems behind single dynamic IP addresses assigned by many third parties. I can't think of any obvious out-of-the-box solution. I realize that OpenNMS probably can't address this...I can't think of any NMS product that can.
>
> Does anyone know of any? The UniCenter proponents seem to think this is easy, but couldn't tell me how other than DHCP is used. My response was we don't have access to the ISP's DHCP information, so that won't help. (Even if we could get it, it doesn't get around the port stacking problem)
>
> Any thoughts?
>
> Thanks
> George

_______________________________________________
discuss mailing list (di...@op...)
To subscribe, unsubscribe, or change your list options, go to: http://www.opennms.org/mailman/listinfo/discuss
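As an added illustration, not part of the thread and not OpenNMS code, the following Python model walks through the stateful firewall behaviour Giff describes and the "port stacking" problem George raised: outbound packets from two private hosts sharing one public address create translation entries, the manager's replies are matched back to the right host, an unsolicited SNMP poll to the public address has no matching entry and is dropped, and a static forward (Giff's option 3) makes exactly one of the two hosts reachable on that port. All addresses, hosts, ports and packets are constructed; the `PatGateway` class and its method names are invented for the example.

```python
"""Toy model of port address translation (NAT overload) with one public IP.

Added example; every address, port and packet below is constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"
    payload: str = ""


class PatGateway:
    """Hypothetical stateful gateway: one public IP shared by many inside hosts."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # outbound flow (src ip, src port, dst ip, dst port, proto) -> public port
        self._flows: Dict[Tuple[str, int, str, int, str], int] = {}
        # (public port, remote ip, remote port, proto) -> (inside ip, inside port)
        self._table: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}
        # static forwards: (public port, proto) -> (inside ip, inside port)
        self._static: Dict[Tuple[int, str], Tuple[str, int]] = {}
        self.dropped: List[Packet] = []

    def add_static_forward(self, public_port: int, inside_ip: str,
                           inside_port: int, proto: str = "udp") -> None:
        """Pin one public port to one managed node (only one host can own it)."""
        self._static[(public_port, proto)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet and remember which host sent it."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        pub_port = self._flows.get(flow)
        if pub_port is None:
            pub_port = self._next_port
            self._next_port += 1
            self._flows[flow] = pub_port
            self._table[(pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver an outside->inside packet only if a flow or static forward matches."""
        entry = self._table.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if entry is None:
            entry = self._static.get((pkt.dst_port, pkt.proto))
        if entry is None:
            self.dropped.append(pkt)  # ambiguous: no way to pick an inside host
            return None
        inside_ip, inside_port = entry
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


# Constructed addresses (documentation ranges, not real systems).
OPENNMS = "203.0.113.10"        # Host A, the central management station
REMOTE_PUBLIC = "198.51.100.7"  # the single address the remote site gets from its ISP
HOST_B = "192.168.1.20"
HOST_C = "192.168.1.21"


def simulate() -> Dict[str, object]:
    fw = PatGateway(REMOTE_PUBLIC)

    # B and C each send an SNMP trap to the manager, both from inside port 5000.
    trap_b = fw.outbound(Packet(HOST_B, 5000, OPENNMS, 162, payload="trap from B"))
    trap_c = fw.outbound(Packet(HOST_C, 5000, OPENNMS, 162, payload="trap from C"))

    # The manager answers each trap; the gateway maps each reply back to its sender.
    reply_to_b = fw.inbound(Packet(OPENNMS, 162, REMOTE_PUBLIC, trap_b.src_port, payload="ack"))
    reply_to_c = fw.inbound(Packet(OPENNMS, 162, REMOTE_PUBLIC, trap_c.src_port, payload="ack"))

    # Unsolicited SNMP GET to the public address: no flow entry, so it is dropped.
    poll = fw.inbound(Packet(OPENNMS, 50001, REMOTE_PUBLIC, 161, payload="GET sysName.0"))

    # Pin public port 161 to Host B; the poll now reaches B, but C can never share 161.
    fw.add_static_forward(161, HOST_B, 161)
    poll_after = fw.inbound(Packet(OPENNMS, 50002, REMOTE_PUBLIC, 161, payload="GET sysName.0"))

    return {
        "public_ports": (trap_b.src_port, trap_c.src_port),
        "reply_b_inside": (reply_to_b.dst_ip, reply_to_b.dst_port),
        "reply_c_inside": (reply_to_c.dst_ip, reply_to_c.dst_port),
        "poll_delivered": poll is not None,
        "poll_after_forward": (poll_after.dst_ip, poll_after.dst_port),
        "dropped": len(fw.dropped),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running `simulate()` shows the two traps leaving on distinct public ports and their replies landing on the correct inside hosts, the unsolicited poll counted as dropped, and the static forward delivering port 161 to Host B alone, which is the one-host-per-public-port limit that makes per-node static addressing (or a VPN) the only workable answer in the thread.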