RE: [opennms-discuss] General Question - SNMP, Remote Sites, DHCP,and Port Stacking

[Giff H. <gh...@at...>]

George,

Ian pretty much hit the nail on the head. In the scenario that you
describe, there are three basic options: 1) deploy a local management
station, 2) use a VPN or 3) set a static IP for the managed node in
the firewall. If options 1 & 2 are not permissible, the only option
available is to set static IP's for the systems and use that for
management purposes. Using something other than an IP address as
an identifier probably won't work because all naming services (DNS,
WINS, etc.) at some point resolve a name to an IP and then a MAC
so that the packet can be correctly routed through the internet.

That isn't too much of a problem in and of itself, but the real
trouble begins if you have more than one host assigned to a legal
IP address. Let's say that you have OpenNMS on Host A and you want
to monitor Host B and C on a remote network. B and C use the same
valid IP address. Each can go out to the internet through their 
firewall without any trouble because the firewall inspects every 
packet it sends out and keeps track of which host sent it. When 
the host at the other end responds, the firewall routes it the 
correct host. Now, Host A sends an SNMP request to Host B. The 
request goes to the firewall and it has a choice. Since the query
is ambiguous, the firewall will drop the request. If the firewall
wasn't there, B and C could respond and really confuse OpenNMS.

With the scenario you presented, about the only way to make this
work for any management station, you would need to assign static
IP addresses for the hosts you wanted to monitor across the net.
This, of course, would open you up to spoofing with potentially
disasterous results, unless you're using an encrypted SNMP, which
I believe is v3.

Sorry it's a long-winded answer, but I hope it gives you the ammo
you need to help your cause. If you have to stay with a central
management server, a VPN is your most effective solution.

Giff

-----Original Message-----
From: dis...@op... [mailto:dis...@op...]On
Behalf Of Ian Wallace
Sent: Wednesday, May 29, 2002 5:52 PM
To: Discuss OpenNMS
Subject: Re: [opennms-discuss] General Question - SNMP, Remote Sites,
DHCP,and Port Stacking


George - I am no networking expert at all but this problem seems to be
impossible for any network management tool to work with.  The real issue
is how do I target a single system to monitor?  From what I have seen in
the OpenNMS source we use IP's and since you can't provide a 1-to-1
mapping with the information you provided below it would seem that you
can't monitor such systems.

Are people envisioning such systems as being dynamic DNS type systems? 
Meaning the they are connected periodically say through DSL and then
disconnect?  I guess one method around this is to change how things are
discovered, and add in the ability to discover a node via DNS, rather
then IP - a little extra overhead but basically we'd have to associate
the services with a hostname rather then an IP.

Is this the type of problem you are talking about?  Or is it something
completely different?  At first I thought you were talking about NAT'ing
a bunch of machines behind a single IP at the router.  If you are
talking NAT'ing I don't really see how that would work.

Stopping now, I realize I'm rambling.
cheers
ian

On Wed, 2002-05-29 at 14:12, George D. Nincehelser wrote:
> This question came up during a demonstration of OpenNMS, and I came
> across some resistance for those familiar with UniCenter.  
>  
> Here is the problem:
> We want to monitor many remote unix systems.  These systems are spread
> across the country, on many different LANs.  These LANs are connected to
> various local ISPs using single, dynamic IP numbers assigned to a
> router.  It is likely that many of these unix systems will be stacked on
> a single IP from the Internet's perspective.
>  
> Assumptions:
> 1) There is only one central monitoring point
> 2) A sub-nms can't be deployed at each site
> 3) Can't use VPNs 
>  
> Obviously, the issue here is how do you address multiple systems behind
> single dynamic IP addresses assigned by many third parties.  I can't
> think of any obvious out-of-the-box solution.  I realize that OpenNMS
> probably can't address this...I can't think of any NMS product that can.
>  
> Does anyone know of any?  The UniCenter proponents seem to think this is
> easy, but couldn't tell me how other than DHCP is used.  My response was
> we don't have access to the ISP's DHCP information, so that won't help.
> (Even if we could get it, it doesn't get around the port stacking
> problem)
>  
> Any thoughts?
>  
> Thanks
> George 

_______________________________________________
discuss mailing list (di...@op...)
To subscribe, unsubscribe, or change your list options, go to:
http://www.opennms.org/mailman/listinfo/discuss