...
Device Groups and Interface Groups are the primary organizational units in NetMRI. You can create device groups in a nested structure, with some device groups subordinate to other device groups. You can apply device group membership criteria in the same ways with nested device groups as for device groups from earlier releases of NetMRI, which used a flat data structure and enforced all device groups as existing on the same peer level. You can now create a hierarchical list of device groups, comprised of top-level groups, with child device groups subordinate to them, and with child device groups further subordinate to their parent groups. For more information, see Creating Device Groups.
NetMRI uses device groups to organize device discovery results, generate separate scorecards, filter issues, and manage polling and processing for each device in the network. Device groups also offer control of Switch Port Management processes, including the ability to immediately carry out Switch Port polling in a device group.
...
For example, you might create a collection of groups named North, South, East, and West that organize devices geographically, while creating another set of groups named Accounting, Sales, and Engineering that organize devices along departmental lines. This allows you to manage devices across different dimensions, using similar mechanisms. With the groups described above, for instance, you can generate separate scorecards for all devices in the West or all devices used by Engineering. You decide on the organization, and NetMRI properly sorts everything.
...
The Device Shortcut Menu
...
...
Anywhere an IP address appears as a hyperlink in the NetMRI appliance, you can right-click that hyperlink to open a useful shortcut menu.
- Device Viewer: Opens the Device Viewer for the selected device associated with the hyperlink.
- Config Explorer: Opens the Config Explorer for the device associated with the hyperlink.
- View Running Config: Queries the chosen device and displays the contents of its currently running configuration file.
- Changes: Displays the device's Network Analysis > Changes page in the Device Viewer.
- Issue List: Displays the chosen device's Network Analysis > Issues page in the Device Viewer. For more information, see Evaluating Issues in NetMRI.
- Policy Compliance: Opens the chosen device's Network Analysis > Policy Compliance page in the Device Viewer, which shows the status of any Policies deployed against the chosen device.
- Topology Viewer: Opens the NetMRI Topology Viewer with the selected device as the central device shown in the map.
- Schedule Job: Opens the Job Details window, to set up a job script to run against the chosen device. For more information, see Job Management and Automation Change Manager.
- Execute Command: Similar to Schedule Job, this option opens an Ad Hoc Command function to allow entry of a single command string to the chosen device. The command syntax needs to be compatible with the selected device like JunOS for Juniper, IOS or CatOS for Cisco, and so on.
- Open Telnet Session: Activates the Telnet/SSH proxy to start a new Telnet session with the chosen device.
- Open SSH Session: Activates the Telnet/SSH proxy to start a new SSH session with the chosen device.
...
Telnet and SSH Proxy Operation
...
The NetMRI appliance functions as a Telnet and SSH session proxy for users to communicate by command line with devices on the network, including devices that the system sees and can reach, but does not manage. This functionality extends to Telnet or SSH sessions with NetMRI devices themselves.
...
All session activity is logged. For more information, see User Audit Logs.
| Note | ||
|---|---|---|
| ||
All Telnet/SSH proxy sessions have an inactivity timeout of five minutes. This value cannot be changed. NetMRI allows only one session to a device from the same NetMRI instance. |
...
| Note | ||
|---|---|---|
| ||
Before typing, click in the browser-based Telnet or SSH session window after you open a session. |
...
Using CLI Proxy
In addition to using Telnet and SSH sessions as proxies, you can connect to network devices using the CLI proxy. This feature allows users with valid privileges to proxy a connection to network devices through NetMRI. Superusers can grant the following privileges to control user access to the CLI proxy feature:
...
For information about specifying privileges, see Defining and Editing Roles.
To connect to specific devices, users must also have permissions to the corresponding device groups to which the devices belong. Authorized users can use any SSH client to gain proxy connection using their NetMRI credentials, without the need to acquire the credentials for individual devices. With valid privileges, users can use the Connect command to connect to the devices from any SSH client. For information about the command, see Using the Connect Command. The CLI proxy feature connects only through the management interface on the NetMRI appliance. This helps eliminate the need to gain access to the user's computer through various networks, VRFs, and VLANs. Note that all connections and commands issued to any network devices through the CLI proxy are audited and logged. For information about audit logs, see User Audit Logs.
...
Using the Connect Command
Use the Connect command to connect to network devices from any SSH client. Users only need a connection to the NetMRI Management interface to connect to any managed devices. Users can connect to devices in groups to which they have valid permissions. You can view the audit logs for all events when the users use the Connect command to access network devices.
...
- Start a PuTTy session.
- In the PuTTy Configuration window, go to the Connection –> Data –> Category section.
- As illustrated in Figure 14.1below, perform the following in the Environment variables section:
...
- enter CLI_PROXY_HOST 210.20.20.5.
...
- Click Open.
Figure 14.1 Configuring Environment Variables in PuTTy Session
5. Click Open.
...
User Audit Logs
| Note | ||
|---|---|---|
| ||
If the contents of an audit log are of interest and must be kept for a longer term, save the log contents into a separate text file, as the log will drop off of the system 30 days after it appears. Audit logs are unique to each device. |
...
To view a device's user audit log, go to Device Viewer –> Settings & Status –> User Audit Log. The audit log appears as a cumulative list for all Telnet/SSH sessions for the individual network device or end host for the last 30 days.
...
Using the Device Audit Log
...
| Note | title | Note|
|---|---|---|
| Note | ||
| ||
The System Administrator and View Audit Log privileges are required in order to view the Device Audit Log. |
...
When devices are removed from the license count for NetMRI or ACM, related event messages will appear.
...
Introducing Device Groups
...
...
Device
...
Device groups are a fundamental organizing tool in NetMRI. You use device groups to gather devices with similar attributes and similar categories together, to perform device management tasks, or because you want to organize a set of devices into a group to perform specific processing tasks, or to prevent processing tasks from being performed.
...
For more information, see Controlling NetMRI with Device Groups.
...
Default Device Groups
Default
...
Default device groups serve as good examples of how selection criteria and process settings can be defined to organize your network devices, but you should learn how to create your own device groups to gain all of the benefits of the device groups feature.
...
| Note | ||
|---|---|---|
| ||
Use caution when deleting default device groups. The Routing, Switching, NIOS, Optimizers, Security, and many other groups are groups built-in with NetMRI and should never be removed without first having developed new groups with the desired functionality to take their place. |
...
Using the Device Group Selector
...
The main Dashboard, Network Analysis, and Network Explorer pages show the Device Group Selector control on the right. Simply click a device group name in the selector to filter the contents of the main display pane. To edit a device group, right-click any device group name and select Edit Device Group, or click the Edit Device Group icon.
All top-level device groups can act as top-level device groups for nested device groups. Nested device groups can only contain devices from the parent device group. You can nest child device groups up to five levels deep in the tree. By default, child device groups automatically appear in the tree but can be hidden by clicking the (-) symbol next to the parent group.
...
Controlling NetMRI with Device Groups
...
Basic device groups limit their processing options to a minimum. Basic device groups do not contribute to NetMRI Network Scorecard calculations and significantly reduce back-end processing. You can define group membership criteria. For more information, see Understanding Device Group Membership Criteria.
...
- Include non-network devices: Enables collecting end-host network segments into a basic device group to avoid expanding system processing cycles on network devices that do not require them.
- Rank: For more information, see Ranking Device Groups.
- Polling Frequency: Allows you to modify the default polling frequency for all devices or for specific device groups. For more information, see Creating Extended Device Groups.
- Switch Port data collection: Enable this only for device groups with L2/L3 Ethernet switching devices as members. This allows you to enforce custom periodic or scheduled polling settings for specific groups. For more information, see Device Groups and Switch Port Management.
- Collect performance and environmental data: Enable or disable device performance and environmental information. For more information, see Changing Performance Data Collection Settings.
- Probe for open ports: Allows NetMRI to probe for open TCP/UDP ports on member devices.
- Identify device using fingerprinting: For more information, see Defining Group Data Collection Settings.
- Probe for NetBIOS name: For more information, see Defining Group Data Collection Settings.
- Analyze for Issues: For more information, see Evaluating Issues in NetMRI and Viewing Device Issues, Configurations, and Changes.
- Test for default credentials: Allows NetMRI to test all devices in the group for the presence of vendor default SNMP credentials, which are a potential element for security breaches, but are also used for assistance in collecting device configurations. Credential default testing is also a compliance measure.
- Collect config files: For more information, see beginning with Configuration Management.
- Regard configurations as 'Locked': Disallows editing of any collection configuration files for members of the device group.
- Allow script execution: Allows the execution of Perl and CCS scripts on group member devices.
- Enable Discovery Blackout: Define time periods when NetMRI will not communicate with devices or networks for discovery.
- Enable Change Blackout: Define blackouts for CLI interaction, scheduled or run-now job executions, Telnet/SSH proxy, and port control UI features for all devices in the group. For more information, see Defining Blackout Periods.
All settings are further described in the topic Creating Device Groups.
You can convert basic device groups to extended device groups, and also the reverse, at any time.
...
| Note | ||
|---|---|---|
| ||
For efficient system operation, NetMRI provides a limit of 250 Extended device groups and 250 Basic device groups. Use Extended groups sparingly to avoid significant load on the system. |
...
Device Groups and Switch Port Management
Through device groups, switch port management enables you to monitor and analyze the complement of Ethernet trunks and switch ports in their network. Switch port information gathering, or polling, is the key tool for doing this. Device groups can specify unique switch port management polling settings. Polling settings that are located under Settings icon –> Setup –> Collection and Groups –> Groups tab take precedence over the global settings defined in Settings icon –> Setup –> Collection and Groups –> Global –> Switch Port Management.
...
The settings you define here apply only to the chosen device group.
...
Ranking Device Groups
...
...
For device groups, NetMRI uses the Rank setting to determine how and when each device is processed after it is discovered on the network. Also, device groups use Rank as a way of determining the actions to take on a device that is a member of more than one group. If a device is a member of two groups, one that is enabled for config collection, and in another that is not, the group with the highest rank determines if the configs should be collected for that device. Ranking for child device groups in the device group tree is hierarchical. Child groups ranking is always higher than the ranking of its parent. Group Ranking is also used as the default sort order for all group-related tables, with the highest rank shown first.
...
| Note | ||
|---|---|---|
| ||
In the device groups tree, the Rank is displayed only for Extended groups. |
...
The Group Processing Hierarchy
...
...
NetMRI controls processing within device groups by a hierarchical collection of settings in the following order:
...
If you disable a specific process (such as SNMP collection) at a higher level, then all lower level settings are ignored. This allows administrators to quickly disable all processing of a given type, such as SNMP, without being forced to change individual settings.
...
Filtering by Device Group
...
When the Select Device Group panel is available (in the right panel), you can filter the contents of the center panel by device group.
...
| Note | ||
|---|---|---|
| ||
The number in parentheses after a device group name is the number of devices in the group. |
...
...
Creating Device Groups
To create and manage device groups, click the Settings icon > Setup > Collection and Groups > Groups > Device Groups side tab.
Both Basic and Extended groups can be created as either top-level, sibling, or child groups. NetMRI automatically assigns a parent group ID to the group you create. You can drag and drop a group in the tree for the desired position. For more information, see the following sections:
...
| Child pages (Children Display) |
|---|
The table in the Device Groups side tab lists all device groups, with default sorting by Rank. Each row shows group configuration settings. Parent groups appear as folder icons indicating that child device groups exist beneath them in the tree. The device groups table provides a series of columns showing the status of various discovery and monitoring features that are enabled or disabled for each group.
...
ARP (Refresh device caches) | Indicates whether member devices in the group will have their ARP caches refreshed before collecting discovery data. NetMRI uses ARP cache refresh to control LAN switches from which switch-forwarding data is collected. For more information, see Notes on ARP, Switch Data Collection, and End Hosts. |
SNMP | Indicates whether the device group is set to enable SNMP data collection for member devices. SNMP collection can also be enabled/disabled for groups and devices. |
PS (Port Scan) | Indicates whether members of the device group will be scanned for open protocol ports. If enabled, NetMRI probes the TCP and UDP ports listed at Settings icon –> Setup –> Port List, to determine whether they are open. For more information, see Defining Group Data Collection Settings. |
FP (Fingerprint) | Indicates the device group setting to use the Identify device using fingerprinting setting for member devices. (This setting is dependent on the Probe for Open ports feature.) A polling technique to identify each network device based on the response characteristics of its TCP stack. This information is used to determine the device type. In the absence of SNMP access, fingerprinting is usually the only way to identify non-network devices. For more information, see Defining Group Data Collection Settings. |
C (Collect configs) | Indicates the device group setting to allow config file collection for all members in the group (Collect config files). |
CCS (CCS scripting) | Indicates the device group setting to allow CCS script file execution for all members in the group (Allow Script Execution). |
| PP (Privileged Polling) | Indicates whether the option CLI polling in privileged mode (i.e. privileged exec (enable) mode) is enabled for the group the device belongs to. You can override this setting for an individual device in the Device Viewer. |
DC (Default Credentials) | Indicates the device group setting for Test for Default Credentials, used to scan for the presence of vendor default credentials for all members in the group. |
A (Issue Analysis) | Indicates the device group setting to allow Issue analysis for all members in the group (Analyze for Issues). For more information about Issue analysis, see Viewing Issues in the Network. |
CL (Config Lock) | Indicates the device group setting to collect config data but to consider all member device configs locked and not to be changed through NetMRI (Regard configurations as 'locked'). For more information, see Defining Group Data Collection Settings. |
| UGPF (Use Global Polling Frequency) | Indicates whether the device group uses the global polling frequency value. For more information, see Setting Polling Frequency for a Device Group. |
| PF (Polling Frequency) | Indicates whether the device group uses a custom polling frequency value. For more information, see Setting Polling Frequency for a Device Group. |
NB (NetBIOS Scan) | Device polling method to collect the NetBIOS name for endpoint devices in the network. Device groups also enable NetBIOS scanning. For more information, see Defining Group Data Collection Settings. |
DB (Discovery Blackout) | Indicates the device group setting to impose discovery blackouts. For more information, see Defining Blackout Periods. |
CB (Change Blackout) | Indicates the device group setting to impose configuration change blackouts. For more information, see Defining Blackout Periods. |
SPMC (SPM | Indicates the device group setting to allow switch port data collection (Switch port data Collection). For more information, see Device Groups and Switch Port Management. |
SPMS (Polling Schedule) | Indicates whether the device group provides a polling interval or scheduling for switch port data collection. This setting is dependent on an enabled Switch port data Collection setting for the device group. |
MC (Membership Criteria) | Hovering the mouse over the check box in this column shows the complete regular expression for the selected device group. For more information, see Understanding Device Group Membership Criteria. |
...
- Click the Settings icon > Setup > Collection and Groups > Groups.
- Click Add to create a top-level, sibling, or child extended group.
- In the Parent ID field, NetMRI automatically sets the ID of the parent group. It is "0" for a top-level or sibling group.
- Enter a Name for the group. The group name is shown in all group-related displays and reports, so the group name should be meaningful without being too long.
Define a Membership Criteria regular expression.
Note title Note Infoblox recommends using regular expressions for refining the membership in device groups. The topic Understanding Device Group Membership Criteria provides the information you need to understand and define regular expressions for device groups.
- If you want the device group to include collections of discovered non-network devices, select Include non-network devices. Leaving this setting unselected prevents non-network devices from occupying valuable licensing space.
- Next to Type, click Extended.
- Rank: Displays the Ranking value as the default sort order. For more information, see Ranking Device Groups. Ranking value is used as the default sort order for all group-related tables, with the highest rank shown first. Rank is also used to determine the individual device settings controlling processing for each device.
Polling Frequency: Allows you to slow down or speed up the device polling frequency. For more information, see the following section, Setting Polling Frequency for a Device Group.
For Switch Port data Collection, choose from the following:
- Use Global Settings: Select this to enable the device group to inherit global settings for switch port data collections. To find the global settings, click the Settings icon > Setup > Collection and Groups > Global > Switch Port Management. For more information, see Global Switch Port Management Polling Settings.
- Specify Polling Interval: Overrides the global polling interval with a custom polling interval for the current device group. You can define an interval of 1-60 Minutes or 1-24 Hours in the fields that appear.
- Specify Schedule: Overrides the global scheduled polling setting with a custom schedule for the current device group. Existing schedules may appear in the list or, click Add New Schedule to create a new polling schedule instance. Choose a Recurrence Pattern of Once, Hourly, Daily, Weekly, or Monthly. In all cases, you must choose an Execution Time and select at least one day of the week check box.
- Poll Now: Click to execute switch port polling on the device group right after it is created.
Disable: Completely disables switch port polling for the device group.
Note title Note The polling frequency modifier described in the previous step does not affect settings for switch port data collection frequency.
- Activate the processing options for the new Extended group:
...