This chapter describes how to manage your network resources after they have been configured. To perform these tasks, you use panels to enter the necessary information.
The Alert Table option is only available for agents and allows you to disable or enable the traps sent by the agent.
To select the Alert Table option, click MB3 on an agent module icon and select Control -> Alert Table from the context menu. A panel is displayed.
You can set the following alerts:
To select the Reset Mastership option, do one of the following:
This option initiates the election of a Master Management module based on the mastership priority allocated to each Management module. The module with the highest priority (in the range from 1 to 10 where 10 is maximum) is elected master and becomes responsible for box management of the Hub. If two or more management modules have the same priority, mastership election is arbitrary.
Nways Manager-LAN detects that a mastership reelection has occurred and that a new agent is now master in a hub when:
One side effect of this change is that the object representing the hub in the generic topology database that was merged with the object representing the master agent is split and merged with the new master agent.
Some modules can be accessed remotely from a workstation that supports the Telnet protocol. When you remotely log on to a module, a text interface is used. This interface is similar to the interface of the out-of-band ASCII console connected to the RS-232 or RS-423 serial port on the module.
You can select the Telnet option in the following ways:
A panel is displayed containing a list of all modules in the hub that support Telnet. To start a Telnet session, select one of the lines in the list and click on the Telnet pushbutton.
Note: | The Master Management module is preceded by an asterisk (*). |
If a selected module or device does not support Telnet, the Telnet option is displayed in reduced highlight and cannot be selected. Only modules or devices that support Telnet allow you to start a Telnet session.
If no modules support Telnet, this panel will be empty. To use the autodiscovery process to check if any modules have been connected since this panel was displayed, click on the Refresh pushbutton.
When you select one of the modules in the list, additional information is displayed in the System Table section.
To start a Telnet session, select a module and click on the Telnet pushbutton.
To remotely access and manage bridges and routers, you use the Router and Bridge Manager component of Nways Manager-LAN. You start by performing one of the following tasks:
The Router and Bridge Manager Function Panel is then displayed. The panel displays no information if:
To use the autodiscovery process to check if any devices have been connected since this panel was displayed, click on the Refresh pushbutton.
When you select one of the modules listed, additional information is displayed in the System Table section.
To start Router and Bridge Manager, select one of the routers in the list and click on the RandB Man pushbutton. To start a Telnet session, click on the Telnet pushbutton.
A Download operation (inband download) sends software to hub modules that support TFTP. Microcode is downloaded with parameters that specify the modules that receive microcode and the characteristics of the file to be downloaded.
To download microcode, click MB3 on a module icon in a Hub Level view and select Control -> Download from the context menu. The Download panel is displayed.
The following read-write fields can be changed:
Note: | For 8260 modules, the software download is performed using TFTP first to the DMM, and then from the DMM to the other modules in the hub. All 8260 modules support the download operation; only certain 8250 modules, however, support it. |
When the download operation finishes, the results of the operation and the date and time of the last successful download are displayed.
When there are two or more DMM modules in a hub and you download software to the master DMM module, the results displayed in the Download panel do not reflect the results of the download operation. This is because the master DMM is reset after the microcode is downloaded and during the reset, the slave DMM becomes master. The results that are displayed are the results of the last microcode download performed to the slave DMM (that is now master).
If the Download function is not available, you can configure AIX for TFTP inband download by following these steps:
Select TFTP from the list. The command is: startsrc -t'tftp'. You must be a root user to be able to do this.
BootP is a protocol that allows a client to discover its IP address and the location of a file to execute on startup. The BootP protocol is only used by Token-Ring Management modules (TRMM V3.0).
To configure BootP parameters, click MB3 on a Token-Ring Management module icon in a Hub Level view and select BootP from the context menu. The BootP Panel is displayed.
From the BootP panel, you can change the following settings:
The result of the last BootP operation is displayed in the Last BootP Result field.
The FDDI_SMT function allows you to view and modify FDDI management station information and to customize your FDDI network. The FDDI Station Management panel is only accessible from the context menu of an FDDI Management module.
The FDDI_MAC_Timers function allows you to view or modify FDDI MAC-related timer information. The FDDI MAC Timer panel is only accessible from the context menu of an FDDI Management module.
The Snapshot option saves a backup of the current hub configuration, including all customizable MIB variables for a given Hub Level view.
To save the configuration parameters for a hub, open the Hub Level view and select Hub -> Control -> Snapshot. The Snapshot panel is displayed.
The following information from the snapshot is saved in the file and directory specified in the Snapshot panel and can be printed:
You can build secure Ethernet and Token-Ring LANs by giving access only to authorized LAN stations. Nways Manager-LAN provides intrusion protection by controlling access to the LAN through a MAC access list that is maintained on a port basis.
Intrusion protection is available for the following modules:
The Intrusion function allows you to define a list of authorized MAC Addresses for a given port. You configure a port so that when a security violation occurs, the port is disabled and a trap is sent.
Notes:
To configure Intrusion protection for a port, open a Hub Level or Module Level view and click MB3 on the port icon. Then select Intrusion from the context menu. The Port Intrusion panel is displayed.
Nways Manager-LAN allows you to configure security for 8260 Ethernet modules which are assigned to Ethernet and isolated networks. This is necessary because in a standard Ethernet network, packets transmitted from one node to another node are also transmitted to all nodes in the network. Each node examines the packet to see if its destination address matches the physical MAC address of the node. If the addresses do not match, the packet is discarded.
Without security protection, the following situations can occur:
By configuring Ethernet security, you can prevent eavesdropping and intrusion in the network.
You can configure Ethernet security so that:
In order to secure an Ethernet or isolated network, you must use one Ethernet Security Card (ESC) for each network segment in an 8260 hub. The ESC card is a daughter card that you install on an 8260 Ethernet module or Distributed Management Module (DMM). The module in which you install the ESC card is called the securing module for the network.
Each ESC card manages the ports in a hub that are assigned to the same Ethernet or isolated network segment. This means that if you have four Ethernet segments in an 8260 hub and want to secure each segment, you must install four ESC cards (one for each network segment).
To secure an Ethernet or isolated network, follow these steps:
When configuring MAC addresses, you may want to define groups of MAC addresses that correspond to groups of users. This procedure is described in Defining Security Groups.
Note: | The 8260 Ethernet security function uses an address table that contains the MAC addresses and associated ports of nodes in a secure network. Although there is no limit to the number of allowable MAC addresses that you can configure for each port, the maximum number of MAC address-port entries that can be made in the table is 1000. Once this limit is reached, older entries are automatically deleted.
To see how many entries have already been made in the security address table, follow these steps:
For more information on using the security address table, refer to the IBM Ethernet Security Card User's Guide (SA33-0262). |
When configuring Ethernet security, be sure to check the default settings that exist at port level. These defaults refer to Ethernet ports on all 8260 hubs in the IBM Hubs Topology. It may be easier to load the default settings and modify the ones you want to change rather than to manually enter each value.
To display the default security settings for 8260 Ethernet ports, follow these steps:
The default settings (enable or disable) for the following parameters are contained on the panel:
Eavesdropping protection means that packet transmission is jammed on all ports, except when a packet's destination address matches one of a port's allowable MAC addresses. To enable eavesdropping protection in a secure network, you must also enable the Eavesdrop Protection parameter at the network level.
Intruder protection means that a packet's source address is checked against the list of allowable MAC addresses for the port. If the source address does not match an allowable MAC address, the packet is treated as an intruder and is jammed. To enable intruder protection in a secure network, you must also enable the Intruder Jamming parameter at the network level.
All modules in the network are set to receive a security message with each packet. The message contains information about whether or not to jam the packet. If there is a failure in the security function and if the Fail Safe and Jamming parameters are enabled, all outgoing packets are jammed at port level.
To change any of the default settings for port security, follow these steps:
When configuring Ethernet security at the network level, remember that:
To display the default security settings for Ethernet and isolated networks, follow these steps:
The default settings (enable or disable) for the following parameters are contained on the panel:
When enabled, be sure to set all other network security parameters in the panel before you save your selections by clicking on OK.
If you enable autolearning at the network level, you must also enable the Autolearn parameter at port level.
In order for intruder packets to be detected, you must also enable the Source Address Checking or Source Port Checking parameter at network level.
If you enable source address checking, source addresses of transmitted packets are checked only for ports that have the Intruder Check parameter enabled.
If you enable intruder port checking, the source port number of transmitted packets is checked only for ports that have the Intruder Check parameter enabled.
Note: | Intruder port checking is an optional parameter. If you enable both intruder address and intruder port checking, both the MAC address and port number of a transmitted packet are checked in the list of allowable MAC addresses. If either one (or both) does not match an entry in the table, the packet is treated as an intruder. |
Note: | Only 100 intrusion entries can be stored in the intruder table. Once this limit is reached, older entries are erased. |
In order for intruder packets to be detected, you must enable the Source Address Checking parameter at the network level.
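The way port-level and network-level parameters depend on each other can be traced with a small model. The Python below is an added example, not IBM code or part of Nways Manager-LAN; the class and function names, the use of one allowable-address list per port for both checks, and the sample MAC addresses are assumptions made for illustration, and broadcast traffic and source port checking are not modelled.

```python
from collections import deque
from dataclasses import dataclass

INTRUDER_TABLE_LIMIT = 100  # from the page: only 100 intrusion entries are stored

# Constructed sample addresses (locally administered), not taken from any real network.
STATION_A, STATION_B, STATION_C = (f"02:00:00:00:00:0{c}" for c in "abc")
ROGUE = "02:00:00:00:00:ff"


@dataclass
class NetworkSecurity:
    """Network-level parameters named in the text."""
    eavesdrop_protection: bool = False
    intruder_jamming: bool = False
    source_address_checking: bool = False


@dataclass
class PortSecurity:
    """Port-level parameters plus the port's allowable MAC addresses."""
    allowed_macs: frozenset = frozenset()
    eavesdrop_protection: bool = False
    intruder_check: bool = False


class SecuredSegment:
    """Hypothetical model of one secured Ethernet or isolated network segment."""

    def __init__(self, network, ports):
        self.network = network
        self.ports = ports  # {port number: PortSecurity}
        # Oldest entries fall off once the limit is reached.
        self.intruder_table = deque(maxlen=INTRUDER_TABLE_LIMIT)

    def is_intruder(self, src_mac, ingress_port):
        port = self.ports[ingress_port]
        # The source is only checked when the network-level and port-level
        # parameters are both enabled.
        if not (self.network.source_address_checking and port.intruder_check):
            return False
        return src_mac.lower() not in port.allowed_macs

    def handle(self, src_mac, dst_mac, ingress_port):
        """Return whether the frame is an intruder and which ports see it unjammed."""
        intruder = self.is_intruder(src_mac, ingress_port)
        if intruder:
            self.intruder_table.append((src_mac.lower(), ingress_port))
            if self.network.intruder_jamming:
                return {"intruder": True, "clear_ports": []}
        clear = []
        for number, port in sorted(self.ports.items()):
            if number == ingress_port:
                continue
            protected = self.network.eavesdrop_protection and port.eavesdrop_protection
            # A protected port only sees frames addressed to one of its own stations.
            if not protected or dst_mac.lower() in port.allowed_macs:
                clear.append(number)
        return {"intruder": intruder, "clear_ports": clear}


def demo_segment(network_enabled):
    """Three ports with port-level security on; network level is switchable."""
    network = NetworkSecurity(network_enabled, network_enabled, network_enabled)
    ports = {
        n: PortSecurity(frozenset({mac}), eavesdrop_protection=True, intruder_check=True)
        for n, mac in enumerate((STATION_A, STATION_B, STATION_C), start=1)
    }
    return SecuredSegment(network, ports)


if __name__ == "__main__":
    for enabled in (False, True):
        segment = demo_segment(enabled)
        print("network-level enabled:", enabled)
        print("  rogue -> B on port 1:", segment.handle(ROGUE, STATION_B, 1))
        print("  A -> B on port 1:    ", segment.handle(STATION_A, STATION_B, 1))
```

With only the port-level parameters enabled, the model forwards the unauthorized frame to every port and records nothing, which is the misconfiguration to look for when reviewing a secured segment.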
To change any of the default settings for network security, follow these steps:
To configure Ethernet security, you must specify the valid MAC addresses of the network stations that are allowed to transmit data through each port. A quick way to do this is by defining groups of allowable MAC addresses. You can then enter the number of a security group instead of manually entering one MAC address at a time.
When defining a security group, remember the following guidelines:
To define a security group, follow these steps:
To display the list of MAC addresses assigned to a security group, enter the group's number in the Security Group field and click on List. You can modify the list of MAC addresses in the following ways:
Before configuring security for ports in an Ethernet or isolated network, be sure to:
To configure security for Ethernet ports, you must specify allowable MAC addresses. These are used to check the source and destination addresses in packets to determine the nodes from which a port can receive packets and to which it can send packets.
For example, if you want to prevent a port from receiving intruder packets, you must configure the MAC addresses for the source nodes from which the port can receive packets. Similarly, if you want to prevent unwanted eavesdropping, you must configure the MAC addresses for the destination nodes to which the port can send packets.
To set the security for an Ethernet port, follow these steps:
To delete an address from the list, click MB1 to select it and click on Delete. To delete all addresses from the list, click on Delete All.
To add the MAC addresses contained in a security group, enter the group's number in the First Group or Second Group field.
To display the contents of a security group, click on MAC Addresses. The Security Group panel is displayed. To add or delete the MAC addresses assigned to the group, follow the procedure in Defining Security Groups.
The Port Security Parameters panel is displayed with the current security settings. If necessary, modify these parameters according to the procedure in Using Default Settings for Port Security.
To reset port security to the default parameters, select Defaults -> Load Defaults from the menu bar.
To configure security for other Ethernet ports in the hub, click on << Port >>.
Because port security is not activated unless the corresponding network security parameters are enabled, you may need to set or modify some of these parameters. To do so, follow the procedure in Configuring Security for Ethernet and Isolated Networks.
To set the security settings for an Ethernet or isolated network, follow these steps:
To display a list of isolated networks, first click on the icon of the module that contains ports connected to network devices. Then click on the icon for Isolated networks.
If no ESC card has been assigned to the network, an error message is displayed: No securing module has been assigned to current network. To configure an ESC card, follow the procedure in Configuring Daughter Cards.
To reset network security to the default parameters, select Defaults -> Load Defaults from the menu bar.
To save the security settings in the panel as the new default values for network security, select Defaults -> Save Defaults from the menu bar.
The Power Management panel is only available for IBM 8260 hubs. It lets you specify whether or not the Hub Power Management Mode is fault tolerant. When this mode is enabled, one power supply is held in reserve and will be used during failure of one of the other power supplies in the hub.
To display the Power Management panel from a Hub Level View, select Hub -> Control -> Power Management.
Modules that have a higher power class receive power first. 10 is the highest power class; 1 is the lowest.
Note: | The modules which are powered off are identified by a Power Off icon overlaid on top of an empty module icon that has no icon above it. This indicates that there is a module plugged into the slot but that there is insufficient power in the hub. |
You must calculate the power requirements of all the modules in the selected hub to ensure that sufficient power supplies are available. An extra power supply, above that needed for normal operation, is required if you want to set fault tolerant mode on.
Important: | The Power Admin State cannot be set on the Master Management module. |
A question mark (?) in the operating status column in the Module Power Management list box means that a refresh is needed to know the value set by the agent. Click on the Refresh pushbutton to display the new value set by the agent in the Operating Status column.
The Set Port All function enables you to use one panel to manage all ports of a selected module by setting the following parameters on a per-port basis:
To manage all ports from the context menu of a module, select Control -> Set Port All. The Set Port All panel is displayed.
When using the Set Port All panel, you must perform the actions in the following order:
The current values of all ports on the module for the selected operation are displayed in the Port List area.
To choose more than one port, click on the Set pushbutton and then select the line for each individual port.
Note: | You cannot select a parameter from the Value to Set column if it is the currently set value. For example, you cannot select enable for a port that is currently enabled. |
Notes:
To reset a hub and the modules in the hub, do one of the following:
A dialog box is displayed for you to confirm that you want to reset the selected device. Press Yes to continue and reset the device; press No to cancel the operation.
Resetting a hub or a module is the same as rebooting the device. Make sure that you are aware of what is attached to the selected hub or module. Resetting a Controller or a Master Management module effectively resets the entire hub.
Hubs and modules displayed in red cannot be reset using the Reset function because there is no IP connectivity to the hub or module.
Nways Manager-LAN monitors hubs by means of polling and trap handling. Polling is performed when:
The polling of each hub consists of the following steps:
The Search function uses station information to build a Module Level view. To receive accurate station information for a specific hub segment:
Note: | Bridges may hide the MAC Addresses of attached stations. |
The information returned by the poll is held in memory and reflects the information gathered for the hub during the previous poll.
There are two types of polling: normal polling and forced polling.
Normal polling (the default value that is shown in the SMIT installation panel) uses polling steps 1 and 2 with step 3 executed on every 10th cycle. Normal polling occurs when:
Forced polling uses polling steps 1, 2, and 3. Forced polling occurs when:
Nways Manager-LAN monitors the status of discovered hubs by polling the hubs in either of the following ways:
The Polling Policy option lets you set the interval for periodically polling single or multiple hubs.
You can display the Single Hub Polling Interval Panel in any of the following ways:
The information on polling policy and polling interval in the panel is also displayed at the bottom of the Hub Level view for each hub.
If the Polling Policy field is set to On Request, you cannot change the polling interval.
If the Polling Policy field is set to Regular, you can specify the interval between polls using the scrollable hours and minutes fields. Note that it is useful to set a higher polling rate for sensitive devices and reduce the frequency of polls for devices that have less effect on the network if they go off-line.
Note: | Changing the Polling Policy from On Request to Regular triggers normal polling (see Polling Hubs for details.) |
The minimum polling interval is one minute; the maximum polling interval is 23 hours and 59 minutes. The default polling parameters are:
These default values can be changed through SMIT.
Any values changed in the Polling Policy panel are saved when you click on Apply or OK.
Note: | SNMP recovery performs a hub poll independently of the polling policy and hub status (Managed or Unmanaged) configured in NetView for AIX.
To cancel the hub poll started by the SNMP recovery, select the hub in the IBM Hubs Topology or the master agent in the IP Internet submap and select Options -> Unmanage Objects from the menu bar. |
To set the same polling policy for two or more hubs, follow these steps:
Note: | When all the hubs in the group have the same values, this panel displays the common values. Otherwise, it shows the default values which can be set by selecting SMIT -> HubManager -> Configure -> Change the Default Polling Policy. |
Nways Manager-LAN uses two types of polling policy:
If the Polling Policy field is set to On Request, you cannot change the polling interval. If the Polling Policy field is set to Regular, you can specify the interval between polls.
The minimum polling interval is one minute; the maximum polling interval is 23 hours and 59 minutes. The default polling parameters are:
Any values changed in the Polling Policy panel are saved when you click on Apply or OK and apply to all hubs selected in the IBM Hubs Topology.
Note: | SNMP recovery performs a hub poll independently of the polling policy and hub status (Managed or Unmanaged) configured in NetView for AIX.
To cancel the hub poll started by the SNMP recovery, select the hub in the IBM Hubs Topology or the master agent in the IP Internet submap and select Options -> Unmanage Objects from the menu bar. |
The Threshold function is available with master or slave TRMM agents V2.1 Advanced or higher. It lets you monitor activity (statistics) and specify threshold values for selected resources.
TRMM agents provide thresholding capability for the network, station, port, and pre-defined MIB object identifier (provided that it has a type of counter or integer). Once you have set the threshold parameters, the TRMM monitors the associated counters at selected (user-defined) intervals. When the counter value exceeds the threshold value you have specified, an SNMP trap is sent to Nways Manager-LAN.
The TRMM sends additional traps each time the value drops below and then again exceeds the threshold value. No additional traps are sent if the value is consistently above the threshold.
If you specify a threshold value of 100 for an interval of 60 seconds, the TRMM will send a trap if the value of a specified counter reaches 101 during a 60-second period. Even if the counter value temporarily exceeds 100 during the next 60-second interval, the TRMM will not send a second trap. This is because the TRMM does not register that the threshold has been exceeded a second time until the counter value remains equal to or falls below the threshold for at least one 60-second interval.
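The re-arm rule in the example above means that a single trap can stand for a long run of intervals above the threshold. The following Python is an added illustration, not TRMM agent code; it assumes the counter is evaluated once per interval as a per-interval total, and the names and sample counts are constructed.

```python
from dataclasses import dataclass


@dataclass
class Episode:
    """One trap and the run of over-threshold intervals it stands for."""
    trap_interval: int    # index of the interval that triggered the trap
    intervals_above: int  # consecutive intervals that stayed above the threshold
    peak: int             # highest per-interval count seen during the run


def threshold_episodes(interval_counts, threshold):
    """Apply the rule described in the text to a series of per-interval counts.

    A trap is sent when a count exceeds the threshold while the threshold is
    armed. It is re-armed only after an interval whose count is equal to or
    below the threshold, so a sustained excess yields exactly one trap.
    """
    episodes = []
    current = None  # None means the threshold is armed
    for index, count in enumerate(interval_counts):
        if count > threshold:
            if current is None:
                current = Episode(index, 1, count)
                episodes.append(current)  # this is the interval that sends a trap
            else:
                current.intervals_above += 1  # still above: no further trap
                current.peak = max(current.peak, count)
        else:
            current = None  # at or below the threshold for a full interval: re-arm
    return episodes


def trap_intervals(interval_counts, threshold):
    """Indices of the intervals in which a trap would be sent."""
    return [e.trap_interval for e in threshold_episodes(interval_counts, threshold)]


# Constructed sample: counts for nine consecutive 60-second intervals.
SAMPLE_COUNTS = [40, 101, 150, 130, 100, 101, 90, 300, 300]

if __name__ == "__main__":
    for episode in threshold_episodes(SAMPLE_COUNTS, threshold=100):
        print(episode)
```

In the sample, nine intervals produce three traps, and the first trap covers three consecutive intervals above the threshold.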
To configure thresholds for a network, port, or station, you need the following information:
A Threshold Control panel is displayed showing the status of all the current thresholds.
You can add new thresholds, enable or disable a threshold after selecting it in the list box, and modify or delete an existing threshold. You can also enable, disable, or clear all listed thresholds. When you select to add or modify a threshold, a panel is displayed corresponding to the threshold index selected and a complete description of the threshold's parameters is provided for information or modification.
Note: | Modifications made in the Statistics Attributes Panel will be shown in the Statistics Control Panel when you click on the Refresh pushbutton. |
Depending on the threshold category, other parameters must be entered. Non-applicable parameters are shown in reduced highlight depending on your selection.
Table 6. Summary of Threshold Counters
Type | Description |
---|---|
frames | Blocks of characters in the standard frame panel used by the Token-Ring protocol. |
bytes | 8-bit strings of data |
broadcast frames | Frames sent to the broadcast address and received by all stations. |
multicast frames | Frames sent to the multicast address. |
hard errors | Fatal errors that require beacon recovery. |
soft errors | Errors that are recoverable by the MAC layer protocol. These include line errors, burst errors, lost frame errors, ARI/FCI set errors, frame copy errors, receive congestion errors, and token errors. |
Note: | If the MIB variable has not yet been specified, Threshold Status is no-statistic-specified. If the first interval has not yet completed, threshStatus will be not-yet-available.
If the object referenced by the MIB variable is not accessible, Threshold Status is not-accessible. Otherwise, Threshold Status is valid. |
The Test option is available from all level views and the context menu in the Hub Level view. This option allows you to perform problem determination by executing specific tests.
When you select Hub -> Test in a Hub Level view, the following options are displayed:
When you press MB3 on a module icon in a Hub Level view, the following options are displayed on the context menu:
The Request Hub Poll option allows you to poll a specified hub to check its status. Polling on request allows you to monitor critical resources more often.
To poll a hub on request, follow these steps:
Notes:
The Restart pushbutton allows the poll to be reissued.
Notes:
The Ping option can be selected:
A panel is displayed showing a list of all the agents in the hub that can be pinged.
Note: | An asterisk (*) next to a slot number means that the Master Management module is installed in the slot. |
When you select an agent and click on the Ping pushbutton, an emulator window is displayed showing the ping taking place.
If the selected module is not an agent, the Ping option is shown in reduced highlight in the context menu.
The Ping option performs a standard echo test on a Management module by sending one ICMP packet to the module and waiting for a reply. A message is displayed in a terminal emulator window indicating the result of the test. A successful test means that the agent in the selected hub is operating correctly and Nways Manager-LAN has IP connectivity to it.
The Echo function can be selected only from the context menu of a module. It cannot be selected from the menu bar and is available only for 8250 agents and 8260 Master DMMs.
The Echo option performs a remote echo test of any other IP node that supports the Internet Control Message Protocol (ICMP) Echo protocol. A panel is displayed to allow you to change the settings for the echo test.
You can change the following parameters:
Click on the Start pushbutton to start the echo test. Click on the Stop pushbutton to stop the echo test and display the results. If the test was successful, the number of packets successfully received is shown in the Packets Received field.
While the echo test is running, all the pushbuttons at the bottom of the screen are shown in reduced highlight and cannot be selected. To stop the test, click on the Stop pushbutton.
If the test failed, repeat the test with different parameters and use the Statistics utility to record the errors for analysis.