Adding Network Devices to the NAC Profiler Configuration
This chapter includes the following topics:
•Adding Network Devices to the Configuration Individually
Overview
After the necessary NAC Profiler Server and NAC Profiler Collector configurations are in place, the next step is to add the network infrastructure devices (switches and routers) that provide connectivity to the network attached endpoints. For efficiency in SNMP polling, network devices are associated with the appropriate NAC Profiler Collector so that the Collectors themselves perform the SNMP queries from the distributed points in the network where the CAS appliances are deployed. This keeps the SNMP traffic localized so that it does not consume core network processing resources. Each Collector periodically polls the network devices that have been associated with it to gather information about attached endpoints and their status. Communication with network devices is performed by the NetMap module on each Collector at the intervals specified in the NAC Profiler Server configuration, and is carried over the SNMP protocol. To ensure that changes in the endpoint topology are learned in real time, the network devices can optionally be configured to send SNMP Traps to the NAC Profiler Collector running the NetTrap module assigned to poll them. Doing so provides the system with near real-time indications when endpoints join or leave the network so that NAC Profiler is able to maintain an accurate model of the endpoint topology.
Since NAC Profiler's primary functionality is Endpoint Profiling and Behavior Monitoring, the network devices added to the system configuration should be those devices that comprise the network access layer, or "edge" of the network the system will be deployed on; that is, the devices (typically Layer 2 switches) that end-users, printers, copiers, FAXes, IP telephony devices and other network endpoints use for connectivity to the network infrastructure. Layer 3 devices (routers) should also be included so that their Address Resolution Protocol (ARP) tables can be accessed, but these can be limited to the routers that serve as the distribution layer for some number of L2 edge devices, or left out of the device list entirely if the edge switches are capable of providing ARP table level visibility. Cisco NAC Profiler uses information from Layer 3 devices to create a mapping between endpoint IP addresses and MAC (hardware) addresses. Layer 2 Source Address Table (SAT) information from switches and switch/routers is used by the system to locate endpoints.
Network devices added to the NAC Profiler System configuration are added to a Table of Network Devices commonly referred to as the Device List. To perform network device management tasks such as adding the network devices to the system configuration, select the Configuration tab. In the left hand navigation pane, select Network Devices to display the Configure Network Devices page in the main pane as shown below.
Figure 8-1 Configure Network Devices Page
The Configure Network Devices table lists a number of administrative task options for managing the network devices in the system configuration; the task names are links that navigate the interface to the page(s) associated with the task. The configure network device tasks are:
•Add Device—Enables adding a single network device to the system configuration.
•Add Group—Network devices with similar attributes may be grouped logically for easier administration. This option allows for the creation of network device groups.
•List Network Devices—Displays the Table of Network Devices which lists all of the network devices currently in the system configuration and their status.
•Find Device—Search tool for finding a network device or devices by specifying device criteria such as device name and or IP address.
•Import Devices—Utility to import a list of network devices into NAC Profiler using a .csv file.
To initiate any of the network device list management functions, select the link in the leftmost column of the Configure Network Devices table. The remainder of this chapter provides instructions for using these functions to manage the network device list in the system configuration.
Adding Device Groups
Note The use of Network Device Groups is optional and may not be usable in some environments where network devices do not share common configuration parameters such as community strings and VLAN IDs. If the grouping functionality is not going to be utilized, proceed to the sections on Adding and or Importing Network Devices later in this chapter.
In many network environments, it may be desirable to define groups of devices to give a clearer picture of the network topology and to make the NAC Profiler network device configuration task easier. As mentioned, groups of devices are associated with a specified NAC Profiler Collector; administration of the system is easier if the device groups are aligned with the network devices associated with each of the NAC Profiler Collectors, and it is additionally recommended that the naming convention for the NAC Profiler Collectors and the device groups be similar if not identical. When the network devices in an environment use similar configuration parameters such as community strings, VLAN IDs, etc., the use of groups can streamline the management of devices. If a network device is designated a member of a device group, that device inherits the General Settings, Access Method, VLAN Settings, and Endpoint Roles (if applicable) for the device group, and these parameters do not need to be specified individually for the devices belonging to the group. Network devices added to the system configuration individually or imported can be designated as a member of a group and inherit the group configuration parameters.
To add a network device group to Cisco NAC Profiler configuration, select Add Group from the Configure Network Device table. This will open the Add Group form in the main pane as shown below.
Figure 8-2 Add Network Device Group Form
Enter the following information for the network device group to be added:
Group Name
Enter a unique name to identify this group of network devices. Once a group is created and stored, the Select Group drop-down list in the Add Network Device and Edit Network Device forms will be populated with all groups saved to the system configuration.
1. General Settings
Select Type
Select the device type (Layer 2, Layer 3, or Device) for the devices in the group being added from the drop-down list. The Device option is for managed devices that might have information useful to the Collector but are neither Layer 2 nor Layer 3 network devices. An example would be managed Novell Servers that contain MAC/IP binding information and will provide that information if queried via SNMP.
Select mapping module
This entry is used to specify the name of the NAC Profiler Collector that will be assigned to poll the devices in this network device group, chosen from the configured Collectors listed in the pull-down. The default option should not be selected.
The pull-down menu shows an entry for each NAC Profiler Collector currently in the Cisco NAC Profiler configuration. Note that each Collector name has "-nm" appended. This designates that the mapping module for device polling via SNMP is the NetMap component on that Collector.
Save Configuration
If the network devices in this group have a mechanism for making configuration changes persistent, selecting the 'Save Configuration' checkbox will configure Cisco NAC Profiler to save all configuration changes it makes to any device in the group to the saved configuration file on the affected network device(s). This is applicable when using NAC Profiler in the Port Provisioning mode to change port settings as described earlier in this document.
2. Access
Method
This parameter determines which version of SNMP will be used for communication with network devices in the group. Select the radio button of the SNMP version that devices in this group are running. By default NAC Profiler will use SNMP version 1 for communication with network devices. SNMP version 2c or version 3 may be selected for groups of devices using one of these versions of SNMP.
Read-Only Community String
Enter the read-only community string that has been configured on all devices in the group for read-only SNMP access.
The web interface will obscure the text being entered in the community string fields to protect it. In order to ensure that the community string is entered correctly, it may be desirable to cut-and-paste the community string in clear text (from Notepad, for example) to ensure that it is entered into the NAC Profiler interface correctly. If the community string is not entered correctly, NAC Profiler will not communicate with the device.
Read-Write Community String
Providing the read-write community strings for network devices is an optional parameter for network device configuration. It is required only when the NAC Profiler will be used in Port Provisioning mode to make configuration changes to network device configuration parameters as outlined in Chapter 13, "Using the Endpoint Console."
Enter the read-write community string that has been configured on all devices in the group for read-write SNMP access.
The remainder of the parameters in this portion of the form are applicable only to groups of devices using SNMPv3. If the version of SNMP in use on the network devices in the group being added is SNMPv3, complete these parameters:
SNMPv3 Username
Provide the SNMPv3 Username to use when authenticating a SNMPv3 session with devices in the group.
SNMPv3 Security Level
Select the radio button of the SNMPv3 security level in use for SNMPv3 sessions with the devices in the group.
SNMPv3 Hash Type
Select the radio button of the SNMPv3 hash type in use for SNMPv3 sessions with the devices in the group.
SNMPv3 Encryption Type
Select the radio button of the SNMPv3 encryption type to use for SNMPv3 sessions with the devices in the group.
3. Virtual LAN Settings
Default VLAN ID
Enter the VLAN ID that has been configured as the Default VLAN on devices in this group. The VLAN name, "Default", will be used in the NAC Profiler user interface when managing port parameters on devices in the group. Although the value presented to the user will be the VLAN name 'Default', the setting of the VLAN ID on each interface of the device or devices in the group will be based on the configuration in this section. This allows NAC Profiler to be easily deployed in environments where disparate VID values are used for the same VLAN in different parts of the enterprise network.
An example of this is the Printer VLAN, which can vary by floor, building, or campus in some environments. When the VLAN name Printer is selected for application to a particular port, the specific VID appropriate for each port on each device will be applied according to the network device configuration by NAC Profiler.
Authorized VLAN ID
Enter the VLAN ID that has been configured as the Authorized VLAN on the devices in this group. The VLAN name, "Authorized", and not the VID value, will be used in the administrative screens for managing ports and endpoints when the user is configuring network access for groups of endpoints. Although the value presented to the user will be the VLAN name 'Authorized', the setting of the VLAN ID parameter on each interface will be based on the configuration in this section for the specific device being configured. This allows NAC Profiler to be easily deployed in environments where multiple VID values are used throughout the enterprise for similar endpoint types.
Other VLANs
Define other VLANs which have been configured on the network devices in this group as applicable by specifying one per line in the format VLANname:VID. Like the Default and Authorized VLANs, VLANs specified as available on the device will be presented by VLAN name as pull-down options in the Port Control views, enabling the setting of the VLAN parameter on network device ports. The VLAN name provides a level of abstraction in the user interface to allow for disparate VLAN IDs used for the same named VLAN in different areas of the network. NAC Profiler will track which VID is being used for each VLAN name on a per-switch basis, allowing assignment by VLAN name rather than VID.
Once Device Groups are added to the system configuration, they are accessible in the Add Network Device and Edit Network Device forms. Defining device groups prior to adding network devices, either individually or through the Import function, can save significant time by entering the device configuration parameters common to the group once instead of for each device individually.
Importing Network Devices
The most efficient way to add network devices to the Cisco NAC Profiler configuration is through the Import Device feature. NAC Profiler has the ability to import a device list from an external CSV file accessible from the computer used to access the NAC Profiler web user interface. Many network management systems provide the ability to export the list of devices they are monitoring into a CSV file that can be edited using spreadsheet software such as Microsoft Excel. Alternatively, a list of the network devices to be added to the system configuration can be created manually.
The Import Device utility requires that the list of devices have the format illustrated below. Essentially the format is a table with four columns and no column headings, with one row for each device to be imported containing the device name, IP address, read-only community name and read-write community name.
Note Providing the read-write community strings for network devices is an optional parameter for network device configuration. It is required only when the NAC Profiler will be used in Port Provisioning mode to make configuration changes to network device configuration parameters as outlined in Chapter 13, "Using the Endpoint Console." If NAC Profiler will not be used in Port Provisioning mode, simply leave the fourth column of the spreadsheet empty.
Figure 8-3 Example Device List in Spreadsheet Application
Once the list of network devices has been edited to this format, save the file as a CSV file (in Microsoft Excel select Save As, then select the Save as type CSV (comma delimited)), noting the location and filename. Ensure the computer being used to manage Cisco NAC Profiler via the web interface can access the CSV file.
Select Import Device List from the Configure Network Devices table or from the menu at the top of any network device management page. The Import Network Device form will display in the main pane.
Figure 8-4 Import Network Device Form
Click the Choose... button to select the device list CSV file created previously. After selecting the appropriate file, its name is entered into the 'CSV File Name' field in NAC Profiler. Click the Import File button. The list of devices successfully imported from the CSV file will display in the Import Device Information form shown below. This form enables editing of fields or manual population of any empty fields with the appropriate information.
Figure 8-5 Import Device Information Form
Note The "Pass #1" and "Pass #2" columns in the Import Device Information dialog represent the read-only and read-write community names (if provided in the CSV file) of the network devices, masked with asterisks. Entering the community names into the CSV file to be imported is optional; however, if the community names are not imported it will be necessary to edit each device and enter the correct community names.
If the devices being imported will be assigned to a Group, all devices will inherit the group community names regardless of whether community names were imported or not.
Once any corrections or additions are made to the individual device entries, the form allows assigning all the devices being imported to a Device Group. Assigning the devices to a device group results in all the devices being imported inheriting the parameters specified for the group (including the designated Collector to be associated with these devices), as described in the previous section. If the imported devices are being assigned to a Device Group, select the group from the drop-down list.
If the devices are not going to be assigned to a Device Group, leave 'None' in the Select Group drop-down and specify the following parameters for the devices being imported:
Access Method
This parameter determines which version of SNMP will be used for communication with the devices being imported. Select the SNMP version that the devices are running from the pull-down. By default NAC Profiler will use SNMP version 1 for communication with network devices; SNMP version 2c may also be selected for imported devices.
Device Type
Select either Layer 2 or Layer 3 to designate the type of devices being imported (switch or router).
Click the Import Devices button at the bottom of the window. A message stating "Imported device information saved" will be presented. The list of imported devices will now be accessible in tabular format by selecting List Network Devices from the Configure Network Devices table.
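To catch problems before a device list is imported, the following added example (not NAC Profiler code) validates a CSV file against the layout described above: four columns, no heading row, device name, IP address, read-only community and an optional read-write community. The 'four columns, no header' rule comes from the text; the remaining checks (valid IP address, no duplicate names or addresses, a warning when the read-only community is blank) are assumptions about what a practitioner would want to know before clicking Import File.

```python
"""Validate and write a NAC Profiler device list CSV (added example).

Layout from the chapter: four columns, no heading row, one device per row:
device name, IP address, read-only community, read-write community.
The fourth column may be empty when Port Provisioning mode is not used.
Function names and the extra checks are assumptions, not NAC Profiler code.
"""
import csv
import io
import ipaddress
from typing import Dict, List, Tuple

Row = Dict[str, str]


def validate_device_list(csv_text: str) -> Tuple[List[Row], List[str], List[str]]:
    """Return (accepted rows, errors, warnings); messages are 'line N: ...'.

    A blank read-only community is only a warning: the chapter says such a
    device must be edited after import unless an assigned group supplies
    the community names.
    """
    rows: List[Row] = []
    errors: List[str] = []
    warnings: List[str] = []
    seen_names: set = set()
    seen_ips: set = set()
    for lineno, fields in enumerate(csv.reader(io.StringIO(csv_text)), 1):
        fields = [f.strip() for f in fields]
        if not any(fields):
            continue  # blank line left by a spreadsheet export
        if len(fields) > 4:
            errors.append(f"line {lineno}: {len(fields)} columns, expected at most 4")
            continue
        fields += [""] * (4 - len(fields))  # exports may drop trailing empty cells
        name, ip, ro, rw = fields
        ok = True
        if not name:
            errors.append(f"line {lineno}: device name is empty")
            ok = False
        try:
            ipaddress.ip_address(ip)  # a heading row fails here ('IP Address')
        except ValueError:
            errors.append(f"line {lineno}: {ip!r} is not a valid IP address")
            ok = False
        if name in seen_names:
            errors.append(f"line {lineno}: duplicate device name {name!r}")
            ok = False
        if ip in seen_ips:
            errors.append(f"line {lineno}: duplicate IP address {ip}")
            ok = False
        if not ok:
            continue
        if not ro:
            warnings.append(f"line {lineno}: no read-only community; edit the device"
                            " after import or assign it to a group")
        seen_names.add(name)
        seen_ips.add(ip)
        rows.append({"name": name, "ip": ip, "ro": ro, "rw": rw})
    return rows, errors, warnings


def write_device_list(rows: List[Row]) -> str:
    """Serialise accepted rows back into the header-less four-column CSV."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for r in rows:
        writer.writerow([r["name"], r["ip"], r["ro"], r["rw"]])
    return buf.getvalue()


# Constructed sample export: a heading row (must be removed), a device with
# no read-write community (fine), a device with no communities (warning),
# a duplicate name and a malformed address.
SAMPLE_CSV = """\
Name,IP Address,RO,RW
Bldg10-floor8,10.1.8.2,public-ro,
Bldg10-floor9,10.1.9.2,public-ro,private-rw
Core-router,10.1.0.1,,
Bldg10-floor8,10.1.8.3,public-ro,
Bldg11-floor1,10.1.11,public-ro,
"""

if __name__ == "__main__":
    accepted, errs, warns = validate_device_list(SAMPLE_CSV)
    print(write_device_list(accepted), end="")
    for msg in errs + warns:
        print(msg)
```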
Adding Network Devices to the Configuration Individually
To enter network devices one at a time, select the Add Device option from the Configure Network Device table. This opens the Add Network Device form in the main pane (Figure 8-6).
Figure 8-6 Add Network Device Form
This form allows the entry of all required information about a network device as it is added to the system configuration. To add a network device, complete the fields of the form with the device specifics as outlined below.
1. Name and Identifying Information
Device Name
Enter a unique name to identify this device. NAC Profiler will show the location of endpoints by switch and port—choosing a name for switches (e.g., Bldg10-floor8, etc.) may be useful to easily differentiate between multiple switches in a large enterprise network.
IP Address
Enter the IP Address of the network device.
Alternate Addresses
(Optional) Allows the specification of other interface addresses that may be used by the network device (Layer 3 devices typically).
2. General Information
Select Type
Select the device type (Layer 2, Layer 3, or Device) from the drop-down list. The Device option is for managed devices that might have information useful to the Collector but are neither Layer 2 nor Layer 3 network devices. An example would be managed Novell Servers that contain MAC/IP binding information and will provide that information if queried via SNMP.
Select mapping module
This entry is used to specify the name of the Collector that should poll this device, or group of devices, chosen from the configured Collectors listed in the pull-down. The default option should not be used in the case of NAC Profiler, as the pull-down will be populated with the list of Collectors that are associated with the NAC Profiler Server.
Select Group
Note Designating a device to be a member of a group results in the override of settings made at the individual device level. For example, if the SNMP community strings set at the device level are different than those specified for the group, the community strings set for the group level are the strings that NAC Profiler will use to attempt SNMP communications with the device.
Trunk Ports
(Optional) Allows designation of known trunk ports on the network device. Trunk ports are ports providing connectivity to other infrastructure devices, not endpoints.
Save Configuration
If this network device provides a mechanism for making configuration changes persistent, selecting the 'Save Configuration' checkbox will configure Cisco NAC Profiler to save all configuration changes it makes to the device to the saved configuration file. This is applicable when using NAC Profiler in the Port Provisioning mode to change port settings as described earlier in this document.
3. Access
Method
This parameter determines which version of SNMP will be used for communication with the network device. Select the radio button of the SNMP access method that this device is configured for. By default NAC Profiler will use SNMP version 1.
Read-Only Community String
Enter the read-only community string that has been configured on the device for read-only SNMP access.
Read-Write Community String
Enter the read-write community string that has been configured on the device for read-write SNMP access.
Note Providing the read-write community strings for network devices is an optional parameter for network device configuration. It is required only when the NAC Profiler will be used in Port Provisioning mode to make configuration changes to network device configuration parameters as outlined in Chapter 13, "Using the Endpoint Console."
The remainder of the parameters in this portion of the form are applicable only to devices using SNMPv3. If the version of SNMP in use on the network device is SNMPv3, complete these parameters:
SNMPv3 Username
Provide the SNMPv3 Username to use when authenticating a SNMPv3 session with the device.
SNMPv3 Security Level
Select the radio button of the SNMPv3 security level in use for SNMPv3 sessions with the device.
SNMPv3 Hash Type
Select the radio button of the SNMPv3 hash type in use for SNMPv3 sessions with the device.
SNMPv3 Encryption Type
Select the radio button of the SNMPv3 encryption type to use for SNMPv3 sessions with the device.
4. Virtual LAN Settings
Default VLAN ID
Enter the VLAN ID that has been configured as the Default VLAN on this device. The VLAN name, "Default", will be used in the NAC Profiler user interface when managing device port parameters. Although the value presented to the user will be the VLAN name 'Default', the setting of the VLAN ID on each interface of the device will be based on the configuration in this section, specific to the device being configured. This allows NAC Profiler to be easily deployed in environments where disparate VID values are used for the same VLAN in different parts of the enterprise network.
An example of this is the Printer VLAN, which can vary by floor, building, or campus in some environments. When the VLAN name Printer is selected for application to a particular port, the specific VID appropriate for each port on each device will be applied to the device configuration by NAC Profiler.
Authorized VLAN ID
Enter the VLAN ID that has been configured as the Authorized VLAN on this device. The VLAN name, "Authorized", and not the VID value, will be used in the administrative screens for managing ports and endpoints when the user is configuring network access for groups of endpoints. Although the value presented to the user will be the VLAN name 'Authorized', the setting of the VLAN ID parameter on each interface will be based on the configuration in this section for the specific device being configured. This allows NAC Profiler to be easily deployed in environments where multiple VID values are used throughout the enterprise for similar endpoint types.
Other VLANs
Define other VLANs which have been configured on the network device as applicable by specifying one per line in the format VLANname:VID. Like the Default and Authorized VLANs, VLANs specified as available on the device will be presented by VLAN name as pull-down options in the Port Control views, enabling the setting of the VLAN parameter on network device ports. The VLAN name provides a level of abstraction in the user interface to allow for inconsistent VLAN IDs used in different areas of the network. NAC Profiler will track which VID is being used for each VLAN name on a per-switch basis, allowing assignment by name rather than VID.
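The VLAN name abstraction described here and in the Virtual LAN Settings of the Add Group form (Default and Authorized entered as VIDs, Other VLANs as VLANname:VID lines, group settings inherited by member devices) can be modelled as follows. This is an added example, not NAC Profiler code; the class and function names, the VID range check and the sample devices are assumptions.

```python
"""Resolve a VLAN name to the VLAN ID configured on a given switch.

Added example modelling the chapter's VLAN Settings: 'Default' and
'Authorized' are entered as VIDs, 'Other VLANs' as one 'VLANname:VID' line
each, and a device assigned to a group uses the group's settings.
Names here (VlanSettings, NetworkDevice, resolve_port_vid) are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

RESERVED_NAMES = ("Default", "Authorized")


def parse_other_vlans(text: str) -> Dict[str, int]:
    """Parse the 'Other VLANs' text area: one 'VLANname:VID' per line.

    Blank lines are ignored. A malformed line, a VID outside 1-4094, a
    duplicate name or a reserved name raises ValueError, so a typo is
    caught when the form is saved rather than when a port is provisioned.
    """
    vlans: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, vid_text = line.partition(":")
        name, vid_text = name.strip(), vid_text.strip()
        if not sep or not name or not vid_text.isdigit():
            raise ValueError(f"line {lineno}: expected VLANname:VID, got {raw!r}")
        vid = int(vid_text)
        if not 1 <= vid <= 4094:
            raise ValueError(f"line {lineno}: VID {vid} outside 1-4094")
        if name in RESERVED_NAMES or name in vlans:
            raise ValueError(f"line {lineno}: VLAN name {name!r} is reserved or duplicated")
        vlans[name] = vid
    return vlans


@dataclass
class VlanSettings:
    """The VLAN Settings section of one form (a group or a single device)."""
    default_vid: int
    authorized_vid: int
    other: Dict[str, int] = field(default_factory=dict)

    @classmethod
    def from_form(cls, default_vid: int, authorized_vid: int, other_text: str) -> "VlanSettings":
        return cls(default_vid, authorized_vid, parse_other_vlans(other_text))

    def vid_for(self, vlan_name: str) -> int:
        if vlan_name == "Default":
            return self.default_vid
        if vlan_name == "Authorized":
            return self.authorized_vid
        return self.other[vlan_name]  # KeyError: VLAN not defined on this device


@dataclass
class NetworkDevice:
    name: str
    vlan_settings: Optional[VlanSettings] = None  # used only when no group is set
    group: Optional[str] = None


def effective_settings(device: NetworkDevice, groups: Dict[str, VlanSettings]) -> VlanSettings:
    """Group settings override device-level settings, as the Select Group note states."""
    if device.group is not None:
        return groups[device.group]
    if device.vlan_settings is None:
        raise ValueError(f"{device.name}: no VLAN settings and no group assigned")
    return device.vlan_settings


def resolve_port_vid(device: NetworkDevice, groups: Dict[str, VlanSettings], vlan_name: str) -> int:
    """VID to program on a port of `device` when the user selects `vlan_name`."""
    return effective_settings(device, groups).vid_for(vlan_name)


# Constructed sample: the same VLAN names map to different VIDs per building.
GROUPS = {
    "Bldg10-collector": VlanSettings.from_form(10, 20, "Printer:110\nVoice:120"),
    "Bldg12-collector": VlanSettings.from_form(12, 22, "Printer:210\n\nVoice:220\n"),
}
DEVICES = [
    NetworkDevice("Bldg10-floor8", group="Bldg10-collector"),
    NetworkDevice("Bldg12-floor2", group="Bldg12-collector"),
    # Device-level settings are present but the group wins.
    NetworkDevice("Bldg10-floor9", VlanSettings.from_form(1, 2, ""), group="Bldg10-collector"),
    # Ungrouped device configured individually; no Printer VLAN defined.
    NetworkDevice("Lab-switch", VlanSettings.from_form(1, 99, "Voice:300")),
]

if __name__ == "__main__":
    for dev in DEVICES:
        for vlan in ("Default", "Authorized", "Printer"):
            try:
                print(f"{dev.name}: {vlan} -> VID {resolve_port_vid(dev, GROUPS, vlan)}")
            except KeyError:
                print(f"{dev.name}: {vlan} is not defined on this device")
```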
List Network Devices
At any time it is possible to get a list of all network devices currently in the system configuration, and determine the last time the NAC Profiler Endpoint Profiler system has successfully polled the device.
From the Configuration Tab, select Network Devices from the left hand navigation pane to display the Configure Network Devices table. Selecting the List Network Devices link in the leftmost column of the table will provide a list of all the network devices currently in the system configuration.
The Table of Network Devices has eight columns providing the following information for each device in the configuration:
•Name - name assigned to the device when it was added to the configuration
•IP Address - address of the primary interface of the device. The IP address of each device is a link to the Edit Network Device form for the device. See Editing a Network Device later in this section.
•System Description - Provides the current value of the SysDescr OID on the device which should contain a textual description of the entity. This value should include the full name and version identification of the system's hardware type, software operating-system, and networking software.
•Location - Provides the current value (if set) of the SysLocation OID which can be used to describe the physical location of a device.
•Contact - Provides the current value (if set) of the SysContact OID which can be used to describe the contact person for this device, together with information on how to contact the person.
•Type - device type, either Switch (layer 2) or Router (layer 3).
•Group - if the device is assigned to a group the group name is provided.
•Last Scan - timestamp of last successful SNMP communication with the device.
Note The Last Scan field can be used to determine whether NAC Profiler has been unable to initiate, or has lost, SNMP contact with a device (e.g., the time of the last scan is more than 60 minutes ago for a Layer 2 device or more than 10 minutes ago for a Layer 3 device if defaults are in use). Some reasons this can happen include incorrect community strings, changes to the firewall or ACLs, or onboard issues with the SNMP agent, which can usually be cleared by resetting the device. If this field displays 'No Contact', NAC Profiler has never been able to communicate with the device via SNMP.
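The check described in this note can be run over the Table of Network Devices mechanically. The following is an added example, not NAC Profiler code: it applies the stated thresholds (60 minutes for a Layer 2 device, 10 minutes for a Layer 3 device, 'No Contact' for a device never polled) to a constructed set of table rows; the row layout and the timestamp format are assumptions.

```python
"""Flag devices whose Last Scan in the Table of Network Devices is stale.

Added example. Thresholds are the chapter's defaults: Switch (Layer 2) more
than 60 minutes since the last scan, Router (Layer 3) more than 10 minutes,
or 'No Contact'. The row dictionaries and ISO timestamp format are assumed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

STALE_AFTER = {"Switch": timedelta(minutes=60), "Router": timedelta(minutes=10)}
NO_CONTACT = "No Contact"


def check_last_scan(rows: List[Dict[str, str]], now: datetime) -> List[Tuple[str, str]]:
    """Return (device name, reason) for each device that needs attention.

    Each row carries the Name, Type and Last Scan columns of the table. A
    device that was never reached is reported separately from one that was
    polled successfully before and has since gone quiet.
    """
    findings: List[Tuple[str, str]] = []
    for row in rows:
        name, dev_type, last = row["Name"], row["Type"], row["Last Scan"]
        if last == NO_CONTACT:
            findings.append((name, "never polled: verify community string, ACLs and SNMP agent"))
            continue
        limit = STALE_AFTER.get(dev_type)
        if limit is None:
            findings.append((name, f"unknown device type {dev_type!r}"))
            continue
        age = now - datetime.fromisoformat(last)
        if age > limit:
            minutes = int(age.total_seconds() // 60)
            findings.append((name, f"lost contact: last successful scan {minutes} min ago"))
    return findings


# Constructed sample rows (only the columns the check needs).
SAMPLE_ROWS = [
    {"Name": "Bldg10-floor8", "Type": "Switch", "Last Scan": "2024-03-01 09:30:00"},
    {"Name": "Bldg10-floor9", "Type": "Switch", "Last Scan": "2024-03-01 08:15:00"},
    {"Name": "Core-router", "Type": "Router", "Last Scan": "2024-03-01 09:45:00"},
    {"Name": "Dist-router", "Type": "Router", "Last Scan": "2024-03-01 09:58:00"},
    {"Name": "Lab-switch", "Type": "Switch", "Last Scan": "No Contact"},
]
NOW = datetime(2024, 3, 1, 10, 0, 0)

if __name__ == "__main__":
    for device, reason in check_last_scan(SAMPLE_ROWS, NOW):
        print(f"{device}: {reason}")
```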
Figure 8-7 Table of Network Devices
Network Devices Tree View
NAC Profiler helps organize your devices and device groups by maintaining a Network Devices 'tree view' in the left sidebar panel. This expandable view shows all the devices that have been configured in NAC Profiler and which group(s), if any, they belong to.
Expanding the Network Devices tree view will display grouped and ungrouped devices. Figure 8-8 illustrates an expanded Network Device Tree view.
Figure 8-8 Network Device Tree View
Editing a Network Device
It may be necessary from time to time to edit devices added to the system configuration. An example of when this might be necessary is enabling Profiler Events as described in Chapter 11, "Integration with Cisco NAC Appliance." Profiler Events cannot be enabled on the ports of a network device until the device has been successfully polled by the NAC Profiler. This would be done using the Edit procedure outlined in this section. In addition, if community strings are changed or other parameters of the network device change, those changes must be entered in the network device's entry in the Cisco NAC Profiler configuration.
To edit a device already added to the system configuration, navigate to the Table of Network Devices to list all the network devices in the system configuration and their status.
The IP address of each network device (second column of the Table of Network Devices) is a link that opens the Edit Network Device form for the selected device. Figure 8-9 illustrates an example Edit Network Device form. Current values for all network device parameters are shown in the form, and can be edited as necessary.
If Profiler Events have been configured as described in Chapter 10, "Configuring NAC Profiler Events," a section appears on the Edit Device form that is not present when the device is added. For these options to be present in the Edit Device form, Profiler Events that are enabled per device, such as MAC Change or Profile Change events, must have been added to the system configuration, and the device must have been polled by NetMap, before these controls appear on the Edit Device form.
This section of the form allows the configured Profiler Events to be enabled on a per device basis, on selected ports. See Figure 8-9.
Figure 8-9 Edit Network Device Form
For each Event in the system configuration, a check box appears by the event name which is used to enable the event in the configuration of the network device being edited. This checkbox must be checked in order for the selected event to be triggered on this device.
At the bottom of the Edit Device form, there are 4 buttons: Update Device, Remove Device, Clear Device Ports and Query Now as illustrated above. The function of each of these buttons is as follows:
•Update Device is used to save any changes to the network device configuration to the NAC Profiler Database.
•Remove Device is used to delete the network device from the NAC Profiler database.
•Clear Device Ports is used when the physical configuration of a network device has been changed. If ports or blades are added to a network device for example, clear device ports can be used to synchronize the current configuration of the device and the NAC Profiler Database.
•Query Now will result in the NAC Profiler signaling the NetMap module on the Collector assigned to poll the network device to begin a poll immediately.
Note If changes have been made to a network device configuration, selecting Query Now before updating the device will result in device configuration changes being lost. Whenever Query Now is selected a dialog box will appear reminding the user that configuration changes will be lost. Select yes to proceed with the device poll, or no to return to the form.
If Query Now is selected, the interface displays the message below:
Figure 8-10 Query Now Message
Additionally, there is an option to remove the device from the NAC Profiler database and an option to Clear Device Ports which should be performed if the blades in a chassis are added or removed.
Find Device
NAC Profiler's Find Device option enables searching for a particular device using its IP address and/or device name, as well as the contents of the System Description. To use the Find Network Device tool, navigate to the Configuration tab, select Network Devices, and then select Find Device from the table on the Configure Network Devices page. (The Find Network Device tool can also be launched from any of the Network Device Configuration pages using the link at the top of the main pane.) Either method brings up the Find Network Device form illustrated below.
Figure 8-11 Find Network Device Form
The fields of the form are utilized to enter search criteria about the device(s) to be searched for:
Device Name
If the exact name of the device is unknown, enter a portion of the name. NAC Profiler will search based on the input character string and return all matches of that string. For example, if searching for a Cisco Catalyst 3750 for which the device name is unknown, simply enter '3750' in the 'Device name' field. NAC Profiler will return every record in the database containing '3750'.
IP Address
Enter the complete host IP address of the network device for which to search the database.
Note NAC Profiler will 'OR' the information entered into both fields and present a table of matches. Additionally, the string entered in the Device Name field is matched against the contents of the SysDescription OID in the device MIB as well as against the name assigned to the device in the NAC Profiler database.
The results of a Find Network Device search are returned as a subset of the Table of Network Devices, based on the search criteria entered in the Find Network Device form. An example of a network device search in which the Device Name field of the Find Device form was specified as 'Archimedes' is shown in Figure 8-12.
Figure 8-12 Find Network Device Results
The Table of Network Devices returned from a Find Device operation works identically to the Table of Network Devices described earlier. Clicking the device IP address opens the Edit Network Device form, and all options described under Editing a Network Device above are available.