Today's enterprise networks are getting more complex every day, largely because of the global reach of many large enterprises. Such enterprises have offices or branches spread across multiple cities, and managing these networks is a major challenge for IT Operations. They also need to make the most of limited resources, such as IP address space, while keeping network security in mind.
Given the complexity and dynamism of these networks, it is important to manage and monitor these efficiently.
So, what is the way out?
This blog explains how HP Network Automation (NA) Satellite Gateway functionality can be leveraged to manage such overlapping address domains within a single enterprise network, in terms of configuration change and compliance, and how the devices continue to be managed if an NA Core server fails. Doing this with limited resources is itself a challenge. In a case like this, the enterprise wants to manage remote devices that have duplicate IP addresses and sit behind a DMZ or firewall, and to do so in a failsafe environment.
Let us talk about the solution in detail. The solution is addressed by leveraging two major features of Network Automation: NA Horizontal Scalability and NA Satellite Gateway.
NA Horizontal Scalability provides a way to run multiple Network Automation Cores against one NA Database. It is best suited to deployments where users do not need to know which NA Core accesses a particular device, including when one NA Core goes down. NA Horizontal Scalability also scales NA beyond the limits of a single NA Core. To learn more, refer to the Horizontal Scalability Guide in the Network Automation documentation.
The Satellite Gateway functionality provides a secure means to route packets from the Network Automation Core to remote networks by creating an encrypted tunnel between the NA Core and the remote network. When devices have overlapping IP addresses, the NA Core cannot directly manage two devices with the same IP address. With the Satellite Gateway functionality, it is possible to partition the network into Realms and reach every device directly within its realm. For more information on the Satellite Gateway feature, refer to the Satellite Guide in the Network Automation documentation.
This solution helps the organization manage the following:
Failover of the NA Cores that manage a given set of devices, under normal or abnormal conditions, so that tasks running on those devices are not impacted
Devices using duplicate or overlapping IP addresses
Devices having no secure protocol support like SSH (Telnet-only devices)
Devices behind the DMZ or firewall, where strict rules govern reachability from the NA Core
In this solution, NA Horizontal Scalability addresses the first item above and the Satellite Gateway addresses the other three.
As shown in the above deployment scenario, two NA Cores act as NA App Servers and are managed in a Horizontal Scalability setup with a single Database. This keeps device tasks running if an NA Core fails.
As described above, the NA satellite functionality tunnels traffic securely from the NA Core to remote networks. When more than one remote gateway is present, the NA Management Engine builds a gateway mesh out of the network of tunnels, which lets the NA Core securely reach any remote gateway through the mesh.
It is recommended that the Core Gateway run on the same host as the NA Core, for the following reasons:
Performance: TCP/IP socket overhead is avoided.
Security: packets are passed internally on the host and cannot be snooped by other hosts on the network.
In the Satellite Gateway setup, a Core Gateway and a Remote Gateway server must be deployed to manage remote devices behind the DMZ or firewalls. The NA Core and Core Gateway have a one-to-one mapping, and the Core Gateway can be installed on the same server as the NA Core or on a separate server. In the above picture, it is shown as a separate server. Each NA Core App Server needs its own Core Gateway to reach the Satellite Gateways behind the DMZ or firewalls. For the installation steps, refer to the Satellite Gateway Guide.
Behind the DMZ or firewalls, the organization may have devices with duplicate or overlapping IP addresses, as shown in the above picture. To manage these, a Satellite Gateway, which consists of the NA Remote Gateway and the NA Satellite Agent, is configured. The Remote Gateway is a service that tunnels traffic to and from managed devices; the NA gateways route SSH and Telnet traffic to one another. The gateway makes it possible to manage devices that share duplicate IP addresses and devices behind the DMZ or firewalls. In addition, the gateway supports bandwidth throttling on tunnels between realms and can be used anywhere that supports an SSL proxy or TCP port forwarding. Tunnels can be authenticated and encrypted using SSL.
The NA remote agent includes:
A process that handles SNMP and coordinates with the NA Management Engine on the NA Core
A Syslog process that handles syslog notifications from local devices
A TFTP process that enables TFTP access to local devices
The above requirements are met by setting up the NA Cores to manage devices in a Horizontal Scalability setup, and then setting up the Satellite Gateway using a Core Gateway and a Remote Gateway.
Devices are managed using Security Partitions in the NA Core. A Security Partition is a grouping of devices with unique IP addresses. Each Security Partition is defined for a separate realm, which for our purposes here is a Satellite Realm.
Each Satellite Realm is a network of devices with no duplicate or overlapping IP addresses. Devices with duplicate IP addresses are therefore placed in different Satellite Realms, and each realm is in turn managed by the corresponding Security Partition on the NA Cores.
If any single NA Core fails, the other NA Core in the Horizontal Scalability setup, as described above, handles the failover and manages the devices that the failed NA Core was managing.
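As an added illustration, and not HP Network Automation's own code or API, the following Python model shows the two ideas above: why a core that keys its inventory by IP address alone cannot hold two devices with the same address, how keying by (realm, IP) resolves that, and how the partitions owned by a failed core move to a surviving core. The class names, realm names and addresses are constructed for this post.

```python
"""Simplified model of realm-scoped addressing and NA Core failover.

Added example for this post, not HP NA's own implementation. Assumptions:
a device is identified by its satellite realm plus IP address, one security
partition exists per realm, and partitions are assigned across NA Cores that
share a single database. All names and sample data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    realm: str   # satellite realm (constructed names below)
    ip: str      # management address, unique only within its realm


class FlatInventory:
    """Keyed by IP only, like a core reaching devices directly: overlaps collide."""

    def __init__(self):
        self._by_ip = {}

    def add(self, dev):
        if dev.ip in self._by_ip:
            other = self._by_ip[dev.ip]
            raise ValueError(f"duplicate address {dev.ip}: already managed in realm {other.realm}")
        self._by_ip[dev.ip] = dev


class RealmInventory:
    """Keyed by (realm, ip): duplicates across realms are fine, within a realm they are not."""

    def __init__(self):
        self._by_key = {}

    def add(self, dev):
        key = (dev.realm, dev.ip)
        if key in self._by_key:
            raise ValueError(f"duplicate address {dev.ip} within realm {dev.realm}")
        self._by_key[key] = dev

    def lookup(self, realm, ip):
        return self._by_key.get((realm, ip))

    def realms(self):
        return sorted({realm for realm, _ in self._by_key})


class CoreCluster:
    """Horizontal Scalability model: one partition per realm, spread over live cores."""

    def __init__(self, cores):
        self.alive = {core: True for core in cores}
        self.assignment = {}  # realm -> core currently managing it

    def assign(self, realms):
        live = [c for c, ok in self.alive.items() if ok]
        for i, realm in enumerate(realms):
            self.assignment[realm] = live[i % len(live)]

    def fail(self, core):
        """Mark a core down and hand its realms to the survivors; returns what moved."""
        self.alive[core] = False
        survivors = [c for c, ok in self.alive.items() if ok]
        if not survivors:
            raise RuntimeError("no NA Core left to take over")
        moved = {}
        for realm, owner in self.assignment.items():
            if owner == core:
                self.assignment[realm] = survivors[len(moved) % len(survivors)]
                moved[realm] = self.assignment[realm]
        return moved


def demo():
    # Constructed sample: two branches reuse 10.0.0.1 behind their own firewalls.
    devices = [
        Device("branch-a", "10.0.0.1"),
        Device("branch-b", "10.0.0.1"),
        Device("branch-c", "10.0.0.2"),
    ]
    flat_error = None
    flat = FlatInventory()
    for dev in devices:
        try:
            flat.add(dev)
        except ValueError as err:
            flat_error = str(err)   # the flat inventory rejects the second 10.0.0.1
            break
    realmed = RealmInventory()
    for dev in devices:
        realmed.add(dev)            # all three fit once the realm is part of the key
    cluster = CoreCluster(["core1", "core2"])
    cluster.assign(realmed.realms())
    before = dict(cluster.assignment)
    moved = cluster.fail("core1")   # core1 goes down; its realms move to core2
    return {"flat_error": flat_error, "realms": realmed.realms(),
            "before": before, "moved": moved, "after": dict(cluster.assignment)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The failover here is a deliberately naive round-robin over surviving cores; the point is that the (realm, IP) key stays valid across the move, so the device identity does not depend on which core currently reaches it.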
About the author: Puspita Nanda is a Senior Test Engineer & Quality Analyst working in Hewlett Packard for over eight years. She has been part of various product groups in HP Software in the last 6 years. Presently she is working in the HP Network Automation product.
She has over 11 years of experience in delivering testing and QA services to various projects within and outside HP. Puspita is proficient in various testing and QA methodologies and their execution. She has also worked as a Software Quality Analyst (SQA) and has good knowledge of the HP EDGE framework, and she has served as a KM Lead sharing knowledge within and outside the team. She has good domain knowledge in Digital Document Management, Printing, SAP archiving, Trading, Networking, Automation and System Testing.
Puspita has a Master of Computer Applications degree from Utkal University, Orissa, India.
- Michael Procopio LinkedIn.com/in/Michael Procopio