OpenNetAdmin


More Feedback and Feature Requests

dmo

17-11-2009 08:12:56

Hi Matt / ONA Team,

Just wanted to say a quick thanks for all the work you've put into this. I'm currently using it as an IPAM solution for about 1500 IPSec devices.

Wanted to provide some feedback on ONA - I'd really like to use it exclusively for ALL of my network management needs, only I can't due to some current limitations.

Quick overview of my network -

1500 Nortel IPSec devices, using separate subnets per customer. Customer 1 could have subnet 10.1.1.0/25 for example. Customer 2 10.1.1.128/25. Etc, etc. Currently I use ONA as IPAM, a Lotus Notes DB to track inventory (it's as horrific as it sounds), a Wiki System connected to ONA to store documents, and lastly a secure DB to store backdoor admin passwords for all of the devices. That's 5 services to administer and maintain.

Limitations:

Associated Interfaces: I'd love to be able to put the Public ISP addresses here, but I can't unless it's in a defined subnet.

Multiple IP addresses: I've seen a request here for duplicate addresses for MPLS. For me, I need multiple IP addresses to support my ITM devices (about 1500 as well) - because the management IP is on a customer controlled network. This means I have about 10 devices with the management IP of 10.1.1.1. We use proxy servers to manage these devices on a customer by customer basis.

Inventory Management - This one is huge for me. OpenNetAdmin is *almost* a full IT inventory management system as well. It's missing a few things for my deployment though, mainly the ability to attach files. Each of my managed devices has to have an order request + ISP information with it. Currently I'm beta-ing an ONA setup mixed with a Wiki system and using the Wiki System to both attach files and use as a "Case History" per device. It's ok, but I'm not totally happy with it because it requires another server / service to manage along with passwords, users, etc. If ONA had the ability to attach files *and* have some sort of comments / customizable fields where you could use it as a "Device History" for changes or Notes, it'd be perfect.

Lastly, password management. ONA could easily be used for this as well with the addition of some customizable fields that are not visible by a default / guest account. Sure, you can disable the guest accounts, but I need to have people able to look at the system for simple IPAM needs and device info. However, I want only my level 3 support to be able to see the password field.

Config Compare: This isn't absolutely required, but as I see the RANCID support is already there and working on the site demo version - if this could be implemented, it'd be great. Not sure if it could work for Nortel configs (they are stupidly big and complicated) but I think something might be able to be hashed out.

Anyway, that's it for now. Matt feel free to contact me on my GTalk if you still have it (seventil .at. gmail.com)

Thanks!

Daniel

Matt

18-11-2009 21:07:14

> Hi Matt / ONA Team,
>
> Just wanted to say a quick thanks for all the work you've put into this. I'm currently using it as an IPAM solution for about 1500 IPSec devices.
>
> Wanted to provide some feedback on ONA - I'd really like to use it exclusively for ALL of my network management needs, only I can't due to some current limitations.
>
> Quick overview of my network -
>
> 1500 Nortel IPSec devices, using separate subnets per customer. Customer 1 could have subnet 10.1.1.0/25 for example. Customer 2 10.1.1.128/25. Etc, etc. Currently I use ONA as IPAM, a Lotus Notes DB to track inventory (it's as horrific as it sounds), a Wiki System connected to ONA to store documents, and lastly a secure DB to store backdoor admin passwords for all of the devices. That's 5 services to administer and maintain.


Feedback is one of the things that drives improvement so I'm glad to get it. Hopefully we can come up with some solutions.

I can certainly understand the desire to have a more central place to deal with all of this information. It's one of the reasons I started ONA.


> Limitations:
>
> Associated Interfaces: I'd love to be able to put the Public ISP addresses here, but I can't unless it's in a defined subnet.


I understand the need. I have wanted to do the same a few times. Here are the challenges:

* It messes with the integrity of how data is stored
* Several checks and search methods will need to be updated

I'll have to put some more thought into how to implement this. I have a few ideas floating in my head on it but I'll have to play with it. I'm thinking of allowing a subnet_id to be 0 to indicate it's a more generic interface with no subnet. I have to figure out how this impacts searches and displaying of data. As well as how to make it intuitive to manage. More to come...


> Multiple IP addresses: I've seen a request here for duplicate addresses for MPLS. For me, I need multiple IP addresses to support my ITM devices (about 1500 as well) - because the management IP is on a customer controlled network. This means I have about 10 devices with the management IP of 10.1.1.1. We use proxy servers to manage these devices on a customer by customer basis.


This one could get interesting in your environment. I have recently implemented a few new things that could work but we'll have to discuss some details as to what might work best. I do now have a method for what I call "contexts". This would handle separate autonomous networks for MPLS or internal/external etc when things could overlap but are never to intermingle. It still needs more work for some of the maintenance forms but is currently usable. With that said, I don't think it's right for your situation due to its "overhead".

I also now have DNS view support but it does not really mean duplicate IPs. It's just a way to do split horizon for DNS. You might be able to use this however to track the info in a way unrelated to its intended DNS purposes?

There is also the interface sharing option but it is more intended for HSRP, VRRP, CARP type setups.

I'll need to get a bit more detail on the requirements for this.


> Inventory Management - This one is huge for me. OpenNetAdmin is *almost* a full IT inventory management system as well. It's missing a few things for my deployment though, mainly the ability to attach files. Each of my managed devices has to have an order request + ISP information with it. Currently I'm beta-ing an ONA setup mixed with a Wiki system and using the Wiki System to both attach files and use as a "Case History" per device. It's ok, but I'm not totally happy with it because it requires another server / service to manage along with passwords, users, etc. If ONA had the ability to attach files *and* have some sort of comments / customizable fields where you could use it as a "Device History" for changes or Notes, it'd be perfect.


I think this is a prime case for a plugin or two. Attaching files is something that could be done via a plugin pretty easily I would suspect. Since there are many ways that people might want to use this, then a plugin is the right way to go for that. Another option for some user customizable data is the "custom attributes" functionality. You can define your own item to track and then you can set values for that item. It might help out.

Also if you happen to use the Puppet system management tool, I have some plugins that expose "fact" data gathered by puppet. This is good if you manage many unix systems.

As far as case history/comments, I do actually have a tool in place that might be useful for that? It's the "message_add" dcm module. There is no GUI way to manage the data other than to view the messages for a host or subnet. It was originally intended to loosely tie into notification queues. There is a priority for each message as well as an expiration date. Give it a look and see if it is helpful in any way. It could probably be turned into something more.



> Lastly, password management. ONA could easily be used for this as well with the addition of some customizable fields that are not visible by a default / guest account. Sure, you can disable the guest accounts, but I need to have people able to look at the system for simple IPAM needs and device info. However, I want only my level 3 support to be able to see the password field.



I believe you and I talked about this several months ago. I had some initial ideas on it but we never got around to finishing the thoughts on it. I think it's something that could be set up fairly easily.


> Config Compare: This isn't absolutely required, but as I see the RANCID support is already there and working on the site demo version - if this could be implemented, it'd be great. Not sure if it could work for Nortel configs (they are stupidly big and complicated) but I think something might be able to be hashed out.
>
> Anyway, that's it for now. Matt feel free to contact me on my GTalk if you still have it (seventil .at. gmail.com)
>
> Thanks!


The config compare stuff is already there. The part you are essentially missing is a method to get the Nortel config files into the config tables in ONA. The dcm module config_add will get them in there. I've not played with it much but I think it would be reasonably easy to take the Rancid login scripts and use them to get the configs and then push them into ONA. There are a few things about Rancid that I didn't care for on the Cisco side of things so I ended up implementing my own login methods.

I do still have your GTalk info. I'll try and get with you sometime soon. It's pretty busy at work right now so my days are consumed.

Matt

18-11-2009 21:27:58

Also, just went back and read the past posts you had about the config compare. I didn't put it together that it was you :)

This just goes to show that I need to be bugged more often since I tend to forget about things, or more specifically, I only work on the stuff that *I* need at the time or that the most people are talking with me about at the time. :) I still have intentions on getting the more robust config compare thing. It just sank to the bottom of my priorities.


Just keep buggin me!