eSight V300R001C10
Terminal Resources Technical White Paper
Issue 01
Date 2013-12-10
HUAWEI TECHNOLOGIES CO., LTD.
Issue 01 (2013-12-10) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd. i
Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://enterprise.huawei.com
About This Document
Purpose
This document describes the terminal discovery process and typical applications of eSight
Terminal Resources Management.
Intended Audience
This document is intended for:
Technical support personnel
Maintenance personnel
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.
Change History
Changes between document issues are cumulative. The latest document issue contains all the
changes made in earlier issues.
Issue 01 (2013-12-10)
This issue is the first official release.
Contents
About This Document .................................................................................................................... ii
1 Executive Summary ...................................................................................................................... 1
2 Introduction.................................................................................................................................... 2
3 Solution ........................................................................................................................................... 3
3.1 Overview ...................................................................................................................................................................... 3
3.2 Implementation ............................................................................................................................................................. 4
3.2.1 Terminal Discovery Process ...................................................................................................................................... 4
3.3 Function Constraints ..................................................................................................................................................... 5
3.3.1 Applicable Device Types ........................................................................................................................................... 5
3.3.2 Application Scenarios ................................................................................................................................................ 6
3.3.3 Typical Applications .................................................................................................................................................. 6
3.4 Typical Applications ..................................................................................................................................................... 7
3.4.1 Terminal Fault Diagnosis ........................................................................................................................................... 7
3.4.2 Unauthorized Access Monitoring .............................................................................................................................. 8
4 Experience ..................................................................................................................................... 11
5 Conclusion .................................................................................................................................... 12
6 Acronyms and Abbreviations ................................................................................................... 13
1 Executive Summary
eSight Terminal Resources Management discovers access terminals by analyzing MAC
forwarding tables and Address Resolution Protocol (ARP) tables and manages terminal
resources in a unified manner.
Terminal Resources Management provides the functions of recording the access history and
suspicious terminal logs and managing unauthorized access.
2 Introduction
A growing number of terminals are connected to the network with the continuous expansion
of the network scale. Currently, enterprise network users are confronted with the following
challenges:
Insufficient methods for diagnosing faults efficiently
Insufficient security and prewarning mechanisms for preventing security risks
Terminal Resources Management can display terminal information in multiple dimensions,
such as the terminal MAC address, terminal IP address, access device port number, and home
VLAN. This information enables users to diagnose faults effectively. In addition, Terminal
Resources Management can identify potential security risks such as multiple terminals
connected to one port, IP address embezzlement, and MAC address embezzlement, and can identify
unauthorized devices based on an IP address or MAC address whitelist. In this way, Terminal
Resources Management helps construct a secure network environment.
3 Solution
About This Chapter
3.1 Overview
3.2 Implementation
3.3 Function Constraints
3.4 Typical Applications
3.1 Overview
eSight Terminal Resources Management analyzes the device MAC forwarding table and ARP
table to discover all access terminals on the network, record the terminal access history, and
identify suspicious and unauthorized terminals. This helps network maintenance engineers to
monitor and manage terminal resources in a unified manner.
Figure 3-1 shows the Terminal Resources Management solution.
Figure 3-1 Terminal Resources Management solution
Terminal Resources Management manages terminals based on the data of discovered terminals. In eSight,
users can trigger discovery manually at any time or let it run automatically at a configured interval.
Step 1 Maintenance engineers add valid IP addresses and MAC addresses to a whitelist. Terminal
Resources Management discovers unauthorized terminals based on the terminal access
whitelist. If no whitelist is configured, all terminals are considered valid by default.
Step 2 Maintenance engineers select devices and configure the discovery range. If the terminal
automatic discovery function is enabled, maintenance engineers can configure the discovery
interval.
Step 3 eSight collects and analyzes the MAC forwarding table and ARP table to discover access
terminals on the network.
Step 4 Maintenance engineers can view the terminal access history, suspicious terminal logs, and
unauthorized access history to monitor all access resources.
----End
3.2 Implementation
3.2.1 Terminal Discovery Process
Figure 3-2 shows the process of discovering terminals A, B, and C in eSight. The discovery
process is as follows:
Step 1 eSight collects MAC forwarding tables and ARP tables of all devices.
Step 2 eSight analyzes the collected data for information such as the MAC address, IP address, and
access port.
Step 3 eSight checks the discovered terminals to identify suspicious and unauthorized terminals.
Step 4 eSight shows terminal data for maintenance engineers in multiple dimensions.
----End
Figure 3-2 Terminal discovery process
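As an added example (not eSight's own code), the following Python parses constructed snmpwalk output for the standard MAC forwarding table and ARP table MIBs and joins the two on the MAC address into per-terminal records, which is what Steps 1 and 2 above amount to. The choice of Q-BRIDGE-MIB and IP-MIB as the "public MIBs", the device name SW1 and every address are the example's own assumptions, not values from this document.

```python
# Added example, not eSight code: parse constructed numeric snmpwalk output for
# the standard Q-BRIDGE-MIB dot1qTpFdbPort table (MAC forwarding table) and the
# IP-MIB ipNetToMediaPhysAddress table (ARP table), then join the two on the MAC
# address to produce one record per terminal. Assumption: these are the "public
# MIBs" the paper refers to; the values below are made up for the example.
FDB_PORT_OID = "1.3.6.1.2.1.17.7.1.2.2.1.2."  # index: <vlan>.<6 MAC octets>
ARP_PHYS_OID = "1.3.6.1.2.1.4.22.1.2."        # index: <ifIndex>.<4 IP octets>

SW1_WALK = """\
1.3.6.1.2.1.17.7.1.2.2.1.2.10.0.17.34.51.68.85 = INTEGER: 3
1.3.6.1.2.1.17.7.1.2.2.1.2.10.0.17.34.51.68.86 = INTEGER: 3
1.3.6.1.2.1.17.7.1.2.2.1.2.20.170.187.204.221.238.255 = INTEGER: 7
1.3.6.1.2.1.17.7.1.2.2.1.2.20.0.80.86.1.2.3 = INTEGER: 9
1.3.6.1.2.1.4.22.1.2.100.10.0.10.5 = STRING: 0:11:22:33:44:55
1.3.6.1.2.1.4.22.1.2.100.10.0.10.6 = STRING: 0:11:22:33:44:56
1.3.6.1.2.1.4.22.1.2.200.10.0.20.9 = STRING: aa:bb:cc:dd:ee:ff
"""

def mac_from_index(octets):
    """Six decimal OID sub-identifiers -> canonical lower-case MAC string."""
    return ":".join(f"{int(o):02x}" for o in octets)

def norm_mac(text):
    """PhysAddress values print with unpadded octets ('0:11:...'); pad them."""
    return ":".join(f"{int(p, 16):02x}" for p in text.strip().split(":"))

def parse_walk(device, walk):
    """Return (fdb, arp): fdb maps mac -> (device, vlan, port), arp maps ip -> mac."""
    fdb, arp = {}, {}
    for line in walk.splitlines():
        oid, _, value = line.partition(" = ")
        if oid.startswith(FDB_PORT_OID):
            index = oid[len(FDB_PORT_OID):].split(".")
            fdb[mac_from_index(index[1:7])] = (device, int(index[0]), int(value.split(":")[1]))
        elif oid.startswith(ARP_PHYS_OID):
            index = oid[len(ARP_PHYS_OID):].split(".")
            arp[".".join(index[1:5])] = norm_mac(value.split(":", 1)[1])  # index[0] is the ifIndex
    return fdb, arp

def build_terminals(fdb, arp):
    """Join ARP (ip -> mac) with the forwarding table (mac -> port). A MAC seen on a
    port but absent from ARP is still a terminal, just with an unknown IP address."""
    ips_by_mac = {}
    for ip, mac in arp.items():
        ips_by_mac.setdefault(mac, []).append(ip)
    terminals = []
    for mac, (device, vlan, port) in sorted(fdb.items()):
        for ip in ips_by_mac.get(mac, [None]):
            terminals.append({"mac": mac, "ip": ip, "device": device, "vlan": vlan, "port": port})
    return terminals

def discover(device, walk):
    """Steps 1 and 2 of the discovery process for one device's walk output."""
    fdb, arp = parse_walk(device, walk)
    return build_terminals(fdb, arp)
```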
3.3 Function Constraints
3.3.1 Applicable Device Types
Device type: Huawei devices that can read MAC forwarding tables using the Huawei private management information base (MIB) and read ARP tables using a public MIB
Models: ACU, AC66, AR150, AR200, AR1200, AR150, AR2200, AR3200, AR500, ASG, CE5800, CE6800, ME5000, ME60, NE20, NE20E, NE40, NE40E, NE80, NE80E, NE5000E, NIP, S23, S27, S33, S37, S53, S57, S63, S67, S77, S93, S97, Eudemon1000E, Eudemon200E, Eudemon200E-X, Eudemon200S, Eudemon300, Eudemon8000E, FatAP, SIG, SRG, SPU, SVN, USG2100, USG2110, USG2200, USG3030, USG50, USG5300, USG5500, USG9100, USG9200, USG9300, USG9500, USR20, WS6600, WSG2110, WSG2200, WSG5100, WSG5300, WSG5500, WSG9300, WSG9500
Version: N/A
Device type: Devices that read MAC forwarding tables and ARP tables using a public MIB
Models: Other types
3.3.2 Application Scenarios
Device type: Huawei devices that can read MAC forwarding tables using the Huawei private MIB and read ARP tables using a public MIB
Models: ACU, AC66, AR150, AR200, AR1200, AR150, AR2200, AR3200, AR500, ASG, CE5800, CE6800, ME5000, ME60, NE20, NE20E, NE40, NE40E, NE80, NE80E, NE5000E, NIP, S23, S27, S33, S37, S53, S57, S63, S67, S77, S93, S97, Eudemon1000E, Eudemon200E, Eudemon200E-X, Eudemon200S, Eudemon300, Eudemon8000E, FatAP, SIG, SRG, SPU, SVN, USG2100, USG2110, USG2200, USG3030, USG50, USG5300, USG5500, USG9100, USG9200, USG9300, USG9500, USR20, WS6600, WSG2110, WSG2200, WSG5100, WSG5300, WSG5500, WSG9300, WSG9500
Application scenario: Scenario with wired access terminals
Device type: Devices that read MAC forwarding tables and ARP tables using a public MIB
Models: Other types
3.3.3 Typical Applications
Device type: Huawei devices that can read MAC forwarding tables using the Huawei private MIB and read ARP tables using a public MIB
Models: ACU, AC66, AR150, AR200, AR1200, AR150, AR2200, AR3200, AR500, ASG, CE5800, CE6800, ME5000, ME60, NE20, NE20E, NE40, NE40E, NE80, NE80E, NE5000E, NIP, S23, S27, S33, S37, S53, S57, S63, S67, S77, S93, S97, Eudemon1000E, Eudemon200E, Eudemon200E-X, Eudemon200S, Eudemon300, Eudemon8000E, FatAP, SIG, SRG, SPU, SVN, USG2100, USG2110, USG2200, USG3030, USG50, USG5300, USG5500, USG9100, USG9200, USG9300, USG9500, USR20, WS6600, WSG2110, WSG2200, WSG5100, WSG5300, WSG5500, WSG9300, WSG9500
Technical constraint: eSight can obtain VLAN information about access terminals connected to these devices. Devices outside the discovery range are discovered by eSight as terminals.
Device type: Devices that read MAC forwarding tables and ARP tables using a public MIB
Models: Other models
Technical constraint: eSight can obtain VLAN information about access terminals connected to Cisco devices. Devices outside the discovery range are discovered by eSight as terminals.
3.4 Typical Applications
Terminal Resources Management can identify unauthorized terminals based on the IP address
and MAC address whitelists and identify suspicious terminals through ports with multiple
MAC addresses, repeated IP addresses, or repeated MAC addresses.
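As an added example (not eSight's own code), the following Python applies the three suspicious-terminal criteria above and the whitelist check from section 3.1 to constructed terminal records. The addresses, the device names and the assumption that a terminal counts as valid when either its IP address or its MAC address is whitelisted are the example's own, not statements from this document.

```python
# Added example, not eSight code: the checks behind Step 3 of the discovery
# process, applied to constructed terminal records of the form
# (mac, ip, device, port). Whitelist semantics follow section 3.1: with no
# whitelist configured every terminal is valid. Assumption (the paper does not
# say): a terminal is authorized when either its IP or its MAC is whitelisted.
TERMINALS = [
    ("00:11:22:33:44:55", "10.0.10.5", "SW1", 3),
    ("00:11:22:33:44:56", "10.0.10.6", "SW1", 3),   # second MAC on SW1 port 3
    ("aa:bb:cc:dd:ee:ff", "10.0.20.9", "SW1", 7),
    ("de:ad:be:ef:00:01", "10.0.20.9", "SW2", 2),   # same IP as above, other MAC
    ("aa:bb:cc:dd:ee:ff", "10.0.30.1", "SW3", 1),   # same MAC as above, other port
    ("00:50:56:01:02:03", None, "SW1", 9),          # seen in the FDB only, no ARP entry
]

def find_suspicious(terminals):
    """Return the three suspicious-terminal categories the paper names: ports
    carrying several MACs, IPs claimed by several MACs, MACs seen on several ports."""
    macs_on_port, macs_for_ip, ports_for_mac = {}, {}, {}
    for mac, ip, device, port in terminals:
        macs_on_port.setdefault((device, port), set()).add(mac)
        ports_for_mac.setdefault(mac, set()).add((device, port))
        if ip is not None:                      # an unknown IP cannot collide
            macs_for_ip.setdefault(ip, set()).add(mac)
    return {
        "multiple_terminals_on_port": sorted(k for k, v in macs_on_port.items() if len(v) > 1),
        "repeated_ip": sorted(k for k, v in macs_for_ip.items() if len(v) > 1),
        "repeated_mac": sorted(k for k, v in ports_for_mac.items() if len(v) > 1),
    }

def find_unauthorized(terminals, ip_whitelist=(), mac_whitelist=()):
    """Terminals matching neither whitelist; an empty configuration flags nothing."""
    if not ip_whitelist and not mac_whitelist:
        return []
    ips, macs = set(ip_whitelist), {m.lower() for m in mac_whitelist}
    return [t for t in terminals if t[1] not in ips and t[0].lower() not in macs]
```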
3.4.1 Terminal Fault Diagnosis
When an application on a terminal is faulty, the network must be included in the fault
diagnosis, and the switch to which the faulty terminal is connected must first be located. Maintenance
engineers can view the terminal access history and quickly locate the terminal by its
IP address or MAC address.
Figure 3-3 Terminal location
Maintenance engineers can click a found terminal to view its historical access information, as
shown in Figure 3-4.
Figure 3-4 Terminal access history
On the Terminal Access Record page, maintenance engineers can click a device and view the
key performance indexes and alarms using Telnet, ping, or Trace on the NE Manager page
that is displayed.
Figure 3-5 Viewing key performance indexes and alarms
3.4.2 Unauthorized Access Monitoring
Maintenance engineers can add valid IP addresses and MAC addresses to a whitelist. Then
eSight can identify unauthorized terminals and generate alarms in a timely manner.
Figure 3-6 Creating a whitelist
Based on remote notification rules, eSight can remotely notify maintenance engineers of
unauthorized terminals by email.
Figure 3-7 Creating an access binding rule
Figure 3-8 Remote notification
The Unauthorized Access Management page records the access history of all unauthorized
terminals. Maintenance engineers can add valid terminals to a whitelist or acknowledge them.
Figure 3-9 Unauthorized Access Management page
Figure 3-10 Unauthorized access log
4 Experience
Unified management of a large number of terminals
Terminal Resources Management analyzes MAC forwarding tables and ARP tables to quickly
discover access terminals on a heterogeneous network. This helps enterprise network users
see terminal online trends clearly and trace terminal locations and access
history.
Fast fault diagnosis
Terminal Resources Management can display terminal information in multiple dimensions
such as the terminal MAC address, terminal IP address, access device port number, and home
VLAN. Such information helps enterprise network users to quickly locate terminals and view
key device data such as the device running status, performance indexes, and alarms. Therefore,
eSight can meet operation and maintenance (O&M) requirements on fault diagnosis and
responsibility division.
Terminal security management and control
Terminal Resources Management can quickly identify unauthorized access terminals and
generate alarms based on the configured IP address whitelist, MAC address whitelist, or access binding
rules. In addition, Terminal Resources Management can identify potential security risks such as
multiple terminals connected to one port, IP address embezzlement, and MAC address
embezzlement.
5 Conclusion
Terminal Resources Management can manage all access terminals on the network in a unified
manner, quickly locate terminals, record the terminal access history, and efficiently prevent
security risks.
6 Acronyms and Abbreviations
Acronym and Abbreviation Full Name
ARP Address Resolution Protocol
SNMP Simple Network Management Protocol