How To Understand and Configure Your Network for IntraVUE

Summary

This document attempts to standardize the methods used to configure Intrauve in situations where there is little or no understanding of the existing network.

This document is targeted at a technical person who is somewhat familiar with network terms, running programs from a DOS prompt, and who must install IntraVUE.

IntraVUE is designed to monitor and collect diagnostic data for Local Area Networks (LAN) - layer 2 switches and their associated edge or end devices. IntraVUE was not designed to provide layer 3 or Wide Area Network (WAN) diagnostics but will work with them to get data from layer 2 switches and edge devices.. To properly configure IntraVUE you must understand how the network addresses of the switches relate to the edge devices and you must have the SNMP community of any managed switches/routers.

This document will progress through the following 'steps'.

Understanding the terms. Please spend some time reviewing the terms as their definitions include how they are relevant to IntraVUE and your network.
IntraVUE scanning requirements.
Various types of networks from simple to very complex.
Tools that are available to understand your network before using IntraVUE.
Using IntraVUE in conjunction with tools to understand your network and properly configure IntraVUE.
Configuring IntraVUE for long term monitoring and reporting.

TERMS

Access Control List (ACL) - A set of rules configured in layer2 and 3 switches that limit what traffic can move from one interface to another or that can be communicate with the switch. ACL's are optional. If enabled, the IP of any device needed to talk to the switch must have a rule that allows that IP. Cisco uses ACL's, other switch vendors have Management Station Lists or similarly named functions that similarly limit who can talk to a switch/router.
ARP - Address Resolution Protocol. ARP is the method used to find hardware when only the IP address is known. An ARP message is a broadcast message that requests receipts to tell the MAC address for the provided IP address. Typically a device only knows its own MAC and stores the MACs of devices it talks to. Some devices, like routers, store MAC addresses in large tables and provide the MAC address to other devices. Devices keep a table of MAC addresses for IP addresses known as ARP Caches.
Broadcast - communications traffic that is sent to all devices in a subnet. A layer 2 switch will typically send broadcast traffic to all ports of the switch. See VLAN which is a technology invented to limit broadcast traffic to certain ports of a layer 2 switch.
Community - The equivalent of a password for SNMP communications. It is case sensitive. There are read-only and read-write types. IntraVUE only uses read-only.
Firewall - A special purpose router with additional rules to prevent traffic from moving between subnets, especially 'inside' versus 'outside' an area.
Gateway - The router any traffic will be sent to if the destination IP address is not local (in the same subnet) as the sender. If that gateway can not route the traffic, it sends the traffic to its gateway, and so on until it reaches the destination.
IP Address - The (I)nternet (P)rotocol Address is the logical address of a device within a computer network. It is internally a 32-bit number, typically expresses as 4 sets (octets) of numbers between 0 and 255, separated by periods, like 192.168.100.252. Routers route traffic from one subnet to another based on IP address.
Layer 2 Switch - moves Ethernet packets based on the MAC address of the recipient. Connections are made using 'ports'. If a match on a port is found the packet is sent on that port only.
Layer 3 Switch - moves Ethernet packets based on IP address. The IP address is compared to the interfaces IP addresses and subnet masks. If a match is found the packet is forwarded to that interface. If not it is sent to the routers gateway.
Local Devices - All other devices that are in the same subnet (based on the subnet mask and ip address) as a device. Communication to these devices is sent directly to the devices without being forwarded to the gateway, even if there is no response.
MAC Address - The unique physical address of a network adapter or network interface. It is usually expressed as 6 sets of 2 hexadecimal numbers. The first 3 sets typically identify the vendor of the adapter or piece of equipment having an adapter. Switches move data by knowing what port a mac address is on.
PING - A tool used to test if a particular host is reachable using an IP address. Pings use ICMP, 'echo request', protocol. If the sending device does not have a MAC address for the IP address in its ARP Cache, an ARP (broadcast) request will be issued before the ping.
Remote Devices - All devices that are in a different subnet (based on the subnet mask and ip address) than the reference device. Communication to these devices is forwarded to the gateway if there is one, and nowhere if there is not a gateway.
Router - A router is the same as a layer 3 Switch. Typical routers are not configured to do layer 2 switching, but may. Routers maintain very large tables of MAC addresses for IP addresses as a result of moving/routing traffic between subnets.
Subnet - A set of Ethernet devices that share a common routing prefix, called a subnet mask. Subnets break a network into smaller parts and are connected at the edges by/through routers. Devices in the same subnet are Local to each other and traffic does not go thru a router. To determine what is local to a particular IP Address, the IP Address is mathematically combined with the subnet mask to compute a range of IP Addresses that is within that subnet. It is VERY IMPORTANT that all devices in a subnet have the same subnet mask and that subnet mask agree with their gateway.
VLAN - A (V)irtual LAN is a group of devices configured to communicate as if they were in the same broadcast domain. It allows edge/end devices to be grouped together even if not connected to the same switch. VLANs make it possible to create multiple layer 3 networks on the same layer 2 switch. Broadcast traffic from a VLAN'd port of a layer 2 switch will ONLY go to other ports in the same VLAN, NOT to all ports of the switch as would be done without a VLAN.

IntraVUE Scanning Requirements

The host computer must be able to PING all the devices to be scanned.
The devices storing the mac addresses of the devices must be in the scan range and must be configured to respond to SNMP from the host. This requires at least the SNMP read only community and may require additional permissions such as an entry in an Access Control List.
The switches must provide timely responses to SNMP queries. Typical response times are less than 20 milliseconds but some switches are known to take 20 seconds (20000 millisends). IntraVUE will tolerate a response as slow as 1000 milliseconds (1 second).
Switch responses must conform to SNMP standards and managed switches must respond to the Bridge Mib, RFC 1493 or one of its successors.

Types of Networks

Networks are described in increasing order of complexity.

The simplest network is one in which all the edge devices and all the switches are in the same subnet. To scan this type network you only have to enter the full scan range and proper SNMP communities. If this is your network, you do not have to read the rest of this document. IntraVUE LITE was designed for this type network when the subnet mask is 255.255.255.0 (Class C).
In figure 1 below, each blue 'cloud' represents a different subnet but you only need to scan devices in the big cloud, 'Plant Private Network'.

Figure 1
Another simple network is one in which all the edge devices are in one subnet and all the infrastructure switches are in another subnet. The IntraVUE host computer should be in the subnet of the edge devices and should be the top parent of the IntraVUE network. (In the images below imagine only ONE LAN on the right side.)
In figure 2 the IntraVUE host is on the left. All the LOCAL edge devices communicate without going thru a router, but the IntraVUE host must go through a router in order to get ping and SNMP data from the switches. The router (which knows the macs of the switches) must be in the scan range of the same IntraVUE network and respond to SNMP.

Figure 2
In some cases, plant personnel are not allowed to know the SNMP community of the central router. In figure 3, a NIC card has been added for each formerly remote LAN to solve this problem. Now those LANs have local addresses on the host computer and communication does NOT go through the router. The MAC addresses of all devices are in the host computers local ARP cache.

Figure 3
Similar to network #2 this network has devices in many different subnets, not just 2 (as shown in figures 2 and 3 with all the LANs on the right). For example, one router with subnets for office, building 1, building 2, and switches.
You can configure IntraVUE to have all devices in one big IntraVUE network or have a separate IntraVUE network for each LAN. If you do the later, the switches that are used in each LAN must also be in each IntraVUE network.
Network #3 is made more complex by configuring the layer 2 switches in the network to have VLANs. This is one of the most common plant floor network architectures.
In the figure 4 there are 5 VLANs. The layer 2 switches are in the center circle, Switch VLAN. Even though they are connected by layer 2 switches, devices in one VLAN can not communicate with devices in another VLAN without going through the router.

Figure 4
For IntraVUE to provide the most diagnostics, each VLAN of edge devices should be a separate IntraVUE network in the System Configure's Scanner Tab. Each one of the 'remote' networks must also include the interface (IP address) of the router leading to the edge devices (as determined by TRACERT) as the top parent.
In figure 4, the IntraVUe network for VLAN 1 needs to have the local computer as top parent, all the local ip addresses, the router, and the switch ips. VLANs 2, 3, and 4 each need to have the ip of the router as top parent, the ips of the VLAN, the router, and switch ips all in the scan ranges of that IntraVUE network. (The switch ips will be in all 4 IntraVUE networks.)
VLANs are configured in a layer 2 switch by assigning VLAN numbers to ports of the switch. Packets arriving on a port of a switch having a VLAN(s) configured will only be sent to other ports having the same VLAN(s) configured. This limits broadcast traffic to only the ports with the same VLAN number as the originator.
Figure 5 illustrates this using different colored lines for each VLAN. If the destination MAC is on a port in another VLAN, the message will be sent to the gateway and then back to the switch on the port having the same VLAN number as the destination. If a port of a switch is not configured for a VLAN, it acts as if all VLANs are configured for that port.
All traffic for a device in a different VLAN (differnt colored line) must go to the router to be redirected to the switch.

Figure 5
Implementing Rapid Spanning Tree protocol (RSTP) in the switches creates a physical ring of communication where the last switch in a series of connected switches is connected to the first switch, thus forming a ring. The last link is never 'active' unless there is a break between any other switches in the ring. At that time, communication will start a new path and all switches will continue to be able to communicate, but using a different path.

Nothing special needs to be done to handle this situation. IntraVUE will discover the new path and redraw the topology to reflect the change in the ring.
Hot Standby Redundant protocol (HSRP) creates a connection between a pair of routers. In this scenario 2 routers are configured so that either one can act for the other in the event the other router fails. The routers 'share' a virtual IP address and a virtual mac address as well as having their own ip and mac. In some cases, one router will respond to the virtual IP/mac, but the other can assume in within milliseconds if necessary. In many cases, each router handles some VLANs. In figure 6, router A will handle the even VLANs and router B will handle the odd VLANs.
Other devices are configured to use the 'virtual' IP address of the routers.
Additionally each 'upper level' layer 2 switch is connected to both routers, so that if a router failure happens there is a connection to the other router using the same 'virtual' IP address.
Since the routers are connected and the upper switches are connected to each router, an alternate path is created and the mac of the routers can be seen on two possible ports of the 'upper level' switches.
This arrangement is shown in figure 6.

Figure 6
Depending on different circumstances, such a VLANs, each switch above reports may report the virtual mac on either of 2 ports depending on which VLAN last communicated with a router. Additionally there is a path where the switch can see the 'second' router through the 'first' router.
To handle this situation, we normally configure IntraVUE to EXCLUDE the ip addresses of the upper level switches. Typically no edge devices are connected to these switches and IntraVUE is a tool to manage the communication to the edge devices. Additionally we configure the ports of the lower switches going to the upper switches to be trunked. This is done in a configuration file and is explained in detail in IntraVUE help, under 'Handling Trunking'.
Within any network, multiple connections between layer 2 switches may exist. There are two common reasons for this.
- To increase bandwidth between two switches, 2 (or more) ports of one switch are directly connected to 2 (or more) ports of another switch. The switches than pick the best port to use at any time. The upper switch will report a mac address on port A, then B, then A, and so on.
- The traffic that arrives at a switch having several VLANS may take different paths through sets of switches. This will cause the router and possible some of the upper level switches to be seen on different ports.
The IntraVUE scanner must be configured to treat ports that can lead the same mac address as 'trunked ports'. This is done in a configuration file and is explained in detail in IntraVUE help, under 'Handling Trunking'.

Tools to Get Information

The following tools can be used to get more information about your network. The tools should typically be run on the computer which is hosting IntraVUE.

PING - a DOS command line tool. Using PING tells whether a device can be reached from the host computer.

Figure 7

TRACERT - a DOS command similar to PING, but each time the request passes through a router, the router is listed.

This is an important tool because it will show you the last router in the path to a device. The last entry is the target device. The last router is the second to last entry in the list and is the router which will know the MAC addresses of the devices in the target subnet. In figure 7, the 10.1.1.3 router must be in the scan range in order to get the MAC of the 10.2.2.5 edge device.

Figure 8

SWITCHPROBE - This is a java application provided by IntraVUE. It is available on the host PC by selecting "START / Programs / IntraVUE / Tools / Use Switchprobe".

Figure 9

Switchprobe is useful to verify you have the proper SNMP community set for a switch because it provides feedback in about 5 seconds. It tests a combination of IP address and SNMP community and provides the results that the internal scanner will see.

Figure 10

Note that you may have the right community and IP address and this tool will still fail if the switch or router being queried has implemented Access Control Lists (ACL), and the requesting IP address (the IntraVUE host) is not in the list. Double check the spelling of the community you used, make sure SNMP is enabled in the switch, make sure you can ping the switch, and check the community with network support personnel.

Figure 11

Switchprobe is also useful for diagnosing why a switch does not respond as expected.

TrunkingFiles.zip is a collection of programs that finds duplicate paths between switches for networks that are entirely Cisco. If you need these programs IntraVUE tech support will assist you in their use.

Switches - The switches can provide configuration information concerning their SNMP community, supported SNMP version, hosts that can get data, and other data using either telnet and a command line interface or, sometimes, a web interface to the switch.

Initial Scanning and Discovery

The first step is to select a good computer in which to install IntraVUE.
- Windows XP and Windows Server 200X are preferred over Windows Vista.
- Is it in the same subnet as the edge devices. It should be for best results. (Review the big blue cloud in figure 1)
- Is it directly connected to a managed switch and is that switch also connected to the devices in the scan range.
- If any devices are in a different subnet, you should be able to PING them and do a TRACERT to find the last router leading to the devices.
- Install the IntraVUE software.
If the layer 2 switches are in a different subnet from the host computer complete a scan of only the layer 2 switches and verify their arrangement.
- Clear the database.
- Add one network in the System Config Scanner tab.
- Select as top parent the interface (IP address) of the router which was in the TRACERT to one fo the switches.
- Add the full scan range of the switches.
  
  Figure 12
- Make sure the default SNMP community in the Scanner tab is set to the community of the switches.
- Set the scanner speed to either Ultra or Fast
- 'Apply and Close' the System Configuration dialog.
- There should be a hierarchy of switches showing in the IntraVUE browser. All the switches should have a green outline. There should be port numbers in the hover text of lines between switches.
  
  Figure 13
- Using the IntraVUE export function, you can create a document that lists the switches by IP and the switches connected to them by port number.
- Save the database, perhaps as Switches_Only. This will serve as a good starting point for future scans.
Complete a scan on one subnet/vlan of edge devices and the switches.
- Restore the Switches_Only database if it is not the current database.
- Go into system Configure's Scanner tab and Edit the switch network.
- Add the scan range of the edge devices to the same network as the switches.
  
  Figure 14
- Say OK to the scan range, Ok to the Network, and Apply and Close System Config.
- Wait for all the devices to be discovered, move out of unresolved, and move to a port of a switch.
- Save this database with an appropriate name for the switches and devices you just scanned.
Investigate any auto-inserted nodes. Verify they are ALL unmanaged switches, hubs, or switches not in the scan range. If a managed switch should be at the location of the auto inserted node, is the switch in the scan range? If the IP of the switch appears under the auto-inserted node and it does not have a green outline, the SNMP community is probably not configured correctly. Contact IntraVUE tech support for questions.
Review the System Event Log. There should not be any reports of devices continuously moving between two locations. If there are, contact IntraVUE Tech Support to discuss possible trunking situations. There should not be any messages from a switch reporting a mac address was on one port and is now on another. Enable Filters in the event log and uncheck 'All Events' and 'connections'. You should not see any repeating moves. Then check 'All Events' and look for things anything unusual to your understanding of the network.

Figure 15
Before continuing, if you have Cisco VLANs you may configure IntraVUE to be more efficient by limiting the VLANs being monitored to only the ones being scanned. See the Help file on ivserver.properties and set 'force.cisco.vlans' to only those being scanned. In figure 16, only VLANs 1, 501, and 502 will be queried.

Figure 16
Separately scan any other subnets or VLANs and review them - ONE AT A TIME. This will be time consuming but if the goal is 'no surprises' it is recommended. Repeat the following steps for each - only the edge devices of one vlan, plus the switches, plus the appropriate top parent.
- Restore the Switches_Only saved backup file.
- Use the Scanner tab to add the devices for this vlan or subnet
- Check the results in the same way as the first scan.

Long Term Monitoring with IntraVUE

Typically, you will want one IntraVUE network for each VLAN.

Clear the database.

If you are scanning devices local to the IntraVUE host computer, add a network and make the IntraVUE host the top parent. Add the scan range of the local devices. Add the scan range of switches used by the local devices.

For EACH other VLAN add an additional IntraVUE network. The top parent of each will be the interface of the router (as determined by TRACERT) for that VLAN.

As a result, for each 'network' defined in the System Configuration Scanner Tab, there will be a line coming out of the center Scanner node.

Figure 17

Review the System Event log for devices moving that are not expected to move. Most of these issues should have been dealt with as part of discovery, but it is possible something might not surface until you scan all VLANs at once. If this happens it is probably wise to call tech support and email a copy of your database.

IntraVUE Technical Support - 01-978-499-7800 or help@intravue.net