How to generate L3 network map

Hello everyone.

Many of you have read the article “How to create clear logical (L3) network diagrams”, after which there was an irresistible desire to document your own network estate. Two or three attempts, and then it was easy to agree with yourself that the changes would be made at the end of the week, the month, and so on. After a while it became clear that point changes were no longer enough: so much had to be moved and rearranged that it would be easier to start from scratch. Next comes the stage of acceptance (you can even praise yourself: “we can, we can draw diagrams, we just don’t need to yet”), but it’s time to move on to the next level.

Yes, there are programs that document the network and draw a picture of it themselves, since the hardware is now all intelligent and willingly reports its innards and a little about its neighbours. An incomplete list of such software is given in the article “Network Maps. A brief overview of software for building network maps.” Disappointment comes pretty quickly, once you touch a couple of programs or even just read the descriptions. For example, Zabbix is great as a system for monitoring and collecting metrics from everything you can reach, but its so-called “network maps” have no right to be called that. They are rather “mnemonic schematics”: creating them and keeping them alive is hard and dull. The other extreme is to draw everything that has an IP address on the map. Of course, in a presentation, where a few servers, three workstations and a switch are drawn, it looks great. In real life it looks like an ugly mess.

In the previous paragraph I wrote that the list of software is not complete. I have personal experience with HP OpenView Network Node Manager (since the last century :)). It is an enterprise product and quite expensive. I will not go to bat for it, since it seems that more than 10 years ago it ended its existence with version 6.22 and is no longer for sale (but this is not certain: while I was preparing the article I came across a mention of an HP OV NNMi community edition, version 7, though I could not download it)... Actually, based on my experience of using it and my knowledge of its internals, I still consider OpenView the standard when it comes to building a network map. The developers and the program “grew” together with the global understanding of networks and with the development of the technology. What can I say: HP itself was actively building networks. In general, the engineers knew their business, well done. Even when the implementation of some things in OpenView seemed inconvenient and illogical, after reading the documentation and some reflection you came to understand that it had to be done exactly that way. A screenshot of this beauty is attached.

However, enough memories; let’s get to the point.

It is easy to draw an L3 map automatically. You don’t even need special equipment: a Linux computer and SNMP access to all network devices are enough. The minimum set of required software is available in every distribution. Step one is to scan the network for live devices (fping / nmap), step two is to collect information from them (snmpwalk). Step three is to normalize that information using bash / awk / sed / python / perl / php, whichever you are more at home with. Map generation is also done programmatically, for example via graphviz.

Stage number 1. You can skip it, but it is better to ping first: the timeouts for SNMP polling are quite long, and it may happen that during the polling we catch a network reconfiguration. The larger the network, the greater the chances.

Let’s discuss stage two. Which branches of the SNMP agent should you look at? system is required, as are ip.ipAddrTable and interfaces.ifTable. We take the routing tables from ip.ipRouteTable (or from IP-FORWARD-MIB). I suggest storing the values from system: for example, SNMPv2-MIB::sysObjectID.0 lets you attach to the network object an icon matching the real type of equipment, and also look further into the corresponding vendor MIB. And by looking at the 3rd bit of SNMPv2-MIB::sysServices.0 you can separate the routing equipment from L2 devices and end hosts.

Stage three: normalization. Also pretty simple. First of all, duplicates must be removed, since we scan all reachable addresses, and a piece of equipment will happily answer from every one of its network interfaces. You may want to bring interface names to a single form (anyone who has worked with Cisco will understand). It is also necessary to patch the “black holes”: if, for example, two networks are connected through a box that for some reason does not want to cooperate and does not respond to SNMP, we can describe it manually in a file with the necessary interfaces / addresses / metadata, and our “normalizer” will take this information into account when generating the topology. Loopback interfaces and the routes attached to them need to be cleaned out. In the routing tables, only static routes are of interest. You can also spot interfaces that are configured but administratively down. In general, there is a lot to do here, and I have certainly missed something.
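Stages two and three in code, as an added Python example (not the author’s scripts): it parses constructed snmpwalk output for one router, checks the layer-3 bit of sysServices, drops the loopback, keeps only static routes (ipRouteProto netmgmt(3)) and collapses the duplicate records that a router polled on each of its addresses produces. The device record layout is my own.

```python
import re, ipaddress
from collections import defaultdict
# Constructed sample of snmpwalk output (system, ipAddrTable, ipRouteTable), not a real capture.
SAMPLE_WALK = """\
SNMPv2-MIB::sysName.0 = STRING: r1
SNMPv2-MIB::sysServices.0 = INTEGER: 76
IP-MIB::ipAdEntNetMask.127.0.0.1 = IpAddress: 255.0.0.0
IP-MIB::ipAdEntNetMask.10.10.1.1 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntNetMask.172.16.0.1 = IpAddress: 255.255.255.252
RFC1213-MIB::ipRouteMask.0.0.0.0 = IpAddress: 0.0.0.0
RFC1213-MIB::ipRouteNextHop.0.0.0.0 = IpAddress: 172.16.0.2
RFC1213-MIB::ipRouteProto.0.0.0.0 = INTEGER: netmgmt(3)
RFC1213-MIB::ipRouteProto.10.10.1.0 = INTEGER: local(2)
RFC1213-MIB::ipRouteMask.10.10.2.0 = IpAddress: 255.255.255.0
RFC1213-MIB::ipRouteNextHop.10.10.2.0 = IpAddress: 10.10.1.10
RFC1213-MIB::ipRouteProto.10.10.2.0 = INTEGER: netmgmt(3)
"""
LINE = re.compile(r"^(?:[\w-]+::)?(\w+)\.(\S+) = \w+: (.*)$")

def parse_walk(text):
    """Turn snmpwalk lines into {column: {index: value}}; 'netmgmt(3)' is kept as '3'."""
    cols = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            name, idx, val = m.groups()
            enum = re.fullmatch(r"\w+\((\d+)\)", val)
            cols[name][idx] = enum.group(1) if enum else val
    return cols

def build_device(cols):
    """One normalised device record: no loopbacks, static routes only."""
    services = int(cols["sysServices"]["0"])
    dev = {"name": cols["sysName"]["0"], "routes_l3": bool(services & 0b100),  # layer-3 bit
           "interfaces": [], "static_routes": []}
    for addr, mask in cols["ipAdEntNetMask"].items():
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        if not iface.ip.is_loopback:          # 127/8 never appears on the map
            dev["interfaces"].append(iface)
    for dest, proto in cols["ipRouteProto"].items():
        if proto == "3":                      # ipRouteProto netmgmt(3) == static route
            net = ipaddress.ip_network(f"{dest}/{cols['ipRouteMask'][dest]}", strict=False)
            dev["static_routes"].append((net, ipaddress.ip_address(cols["ipRouteNextHop"][dest])))
    return dev

def dedupe(devices):
    """Scanning every address makes a router answer on each interface: keep one record per box."""
    unique = {}
    for dev in devices:
        unique.setdefault(frozenset(i.ip for i in dev["interfaces"]), dev)
    return list(unique.values())
```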

Drawing the map. As I wrote earlier, you can quickly generate a gv file and get a picture with graphviz. If you just draw each network object as a square, each network as a circle (ellipse) and connect devices and networks with lines, you will most likely not like the result. A finer cleanup of the network map is required:

1. Hiding end devices. It seems obvious that a network should consist of network devices, but some of them are simply not needed on the map: workstations, peripherals and other devices with only one interface. There is no need to draw them, and the diagram becomes an order of magnitude cleaner (HP OpenView did not take hosts to the top level and also let you hide objects manually). I tried to show this clearly in the picture: on the left, before (what the diagram looks like without this rule), on the right, after (the rule applied).

How it is done

Everything is very simple. We create a text file test.gv with the following content:

graph method1 {
	// neato layout options: "subset" distance model, overlapping nodes squeezed apart
	model=subset
	overlap=compress;
	// H1..H3: end hosts drawn as an icon, with the name as an external label
	H1 [shape="none" image="notebook.png" label="" xlabel="N"]
	H2 [shape="none" image="notebook.png" label="" xlabel="N"]
	H3 [shape="none" image="notebook.png" label="" xlabel="N"]
	// N4, N6: networks drawn as ellipses; R5: the router icon
	N4 [shape="ellipse" label="N"]
	R5 [shape="none" image="router.svg" label="" xlabel="N"]
	N6 [shape="ellipse" label="N"]

	// undirected links ("graph", not "digraph")
	H1 -- N4
	H2 -- N4
	H3 -- N4
	N4 -- R5
	R5 -- N6
}

We put the pictures mentioned in the file next to it and use the neato utility to generate the picture:

$ neato -Tsvg -O test.gv

See https://graphviz.org for details on the syntax of the input file and the neato command line (and more).

I also ask you to note that the left and right pictures here and below differ in the relative position of the elements. This is not on purpose: the optimal layout is simply generated automatically, the number of elements changes, and so they have to be placed differently. Of course, you can fix the coordinates of objects manually, but we originally set out to get away from such methods 🙂

2. Aggregation of local networks. Here OpenView had something I no longer liked 🙂 each network was displayed separately. At the dawn of network technology this was normal, but with the advent of 802.1q and the active use of VLANs on interfaces it became very crowded. If you collect all these “leaf” networks into one object, it becomes much easier to work with. You can also draw it with a thicker outline.

3. Point-to-point connections. Here I think nobody will object. Why draw a network for a PPP link when nothing else will ever be connected to it? So instead of a network, draw a line.

4. Multilinks. Such cases also exist. It is not always possible to bundle channels at the physical level, and there is nobody to blame. But we will replace a bunch of lines with one fat one.

5. Point-to-point connection without a second node. You can guess at the existence of this node from the /30 mask on the interface. You could, of course, not draw it (see rule 1), but what if it is something we have slightly forgotten? From the mask and the IP address of the interface on our side we calculate the address the neighbour must have. Let’s draw it in gray, with a direct connection of course; in the final picture we will see it, remember, and possibly fix it.

Why this is not quite right

There are nuances. For example, on PPP you can assign addresses from completely different ranges, or not assign addresses at all. But we rely on the age-old traditions of the elders.

6. Static route. This is already indirect information, from the routing table. A static route on router R1 of the form (this is a piece from Linux, but the essence matters, not the form):

10.10.1.0/24 via 10.10.1.10 dev enp0s3

When we tried to pull information from the gateway directly via SNMP, we failed, but we still have the opportunity to display both it and the network hidden behind it. This is, of course, not entirely reliable information, so we show it in gray and dashed.

7. Aggregation of networks with identical connections. A special case of point 2. I decided to describe it separately, because networks / VLANs routed by several Cisco switches with HSRP look ugly. In OpenView this also looked intimidating (I had 3 “six-ton” units with a bunch of VLANs, just horror).

8. Display the default gateway. Yes, also from the routing table. Maybe it should be displayed in a non-gray color? I haven’t decided yet.

9. Labelling. Object labels need special thought. By default, OpenView showed only the names of network objects and the network address (no mask). A separate button enabled labels on all links and interfaces. It’s inconvenient, but I don’t remember any other options.
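Rules 1, 3, 5 and 6 applied to a constructed, already normalised inventory, as an added Python example (not the author’s code): it writes the kind of gv file neato consumes, hiding single-interface hosts, turning /30 links into lines, drawing an unreached /30 neighbour in gray, and drawing a static route through a silent gateway in gray dashes. The device record layout and the node attributes are my own choice.

```python
import ipaddress

def dev(name, ifaces, routes=()):
    """Build one normalised device record (no loopbacks, static routes only)."""
    return {"name": name,
            "interfaces": [ipaddress.ip_interface(i) for i in ifaces],
            "static_routes": [(ipaddress.ip_network(n), ipaddress.ip_address(h)) for n, h in routes]}

# Constructed sample: two routers on a /30, a LAN with three one-interface hosts, a second
# /30 whose neighbour never answered, and a static route through a gateway that stayed silent.
DEVICES = [
    dev("r1", ["10.10.1.1/24", "172.16.0.1/30"], [("10.10.2.0/24", "10.10.1.10")]),
    dev("r2", ["172.16.0.2/30", "10.10.3.1/24", "10.20.0.1/30"]),
    dev("h1", ["10.10.1.21/24"]), dev("h2", ["10.10.1.22/24"]), dev("h3", ["10.10.1.23/24"]),
]
GRAY = "color=gray fontcolor=gray"

def peer_of(iface):
    """Rule 5: a /30 has exactly one other host address, and that is the neighbour."""
    return next(a for a in iface.network.hosts() if a != iface.ip)

def build_graph(devices):
    """Emit a neato-ready graph that applies rules 1, 3, 5 and 6 from the text."""
    drawn = [d for d in devices if len(d["interfaces"]) > 1]   # rule 1: hide end hosts
    owners = {i.ip: d["name"] for d in drawn for i in d["interfaces"]}
    nodes, edges = {}, {}              # insertion-ordered; dict keys also dedupe
    for d in drawn:
        name = d["name"]
        nodes[name] = "shape=box"
        for i in d["interfaces"]:
            if i.network.prefixlen == 30:       # rule 3: /30 is a line, not a network bubble
                other = owners.get(peer_of(i))
                if other is None:               # rule 5: neighbour we never reached, in gray
                    other = str(peer_of(i))
                    nodes[other] = "shape=box " + GRAY
                edges[tuple(sorted((name, other)))] = ""
            else:
                nodes.setdefault(str(i.network), "shape=ellipse")
                edges[(name, str(i.network))] = ""
        for net, gw in d["static_routes"]:      # rule 6: static route via a silent gateway
            if gw not in owners:
                nodes[str(gw)] = "shape=box " + GRAY
                nodes[str(net)] = "shape=ellipse style=dashed " + GRAY
                edges[(name, str(gw))] = "color=gray style=dashed"
                edges[(str(gw), str(net))] = "color=gray style=dashed"
    out = ["graph l3 {", "  overlap=compress;"]
    out += [f'  "{n}" [{attrs}];' for n, attrs in nodes.items()]
    out += [f'  "{a}" -- "{b}"' + (f" [{attrs}]" if attrs else "") + ";" for (a, b), attrs in edges.items()]
    return "\n".join(out + ["}"])
```

Feed the returned text to `neato -Tsvg` exactly as with test.gv above.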

If we remove redundant information from the diagram, it will look something like this:

Of course, you can clean it up further: for example, omit the unchanging part of the network prefix (192.168) or, if the addressing plan is large, replace it with mnemonic names. Another option is to have additional information appear at certain zoom levels (graphviz cannot do this).

That’s basically all that is required to automatically build a map of an L3 network. Clearly, by digging into the vendor MIBs you can get more information, down to L2 (by the way, that is also a very interesting topic, and I have started fantasizing about it too). Also, there is still no understanding of what to do with asymmetric routing, with crypto gateways / firewalls / tunnels, address translation, and so on. If there are ready-made recipes, write in and I will supplement the article. I also want to say that graphviz is just a seed 🙂 You can and should do everything with more modern and interactive methods: a database, multithreaded polling, rendering via the web. Scaling, editing, moving objects, all with a mouse, with convenient menus and shapes. In addition, you can take device state from the same Zabbix via its API. Beautiful!

Well, as an example, a slightly obfuscated map of a real network.

It was not done according to all the canons described: instead of pictures of objects, just squares (in SVG format the pictures are pulled in by links, and PNG turns out too large). There are also no interface labels. The map itself fell apart, a consequence of the “black holes” not having been patched. The thing is, this was a pet project which has been sitting on my hard disk for 5 years already, and I suppose it is going to die there. I no longer even have access to the test network (I am reluctant to write a minimal network emulator, and gns, for example, will not handle such a scale). If anyone is ready to develop it, I would be glad to join.
