Written by Daniel Verastiqui
Daniel Verastiqui is the Director of Client Services and Corporate Communications at Uplogix, Inc.
Read enough of my blog posts and you’ll hear the same message over and over: don’t use the network to manage the network. This is a staple of life at Uplogix, and many of us have it tattooed across our backs in an ornate font that suggests we’ve done time in the most hardcore datacenters this country has to offer. However, we’re not unreasonable people. We’re happy to use the network for other tasks, such as synchronizing information across a deployment of thousands of Local Managers. You know all those alarms and events and configuration files we’re collecting? Wouldn’t it be inefficient to have to go to each Local Manager just to view that data?
Of course it would, and that’s why we built the Uplogix Control Center.
Let me tell you a little about what the Manager of Managers does.
Securing Your Users
Could you imagine hiring a new router jockey and having to log into 2,000 individual Local Managers to create the user, set their password, and give them privileges? No, you can’t, because nightmares only happen while we’re sleeping. When you turn up an Uplogix Control Center and point your Local Managers at it, the UCC becomes your single touch point for making major changes throughout the deployment.
When it comes time to onboard your new employee Sven, you only need to create his account once on the Control Center. Once saved, his details will be synchronized throughout the entire deployment, and if he is also given the right permissions, he should be able to log into any Local Manager within 30-60 seconds. And six months later, when Sven is caught stealing people’s lunches from the break room, you can return to the Control Center, disable his account once, and he will lose access to every Local Manager you own (and by extension, every port on those Local Managers).
Other cool security things you can do on a large scale:
- Change users, groups, and privileges
- Configure third-party AAA like RADIUS, TACACS, and LDAP (and if the shared secret changes, you can update it once on the UCC and the change will trickle down)
- Configure strong password settings
- Audit all changes on some or all devices throughout the deployment via Reports
- Audit all user actions via Reports
- Change welcome and login banners
- Change the Local Manager’s functional account ID / password
Not only can the UCC sync these security settings across the deployment, but any new Local Manager that you install and point to the UCC will automatically inherit the settings as well.
Easier Automation & Management
Look, we all love a good CLI, but sometimes it just makes more sense to do things in a GUI. One place I’ve always preferred it is when creating custom rules for the Local Manager. If you do it via the CLI, you’re going to need a reference doc to remember all the fields we can evaluate for interfaces. On the Control Center, however, you get a nice dropdown list with every possible option.
The best part? Once you’ve created and saved the custom rule, it will become available on every Local Manager within 30-60 seconds. Need to tweak it? Make the change on the UCC and everyone gets updated.
Create once, use everywhere is how I think the saying goes.
Here are some other things we do to make automation and management easier:
- Single pane of glass for viewing alarms throughout deployment
- View events for some or all Local Managers
- View configuration changes on a port, Local Manager, or everywhere
- Store configuration files and their revisions
- Provide a centralized file repository for operating system images and configurations
- Provide OS Policies, allowing you to set a standard OS version for specific makes and models
Think of it like this: you’ve got all these monitors and alarms and events running in hundreds or thousands of locations. The Control Center is there to help aggregate that data and make sense of it. You can’t be logged into every Local Manager at the same time, but you can keep the Alarms page open and be notified when something goes wrong anywhere in your deployment.
Local Managers take their management relationship with the Control Center seriously. If the network goes down, they can spin up a cellular connection, connect to a VPN, and start trading information again. This allows the Control Center to maintain visibility into the site even when there is no network path. Alarms, events, and configuration changes continue to be synchronized. More importantly, connecting over the out-of-band channel gives the Local Manager an opportunity to report its new IP address. If it comes up in a private network that we can’t route to, we can spin up an optional Reverse SSH tunnel proxied through the Control Center so you can still log in and see what’s going on at the site.
Since a Local Manager is always trying to talk to the Control Center, we can use its Inventory list as an overview of the deployment. Local Managers communicating in-band will show up with a green icon. Those operating out-of-band will be orange. If a quick glance at the Inventory shows any gray icons, then you know those sites are having trouble.
Without some kind of network connection, the Control Center can’t synchronize. And if it can’t do that, then what did we all get dressed up for? If communication has stopped, we want you to know about it.
More deployment-wide network things to try out:
- Update DNS, NTP, and even the Control Center’s IP with just a few clicks
- Change IP address, subnet mask, and default gateway remotely
- Update Pulse server IP
- Quickly see which Local Managers are in-band or out-of-band
- Change APN and VPN settings
- Single-click Dial button that connects to Local Manager over POTS line
- Single-click SSH button that connects in-band, out-of-band, or through Reverse SSH
- Hourly, daily, weekly, or monthly report showing which Local Managers aren’t communicating
Personally, I like to sit on the Inventory page and watch the alarms pop on and off. If you see a group of Local Managers go gray at the same time, and they’re all located in the same datacenter or geographic location, that can be your first indication of a network problem. After they all establish their out-of-band connections and check back in, you’ll be able to log into one of them and verify.
Local Managers like to act all cool and aloof like they can do their job with minimal intervention, but the truth is, when you have a hundred or a thousand fully populated LM83Xs in your network, you need a way to keep tabs on them all at the same time with minimal effort. The Control Center does just that, allowing you to turn one instruction into thousands. Want to upgrade every Cisco 5506 in your network to the latest IOS version? The Control Center can do it. Want to see the startup and running configuration files from a site that was just destroyed in a freak atomic physics experiment? We’ve got them all backed up, along with the configuration file of the Local Manager that can no longer be used because it’s blue and phase-shifts to Mars every hour on the hour.
Really, the Control Center does way too much to cover in a single blog post. I’m happy to give you a tour if you’d like; just drop a note to firstname.lastname@example.org and we’ll put something on the calendar.
Oh, and if your answer to Who manages the managers was the Coast Guard, then we should be best friends.