Extending ADDM Discovery to Firewalls, Applications and Routers


Presentation slides from October 2014 ADDM Discovery Interest Group.


Extending discovery to network devices and their relationships to your applications.

Presented by Wes Fitzpatrick – wfitzpatrick@cssdelivers.com

Applications, Firewalls & Routers

• ADDM is very good at mapping:
  • Application 2 software dependencies
  • Software 2 software, host dependencies
  • Host 2 host, neighbouring switch dependencies
  • Technical and operational dependencies

• Not so good for:
  • Switch and router neighbours
  • Firewall neighbours
  • Load balancer neighbours
  • Logical or functional application dependencies

ADDM Current Discovery Capability – pros and cons

Application Architecture as seen by ADDM

Application

Software Instances

Hosts

Switches

Application Architecture as seen by the Organisation

https://rmohan.com/?p=436

Application

Load Balancers

Firewall/Routers

Hosts + Software Instances

Switches

• Multinational retailer
  • 1500 OSIs comprised of Windows, Unix, AS400s, Exadata and Netezza.
  • Application stack included F5 load balancers and AS400 messaging subsystems.

• Tier 1 Investment bank
  • 10,000 OSIs
  • Decentralised ADDM deployments to Americas, EMEA, APAC datacentres.
  • BAM not used – single focus on remote firewalled connections.

Business Cases

Getting Load Balancers into the Model

• SNMP Only
  • Creates a NetworkDevice node
  • No direct relationship to SIs or BAIs.

• Solution
  • Trigger on a web server SI type
  • Create a link through DiscoveryAccess and update an attribute on the SI
  • Trigger on NetworkDevice
  • Create an SI for “F5 Load Balancer”
  • Reverse lookup DiscoveredNetworkConnection for port to process mapping
  • All communicating software!

Load Balancers

Getting Firewalls into the Model

• Can be discovered (unsupported device)
• Custom TPL needed
• SNMP?
• No direct way to link to a Host or Router

Firewall/Routers

Getting Firewalls into the Model


http://www.xpresslearn.com/networking/design/network-design-series-ii/#


• Bank Environment
  • No TPL required (no application models)
  • No 3rd party software available
  • Scanning additional domains/zones not permitted
  • NMAP not permitted
  • SNMP login to firewalls/routers not permitted
  • Traceroute? Maybe….

Firewall/Routers

"Hop-count-trans" by Stagira - http://commons.wikimedia.org/wiki/File:Hop-count-trans.png#mediaviewer/File:Hop-count-trans.png

Getting Firewalls into the Model cont…

• Solution
  • Obtained a pre-defined list of “hand-off” routers
  • Started with pool of 100 dev hosts
  • TPL out of the question
  • Expanded to 1000 prod hosts
  • 200,000 remote IP addresses in ADDM (40,000 unique records)
  • Filtered to 7500 unique remote IPs, 230 outside of firewall
  • Output 4 csv files:
    • Hosts with hand-off router connections
    • Hosts with no remote connections
    • Traceroute timings
    • Connection details
• Average 3 seconds per traceroute, 90 minutes to run.
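
An added illustration of the approach on this slide (not the presenter's script): traceroute hops are matched against a pre-defined hand-off router list to sort hosts into the first two reports. The addresses, host names, column names and traceroute text are constructed, and reading "no remote connections" as "no path through a hand-off router" is an assumption.

```python
import csv
import io
import re

# Assumption: the pre-defined hand-off router list (constructed addresses).
HANDOFF_ROUTERS = {"10.255.0.1", "10.255.0.2"}

# Constructed `traceroute -n` output, keyed by (source host, remote IP).
SAMPLE_TRACES = {
    ("devhost01", "203.0.113.10"): """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  10.1.1.1  0.412 ms  0.398 ms  0.377 ms
 2  10.255.0.1  1.102 ms  1.087 ms  1.054 ms
 3  * * *
 4  203.0.113.10  8.731 ms  8.702 ms  8.699 ms
""",
    ("devhost02", "10.1.9.20"): """\
traceroute to 10.1.9.20 (10.1.9.20), 30 hops max, 60 byte packets
 1  10.1.2.1  0.301 ms  0.288 ms  0.279 ms
 2  10.1.9.20  0.644 ms  0.630 ms  0.611 ms
""",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s")

def parse_hops(text):
    """Return [(ttl, ip)] for responding hops; silent '* * *' hops are skipped."""
    return [(int(m.group(1)), m.group(2))
            for m in map(HOP_RE.match, text.splitlines()) if m]

def classify(traces, handoff=HANDOFF_ROUTERS):
    """Split hosts: path crosses a hand-off router vs. stays inside."""
    crossing, internal = [], set()
    for (host, remote), text in traces.items():
        hit = next(((t, ip) for t, ip in parse_hops(text) if ip in handoff), None)
        if hit:
            crossing.append({"host": host, "remote_ip": remote,
                             "handoff_router": hit[1], "hop": hit[0]})
        else:
            internal.add(host)
    return crossing, sorted(internal - {row["host"] for row in crossing})

def to_csv(rows, fields):
    """Render rows as CSV text, the form a report file would take."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```
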

Firewall/Routers

• Multinational retailer
  • In the process of mapping their additional applications.
  • Application models now considered core to move.

• Tier 1 Investment bank
  • 1st Stage proof of concept success.
  • Considering expanding script to other datacenters for holistic view.

Summary

• Application Models can be extended to include
  • Routers
  • Load Balancers
  • Firewalls

• ADDM is a ‘must-have’ tool for datacentre migrations
  • Provides visibility of ‘what’ is connected ‘where’
  • Important to understand how the application model differs from HLD

Summary

Questions?

https://communities.bmc.com/ideas/7623

http://www.slideshare.net/WesFitzpatrick/bmc-addm-cheat-sheet-css-delivers-37644290
