Recommendations for Running a NetMRI Trial

Because NetCraftsmen was offering a free 30 dial trial of Netcordia’s NetMRI software, we have had some recent discussions on the best way to run a trial.

Here is my summary of the recommendations from the discussions:

1. If you plan to run a trial, make sure you have time to install and configure the software. If needed, ask for help in getting it set up.  (NetCraftsmen can help!)
   • You also need to commit the  time to follow up. Check in on it at least weekly – is the software still running, or has someone repurposed your test machine?
2. You should follow your site procedures to let your security team know that you are placing a monitoring device in the network.
   • By default, the portscan function of NetMRI is disabled. You should confirm that it is off. If you enable it, your IDS/IPS systems should notice.
3. On our 30 day trial, you will be only be able to monitor up to 25 devices and 1000 interfaces. So, choose appropropriate devices that may be able to provide you some interesting information about your network status:
   • To speed up a trial, you can explicitly configure the IP addresses of the 25 devices.
     • This is likely the best option for a small trial.
   • Typically with NetMRI, you would set up the CIDR blocks that make up the network you want to monitor.
     • This is not a starting address/ending address, but a block of addresses based on an address and mask.
     • Given some time, NetMRI can learn the address of all the devices in the CIDR blocks.
     • You could then configure a device group (under the Groups tab of the Collections & Groups section) to set the priority of the devices you want to include in the trial.
   • To get a good view of your network, you may want to look at a wedge of the network from the center out:
     • Select a couple core level devices, a few of the attached distribution level devices, and several of the attached edge/access level devices.
   • If you have time, run a second test looking at all the devices in the core, as well as the most important distribution level devices.
4. You need to configure credentials such as the SNMP read-only community string or strings that you are using in your network.
   • If you are running TACACS in your environment, you will need to configure TACACS to allow NetMRI to login, and configure the CLI credentials in NetMRI.
5. You need to verify that any access lists limiting SNMP traffic are open enough to allow NetMRI to request and receive information.
   • Some site establish a small management subnet and allow any device in the subnet SNMP access. If this is the case in your environment, place the NetMRI device in that subnet.
   • Other sites control SNMP access by speicifc IP address. If this is the case in your organization, add the IP address of the NetMRI device to the ACL.
   • Some sites have no restriction on which devices can use SNMP to poll network devices. If this is the case at your site, you probably should consider adding some controls.
6. You will want to verify that NetNRI and your network is configured correctly, and that NetMRI can successfully poll the devices you want to monitor.
7. In addition to letting NetMRI gather data, a very key step is to go back and review the list of issues found. You will want to resolve the issues you can.
8. You can also test out the configuration capabilities of NetMRI, probably on non-production lab devices. For example, you can use a NetMRI script to add ACLs to a bunch of devices, first checking to make sure that the ACL has not already been added to a specific device, then adding the ACL if it is not present, and then using a ‘sh run’ to confirm that it is in the config.

I hope this gives you some good ideas on running your NetMRI trial!

— cwr