Presentation slides from October 2014 ADDM Discovery Interest Group.

1. Applications, Firewalls &
Routers
Extending discovery to network devices and their relationships to your
applications.
Presented by Wes Fitzpatrick – wfitzpatrick@cssdelivers.com

2. ADDM Current Discovery Capability – pros and cons
• ADDM is very good at mapping:
• Application 2 software dependencies
• Software 2 software, host dependencies
• Host 2 host, neighbouring switch dependencies
• Technical and operational dependencies
• Not so good for:
• Switch and router neighbours
• Firewall neighbours
• Load balancer neighbours
• Logical or functional application dependencies

3. Application Architecture as seen by ADDM

4. Application Architecture as seen by the Organisation
https://rmohan.com/?p=436

5. Business Cases
• Multinational retailer
• 1500 OSIs comprised of Windows, Unix, AS400s, Exadata and Netezza.
• Application stack included F5 load balancers and AS400 messaging
subsystems.
• Tier 1 Investment bank
• 10,000 OSIs
• Decentralised ADDM deployments to Americas, EMEA, APAC datacentres.
• BAM not used – single focus on remote firewalled connections.

6. Getting Load Balancers into the Model
• SNMP Only
• Creates a NetworkDevice node
• No direct relationship to SIs or BAIs.
• Solution
• Trigger on a web server SI type
• Create an link through DiscoveryAccess and update an attribute on the SI
• Trigger on NetworkDevice
• Create an SI for “F5 Load Balancer”
• Reverse lookup DiscoveredNetworkConnection for port to process mapping
• All communicating software!

7. Getting Firewalls into the Model
• Can be discovered (unsupported device)
• Custom TPL needed
• SNMP?
• No direct way to link to a Host or Router

8. Getting Firewalls into the Model
http://www.xpresslearn.com/networking/design/network-design-series-ii/#
• Bank Environment

9. Getting Firewalls into the Model
• Bank Environment
• No TPL required (no application models)
• No 3rd party software available
• Scanning additional domains/zones not permitted
• NMAP not permitted
• SNMP login to firewalls/routers not permitted
• Traceroute? Maybe….
"Hop-count-trans" by Stagira - http://commons.wikimedia.org/wiki/File:Hop-count-trans.png#mediaviewer/File:Hop-count-trans.png

10. Getting Firewalls into the Model cont…
• Solution
• Obtained a pre-defined list of “hand-off” routers
• Started with pool of 100 dev hosts
• TPL out of the question
• Expanded to 1000 prod hosts
• 200,000 remote IP addresses in ADDM (40,000 unique records)
• Filtered to 7500 unique remote IPs, 230 outside of firewall
• Output 4 csv files:
• Hosts with hand-off router connections
• Hosts with no remote connections
• Traceroute timings
• Connection details
• Average 3 seconds per traceroute, 90 minutes to run.

11. Summary
• Multinational retailer
• In the process of mapping their additional applications.
• Application models now considered core to move.
• Tier 1 Investment bank
• 1st Stage proof of concept success.
• Considering expanding script to other datacenters for holistic view.

12. Summary
• Application Models can be extended to include
• Routers
• Load Balancers
• Firewalls
• ADDM is a ‘must-have’ tool for datacentre migrations
• Provides visibility of ‘what’ is connected ‘where’
• Important to understand how the application model differs from HLD

13. Questions?
https://communities.bmc.com/ideas/7623
http://www.slideshare.net/WesFitzpatrick/bmc-addm-cheat-sheet-css-delivers-
37644290