S4.2 Contemporary Network Management


NATO
Advanced Networking Workshop
S4.2 Contemporary Network Management
[email protected]
September 18th, 2001
NCM-101
2973_05_2001_c1
© 2001, Cisco Systems, Inc. All rights reserved.
Buying a Network Management System should be easy…
[Cartoon, credit: Sigma Systems]
ISO Architecture for Network Management (FCAPS)
• Fault Management
• Configuration Management
• Accounting Management
• Performance Management
• Security Management
Network Life Cycle
[Figure: a cycle of Planning & Organizing, Design, Implement, Monitoring and Analyzing Changes, with Security spanning every phase]
TMN Open Reference Architecture
[Figure: layered model, top to bottom]
• Customer Interface: Customer Care, Sales, Order Handling, Problem Resolution, Perf./SLA Reporting, Invoicing and Rating, Billing
• Fulfillment, Assurance and Billing process workflow and application integration (Partner and Cisco applications) over an Integration Bus
• Service layer: Service Creation, Service Inventory, Service Provisioning, Service Quality, Service Product Development and Maintenance, Data Mediation and Aggregation
• Element/Network layer: Network Management, Provisioning, Restoration, Maintenance, Network Monitoring, Network Planning; Network and Systems Management (Plug-and-Play, Configuration, Policy, Instrumentation)
• Network Services: Model (CIM/DEN model, caching/state, repository); Security (authorization/authentication via RADIUS, Kerberos, TACACS+, PKI); Location (location, registration, naming); IP Address Mgmt (DNS, DHCP, address management)
• Cisco Network Devices: programmable and physical network layers
Agenda
• Motivation for Network Management
• Evolution of Basic Technologies
• Designing for Network Management
• Best Practices
• Policy Management
• Summary and Recommended Reading
Network Management Challenge
• 80% say managing the network is significantly more important than it was 18 months before
• Why?
  Your business relies more on the network
  Your network is more complex than before
  Your network is more visible than ever before
  You can’t hire and keep enough good people
IT Organization Challenge
[Figure: the IT organization's role spans a range from Utility to Strategic Asset]
• Network Management: facilitate high reliability; minimize transmission costs
• Service Management: leverage the organizational resources
• Strategic Asset: identify opportunities to use Information Technology to help the corporation better compete (E-Commerce, Extranets & VPNs, VoIP)
Evolution of Network Management
[Figure: over time, network traffic and network technology growth outpaces network resources (support staff, $$)]
• Networks are increasing in scale and complexity; there is a clear need for management functionality
• Management technologies evolve along with the technologies and services deployed in networks
Management Intranet
[Figure: heterogeneous management servers exchanging data as xmlCIM, keyed by Device ID]
Agenda
• Motivation for Network Management
• Evolution of Basic Technologies
• Designing for Network Management
• Best Practices
• Policy Management
• Summary and Recommended Reading
Network Management Technology Basics
[Figure: an SNMP manager (CiscoWorks 2000) with IP connectivity to routers and switches. Each device runs an SNMP agent exposing MIBs (MIB-II, RMON 1 and 2 or mini-RMON, RMON-MIB, CISCO-STACK-MIB, BRIDGE-MIB, ...) plus Syslog, Telnet, NTP (Network Time Protocol) and neighbor discovery via CDP or ILMI. The manager sends Get, GetNext, Set and GetBulk requests; devices return responses, SNMP traps, RMON events and syslog messages.]
The Syslog Facility
[Figure: CatOS, CatIOS and IOS devices send console messages (RS-232) and syslog over 514/udp to a Syslog Server, which writes a logfile; the console is optional]
Message format: facility, severity level, timestamp, system log message
• Very basic reporting mechanism
• Text messages over UDP
• Because the transport is unauthenticated UDP, messages can be lost under congestion and can be read or spoofed in transit; keep the syslog server on the management subnet and restrict which sources it accepts

Severity Level   Description
0                Emergencies
1                Alerts
2                Critical
3                Errors
4                Warnings
5                Notifications
6                Informational
7                Debugging
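The slide gives the severity table but not how a collector actually applies it. The following is an added example (not from the original deck or from Cisco) that parses IOS-style syslog lines as they arrive on 514/udp: it splits the PRI value into facility and severity (PRI = facility × 8 + severity), cross-checks that severity against the digit embedded in the %FACILITY-SEVERITY-MNEMONIC tag, and triages on severity while always surfacing configuration-change notices, which are security-relevant even at level 5. The sample lines, hostnames, addresses and timestamps are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity numbering from the slide's table (RFC 3164 values).
SEVERITIES = {0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
              4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging"}

# IOS-style message: "<PRI>timestamp: %FACILITY-SEVERITY-MNEMONIC: text"
LINE_RE = re.compile(r"^<(\d{1,3})>(.*?): %([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)$")

# Constructed sample, as a collector on 514/udp would receive it (hypothetical
# hostnames, addresses and times; not captured from a real network). IOS logs to
# facility local7 (23) by default, so PRI 187 = 23*8 + 3. The fifth line has a
# deliberately inconsistent PRI (severity 4) for a mnemonic that says 3.
SAMPLE_LINES = [
    "<187>Sep 18 2001 10:15:02: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "<189>Sep 18 2001 10:15:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down",
    "<189>Sep 18 2001 10:16:44: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.100.12)",
    "<190>Sep 18 2001 10:20:10: %SEC-6-IPACCESSLOGP: list 10 denied udp 203.0.113.7(40123) -> 10.1.100.15(161), 1 packet",
    "<188>Sep 18 2001 10:21:00: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up",
    "garbage that is not a syslog message",
]


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    mnemonic: str      # e.g. "LINK-3-UPDOWN"
    text: str
    consistent: bool   # PRI severity agrees with the severity digit in the mnemonic


def parse_ios_syslog(line: str) -> Optional[SyslogEvent]:
    """Parse one line; return None for anything that is not an IOS syslog message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)      # PRI = facility * 8 + severity
    mnemonic = f"{m.group(3)}-{m.group(4)}-{m.group(5)}"
    return SyslogEvent(facility, severity, m.group(2), mnemonic, m.group(6),
                       severity == int(m.group(4)))


def triage(lines: List[str], max_severity: int = 4) -> List[SyslogEvent]:
    """Events at or above the given severity (lower number = more severe), plus
    configuration-change notices, which matter regardless of their level."""
    picked = []
    for line in lines:
        ev = parse_ios_syslog(line)
        if ev and (ev.severity <= max_severity or ev.mnemonic == "SYS-5-CONFIG_I"):
            picked.append(ev)
    return picked


if __name__ == "__main__":
    for ev in triage(SAMPLE_LINES):
        flag = "" if ev.consistent else " (PRI/mnemonic severity mismatch)"
        print(f"{SEVERITIES[ev.severity]:<13} {ev.mnemonic:<22} {ev.text}{flag}")
```

The PRI/mnemonic cross-check catches relays or devices that rewrite the facility and severity on the way to the collector; a mismatch is worth knowing about before severity-based alerting is trusted.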
SNMP: The Management Entity, Agents, and Protocol
[Figure: a Network Management Station (the management entity) sends Get, Get-Next, Get-Bulk and Set requests across the IP network to the SNMP agent on a manageable device, which holds 1000s of defined objects and returns Get Responses and Traps (SNMP v1, SNMP v2)]
• The management entity collects data by generating requests; this causes in-band traffic coexisting with production traffic
• Agents are information storehouses of object definitions provided in many Management Information Bases (MIBs)
• The SNMP protocol is used to transport the information requests
SNMP: Understanding Community Strings
[Figure: frame header | IP header (protocol number UDP (17)) | UDP header (port 161) | SNMP message = version + community string + SNMP PDU | CRC]
• SNMP Protocol Data Units (PDUs) are processed according to the access policy indicated by the community string
• Community strings are clear text (in SNMPv1 and SNMPv2c alike) and provide a trivial authentication mechanism; anyone who can capture a single poll learns them
• Avoid using the well-known defaults:
  Read-only agent access: public
  Read-write agent access: private
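To make the "clear text" point concrete, here is an added example (not from the original deck or from Cisco) that reads the version, community string and PDU type straight out of the BER-encoded UDP payload, the way a passive sniffer on the management path would. The sample message is a hand-assembled SNMPv2c GetRequest for sysUpTime.0 with the default community "public", not a capture; the SetRequest and SNMPv3 samples are derived from it. The decoder handles only the message header, which is all that is needed to flag default communities and write attempts crossing the wire.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap", 0xA8: "Report"}
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed UDP payload of an SNMPv2c GetRequest for sysUpTime.0 using the
# default community "public" (hand-assembled BER, not a capture).
SAMPLE_GET = bytes.fromhex(
    "3026"                        # SEQUENCE, 38 bytes follow
    "020101"                      # INTEGER version = 1 (SNMPv2c)
    "04067075626c6963"            # OCTET STRING "public": readable by anyone on the path
    "a019"                        # [0] GetRequest-PDU, 25 bytes
    "020101" "020100" "020100"    # request-id 1, error-status 0, error-index 0
    "300e"                        # VarBindList
    "300c" "06082b060102010103" "00" "0500"   # VarBind: OID 1.3.6.1.2.1.1.3.0, NULL
)
# A SetRequest with the same community: byte 13 is the PDU tag ([0]=0xa0 -> [3]=0xa3).
SAMPLE_SET = SAMPLE_GET[:13] + b"\xa3" + SAMPLE_GET[14:]
# Start of an SNMPv3 message: the version is followed by msgGlobalData, not a community.
SAMPLE_V3_PREFIX = bytes.fromhex("3003020103")


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next position)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


@dataclass
class SnmpHeader:
    version: str
    community: Optional[str]   # None for SNMPv3, which carries no community
    pdu_type: str
    default_community: bool    # "public"/"private" seen on the wire
    write_attempt: bool        # a SetRequest, i.e. RW credentials in the clear


def parse_snmp_header(payload: bytes) -> SnmpHeader:
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":
        return SnmpHeader(version, None, "v3-message", False, False)
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    tag, _, _ = read_tlv(msg, pos)
    pdu = PDU_TYPES.get(tag, f"unknown(0x{tag:02x})")
    cs = community.decode("latin-1")
    return SnmpHeader(version, cs, pdu, cs in DEFAULT_COMMUNITIES, pdu == "SetRequest")


if __name__ == "__main__":
    for sample in (SAMPLE_GET, SAMPLE_SET, SAMPLE_V3_PREFIX):
        print(parse_snmp_header(sample))
```

Run against a capture of the management VLAN, this is exactly the check that tells you whether the read-write community is being sent in the clear; SNMPv3 with authPriv users is the only version where nothing usable falls out of the header.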
MIBs: Management Information Bases
• A MIB defines the variables that reside in a managed node
  Defined according to SMI (Structure of Management Information) rules
  Each managed object is described using an object identifier defined in the SMI
• MIB I
  114 standard objects
  Objects included are considered essential for either fault or configuration management
• MIB II
  Extends MIB I
  185 objects defined
• Other standard MIBs
  RMON, host, router, ...
• Proprietary vendor MIBs
  Extensions to standard MIBs
[Figure: an SNMP agent with 1000s of manageable objects defined following the rules set out in the SMI standards]
MIBs: Object Identifiers
• Hierarchically structured
• Each object uniquely identified
[Figure: the OID tree, Internet Activities Board (IAB) administered down to mib-2, vendor administered below enterprises]
iso (1) . org (3) . dod (6) . internet (1)
  directory (1)
  mgmt (2) . mib-2 (1): system (1), interfaces (2), address translation (3), ip (4), icmp (5), tcp (6), udp (7), egp (8), cmot (9), transmission (10), snmp (11)
  experimental (3)
  private (4) . enterprises (1): Proteon (1), IBM (2), Cisco (9), HP (11), Wellfleet (18), Sun (42), Apple (63), Microsoft (311), ..., unassigned (9118)
OID for system: 1.3.6.1.2.1.1
What’s in a MIB?
sysUpTime OBJECT-TYPE                -- mnemonic
    SYNTAX      TimeTicks            -- how to encode and interpret this variable
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The time (in hundredths of a second) since the network
         management portion of the system was last re-initialized."
    ::= { system 3 }                 -- parent is system; OID 1.3.6.1.2.1.1.3
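The two slides above describe the OID tree and one object definition; the added example below (not from the original deck or from Cisco) ties them together by resolving dotted OIDs to names from a subset of the tree shown on the slide, encoding and decoding OIDs in the BER form that actually travels in SNMP packets (first two arcs packed into one byte as 40×a+b, later arcs base-128 with a continuation bit), and rendering a TimeTicks value such as sysUpTime into human-readable form. The name table is a deliberately small subset of the tree; it is not a full MIB.

```python
from typing import List

# Subset of the OID tree from the slides, as {dotted prefix: label}.
OID_NAMES = {
    "1": "iso", "1.3": "org", "1.3.6": "dod", "1.3.6.1": "internet",
    "1.3.6.1.1": "directory", "1.3.6.1.2": "mgmt", "1.3.6.1.3": "experimental",
    "1.3.6.1.4": "private", "1.3.6.1.4.1": "enterprises",
    "1.3.6.1.4.1.9": "cisco", "1.3.6.1.4.1.311": "microsoft",
    "1.3.6.1.2.1": "mib-2", "1.3.6.1.2.1.1": "system", "1.3.6.1.2.1.2": "interfaces",
    "1.3.6.1.2.1.4": "ip", "1.3.6.1.2.1.16": "rmon",
    "1.3.6.1.2.1.1.1": "sysDescr", "1.3.6.1.2.1.1.3": "sysUpTime",
    "1.3.6.1.2.1.1.5": "sysName",
}


def oid_to_name(oid: str) -> str:
    """Replace each arc that has a known label; unknown arcs stay numeric."""
    out: List[str] = []
    prefix = ""
    for arc in oid.strip(".").split("."):
        prefix = f"{prefix}.{arc}" if prefix else arc
        out.append(OID_NAMES.get(prefix, arc))
    return ".".join(out)


def encode_oid(oid: str) -> bytes:
    """BER OBJECT IDENTIFIER (tag 0x06, short-form length) for a dotted OID."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {oid}")
    body = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]                 # low 7 bits last, no continuation bit
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))  # higher groups carry the 0x80 flag
            value >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(ber: bytes) -> str:
    """Inverse of encode_oid."""
    if len(ber) < 3 or ber[0] != 0x06 or ber[1] != len(ber) - 2:
        raise ValueError("not a short-form OBJECT IDENTIFIER")
    arcs, value = [], 0
    for b in ber[2:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def timeticks_to_str(ticks: int) -> str:
    """Render a TimeTicks value (hundredths of a second) as days and hh:mm:ss.hh."""
    hundredths = ticks % 100
    seconds = ticks // 100
    days, seconds = divmod(seconds, 86400)
    hours, seconds = divmod(seconds, 3600)
    minutes, seconds = divmod(seconds, 60)
    return f"{days}d {hours:02d}:{minutes:02d}:{seconds:02d}.{hundredths:02d}"


if __name__ == "__main__":
    oid = "1.3.6.1.2.1.1.3.0"                   # sysUpTime.0
    print(oid_to_name(oid), encode_oid(oid).hex(), timeticks_to_str(8640000 + 366105))
```

A sysUpTime that is suddenly small is one of the cheapest signs that a device rebooted (or was replaced) between two polls, which is why most pollers compare it against the previous sample rather than only displaying it.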
Traps and Informs
[Figure: a trap is sent once with no acknowledgement; an inform is acknowledged by the manager]
SNMP Version Differences

                 Version 1     Version 2c    Version 3
Informs          No            Yes           Yes
RMON/Event       No            Yes*          Yes*
Authentication   Community     Community     Users
Privacy          No            No            Yes
IOS/CatOS        Supported     Supported     Supported
NMS Support      Ubiquitous    Pretty Good   Limited
Example Tool using SNMP MIB Polling
• Monitors traffic load
on network links
based on SNMP
statistics
• Generates real-time
HTML traffic reports
• Monitor any SNMP
variable you choose
Traffic Management for Multiservice Networks
• Low latency, low bandwidth: VoIP, ERP
• Latency tolerant, bursty bandwidth: Multimedia, VPN, Web/URL
The network must provide each application with different service level characteristics simultaneously
Remote Monitoring MIB
[Figure: the RMON subtree of the OID tree]
iso.org.dod.internet.mgmt.mib-2.rmon = 1.3.6.1.2.1.16
RMON 1 groups: .1 statistics, .2 history, .3 alarm, .4 hosts, .5 hostTopN, .6 matrix, .7 filter, .8 capture, .9 events, .10 tokenRing (Token Ring, RFC 1513)
RMON 2 groups: .11 protocolDir, .12 protocolDist, .13 addressMap, .14 nlHost, .15 nlMatrix, .16 alHost, .17 alMatrix, .18 usrHistory, .19 probeConfig
Example Tool using RMON Data
• Collects RMON data
from intermediate
devices
• Analyzes data for
performance metrics
Netscout NGenius
NBAR
Network Based Application Recognition
• SW Feature in Routers
• Analyzes Data Portion
of packets to identify
applications
• Supports QoS
deployment
Service Assurance Agent
[Figure: SA Agents in the Corp. HQ/Data Center, Regional Aggregation, Retail Branch and Field Office routers exchanging synthetic probes]
• Synthetic traffic for various protocols
• Session level probe mechanism
• Generates availability and threshold traps
• Collects statistics
Service Assurance Agent Operation Types
[Figure: IOS-based Service Assurance Agent operation types ordered by increasing service value: ICMP echo, path echo, UDP and TCP latency, DNS/DHCP, packet loss, DLSw, jitter, HTTP, voice; all support IP Precedence]
Hop-by-Hop Response Time Report
ART MIB Functionality
• TCP protocols only (1.0)
• Based upon well-known destination port
• Default protocols: AOL, COMPUSRV, DLSW_RD, DLSW_WR, DNS_TCP, DOOM, FTP-CTRL, FTP-DATA, HTTP, HTTPS, NB_DGM_T, NB_NS_T, NB_SSN_T, NEWS_TCP, NNTP, NOTESTCP, ORACLSQL, REALAUD, SMTP, SNA_TCP, SOCKET, SQLNET_N, SUNRPC_T, TELNET, XWINDOW
[Figure: application level response time measured at the packet level from a TCP exchange (example: FTP). The client (C) sends SEQ 101 and the server (S) answers ACK 101; SEQ 102, 103 and 104 are answered by ACK 104; SEQ 105 by ACK 105. The probe separates client latency, network flight time and server latency to identify application response time]
ART MIB Example of Reporting
• Web accessible
For monitoring application
and web flows from
anywhere, anytime
• URL visibility
For control of your site
• Proactive management
Alarm on responsiveness of
the site or your mission
critical applications
• Seamless real-time
and historical
Current statistics with look
back capability
NetFlow Defined
• Flows are defined by 7 keys: source address, destination address, source port, destination port, layer 3 protocol, TOS byte (DSCP), input interface
• Flows are unidirectional
• Flows are enabled on a per input-interface basis
• Flows can be configured “on-demand” or continuous
[Figure: flow data exported to a management application]
NetFlow Data Record per Flow
• Usage: packet count, byte count
• Device/Interface: input interface, output interface
• QoS: type of service, TCP flags, protocol
• Time stamp: start timestamp, end timestamp, call duration
• Routing and peering: source IP address, destination IP address, source prefix mask, destination prefix mask, source AS number, destination AS number, next hop address
• Application: source TCP/UDP port, destination TCP/UDP port
• Per export: number of flows, flow size distribution, lost datagrams
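The two NetFlow slides list the fields but not what a collector does with them. The added example below (not from the original deck or from Cisco) parses NetFlow version 5 export datagrams with the standard 24-byte header and 48-byte records, reconstructs the flow key, uses the header's flow sequence number to count flows lost between consecutive exports (the slide's "lost datagrams"), and runs one detection over the records: a source that opens many single-packet SYN-only flows to distinct host/port pairs, the signature of a port or host sweep. The export datagrams are constructed in the block with a small packer; the addresses and flows are hypothetical.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int
    tos: int
    input_if: int


def parse_v5(datagram: bytes) -> Tuple[dict, List[Flow]]:
    """Decode one NetFlow v5 export datagram into (header fields, flow records)."""
    (version, count, _uptime, _secs, _nsecs, seq, _etype, eid, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram shorter than its record count claims")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, inp, _out, pkts, octs, _first, _last, sport, dport,
         _pad1, flags, prot, tos, _sas, _das, _smask, _dmask, _pad2) = \
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(str(IPv4Address(src)), str(IPv4Address(dst)), prot, sport,
                          dport, pkts, octs, flags, tos, inp))
    header = {"flow_sequence": seq, "count": count, "engine_id": eid,
              "sampling": sampling & 0x3FFF}
    return header, flows


def lost_flows(prev_header: Optional[dict], header: dict) -> int:
    """Flows missing between two consecutive exports from the same engine:
    the sequence number counts flows, so the next export should start at
    previous sequence + previous count."""
    if prev_header is None:
        return 0
    expected = (prev_header["flow_sequence"] + prev_header["count"]) & 0xFFFFFFFF
    return (header["flow_sequence"] - expected) & 0xFFFFFFFF


def find_scanners(flows: List[Flow], min_targets: int = 10) -> Dict[str, int]:
    """Sources with many tiny SYN-only TCP flows to distinct (dst, port) pairs."""
    targets = defaultdict(set)
    for f in flows:
        syn_only = (f.tcp_flags & (TCP_SYN | TCP_ACK)) == TCP_SYN
        if f.proto == 6 and f.packets <= 2 and syn_only:
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def build_v5(seq: int, flows: List[Flow]) -> bytes:
    """Pack constructed flows into a v5 datagram (test input, not exporter code)."""
    hdr = V5_HEADER.pack(5, len(flows), 0, 1000684800, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(f.src).packed, IPv4Address(f.dst).packed, b"\0\0\0\0",
                       f.input_if, 0, f.packets, f.octets, 0, 0, f.sport, f.dport,
                       0, f.tcp_flags, f.proto, f.tos, 0, 0, 24, 24, 0)
        for f in flows)
    return hdr + body


# Constructed sample: one ordinary HTTP flow plus a sweep of telnet SYNs from
# 203.0.113.7 against 10.1.100.10-21 (hypothetical addresses).
SCANNER = "203.0.113.7"
SAMPLE_FLOWS = [Flow("10.1.100.12", "10.1.100.15", 6, 40231, 80, 12, 6400, TCP_SYN | TCP_ACK, 0, 1)]
SAMPLE_FLOWS += [Flow(SCANNER, f"10.1.100.{host}", 6, 51000 + host, 23, 1, 40, TCP_SYN, 0, 3)
                 for host in range(10, 22)]
EXPORT_1 = build_v5(100, SAMPLE_FLOWS)
EXPORT_2 = build_v5(120, SAMPLE_FLOWS[:1])   # sequence jumped by 20 after only 13 flows

if __name__ == "__main__":
    hdr1, flows1 = parse_v5(EXPORT_1)
    hdr2, _ = parse_v5(EXPORT_2)
    print("scanners:", find_scanners(flows1), "lost flows:", lost_flows(hdr1, hdr2))
```

Because flows are unidirectional and keyed per input interface, a sweep shows up as many distinct flow records from one source even though each carries a single packet; the same property is what makes NetFlow usable for accounting without capturing payload.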
NetFlow Related Applications
[Figure: NetFlow Data Export from devices to Flow Collectors, then to a management application that delivers end-user information for network planning, RMON probe replacement, accounting/billing, flow profiling and network monitoring]
Evolution of Data Exchange Standards
• SQL interfaces subject to
schema redefinition
• XML makes it easier to
exchange data between
computer systems
• Organizations rarely use a
standardized set
of tools
• Need to define a common
data model!
• Structured data can be
exchanged without APIs
CIM Components
[Figure: the CIM Specification (v2.0, later v2.1 and v2.2) defines the meta model; the CIM Schema (v2.1 through v2.4) consists of the Core schema, common schemas (System, Apps, User, Device, Physical, Network, Logical) and extension schemas; DEN adds the Policy, QoS and IPsec models and the LDAP mappings; a MOF parser and editor outputs HTML, SQL, Visio and ASCII]
Transporting CIM: XML!
• XML = eXtensible Markup Language
• Over HTTP, XML enables access to CIM objects
• Enables mixed vendor, distributed server environments!
[Figure: <XML>CIM Data</XML> carried over HTTP/HTTPS]
XML Components
• What makes up XML?
• XML document
• XML interpreter
or parser
• Document Type
Definition (DTD)
CIM Example: Inventory Data
////////////////////////////////////////////////////////
// Device: nmcpw1601.cisco.com
////////////////////////////////////////////////////////
instance of DEN_NetworkElement {
    DeviceId = "133";
    CommonName = "nmcpw1601";
    DNSName = "cisco.com";
    Description = "";
Agenda
• Motivation for Network Management
• Evolution of Basic Technologies
• Designing for Network Management
• Best Practices
• Policy Management
• Summary and Recommended Reading
Designing for Management: Redundant Infrastructure
[Figure: an SNMP manager on a dedicated management link; managed devices 10.1.100.10 through 10.1.100.15 are reached over the management subnet]
• High availability management
• Completely separates management from user data
• Management link is in a separate subnet, VLAN, and switch
• Higher assurance for management data delivery during congestion or convergence
Management Station Performance
• How fast is fast, and how slow is slow?
• Check Browsers, Virus Scan Options, Java
Releases….
• Customize Views
• Server CPU, Client RAM (and CPU)
• Be aware of the number of managed devices
• Be aware of the number of functions
• Don’t ask for information you won’t look at!
Integration and Growth Issues
• What happens when you need to run more applications on the same server? (CW2000, CiscoWorks Blue, CiscoSecure, QoS Policy Manager, Cisco Voice Manager, Service Mgmt, DNS / DHCP, HP NNM, MRTG, customer-specific tools)
  Is the OS supported?
  CPU or memory constraints?
  Conflicting databases?
  Conflicting ports used?
  Multi-user access?
Centralized Network Management Architecture
[Figure: one central NMS with a centralized database issues all NMS queries to Sites A, B and C across the enterprise network]

Hierarchical Network Management Architecture
[Figure: a server NMS holds the central DB; client NMSs at Sites A, B and C run local queries and report upward over NMS communication]

Distributed Network Management Architecture
[Figure: peer NMSs at each site, each with a local DB, run local queries and synchronize with one another over NMS communication]
Micromuse NetCool Architecture
[Figure: probes and gateways for SNMP, CMIP, ASCII (TL1), logfiles, databases, APIs, FW-1, Fusion, ISM and NTSM feed a central event server that de-duplicates events; automations built from triggers and actions drive internal and external actions (trouble ticket, Impact, CNM view); an info server, an RDBMS and the Reporter keep history; event lists are viewed from a web browser (via a WWW server) or a Motif/NT desktop]
Internet OSS
[Figure: layered OSS stack, top to bottom]
• Integration bus / middleware / northbound APIs
• Intelligent network services: directory, billing service, QoS policy, bandwidth, DNS, DHCP, authentication, authorization, fault manager, provisioning, ...
• Integrated management applications
• Element management and network management framework
• Integration bus / middleware services
• Network elements & intelligent agents
Agenda
• Motivation for Network Management
• Evolution of Basic Technologies
• Designing for Network Management
• Best Practices
• Policy Management
• Summary and Recommended Reading
Monitor Critical Links – forget the rest
[Figure: remote offices, servers and the corp network joined through key aggregation ports]
• Define key infrastructure aggregation ports
• Set up statistics collection (RMON)
• Monitor “away” from the core
• Enable traps for link failure and thresholds
• Monitor for performance and fault conditions
NTP helps correlate information
NTP
• Defined in RFC 1305
• Used to synchronize system clocks on
network devices with an authoritative
time source
• Essential for manual troubleshooting
via Syslog
• Client/Server unicast or multicast options
Use two Clock sources
[Figure: two Internet authoritative clocks, ntp.nasa.gov (143.232.55.5) and tick.usnogps.navy.mil (204.34.198.40); RTR A, RTR B and RTR C (c75xx) form a stratum 2 tier that negotiates time with both and peers among themselves; RTR 1 ... RTR n are stratum 3 clients of the three]

RTR A (192.168.100.1), stratum 2:
  ntp server 143.232.55.5
  ntp server 204.34.198.40
  ntp peer 192.168.100.2
  ntp peer 192.168.100.3
  ntp update-calendar

RTR B (192.168.100.2), stratum 2:
  ntp server 143.232.55.5
  ntp server 204.34.198.40
  ntp peer 192.168.100.1
  ntp peer 192.168.100.3

RTR C (192.168.100.3), stratum 2:
  ntp server 143.232.55.5
  ntp server 204.34.198.40
  ntp peer 192.168.100.1
  ntp peer 192.168.100.2

RTR 1 ... RTR n, stratum 3:
  ntp server 192.168.100.1
  ntp server 192.168.100.2
  ntp server 192.168.100.3

• Authenticate the server and peer associations (ntp authenticate, ntp authentication-key, ntp trusted-key) so that a spoofed time source cannot shift the timestamps that log correlation depends on
AAA – who can do what?
AAA/TACACS+
• Authentication, Authorization, and Accounting
• TACACS+ available in routers and switches—allows for
centralized username/password/priv administration
• Removes the requirement of having to config hundreds
of routers/switches when a user leaves
• Allows for accountability when each user has their
own login ID
• AAA implementation case study:
  http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/aaaisg/index.htm
DNS – know what you’re looking at
DNS
• At a minimum put your router loopback
addresses and switch sc0 interface
address in DNS
• Set hostname to match DNS nodename
• Forward/reverse lookups for interfaces?
Limit SNMP Abuse
• SNMP should only be accessible to NMS
• Use ACLs where appropriate
• Use SNMPv3 where available
• Limit available SNMP Data with “Views”
Community Strings Privacy
SNMP Views
[Figure: without a view, the community reaches the whole tree: enterprises (rttmon) and mib-2 (interfaces, bgp, ipRouteTable)]

SNMP Views
[Figure: the same tree with a view applied, pruning subtrees the NMS does not need; the next slide's example leaves ipRouteTable outside the view]
Conserve Bandwidth
[Figure: traffic from an snmpwalk of ipRouteTable, before and after an snmp-server view is enabled]
Cisco 2621 w/ 64MB RAM and 4000 routes (EIGRP): the snmpwalk would have run for 25½ minutes unrestricted
Conserve Device Resources: SNMP Access
• Restrict access to certain MIBs
• Some NM apps poll IP route tables and ARP caches; this can cause high CPU load on low-end routers with many route entries
• Use “snmp-server view” statements to keep those tables out of what the community can reach
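The "Limit SNMP Abuse", "SNMP Views" and "Conserve Device Resources" slides together describe one configuration posture: non-default communities, an access list on each one, a view that excludes the expensive tables, and SNMPv3 where possible. The added example below (not from the original deck or from Cisco) checks a saved IOS-style configuration against that posture and evaluates the view the way IOS does, where the most specific included/excluded subtree matching an OID decides. The configuration text, the community names and the addresses are constructed for the example; the OID name table is a small subset of the identifiers IOS accepts in snmp-server view statements.

```python
import re
from typing import Dict, List, Tuple

# Subset of OID names used below (IOS also accepts the dotted form in view statements).
OID_BY_NAME = {
    "iso": "1", "internet": "1.3.6.1", "mib-2": "1.3.6.1.2.1", "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2", "ip": "1.3.6.1.2.1.4", "ipRouteTable": "1.3.6.1.2.1.4.21",
    "ipNetToMediaTable": "1.3.6.1.2.1.4.22", "bgp": "1.3.6.1.2.1.15",
    "enterprises": "1.3.6.1.4.1", "cisco": "1.3.6.1.4.1.9",
}
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed IOS-style configuration fragment (hypothetical; not from a real device).
# The first two lines are the weak settings; the view and the ACL-bound community
# that follow are the corrected form.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server view NMSVIEW iso included
snmp-server view NMSVIEW ipRouteTable excluded
snmp-server view NMSVIEW ipNetToMediaTable excluded
snmp-server community n3tm0n-r0 view NMSVIEW RO 10
snmp-server host 10.1.100.15 version 2c n3tm0n-r0
access-list 10 permit 10.1.100.15
access-list 10 permit 10.1.100.12
"""

ViewRules = List[Tuple[Tuple[int, ...], bool]]


def _arcs(oid: str) -> Tuple[int, ...]:
    return tuple(int(a) for a in OID_BY_NAME.get(oid, oid).split("."))


def parse_views(config: str) -> Dict[str, ViewRules]:
    """Collect snmp-server view rules as {view name: [(subtree arcs, included?)]}."""
    views: Dict[str, ViewRules] = {}
    for m in re.finditer(r"^snmp-server view (\S+) (\S+) (included|excluded)\s*$", config, re.M):
        views.setdefault(m.group(1), []).append((_arcs(m.group(2)), m.group(3) == "included"))
    return views


def view_permits(rules: ViewRules, oid: str) -> bool:
    """The longest matching subtree decides; an OID matching no rule is not visible."""
    target = _arcs(oid)
    best = None
    for subtree, included in rules:
        if target[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]


def audit_communities(config: str) -> List[str]:
    """Findings for each community line, plus cleartext trap destinations."""
    findings = []
    acls = set(re.findall(r"^access-list (\d+) permit", config, re.M))
    pattern = r"^snmp-server community (\S+)(?: view (\S+))? (RO|RW)(?: (\d+))?\s*$"
    for name, view, mode, acl in re.findall(pattern, config, re.M):
        if name in DEFAULT_COMMUNITIES:
            findings.append(f"{name}: well-known default community string")
        if mode == "RW":
            findings.append(f"{name}: read-write access over a cleartext community; use SNMPv3 or drop RW")
        if not acl:
            findings.append(f"{name}: no access-list, any source may poll")
        elif acl not in acls:
            findings.append(f"{name}: referenced access-list {acl} has no entries in this config")
        if not view:
            findings.append(f"{name}: no view, whole MIB tree exposed")
    for host, version in re.findall(r"^snmp-server host (\S+) version (1|2c)", config, re.M):
        findings.append(f"traps to {host} use SNMPv{version}: community sent in the clear")
    return findings


if __name__ == "__main__":
    for finding in audit_communities(SAMPLE_CONFIG):
        print("FINDING", finding)
    rules = parse_views(SAMPLE_CONFIG)["NMSVIEW"]
    for oid in ("1.3.6.1.2.1.2.2.1.2.1", "1.3.6.1.2.1.4.21.1.1.10.0.0.0"):
        print(oid, "visible" if view_permits(rules, oid) else "hidden")
```

The view check answers the practical question from the bandwidth slide directly: an snmpwalk of ipRouteTable through NMSVIEW returns nothing, while ifDescr and the rest of mib-2 still work.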
Polling vs. Notifying
• Polling: NMS asks for status
• Notifying: device actively notifies NMS of problems
• Two types of notifications
  Trap—unreliable (UDP, no acknowledgement), no state retained on the device
  Inform—acknowledged by the manager and retransmitted until acknowledged or timed out
Cost of Queries
Example: 1 manager, multiple managed devices on a 64 Kb access link; 1 request = 1KB packet (avg.); 1 poll = getreq + getresp = 2KB; assume 1 object polled per managed device

% of bandwidth utilized:

# of polled stations    Polling interval in seconds
                        5       10      20      30
10                      50      25      12.5    8.3
20                      100     50      25      16
30                      150     75      37      25

• Be careful!
• Set polling interval wisely
• Bandwidth issues on lower speed links
Cost of Traps
• No queries
• But you may need to poll for other
reasons (performance metrics)
• SMART polling engines can really
make the difference!
Benefit of Traps
• Use trap-based polling
• Use RMON to define Traps
• Use RMON to set Thresholds
• Use RTT-Mon Traps for Timeouts,
Thresholds, Connection Changes
Limit the Amount of Information
[Figure: a WAN device failure raises duplicate events from every affected neighbor and overloads the NMS]

Remove Duplicates and Correlate
[Figure: fault correlation in front of the NMS collapses the duplicates into one root-cause event]

Hierarchical Mechanisms
[Figure: fault correlation applied at each tier of a hierarchical management architecture]
Security vs. Trust in the Network
Manageability, Ease of Access Concerns
• Ease of access vs. level of security is always a tradeoff
• Every network management feature can be viewed as a security vulnerability
[Figure: security plotted against ease of access; more of one means less of the other]
Management Traffic
What Options for Securing It?
• In-band clear text
• In-band encrypted
• Out-of-band
Management Protocol Security
Cleartext Transmissions
• SNMP
• TELNET
• RCP
• HTTP/XML
• TFTP
• CORBA, other special/
proprietary, etc.
Medium Trust Environment
• Higher concern for protecting managed devices
from unauthorized access
• Standard cleartext-based protocols may still be
acceptable
• Restrict access to devices as appropriate
access lists / ip permit lists for SNMP, TELNET
AAA for device access via TELNET
Low Trust Environment
Encryption of Management Traffic Needed
• Some protocols have secure option
SNMP: SNMPv3
TELNET: SSH
HTTP: SSL/HTTPS
RCP: SSH/SCP
• But what about ?
TFTP : ?
CORBA: ?
Low Trust Environment
Encryption of Management Traffic Needed
• IPsec / VPN tunnels
• Can cover ALL management protocols
• Useful for connections across a public WAN between sites
• Possible consideration for management of individual devices (if all devices support IPsec)
Network Management
[Figure: a corporate intranet with a dedicated network management subnet behind a firewall; a VPN gateway terminates remote management sessions]
• Network management subnet for all NMS hosts and tools
• Security point to control access to the subnet: firewall
• VPN aggregation point
Firewall Issues
• Need to consider not only traffic between
management workstation and devices, but also
between management workstation and clients
(management users)
• May be possible to filter based on ports
• Some products break—tools choose free ports
at random (CORBA, some other client and
server architectures)
Try telling firewall to permit larger port range
from management station
Firewall Issues
• NAT—no general solution for SNMP (addresses carried inside SNMP payloads, such as the agent address in a trap or ipAddrTable entries, are not rewritten by ordinary NAT)
• Common workaround is to multihome the management station or place it in a DMZ when necessary for one server to manage both “inside” and “outside” addresses
[Figure: NMS in the DMZ of a NAT firewall, with inside and outside interfaces]
Agenda
• Motivation for Network Management
• Evolution of Basic Technologies
• Designing for Network Management
• Best Practices
• Policy Management
• Summary and Recommended Reading
Define your Policies
• Policies are Goal Statements
• Implementing Policies: Conditions and Actions
• Conditions
Packet header
External conditions
User
• Actions
Filter rules
Encryption requirements
Quality of service requirements
Define Methods and Metrics
• Sampling method: synthetic or observed
• Collection method: embedded agents or external probes
• Scope of measurement: device/link or end-to-end/path
• Perspective of measurement: user or network
Defining Demarcations
[Figure: SA Agents at the Corp. HQ/Data Center, Regional Aggregation and Retail Branch measure across the Enterprise Domain, Service Provider Domain 1 (SP1) and Service Provider Domain 2 (SP2)]
• Other domains: network hardware, workstation hardware, application software, etc.
Example Policy
If service is HTTP
    if destination is S
        if source is H
            service level = Premium
            permit
        else if source is N1 or N4
            permit
            if source is N4
                use tunnel
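The example policy above is pseudocode; the added example below (not from the original deck or from Cisco) turns it into the condition/action structure the "Define your Policies" slide describes: each rule has a packet-header condition and a set of actions, rules are evaluated in order, a final rule stops evaluation (the pseudocode's else branch), and anything no rule permits is denied. The symbolic objects S, H, N1 and N4 are bound to constructed example prefixes.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

@dataclass
class Request:
    service: str   # application as the classifier names it, e.g. "HTTP"
    src: str       # source address
    dst: str       # destination address

@dataclass
class Decision:
    permit: bool = False                 # default deny until a rule permits
    service_level: Optional[str] = None
    tunnel: bool = False
    matched: List[str] = field(default_factory=list)

# The slide's symbolic objects, bound to constructed example prefixes.
OBJECTS = {
    "S": ip_network("10.1.200.10/32"),   # the server
    "H": ip_network("10.1.100.0/24"),    # headquarters users
    "N1": ip_network("10.1.1.0/24"),     # internal network 1
    "N4": ip_network("192.0.2.0/24"),    # partner network reached over a tunnel
}

def member(name: str, addr: str) -> bool:
    return ip_address(addr) in OBJECTS[name]

@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]   # packet-header and user conditions
    actions: Dict[str, object]             # fields to set on the decision
    final: bool = False                    # stop evaluating later rules on match

def http_to_s(r: Request) -> bool:
    return r.service == "HTTP" and member("S", r.dst)

# The slide's policy as an ordered rule table.
POLICY = [
    Rule("hq-premium", lambda r: http_to_s(r) and member("H", r.src),
         {"permit": True, "service_level": "Premium"}, final=True),
    Rule("partner-permit", lambda r: http_to_s(r) and (member("N1", r.src) or member("N4", r.src)),
         {"permit": True}),
    Rule("partner-tunnel", lambda r: http_to_s(r) and member("N4", r.src),
         {"tunnel": True}),
]

def evaluate(policy: List[Rule], req: Request) -> Decision:
    """Apply every matching rule's actions in order; stop at a final rule."""
    decision = Decision()
    for rule in policy:
        if rule.condition(req):
            decision.matched.append(rule.name)
            for key, value in rule.actions.items():
                setattr(decision, key, value)
            if rule.final:
                break
    return decision

if __name__ == "__main__":
    for src in ("10.1.100.5", "192.0.2.9", "10.1.1.7", "203.0.113.4"):
        print(src, evaluate(POLICY, Request("HTTP", src, "10.1.200.10")))
```

Keeping the actions as data rather than code is what lets a policy server export the same rules to different enforcement points (CLI, SNMP or COPS on the later slides) without rewriting the conditions.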
Directory Enabled Networking - Why?
Policy-Based Networking
[Figure: applications (SAP, Call Center, Voice, Video, Distance Learning, Conferencing, Oracle) and operating system services bind through the directory (name resolution, authentication, authorization, location) to DEN services (DHCP, DNS, security, QoS) on the network device layer, which runs the IP routing protocols OSPF, PIM, BGP4, L2TP, PGM, MPLS and others]
Directory Enabled Network Services
Benefits of Directory Enabled Networks
• End-Users: single network logon; personalized network services
• Service Providers: rapidly create, provision and deploy advanced networking services on a per user basis
• Enterprise Customers: centralized management of network resources; protect mission-critical traffic; simplify and enhance network management and provisioning
• Application Developers: easy access to advanced network services; develop network-aware applications using standard development interfaces and tools
Directory Protocols
• LDAP—standards-based query/update
• Kerberos—standard ticket-based authentication
• ADSI—Active Directory Service Interface (Microsoft AD)
• NDS/NDK—Novell Directory Services
QPM Architecture
[Figure: QPM management consoles drive a QPM server holding the policy database; distributed QPM policy servers push policy to the Cisco intelligent network via CLI, SNMP and COPS (DiffServ and RSVP); device data is imported from CiscoWorks 2000; user-based policies are exported to and from directories (Active Directory, Sun/Netscape, NDS, ...) over LDAPv3 in DEN/CIM-compliant form; Cisco and 3rd party apps (Cisco CNR DHCP, ...) integrate alongside; data, voice and video applications are the consumers]
• Policy & configuration management via CLI and COPS
• DiffServ and RSVP QoS standards
• Directory-enabled
Common Open Policy Service
• Benefits of COPS
Policing & aggregate policies for RSVP
Multi-vendor, standards-based interoperability
Simplified support of new / upgraded devices
Policy abstraction of device specifics
• Standards
COPS-RSVP is a standard
COPS-PR not yet IETF RFC
Agenda
• Motivation for Network Management
• Evolution of Basic Technologies
• Designing for Network Management
• Best Practices
• Policy Management
• Summary and Recommended Reading
Summary
• Network Management is key to productivity
• Networks evolve – so do NMS technologies
• Design your NMS to support your goals
• Choose suitable architectures and tools
• Define Methods and Metrics
• Integrate
Recommended Reading
• Performance and Fault Management, Paul Della Maggiora et al., Cisco Press, 2000, ISBN 1-57870-180-5
• SNMP, SNMPv2, SNMPv3 and RMON 1 and 2, Third Edition, William Stallings, Addison Wesley Longman, Inc.
• Network Management: A Practical Perspective, Leinwand and Fang Conroy
• Network Management: Principles and Practice, Subramanian
• How to Manage Your Network Using SNMP: The Networking Management Practicum, Rose and McCloghrie
Some useful Links
• http://www.telecommagazine.com/
• http://www.osswatch.com/
• http://www.billingworld.com/
• http://www.tmforum.org/
• http://www.ietf.org/
• http://www.ietf.org/html.charters/wg-dir.html#Operations_and_Management_Area
• http://dmtf.org/
• http://www.simple-times.org/
• http://www.snmpworld.com/
• http://www.stardust.com/policy/index.htm
• http://dmoz.org/Computers/Software/Networking/Network_Performance/RMON_and_SNMP/
• http://joe.lindsay.net/webbased.html
• http://joe.lindsay.net/javamgmt.html
• http://netman.cit.buffalo.edu/index.html
Questions?