Transcript Policy-Based Network Management

Policy-Based Network Management
寬頻網路技術與應用
指導老師:陳明仕
姓名：劉原孝
Outline

ISP 網管系統目前的問題

Policy-Based Network Management

Policy-Based網管技術在ISP的應用

結論
ISP網管系統目前的問題
ISP 目前遇到的網管問題
New types
of services
New services
More options
per device
More devices
Configuration complexity
Dynamic
provisioning
of service
Policy-based
networking
Lack of qualified,
experienced
personnel
ISP 對網路管理的需求

以低成本實現網管服務自動化。

將商業政策轉換成網路政策簡化管理過程

將網路服務流程標準化隱含在網管系統中，
從而提高管理效能。

對異質網路與設備的管理能力，並提供對企
業網路SLA的實現。
ISP對網管五大功能的實現

組態管理(Configuration Management)
Tells you where everything is in the network .

故障管理(Fault Management)
Tells you what your network is doing.

品質管理(Performance Management)
Tells you how the network is doing.

計費管理(Accounting Management)
Tells you when your network is used.

安全管理(Security Management)
Tells you who is using your network.
Policy-Based Network
Management
Why Policy-Based Management? (1/2)
 Today, companies connect to the Internet to
create the business opportunities and to
transmit information.
 Ideally,
 all users can be trusted to access their resources
 the network have enough resources
 the network have enough bandwidth
 all application can be trust to use the resources they
needed
Why Policy-Based Management? (2/2)
 However,
 not all user can be trusted in the network
 the network have limited resources
 the network have limited bandwidth
 not all application can be trust to use the resources
they needed
 Technologies are needed to control the
network traffic
 Quality of service
 Security
Problem of the Current Networks
Video Conference
IP VPN
E-Commerce Firewall/Security
Service
Router
Firewall
Access
Server
Switch
Internet
The Definition of the PBNM
 PBNM (Policy-Based Network Management)
 Policies are rules which describe the overall company
intention as well as derived business, user, or
application specific behaviors
 The Level of the Policies
 Business-level policies
 Policy rules
 Abstract device policies
 Device configurations
The Level of the Policies (1/2)
 Business-level policies
 The Service Level Agreement (SLA)
 It writes by the human language.
 It defines the authority and responsibility between the
customer and service provider.
 The content of the SLA is easy to read and to understand
by the people.
 Policy rules
 The policies are specifies in a sequence of rules.
 Each rule combines the condition part and the action part.
 If (conditions) then (actions)
 Policies specifies in this fashion are easily to analyze than
the human language.
The Level of the Policies (2/2)
 Abstract device policies
 The policies are specified on a pre-device base.
 The policies are specified in some generic format.
 Device configuration
 This is the exact machine configuration of a
particular device.
 Different devices have different configuration format
 The network devices can read information defined by
such a format.
 Sometimes, it is hard to read and understand by the
people.
Policy Examples (1/3)
 Provide the JitterFreeMPEG1 video service for
authorized users between authorized points,
but only at agreed-upon times
 All employees can not access stock web site
from 8:00 to 17:00
 Deny all P2P connections
Policy Examples (2/3)
Policy
Rule
“Gold Service”
Rule
“Silver Service”
Condition
IP Address in
“Engineering Group"
Condition
Set priority := Height
Rule
“Bronze Service”
An example of QoS policy
Policy Examples (3/3)
Provide the JitterFreeMPEG1 video service for authorized users
between authorized points, but only at agreed-upon times
Content Provider
骨幹網路
接取網路
Backbone Network Access Network
Internet
Token Ring
DSL
FDDI
ISDN網路
ATM
EPON
SONET/SDH
無線通訊網路
DWDM
Policy-Based Network Management (1/2)
Customers
 SLA: Service Level Agreement, describe
services provided to customers, both in
qualitative and quantitative measures.
SLA
Services Provider
…...
Device
configuration
information
Network
 Device configuration
describes how and what the device is
to do on the network.
Policy-Based Network Management (2/2)
Automatically translate and distribute policies
Content Provider
骨幹網路
接取網路
Backbone Network Access Network
Internet
The Evolution of the PBNM (1/2)
 The term policy was first used for the routing
policies in the Internet
 In 1996, IETF develops a protocol called
Common Open Policy Service (COPS)
 For resource reservation (QoS)
 In 1998, Microsoft and Cisco propose the
Directory Enabled Networks (DEN)
 Drive the networks from a central repository
originally based on a directory.
The Evolution of the PBNM (2/2)
 At the end of 1998, the companies involved in
DEN decided to migrate the work to the DMTF
(Distributed Management Task Force).
 DMTF defines a common information model (CIM)
that was originally intended to be used to describe
the characteristics of a computer.
 http://www.dmtf.org
 The goal of the IETF activity was to define a
framework that could be used to specify
policies
DMTF v.s. IETF
 In the DMTF
 Information models
 In the IETF




Policy framework WG
RAP WG
IPSP (IPsec policy) WG
SNMPCONF WG
 IETF policy issues
 Policy specification
 System architecture and policy storage
 Policy transport protocols
Roles of the DMTF and the IETF
 DMTF is concerned about information
modeling independent of the underlying
implementation
 Exception: DEN
 IETF is concerned protocols, schema, and API
 Exception: policy needs information modeling
DMTF and IETF Interactions
IETF
Policy
Framework
DMTF
CIM
DEN
XML
LDAP
Policy MIB
Levels of
abstractions DiffServ Policy MIB
DiffServ MIB
SNMP
DiffServ PIB
COPS
RAP
DiffServ
SNMPCONF
Policy-base網路系統架構
 依循IETF Policy-base網路系統架構，
包括三個主要模組技術
 Policy Manager
提供管理者編輯、修改Policy資料
的應用系統，通常會透過一個容易
使用的管理界面來編輯網路政策，
並將編輯好的Policy資料轉成一定
格式，存於Policy Repository中。
 Policy Repository
Policy儲存機制，可以是一個目錄
系統，或是資料庫系統，主要用來
提供管理者儲存已編輯完成的網路
政策資料(Policy)，及其他系統相
關的網路設備資訊或設定參數等資
料。
Policy-base網路系統架構
 Policy Decision Point (PDP)
通常也稱為Policy Server，是整個系
統的決策中心，負責依管理者所設定
的Policy，分配網路管理政策至Policy
Enforcement Point (PEP)，以達到管
理需求。
 Policy Enforcement Point (PEP)
接受Policy管理的設備，可能是路由
器、Switch、防火牆等網路設備，這
些接受Policy管理的設備(PEP)的組合
就是一個 Policy Administrative
Domain。
Policy Management Tool
The Framework (1/2)
Policy Console
SLA
Policy Server
Repository
Policies
Directory Access Protocol
PDP
Policy Transaction Protocol
SLA: Service Level Agreement
Network Traffic
PEP
PEP
PDP: Policy Decision Point
PEP: Policy Enforcement Point
Policy Transaction Protocol: COPS (Common Open Policy Service), SNMP, CLI, CORBA
Directory Access Protocol: LDAP (Lightweight Directory Access Protocol)
The Framework (2/2)
Policy Console
Policy Server
Repository

LDAP
&

Policy management tool
 author new policy

SNMP

LDAP

 associate policy with PEP
 conflict detection
 store policy and association
 notify new policy
 PDP obtains the policy
PDP
COPS/SNMP/CLI/CORBA
 provide status for monitoring
PEP
3-tier Policy-Based Management system
Tier 1
LDAP
Policy Console
Policy Server
LDAP
Repository
SNMP
Tier 2
Policy Decision Point
COPS, SNMP, CLI, CORBA
PEP
Policy aware
Tier 3
Network Traffic
Policy Enforcement Point
PEP
Agent
Policy unaware
2-tier Policy-Based Management system
Tier 1
LDAP
Policy Console
Policy Server
LDAP
SNMP
Tier 2
PDP
Network Traffic
Policy Enforcement Point
Repository
Policy Conflict
 When the conditions of two or more policies
can be simultaneously satisfied, but the
actions of at least one of the policies can not
be simultaneously executed
 Conflict example
 Policy 1. Any access to WebServer gets silver service
 Policy 2. Any use of the network by John gets gold
service
 Conflict exists when John accesses WebServer
Types of Conflict
 Global conflict
 Conflict exists in the policies on different devices along a
flow
User A gets 512kbps
User
PC
Int1
Lan 
Network
Element A
Int2
Lan 
Int3
Network
Element B
Int4
Lan 
User A gets 64kbps
 Local conflict
 Multiple policies want to install conflicting configurations
on a given device
Policy 1
(srcIPaddr = 192.168.2.3)  drop
Policy 2
(srcIPsubnet = 192.168.2.0/24)  pass
The Advantage of the PBNM
 Unlike point-to-point management where
devices are configured one by one across the
network to attain the right security level,
policy-based management closely follows
business practices and requirements by
establishing rules and relations between
network entities such as users or networks.
 Offers three essential benefits
 Centralized response to network events and attacks
 Consistent, end-to-end, network security
 Lower cost of ongoing maintenance.
Policy-Based網管技術
在ISP的應用
Policy Rule 規劃
希望藉由Policy-based 網路管理架構，直接將企業領導者所
制定的政策目標以網路管理政策方式來表現。
Policy
Rule
“VPN Service”
Condition
VPN type1需求組合
Action
Rule
“Qos Service”
Rule
“TE service”
Auto-configuration
“VPN type1 Profile”
Policy-base網路系統架構
Network Manager
企業管理層
Policy Manager
Qos
VoIP
VPN
Policy
Repository
Backup
服務管理層
台北區PDP
Policy Server
台中區PDP
Policy Server
高雄區PDP
Policy Server
網路系統管理層
Policy protocol
(CLI,SNMP,COPS)
CE
P
VPN_B
P
10.2.0.0
PE
P
MPLS Core
P
Policy Client (PEP)
VPN_B
元件管理層
PE
CE
10.3.0.0
網管系統功能設計-組態自動設定
 加強網管系統跨異質網路的管理能力
一般ISP企業內部網路有各種不同廠牌或
型號及老舊設備存在的問題，為了能加強
此一網管系統跨異質網路的能力所以改用
CLI。
 增加網管系統的彈性與可擴充性
因為所有的網路設備皆支援標準
Command Line Interface (CLI)模式，可
直接使用telnet來將所有的組態指令，以
剪貼的方式，將資料傳送到設備上。
Policy Manager
Policy Adminstration
User Interface
Database
Access
Monitor Module
Command
Dispatcher
Report Module
Policy Server
Report Daemon
Command
Daemon
Collector Daemon
Database
Access
PDP Rule Locator
CLI telnet script
SNMP get / trap
PEP (agent)
網管系統功能設計-錯誤與品質監控
 網路設備品質與錯誤監控
網路設備CPU Loading
網路設備Memory Utilization
網路設備Uplink Port Status
網路設備Reachable
網路設備介面Packet Drop
網路設備介面Packets/sec
 網路線路品質與錯誤監控
Policy Manager
Policy Adminstration
User Interface
Database
Access
Monitor Module
Command
Dispatcher
Report Module
Policy Server
Report Daemon
Command
Daemon
Error (reliability)
Collector Daemon
Delay time/Packet Loss
Traffic Load
PDP Rule Locator
Database
Access
斷線(透過Trap)
 告警通知方式
Web display status
SMS / Email
CLI telnet script
SNMP get / trap
PEP (agent)
Conclusions
Conclusions
 達成網路資源集中管理，網路政策分散執行的目標
希望就直接透過網路進行設備的設定與管理，減少管理者須親臨
設備現場工作的成本。
 具有較好的可擴展性
可根據網路設備變化，而靈活的調整框架規模的大小，為網管部門
提供了經濟、有效的管理手段。
Conclusions
 對多廠商設備的管理，提供介面一致化
 通過簡單的 GUI輸入策略，對不同網路屬性，進行設置和管理，
而不必去關心設備來自不同的廠家。
 一體適用於管理不同設備平台，達成所謂跨設備的共通化。
 管理資料抽象化，簡化管理過程
 使網路管理人員由傳統的以網路和設備為中心的管理模式轉化為
以業務為中心的管理模式。
 將許多設定、管理的細節予以抽象化成管理策略(Policy)，簡化
管理決策流程。
 減輕管理者對特定領域的專業知識(如Security、QoS)的需求，同
時也減少企業對網管人員技術培訓的開銷。
 管理工作自動化
Thank You!!