NATO Advanced Networking Workshop
S4.2 Contemporary Network Management
[email protected]
September 18th, 2001
NCM-101 2973_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.

Buying a Network Management System should be easy…
Sigma Systems

ISO Architecture for Network Management
• Configuration Management
• Fault Management
• Security Management
• Performance Management
• Accounting Management

Network Life Cycle
[Figure: a loop of Planning & Organizing, Design, Implement, Monitoring and Analyzing Changes, with Security spanning every phase]

TMN Open Reference Architecture
[Figure: layered architecture, bottom to top]
• Cisco Network Devices: programmable and physical network layers
• Element and Network Management: plug-and-play, configuration, policy, instrumentation; network monitoring, network maintenance, management provisioning, restoration; network and systems management; network planning
• Service Management: service creation, service inventory, service provisioning, service quality, data mediation and aggregation; service product development and maintenance
• Workflow and Customer Care: order handling, sales, problem resolution, performance/SLA reporting, invoicing and rating, customer care (process workflow, application integration)
• Customer and Partner Interface: fulfillment, assurance, billing
• Integration Bus tying the layers together
• Network Services: CIM/DEN model, caching/state, repository; Security: authorization/authentication with RADIUS, Kerberos, TACACS+, PKI; Location: location, registration, naming; IP Address Management: DNS, DHCP, address management

Agenda
• Motivation for Network Management
• Evolution of Basic Technologies
• Designing for Network Management
• Best Practices
• Policy Management
• Summary and Recommended Reading
Network Management Challenge
• 80% say managing your network is significantly more important than 18 months before
• Why?
  Your business relies more on the network
  Your network is more complex than before
  Your network is more visible than ever before
  You can’t hire and keep enough good people

IT Organization Challenge
[Figure: a spectrum from the network as a Utility to the network as a Strategic Asset]
• Network Management (utility end): facilitate high reliability, leverage the organizational resources, minimize transmission costs
• Service Management (strategic asset end): identifying opportunities to use Information Technology to help the corporation better compete; e-commerce, extranets and VPNs, VoIP

Evolution of Network Management
[Figure: over time, network traffic and network technology growth outpace network resources (support staff, $$)]
• Networks are increasing in scale and complexity; there is a clear need for management functionality
• Management technologies evolve along with the technologies and services deployed in networks

Management Intranet
[Figure: heterogeneous management servers exchanging xmlCIM data keyed by device ID]

Agenda (section divider; same items as above)

Network Management Technology Basics
[Figure: an SNMP Manager (CiscoWorks 2000) with IP connectivity to routers and switches; each device runs an SNMP agent with MIBs (RMON 1 and 2, Mini-RMON) and speaks Telnet, CDP or ILMI, Syslog and NTP; the manager issues Get, GetNext, Set and GetBulk requests and receives responses, SNMP traps/RMON events and syslog messages]
[Figure residue, continued: Syslog, Telnet, NTP, MIBs (RMON-MIB, CISCO-STACK-MIB, BRIDGE-MIB, ...), SNMP agent; responses and SNMP traps/RMON; Network Time Protocol; CDP or ILMI]

The Syslog Facility
[Figure: CatOS, CatIOS and IOS devices send console messages over RS-232 and syslog messages over 514/udp to a Syslog Server, which writes a logfile; the console destination is optional and the severity level is configurable]
• Message format: facility, severity level, timestamp, system log message
• Very basic reporting mechanism
• Text messages over UDP

Severity levels:
  Level  Description
  0      Emergencies
  1      Alerts
  2      Critical
  3      Errors
  4      Warnings
  5      Notifications
  6      Informational
  7      Debugging

SNMP: The Management Entity, Agents, and Protocol
[Figure: a Network Management Station sends Get Request, Get-Next Request, Get-Bulk Request and Set Request across the IP network to the SNMP agent on a manageable device, which holds 1000s of defined objects and answers with Get Response; the agent also sends Traps (SNMP v1, SNMP v2)]
• Management entity collects data by generating requests; this causes in-band traffic coexisting with production traffic
• Agents are information storehouses of object definitions provided in many Management Information Bases (MIBs)
• SNMP protocol is used to transport the information requests

SNMP: Understanding Community Strings
[Figure: packet layout: Frame Header | IP Header (protocol number 17, UDP) | UDP Header (port 161) | SNMP Message = Version, Community String, SNMP PDU | CRC; the SNMP message is the packet payload and the packet is the frame payload]
• SNMP Protocol Data Units (PDUs) are processed as per the access policy indicated by the community string
• Community strings are clear text and provide a trivial authentication mechanism
• Avoid using the well known defaults:
  Read-only agent access: public
  Read-write agent access: private
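Added example (not from the slides): a small parser for the syslog message layout described above. It picks the facility, severity and mnemonic out of IOS-style lines, decodes the transport <PRI> value into its facility number, and keeps only messages at or above a chosen severity using the 0 to 7 table on this slide. The sample lines are constructed, not captured from a device.

```python
"""Parse Cisco-style syslog lines and filter them by severity.

Added example, not from the slides: the severity table (0 = emergencies ...
7 = debugging) drives the filter, and the IOS message header layout is
%FACILITY-SEVERITY-MNEMONIC: text. Sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SEVERITY_NAMES = {0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
                  4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging"}

# Optional <PRI> (transport facility*8 + severity), optional sequence number and
# timestamp as IOS emits them, then the %FACILITY-SEVERITY-MNEMONIC header.
IOS_MSG = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Z]+)?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample log lines (not captured from a real device).
SAMPLE_LINES = [
    "<189>45: Sep 18 10:15:22: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.100.12)",
    "<187>46: Sep 18 10:15:30: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "<190>47: Sep 18 10:15:31: %SEC-6-IPACCESSLOGP: list 10 denied udp 192.0.2.7(1234) -> 10.1.100.15(161), 1 packet",
    "plain text that is not an IOS syslog message",
]


@dataclass
class SyslogMessage:
    facility: str                       # IOS facility, e.g. SYS, LINK, SEC
    severity: int                       # 0 (most urgent) .. 7 (debugging)
    mnemonic: str                       # e.g. CONFIG_I
    text: str
    timestamp: Optional[str] = None
    pri_facility: Optional[int] = None  # syslog transport facility from <PRI>, if present

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None if the line is not an IOS syslog message."""
    m = IOS_MSG.match(line.strip())
    if not m:
        return None
    pri = m.group("pri")
    return SyslogMessage(
        facility=m.group("facility"),
        severity=int(m.group("severity")),
        mnemonic=m.group("mnemonic"),
        text=m.group("text"),
        timestamp=m.group("ts"),
        pri_facility=int(pri) // 8 if pri is not None else None,
    )


def messages_at_or_above(lines: List[str], threshold: int) -> List[SyslogMessage]:
    """Keep messages at the threshold severity or more urgent (lower number = more urgent)."""
    return [msg for msg in map(parse_line, lines) if msg is not None and msg.severity <= threshold]


if __name__ == "__main__":
    for msg in messages_at_or_above(SAMPLE_LINES, 3):
        print(f"{msg.severity_name}: %{msg.facility}-{msg.severity}-{msg.mnemonic} {msg.text}")
```

Because the transport is UDP and unauthenticated, the parser treats the <PRI> value and the message header as separate facts: the severity used for filtering is the one inside the IOS header, which is what the device actually classified.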
MIBs: Management Information Bases
• A MIB defines the variables that reside in a managed node
  Defined according to SMI (Structure of Management Information) rules
  Each managed object is described using an object identifier defined in the SMI
• MIB I: 114 standard objects
  Objects included are considered essential for either fault or configuration management
• MIB II: extends MIB I, 185 objects defined
• Other standard MIBs: RMON, host, router, ...
• Proprietary vendor MIBs: extensions to standard MIBs
[Figure: an SNMP agent holding 1000s of manageable objects defined following rules set out in the SMI standards]

MIBs: Object Identifiers
• Hierarchically structured
• Each object uniquely identified
[Figure: the OID tree]
  iso(1) . org(3) . dod(6) . internet(1)
    directory(1)
    mgmt(2) . mib-2(1)                Internet Activities Board (IAB) administered
      system(1)                       OID for System: 1.3.6.1.2.1.1
      interfaces(2)
      address translation(3)
      ip(4)
      icmp(5)
      tcp(6)
      udp(7)
      egp(8)
      cmot(9)
      transmission(10)
      snmp(11)
    experimental(3)
    private(4) . enterprise(1)        vendor administered
      Proteon(1), IBM(2), Cisco(9), HP(11), Wellfleet(18), Sun(42), Apple(63), Microsoft(311), ..., Unassigned(9118)

What’s in a MIB?
[Callouts on the definition: the mnemonic (sysUpTime), how to encode and interpret this variable (SYNTAX), the parent and the resulting OID (::= { system 3 })]

  sysUpTime OBJECT-TYPE
      SYNTAX      TimeTicks
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
          "The time (in hundredths of a second) since the
           network management portion of the system was
           last re-initialized."
      ::= { system 3 }

Traps and Informs
[Figure: a Trap is sent one way from agent to manager; an Inform is answered by an Acknowledgement]
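Added example (not from the slides, and not Cisco code): a decoder for the outer BER structure of an SNMPv1/v2c message. It shows concretely what the Understanding Community Strings slide states, that the community string sits in the clear right after the version field, and it names the PDU types behind the Traps and Informs slide. The packet bytes are constructed inline rather than captured; the OID and tag values are the standard ones from the SNMP RFCs.

```python
"""Decode the clear-text header of an SNMPv1/v2c message.

Added example, not from the slides: parses the BER structure (version,
community string, PDU type, varbind OIDs). The packet bytes below are
constructed, not captured.
"""
from typing import Dict, List, Tuple

# Constructed SNMPv1 GetRequest for sysUpTime.0 with community "public".
SAMPLE_GET_REQUEST = bytes.fromhex(
    "3026"                  # SEQUENCE, 38 bytes of content
    "020100"                # INTEGER version = 0 (SNMPv1)
    "04067075626c6963"      # OCTET STRING community = "public"
    "a019"                  # GetRequest-PDU, 25 bytes of content
    "020101"                # request-id = 1
    "020100"                # error-status = 0
    "020100"                # error-index = 0
    "300e"                  # VarBindList
    "300c"                  # VarBind
    "06082b06010201010300"  # OID 1.3.6.1.2.1.1.3.0 (sysUpTime.0)
    "0500"                  # NULL value placeholder
)

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c"}
DEFAULT_COMMUNITIES = {"public", "private"}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the length-byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """BER OID content to dotted form; the first byte packs the first two arcs (40*a + b)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                      # base-128, high bit set on all but the last byte of an arc
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_snmp_message(packet: bytes) -> Dict[str, object]:
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer tag is not SEQUENCE")
    _, version_raw, pos = read_tlv(body, 0)
    version = int.from_bytes(version_raw, "big")
    if version not in VERSIONS:            # SNMPv3 carries msgGlobalData here, not a community
        return {"version": version, "community": None, "pdu": None, "oids": [],
                "default_community": False}
    _, community_raw, pos = read_tlv(body, pos)
    community = community_raw.decode("ascii", errors="replace")
    pdu_tag, pdu, _ = read_tlv(body, pos)
    oids: List[str] = []
    if pdu_tag != 0xA4:                    # the v1 Trap PDU has a different fixed header; not decoded here
        p = 0
        for _ in range(3):                 # request-id, error-status, error-index
            _, _, p = read_tlv(pdu, p)
        _, varbinds, _ = read_tlv(pdu, p)
        q = 0
        while q < len(varbinds):
            _, vb, q = read_tlv(varbinds, q)
            _, oid_raw, _ = read_tlv(vb, 0)
            oids.append(decode_oid(oid_raw))
    return {"version": VERSIONS[version], "community": community,
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "oids": oids,
            "default_community": community in DEFAULT_COMMUNITIES}


if __name__ == "__main__":
    print(parse_snmp_message(SAMPLE_GET_REQUEST))
```

The same few lines are what a monitoring probe on the management subnet needs to alert on the well-known defaults still being answered by an agent; with SNMPv3 the header after the version is msgGlobalData and the community disappears, which is the point of the later Limit SNMP Abuse slide.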
SNMP Version Differences
  Feature          Version 1    Version 2c    Version 3
  Informs          No           Yes           Yes
  RMON/Event       No           Yes*          Yes*
  Authentication   Community    Community     Users
  Privacy          No           No            Yes
  IOS/CatOS        Supported    Supported     Supported
  NMS Support      Ubiquitous   Pretty Good   Limited

Example Tool using SNMP MIB Polling
• Monitors traffic load on network links based on SNMP statistics
• Generates real-time HTML traffic reports
• Monitor any SNMP variable you choose

Traffic Management for Multiservice Networks
[Figure: VoIP and ERP need low latency and low bandwidth; multimedia, VPN and web/URL traffic are latency tolerant with bursty bandwidth]
• Network must provide each application with different service level characteristics simultaneously

Remote Monitoring MIB
[Figure: the RMON subtree]
  rmon = iso.org.dod.internet.mgmt.mib-2.rmon = 1.3.6.1.2.1.16
  RMON 1 groups: statistics(1), history(2), alarm(3), hosts(4), hostTopN(5), matrix(6), filter(7), capture(8), events(9), tokenRing(10, Token Ring, RFC 1513)
  RMON 2 groups: protocolDir(11), protocolDist(12), addressMap(13), nlHost(14), nlMatrix(15), alHost(16), alMatrix(17), usrHistory(18), probeConfig(19)

Example Tool using RMON Data
• Collects RMON data from intermediate devices
• Analyzes data for performance metrics
  Netscout nGenius

NBAR: Network Based Application Recognition
• SW feature in routers
• Analyzes data portion of packets to identify applications
• Supports QoS deployment

Service Assurance Agent
[Figure, continued: SA Agents at the Corp. HQ/Data Center, Regional Aggregation, Retail Branch and Field Office sites]
• Synthetic traffic for various protocols
• Session level probe mechanism
• Generates availability and threshold traps
• Collects statistics

Service Assurance Agent Operation Types
[Figure: operation types in order of increasing service value: ICMP, UDP and TCP echo; Path Echo; DNS/DHCP latency; DLSw; HTTP; Voice (jitter, packet loss, latency)]
• IOS-based Service Assurance Agent supports IP Precedence!!

Hop-by-Hop Response Time Report
[Figure: a hop-by-hop response time report]

ART MIB Functionality
• TCP protocols only (1.0)
• Based upon well-known destination port
• Default protocols: AOL, COMPUSRV, DLSW_RD, DLSW_WR, DNS_TCP, DOOM, FTP-CTRL, FTP-DATA, HTTP, HTTPS, NB_DGM_T, NB_NS_T, NB_SSN_T, NEWS_TCP, NNTP, NOTESTCP, ORACLSQL, REALAUD, SMTP, SNA_TCP, SOCKET, SQLNET_N, SUNRPC_T, TELNET, XWINDOW
[Figure: application level response time between client (C) and server (S) broken into client latency, network flight time and server latency; packet level measurement example for FTP: SEQ 101, ACK 101, SEQ 102, SEQ 103, SEQ 104, ACK 104, SEQ 105, ACK 105 identify application response time]

ART MIB Example of Reporting
• Web accessible: for monitoring application and web flows from anywhere, anytime
• URL visibility: for control of your site
• Proactive management: alarm on responsiveness of the site or your mission critical applications
• Seamless real-time and historical: current statistics with look back capability
NetFlow Defined
• Flows are defined by 7 keys:
  Source Address
  Destination Address
  Source Port
  Destination Port
  Layer 3 Protocol
  TOS byte (DSCP)
  Input Interface
• Flows are unidirectional
• Flows are enabled on a per input-interface basis
• Flows can be configured “on-demand” or continuous
[Figure: flow data exported to a management application]

NetFlow Data Record per Flow
• Usage: packet count, byte count, number of flows, flow size distribution
• Device Interface: input interface, output interface
• QoS: type of service, TCP flags, protocol
• Time Stamp: start timestamp, end timestamp, call duration
• Routing and Peering: source IP address, destination IP address, source prefix mask, destination prefix mask, source AS number, destination AS number, next hop address
• Application: source TCP/UDP port, destination TCP/UDP port
• Lost datagrams

NetFlow Related Applications
[Figure: NetFlow data export from devices to flow collectors, feeding management applications that deliver end-user information]
• Network planning
• RMON probe
• Accounting/billing
• Flow profiling
• Network monitoring

Evolution of Data Exchange Standards
• SQL interfaces subject to schema redefinition
• XML makes it easier to exchange data between computer systems
• Organizations rarely use a standardized set of tools
• Need to define a common data model!
• Structured data can be exchanged without APIs

CIM Components
[Figure: the CIM Specification (v2.0, v2.1, v2.2) defines the System Meta Model; the CIM Schema (v2.1, v2.2, v2.3, v2.4) is processed by a MOF parser and editor that outputs HTML, SQL, Visio and ASCII for apps and users; DEN supplies the LDAP mappings]
[Figure residue, continued: the CIM schema comprises a Core schema and Extension schemas: Logical, Physical, Network, Device, Policy (DEN), QoS (DEN), IPSec (DEN)]

Transporting CIM: XML!
• XML = eXtensible Markup Language
• Over HTTP, XML enables access to CIM objects
• Enables mixed vendor, distributed server environments!
[Figure: <XML>CIM Data</XML> carried over HTTP/HTTPS]

XML Components
• What makes up XML?
  XML document
  XML interpreter or parser
  Document Type Definition (DTD)

CIM Example: Inventory Data
[Figure: CIM data exchanged between two CIM-aware systems; the MOF fragment on the slide ends after the Description property]

  ////////////////////////////////////////////////////////
  // Device: nmcpw1601.cisco.com
  ////////////////////////////////////////////////////////
  instance of DEN_NetworkElement
  {
      DeviceId = "133";
      CommonName = "nmcpw1601";
      DNSName = "cisco.com";
      Description = "";
      // remaining properties not shown on the slide
  };

Agenda (section divider; same items as above)

Designing for Management: Redundant Infrastructure
[Figure: an SNMP Manager and the managed devices on a dedicated management subnet, addresses 10.1.100.10 through 10.1.100.15]
• High availability management
• Completely separates management from user data
• Management link is in separate subnet, VLAN, and switch
• Higher assurance for management data delivery during congestion or convergence

Management Station Performance
• How fast is fast, and how slow is slow?
• Check browsers, virus scan options, Java releases...
• Customize views
• Server CPU, client RAM (and CPU)
• Be aware of the number of managed devices
• Be aware of the number of functions
• Don’t ask for information you won’t look at!
Integration and Growth Issues
• What happens when you need to run more applications?
  Is the OS supported?
  CPU or memory constraints?
  Conflicting databases?
  Conflicting ports used?
  Multi-user access?
[Figure: applications competing for one management server: CW2000 (CiscoWorks 2000), Service Mgmt, DNS/DHCP, CiscoSecure, HP NNM, customer specific tools, MRTG, QoS Policy Manager, CiscoWorks Blue, Cisco Voice Manager]

Centralized Network Management Architecture
[Figure: a central NMS with a centralized database; sites A, B and C across the enterprise network are reached by NMS queries from the center]

Hierarchical Network Management Architecture
[Figure: a server NMS holds the central DB; client NMSs at sites A, B and C run local queries and communicate with the server NMS]

Distributed Network Management Architecture
[Figure: peer NMSs at sites A, B and C, each with a local DBC and local queries, communicating NMS to NMS with no central server]

Micromuse NetCool Architecture
[Figure: monitors (M) for SNMP, CMIP, ASCII (TL1), logfiles and DB feed de-duplication in the Info Server; triggers and automations drive internal and external actions through gateways (G) such as trouble ticket, Impact and CNM view; event lists are shown in a web browser (via a WWW server) and on Motif/NT desktops; an RDBMS gateway feeds the Reporter]
[Figure residue, continued: further NetCool monitor sources: API, FW-1, Fusion, ISM, NTSM]

Internet OSS
[Figure: layered OSS stack, bottom to top: network elements and intelligent agents; element management and network management framework (fault manager, provisioning, authentication, authorization); integration bus/middleware services; intelligent network services (directory, billing, service/QoS policy, bandwidth, DNS, DHCP); integrated management applications; integration bus/middleware/northbound APIs]

Agenda (section divider; same items as above)

Monitor Critical Links, forget the rest
[Figure: remote offices, corporate network and servers; the key aggregation ports are marked]
• Define key infrastructure aggregation ports
• Set up statistics collection (RMON)
• Monitor “away” from the core
• Enable traps for link failure and thresholds
• Monitor for performance and fault conditions

NTP helps correlate information
• Defined in RFC 1305
• Used to synchronize system clocks on network devices with an authoritative time source
• Essential for manual troubleshooting via Syslog
• Client/server unicast or multicast options

Use two Clock sources
[Figure: two authoritative clocks on the Internet, ntp.nasa.gov (143.232.55.5) and tick.usnogps.navy.mil (204.34.198.40); stratum 2 routers RTR A, RTR B and RTR C (c75xx) negotiate time with both and peer with each other; stratum 3 routers RTR 1 through RTR n use the three stratum 2 routers as servers]

  RTR A (192.168.100.1):
    ntp server 143.232.55.5
    ntp server 204.34.198.40
    ntp peer 192.168.100.2
    ntp peer 192.168.100.3
    ntp update-calendar

  RTR B (192.168.100.2):
    ntp server 143.232.55.5
    ntp server 204.34.198.40
    ntp peer 192.168.100.1
    ntp peer 192.168.100.3

  RTR C (192.168.100.3):
    ntp server 143.232.55.5
    ntp server 204.34.198.40
    ntp peer 192.168.100.1
    ntp peer 192.168.100.2
  RTR 1 ... RTR n (stratum 3):
    ntp server 192.168.100.1
    ntp server 192.168.100.2
    ntp server 192.168.100.3

AAA: who can do what?
• Authentication, Authorization, and Accounting
• TACACS+ available in routers and switches; allows for centralized username/password/privilege administration
• Removes the requirement of having to config hundreds of routers/switches when a user leaves
• Allows for accountability when each user has their own login ID
• AAA implementation case study: http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/aaaisg/index.htm

DNS: know what you’re looking at
• At a minimum put your router loopback addresses and switch sc0 interface address in DNS
• Set hostname to match DNS nodename
• Forward/reverse lookups for interfaces?

Limit SNMP Abuse
• SNMP should only be accessible to NMS
• Use ACLs where appropriate
• Use SNMPv3 where available
• Limit available SNMP data with “Views”

Community Strings Privacy
[Figure only]

SNMP Views
[Figure: a MIB tree showing enterprises, rttmon, mib-2, interfaces, bgp and ipRouteTable]

SNMP Views
[Figure: the same tree with a view applied; enterprises, rttmon, interfaces, bgp and ipRouteTable shown]

Conserve Bandwidth
[Figure: snmpwalk of ipRouteTable with an snmp-server view enabled]
• Cisco 2621 w/ 64MB RAM and 4000 routes (EIGRP)
• snmpwalk would have run for 25½ minutes unrestricted
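Added example (not from the slides, and not Cisco code): an audit of the SNMP portion of an IOS configuration against the Limit SNMP Abuse and SNMP Views slides. It parses snmp-server community and snmp-server view lines, reports default community strings, read-write access, communities with no ACL and communities with no view, and evaluates which OIDs a view actually exposes using the longest-matching-subtree rule. The configuration fragment, the community strings and the ACL number are constructed; the small OID name table is an assumption that covers only the subtrees this example needs.

```python
"""Audit IOS SNMP community and view statements.

Added example, not from the slides or from Cisco: the config fragment,
community strings and ACL number are constructed, and OID_NAMES is a
deliberately small table for the subtrees used here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
snmp-server view MGMT-VIEW iso included
snmp-server view MGMT-VIEW ipRouteTable excluded
snmp-server view MGMT-VIEW at excluded
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n-ro view MGMT-VIEW RO 10
access-list 10 permit 10.1.100.12
"""

# Symbolic subtree names accepted by this example, mapped to numeric OIDs.
OID_NAMES = {
    "iso": "1", "internet": "1.3.6.1", "mib-2": "1.3.6.1.2.1",
    "interfaces": "1.3.6.1.2.1.2", "at": "1.3.6.1.2.1.3", "ip": "1.3.6.1.2.1.4",
    "ipRouteTable": "1.3.6.1.2.1.4.21", "enterprises": "1.3.6.1.4.1",
}
DEFAULT_COMMUNITIES = {"public", "private"}

VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)$")
COMM_RE = re.compile(r"^snmp-server community (\S+)(?: view (\S+))? (RO|RW)(?: (\S+))?$",
                     re.IGNORECASE)

ViewEntries = List[Tuple[str, bool]]   # (numeric subtree, included?)


@dataclass
class Community:
    string: str
    mode: str              # RO or RW
    view: Optional[str]    # None: the whole MIB is reachable with this string
    acl: Optional[str]     # None: any source address may use this string


def to_oid(name: str) -> str:
    return OID_NAMES.get(name, name)


def parse_config(text: str) -> Tuple[Dict[str, ViewEntries], List[Community]]:
    views: Dict[str, ViewEntries] = {}
    communities: List[Community] = []
    for line in text.splitlines():
        line = line.strip()
        m = VIEW_RE.match(line)
        if m:
            views.setdefault(m.group(1), []).append((to_oid(m.group(2)), m.group(3) == "included"))
            continue
        m = COMM_RE.match(line)
        if m:
            communities.append(Community(m.group(1), m.group(3).upper(), m.group(2), m.group(4)))
    return views, communities


def is_subtree(prefix: str, oid: str) -> bool:
    return oid == prefix or oid.startswith(prefix + ".")


def oid_visible(entries: ViewEntries, oid: str) -> bool:
    """The most specific (longest) matching view entry decides; no match hides the OID."""
    best: Optional[Tuple[str, bool]] = None
    for subtree, included in entries:
        if is_subtree(subtree, oid) and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]


def audit(text: str) -> List[str]:
    """One finding per weak setting, keyed by the community string it concerns."""
    _, communities = parse_config(text)
    findings = []
    for c in communities:
        if c.string in DEFAULT_COMMUNITIES:
            findings.append(f"{c.string}: well-known default community string")
        if c.mode == "RW":
            findings.append(f"{c.string}: read-write access")
        if c.acl is None:
            findings.append(f"{c.string}: no access-list restricting source addresses")
        if c.view is None:
            findings.append(f"{c.string}: no view, entire MIB exposed")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The view in the sample keeps ipRouteTable and the address translation (ARP) table out of reach, which is exactly the data the Conserve Bandwidth and Conserve Device Resources slides single out, while leaving the interfaces group available for the polling the NMS actually needs.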
Conserve Device Resources: SNMP Access
• Restrict access to certain MIBs
• Some NM apps poll IP route tables and ARP caches; this can cause high CPU load on low-end routers with many route entries
• Use “snmp-server views” statements

Polling vs. Notifying
• Polling: NMS asks for status
• Notifying: device actively notifies NMS of problems
• Two types of notifications
  Trap: unreliable, no state retained
  INFORMs

Cost of Queries
Example: 1 manager, multiple managed devices, 64 Kb access link
  1 request = 1KB packet (avg.)
  1 poll = getreq + getresp = 2KB
  Assume 1 object polled per managed device

  % of bandwidth utilized, by polling interval in seconds:
  # of polled stations    5 s    10 s    20 s    30 s
  10                      50     25      12.5    8.3
  20                      100    50      25      16
  30                      150    75      37      25

• Be careful!
• Set polling interval wisely
• Bandwidth issues on lower speed links

Cost of Traps
• No queries
• But you may need to poll for other reasons (performance metrics)
• SMART polling engines can really make the difference!

Benefit of Traps
• Use trap-based polling
• Use RMON to define traps
• Use RMON to set thresholds
• Use RTT-Mon traps for timeouts, thresholds, connection changes

Limit the Amount of Information
[Figure: faults from WAN and device sources arrive as duplicates and overload the NMS]

Remove Duplicates and Correlate
[Figure: WAN faults pass through fault correlation before reaching the NMS]

Hierarchical Mechanisms
[Figure: fault correlation at several levels, each feeding the next]

Security vs. Trust in the Network
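Added example (not from the slides): the arithmetic behind the Cost of Queries table, written out so it can be re-run for other link speeds, poll sizes and object counts, and inverted to find the shortest polling interval that stays under a chosen share of the link. The units are an assumption chosen to reproduce the slide's figures (1 KB = 1024 bytes, 64 Kb = 65536 bit/s).

```python
"""Polling bandwidth cost, from the Cost of Queries slide.

Added example, not from the slides: reproduces the slide's table from its
assumptions (64 Kb access link, 1 KB request + 1 KB response per poll, one
object per device) and inverts the formula to choose an interval. Binary
units are assumed so the numbers match the slide.
"""
from typing import Dict, Iterable, List

LINK_BPS = 64 * 1024        # 64 Kb access link
POLL_BITS = 2 * 1024 * 8    # getrequest + getresponse = 2 KB per polled object


def utilization_pct(stations: int, interval_s: float, objects_per_station: int = 1,
                    link_bps: int = LINK_BPS, poll_bits: int = POLL_BITS) -> float:
    """Share of the link consumed by polling traffic, in percent (can exceed 100)."""
    bps = stations * objects_per_station * poll_bits / interval_s
    return 100.0 * bps / link_bps


def min_interval_s(stations: int, target_pct: float, objects_per_station: int = 1,
                   link_bps: int = LINK_BPS, poll_bits: int = POLL_BITS) -> float:
    """Shortest polling interval keeping polling at or under target_pct of the link."""
    return stations * objects_per_station * poll_bits / (target_pct / 100.0 * link_bps)


def utilization_table(station_counts: Iterable[int],
                      intervals: Iterable[float]) -> Dict[int, List[float]]:
    """Rows = polled stations, columns = polling intervals, as on the slide."""
    intervals = list(intervals)
    return {n: [round(utilization_pct(n, t), 1) for t in intervals] for n in station_counts}


if __name__ == "__main__":
    for stations, row in utilization_table([10, 20, 30], [5, 10, 20, 30]).items():
        print(stations, row)
    print("20 stations, 25% budget:", min_interval_s(20, 25), "s")
```

Polling more than one object per device multiplies the cost the same way more devices do, which is why the later slides push thresholds and traps evaluated on the device (RMON alarms, RTT-Mon traps) over frequent polls.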
Manageability and ease of access concerns
[Figure: security on one axis, ease of access on the other]
• Ease of access vs level of security is always a tradeoff
• Every network management feature can be viewed as a security vulnerability

Management Traffic: What Options for Securing It?
• In-band clear text
• In-band encrypted
• Out-of-band

Management Protocol Security: Cleartext Transmissions
• SNMP
• TELNET
• RCP
• HTTP/XML
• TFTP
• CORBA, other special/proprietary, etc.

Medium Trust Environment
• Higher concern for protecting managed devices from unauthorized access
• Standard cleartext-based protocols may still be acceptable
• Restrict access to devices as appropriate
  Access lists / IP permit lists for SNMP, TELNET
  AAA for device access via TELNET

Low Trust Environment: Encryption of Management Traffic Needed
• Some protocols have a secure option
  SNMP: SNMPv3
  TELNET: SSH
  HTTP: SSL/HTTPS
  RCP: SSH/SCP
• But what about?
  TFTP: ?
  CORBA: ?

Low Trust Environment: Encryption of Management Traffic Needed
• IPSec / VPN tunnels
• Can cover ALL management protocols
• Useful for connections across public WAN between sites
• Possible consideration for management of individual devices (if all devices support IPSec)

Network Management
[Figure: the NMS subnet sits behind a firewall on the corporate intranet; the firewall is also the VPN aggregation point]
• Network management subnet for all NMS hosts and tools
• Firewall: security point to control access to subnet
• VPN aggregation point
Firewall Issues
• Need to consider not only traffic between management workstation and devices, but also between management workstation and clients (management users)
• May be possible to filter based on ports
• Some products break: tools choose free ports at random (CORBA, some other client and server architectures)
  Try telling the firewall to permit a larger port range from the management station

Firewall Issues
[Figure: NMS on the inside, NAT at the firewall, a DMZ, and managed devices on the outside]
• NAT: no general solution for SNMP
• Common workaround is a multihomed management station or DMZ when necessary for one server to manage both “inside” and “outside” addresses

Agenda (section divider; same items as above)

Define your Policies
• Policies are goal statements
• Implementing policies: conditions and actions
• Conditions
  Packet header
  External conditions
  User
• Actions
  Filter rules
  Encryption requirements
  Quality of service requirements

Define Methods and Metrics
  Sampling Method             Synthetic          Observed
  Collection Method           Embedded Agents    External Probes
  Scope of Measurement        Device/Link        End-to-End/Path
  Perspective of Measurement  User               Network

Defining Demarcations
[Figure: SA Agents at the Corp. HQ/Data Center, Regional Aggregation and Retail Branch; the path crosses the Enterprise Domain, Service Provider Domain 1 (SP1), the Enterprise Domain, Service Provider Domain 2 (SP2) and the Enterprise Domain again; other domains: network hardware, workstation hardware, application software, etc.]
Example Policy
  If service is HTTP
    if destination is S
      if source is H
        service level = Premium
        permit
      else if source is N1 or N4
        permit
        if source is N4
          use tunnel

Directory Enabled Networking: Why?
[Figure: policy-based networking stack. Applications (SAP, call center, voice, video, distance learning, conferencing, Oracle) use directory services (name resolution, authentication, authorization, location) and operating system services; DEN services (security, DHCP, DNS, QoS, authentication, authorization, name resolution, location) sit over the IP routing protocols (OSPF, PIM, BGP4, L2TP, PGM, MPLS, other...) of the network device layer]

Directory Enabled Network Services: Benefits of Directory Enabled Networks
• End-Users: single network logon; personalized network services
• Service Providers: rapidly create, provision and deploy advanced networking services on a per user basis
• Enterprise Customers: centralized management of network resources; protect mission-critical traffic; simplify and enhance network management and provisioning
• Application Developers: easy access to advanced network services; develop network-aware applications using standard development interfaces and tools

Directory Protocols
• LDAP: standards-based query/update
• Kerberos: standard token-based authentication
• ADSI: Active Directory Service Interface (Microsoft AD)
• NDS/NDK: Novell Directory Services

QPM Architecture
[Figure: QPM management consoles and Cisco / 3rd party apps (Cisco CNR DHCP, ...)]
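Added example (not from the slides): the Example Policy above evaluated as ordered condition/action rules, in the terms of the Define your Policies slide. The nested if/else is flattened into first-match rules whose conditions test the packet header (service, source, destination) and whose actions set the permit, service level and tunnel decisions. The addresses behind the symbolic names S, H, N1 and N4, and the service table, are constructed assumptions; H is deliberately placed inside N1 so that rule order matters.

```python
"""Evaluate the slide's example policy as ordered condition/action rules.

Added example, not from the slides: the address book for S, H, N1 and N4
and the service table are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Assumed address book for the names on the slide.
OBJECTS = {
    "S": ipaddress.ip_network("192.0.2.10/32"),    # the server
    "H": ipaddress.ip_network("10.1.5.7/32"),      # a specific host, inside N1
    "N1": ipaddress.ip_network("10.1.0.0/16"),
    "N4": ipaddress.ip_network("10.4.0.0/16"),
}
SERVICES = {("tcp", 80): "HTTP", ("tcp", 443): "HTTPS", ("udp", 161): "SNMP"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    service: str                 # required service name
    dst: Sequence[str]           # destination must fall in one of these objects
    src: Sequence[str]           # source must fall in one of these objects
    actions: Dict[str, object]   # e.g. {"permit": True, "service_level": "Premium"}


@dataclass
class Decision:
    permit: bool = False
    service_level: str = "Default"
    tunnel: bool = False
    rule: str = "implicit deny"


def in_objects(addr: str, names: Sequence[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in OBJECTS[n] for n in names)


def service_of(pkt: Packet) -> str:
    return SERVICES.get((pkt.proto, pkt.dport), "OTHER")


# The slide's nested policy, flattened into first-match rules. H lies inside N1,
# so its Premium rule must come first; N4 gets its own rule to add the tunnel.
POLICY = [
    Rule("http-S-from-H", "HTTP", ["S"], ["H"], {"permit": True, "service_level": "Premium"}),
    Rule("http-S-from-N4", "HTTP", ["S"], ["N4"], {"permit": True, "tunnel": True}),
    Rule("http-S-from-N1", "HTTP", ["S"], ["N1"], {"permit": True}),
]


def evaluate(pkt: Packet, policy: List[Rule] = POLICY) -> Decision:
    """First matching rule decides; no match falls through to implicit deny."""
    for rule in policy:
        if (service_of(pkt) == rule.service
                and in_objects(pkt.dst, rule.dst)
                and in_objects(pkt.src, rule.src)):
            return Decision(rule=rule.name, **rule.actions)
    return Decision()


if __name__ == "__main__":
    for pkt in [Packet("10.1.5.7", "192.0.2.10", "tcp", 80),
                Packet("10.4.2.2", "192.0.2.10", "tcp", 80),
                Packet("10.9.9.9", "192.0.2.10", "tcp", 80)]:
        print(pkt, evaluate(pkt))
```

Keeping the default decision as deny, with the rule name recorded on every decision, is what makes such a policy auditable: a flow that was permitted can always be traced to the goal statement that permitted it.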
• Policy & configuration management via CLI and COPS
• DiffServ and RSVP QoS standards
• Directory-enabled
[Figure, continued: the QPM Server holds the policy database, imports device data from CiscoWorks 2000 and exchanges user-based policies with directories (Active Directory, Sun/Netscape, NDS, ...) over LDAPv3, DEN/CIM compliant; distributed QPM policy servers export policies to the Cisco intelligent network via CLI, SNMP and COPS (DiffServ, RSVP) for data, voice and video applications]

Common Open Policy Service
• Benefits of COPS
  Policing & aggregate policies for RSVP
  Multi-vendor, standards-based interoperability
  Simplified support of new / upgraded devices
  Policy abstraction of device specifics
• Standards
  COPS-RSVP is a standard
  COPS-PR not yet IETF RFC

Agenda (section divider; same items as above)

Summary
• Network management is key to productivity
• Networks evolve, so do NMS technologies
• Design your NMS to support your goals
• Choose suitable architectures and tools
• Define methods and metrics
• Integrate

Recommended Reading
• Performance and Fault Management, Paul Della Maggiora et al., 2000, Cisco Press, ISBN 1-57870-180-5
• SNMP, SNMPv2, SNMPv3 and RMON 1 and 2, Third Edition, William Stallings, Addison Wesley Longman, Inc.
• Network Management: A Practical Perspective, Leinwand and Fang Conroy
• Network Management: Principles and Practice, Subramanian
• How to Manage Your Network Using SNMP: The Networking Management Practicum, Rose and McCloghrie
Some useful Links
• http://www.telecommagazine.com/
• http://www.osswatch.com/
• http://www.billingworld.com/
• http://www.tmforum.org/
• http://www.ietf.org/
• http://www.ietf.org/html.charters/wg-dir.html#Operations_and_Management_Area
• http://dmtf.org/
• http://www.simple-times.org/
• http://www.snmpworld.com/
• http://www.stardust.com/policy/index.htm
• http://dmoz.org/Computers/Software/Networking/Network_Performance/RMON_and_SNMP/
• http://joe.lindsay.net/webbased.html
• http://joe.lindsay.net/javamgmt.html
• http://netman.cit.buffalo.edu/index.html

Questions?