1 NCM-101 2973_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. NATO Advanced Networking Workshop S4.2 Contemporary Network Management

Presentation transcript:

Slide 1: NATO Advanced Networking Workshop S4.2, Contemporary Network Management, September 18th, 2001

Slide 2: Buying a Network Management System should be easy… (cartoon, Sigma Systems)

Slide 3: ISO Architecture for Network Management
- Configuration Management
- Fault Management
- Security Management
- Performance Management
- Accounting Management

Slide 4: Network Life Cycle (figure): Planning & Organizing, Design, Implement, Monitoring, Analyzing Changes, with Security spanning the whole cycle.

Slide 5: TMN Open Reference Architecture (figure)
- Customer Interface / Customer Care: Fulfillment, Assurance, Billing; Sales, Order Handling, Problem Resolution, Perf./SLA Reporting, Invoicing and Rating
- Service Product Development and Maintenance: Service Creation, Service Inventory, Service Provisioning, Service Quality, Mediation, Aggregation
- Network and Systems Management: Network Planning, Network Provisioning, Network Monitoring, Maintenance Restoration
- Element Management
- Programmable and Physical Network Layers: Plug-and-Play, Configuration, Policy, Instrumentation; Cisco Network Devices
- Integration Bus connecting Partner and Cisco Network Services:
  - Data: CIM/DEN model, caching/state repository
  - Security: authorization/authentication via RADIUS, Kerberos, TACACS+, PKI
  - Location: registration, naming
  - IP Address Mgmt: DNS, DHCP, address management
  - Workflow: process workflow, application integration

Slide 6: Agenda
- Motivation for Network Management
- Evolution of Basic Technologies
- Designing for Network Management
- Best Practices
- Policy Management
- Summary and Recommended Reading

Slide 7: Network Management Challenge
- …% say managing your network is significantly more important than 18 months before (percentage not recovered from the slide)
- Why? Your business relies more on the network; your network is more complex than before; your network is more visible than ever before; you can't hire and keep enough good people.

Slide 8: IT Organization Challenge
- Network Management (Utility): facilitate high reliability; leverage the organizational resources; minimize transmission costs.
- Service Management (Strategic Asset): identify opportunities to use Information Technology to help the corporation better compete: E-Commerce, Extranets & VPNs, VoIP.

Slide 9: Evolution of Network Management
- Networks are increasing in scale and complexity; there is a clear need for management functionality.
- Management technologies evolve along with the technologies and services deployed in networks.
- Chart: growth over time of Network Traffic and Network Technology versus Network Resources (support staff, $$).

Slide 10: Heterogeneous Management Servers (figure: management servers on the intranet exchanging xmlCIM; Device ID Management)

Slide 11: Agenda (repeated): Motivation for Network Management; Evolution of Basic Technologies; Designing for Network Management; Best Practices; Policy Management; Summary and Recommended Reading

Slide 12: Network Management Technology Basics (figure)
- SNMP Manager (CW 2000) reaching devices over IP connectivity
- Network Time Protocol (NTP)
- CDP or ILMI for neighbour discovery
- SNMP Agents with MIBs: IP MIB, Mini-RMON, RMON-MIB, CISCO-STACK-MIB, BRIDGE-MIB, …, RMON 1 and 2
- SNMP operations: Get, GetNext, Set, GetBulk, Responses; SNMP Traps (also RMON MIB traps)
- Syslog messages
- Telnet

Slide 13: The Syslog Facility
- Console messages on the RS-232 console; syslog to a Syslog Server over 514/udp; optionally to a logfile (configurable).
- Message fields: facility, severity level, timestamp, system log message.
- Severity levels:
  0 Emergencies
  1 Alerts
  2 Critical
  3 Errors
  4 Warnings
  5 Notifications
  6 Informational
  7 Debugging
- Text messages over UDP; a very basic reporting mechanism.
- Sources: CatOS, CatIOS, IOS.
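The severity table above is the part of a syslog message a collector acts on first. The following added example (not from the slides) decodes the PRI field that carries it (PRI = facility * 8 + severity, the standard syslog encoding) and keeps only messages at or above a chosen severity; the sample messages are constructed. Because the slide's transport is plain UDP text with no authentication, a collector should also record the sender address rather than trust the message body alone.

```python
"""Decode syslog <PRI> values and filter messages by severity.

Added example; the severity names are the eight levels tabulated on the
slide, the PRI arithmetic is the standard syslog encoding, and the sample
messages are constructed.
"""
import re

# Severity table from the slide: 0 is the most urgent, 7 the least.
SEVERITY_NAMES = {
    0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
    4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging",
}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a PRI value into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range 0..191: %d" % pri)
    return divmod(pri, 8)


def parse_syslog(line):
    """Return facility, severity, severity name and text, or None if no <PRI>."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "text": m.group(2).strip(),
    }


def at_or_above(lines, threshold):
    """Keep messages whose severity number is <= threshold (lower = more severe)."""
    out = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None and rec["severity"] <= threshold:
            out.append(rec)
    return out


# Constructed sample messages in the IOS "%FACILITY-SEVERITY-MNEMONIC" style.
SAMPLE = [
    "<189>12345: Sep 18 10:00:01: %SYS-5-CONFIG_I: Configured from console by vty0",
    "<187>12346: Sep 18 10:00:05: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "<190>12347: Sep 18 10:00:06: %SEC-6-IPACCESSLOGP: list 10 denied udp 10.1.1.9(5000) -> 10.1.1.1(161), 1 packet",
    "<185>12348: Sep 18 10:00:07: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization",
    "not a syslog line",
]

if __name__ == "__main__":
    for rec in at_or_above(SAMPLE, 4):   # Warnings and worse
        print(rec["severity"], rec["severity_name"], rec["text"])
```

With threshold 4 the filter keeps the link-down (severity 3) and CPU threshold (severity 1) messages and drops the two informational ones; the line without a PRI is ignored rather than raising.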

Slide 14: SNMP: The Management Entity, Agents, and Protocol
- The management entity collects data by generating requests; this causes in-band traffic coexisting with production traffic.
- Agents are information storehouses of object definitions provided in many Management Information Bases (MIBs).
- The SNMP protocol is used to transport the information requests.
- Figure: Network Management Station (Management Entity) and SNMP Manageable Device (SNMP Agent) across an IP network; messages Get Request, Get-Next Request, Get-Bulk Request, Set Request, Get Response, Trap; SNMP v1, SNMP v2; 1000s of defined objects.

Slide 15: SNMP: Understanding Community Strings
- SNMP Protocol Data Units (PDUs) are processed as per the access policy indicated by the community string.
- Community strings are clear text and provide a trivial authentication mechanism.
- Avoid using the well-known defaults: read-only agent access "public", read-write agent access "private".
- Encapsulation (figure): Frame Header | IP Header (protocol number UDP, 17) | UDP Header (port 161) | SNMP Message (Version, Community String, SNMP PDU) | CRC.

Slide 16: MIBs: Management Information Bases
- A MIB defines the variables that reside in a managed node.
- Defined according to SMI (Structure of Management Information) rules; each managed object is described using an object identifier defined in the SMI.
- MIB I: 114 standard objects; objects included are considered essential for either fault or configuration management.
- MIB II: extends MIB I; 185 objects defined.
- Other standard MIBs: RMON, host, router, …
- Proprietary vendor MIBs: extensions to standard MIBs.
- Figure: SNMP agent holding 1000s of manageable objects defined following rules set out in the SMI standards.

Slide 17: MIBs: Object Identifiers
- Hierarchically structured; each object uniquely identified.
- Tree (figure): iso (1) > org (3) > dod (6) > internet (1) > directory (1), management (2), experimental (3), private (4)
  - IAB-administered: management (2) > mib-2 (1) > system (1), interfaces (2), address translation (3), ip (4), icmp (5), tcp (6), udp (7), egp (8), cmot (9), transmission (10), snmp (11)
  - Vendor-administered: private (4) > enterprise (1) > Proteon (1), IBM (2), Cisco (9), HP (11), Wellfleet (18), Sun (42), Apple (63), Microsoft (311), …, unassigned (9118)
- Example: the OID for System.

Slide 18: What's in a MIB?

    sysUpTime OBJECT-TYPE
        SYNTAX      TimeTicks
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION "The time (in hundredths of a second) since the network
                     management portion of the system was last re-initialized."
        ::= { system 3 }

Annotations on the slide: the mnemonic (sysUpTime), the parent OID ({ system 3 }), and how to encode and interpret this variable (SYNTAX, DESCRIPTION).
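As an added example (not slide content), the following code resolves dotted OIDs against the mib-2 tree of the previous slide and interprets sysUpTime as the definition above prescribes: TimeTicks in hundredths of a second, 32 bits wide. It also flags a polled device whose sysUpTime went backwards, which means the agent re-initialized between polls (a reboot or restart worth correlating with other events); the poll samples are constructed.

```python
"""OID name resolution and sysUpTime interpretation.

Added example. The labels and numbers come from the object-identifier tree
on the slides plus the sysUpTime definition; poll samples are constructed.
"""
OID_LABELS = {
    "1": "iso", "1.3": "org", "1.3.6": "dod", "1.3.6.1": "internet",
    "1.3.6.1.1": "directory", "1.3.6.1.2": "mgmt", "1.3.6.1.3": "experimental",
    "1.3.6.1.4": "private", "1.3.6.1.4.1": "enterprises", "1.3.6.1.4.1.9": "cisco",
    "1.3.6.1.2.1": "mib-2", "1.3.6.1.2.1.1": "system", "1.3.6.1.2.1.2": "interfaces",
    "1.3.6.1.2.1.3": "at", "1.3.6.1.2.1.4": "ip", "1.3.6.1.2.1.5": "icmp",
    "1.3.6.1.2.1.6": "tcp", "1.3.6.1.2.1.7": "udp", "1.3.6.1.2.1.8": "egp",
    "1.3.6.1.2.1.9": "cmot", "1.3.6.1.2.1.10": "transmission", "1.3.6.1.2.1.11": "snmp",
    "1.3.6.1.2.1.1.3": "sysUpTime",      # { system 3 }
}
LABEL_OIDS = {label: oid for oid, label in OID_LABELS.items()}

TIMETICKS_WRAP = 2 ** 32   # TimeTicks is an unsigned 32-bit counter


def oid_to_name(oid):
    """Translate each known prefix to its label; unknown arcs stay numeric."""
    parts = oid.strip(".").split(".")
    names = []
    for i in range(1, len(parts) + 1):
        prefix = ".".join(parts[:i])
        names.append(OID_LABELS.get(prefix, parts[i - 1]))
    return ".".join(names)


def name_to_oid(label):
    return LABEL_OIDS[label]


def ticks_to_text(ticks):
    """Render TimeTicks (hundredths of a second) as days and hh:mm:ss.cc."""
    seconds, hund = divmod(ticks, 100)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return "%dd %02d:%02d:%02d.%02d" % (days, hours, minutes, secs, hund)


def detect_reinit(samples):
    """samples: list of (poll_time_seconds, sysUpTime_ticks) in poll order.

    Returns the poll times at which sysUpTime decreased without the
    decrease being explainable by the 32-bit counter wrapping.
    """
    events = []
    for (t0, u0), (t1, u1) in zip(samples, samples[1:]):
        elapsed_ticks = (t1 - t0) * 100
        if u1 < u0:
            could_have_wrapped = u0 + elapsed_ticks >= TIMETICKS_WRAP
            if not could_have_wrapped:
                events.append(t1)
    return events


# Constructed polls every 300 s: the third value shows a device that restarted.
POLLS = [(0, 4_000_000), (300, 4_030_000), (600, 1_200)]

if __name__ == "__main__":
    print(oid_to_name("1.3.6.1.2.1.1.3.0"))
    print(ticks_to_text(POLLS[1][1]))
    print(detect_reinit(POLLS))
```

The wrap check matters for long-lived devices: a counter that stood near 2^32 hundredths (about 497 days) and rolls over looks like a decrease but is not a re-initialization.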

Slide 19: Traps and Informs (figure: a Trap is sent one way; an Inform is answered with an Acknowledgement)

Slide 20: SNMP Version Differences

                   Version 1     Version 2c    Version 3
  Informs          No            Yes           Yes
  RMON/Event       No            Yes*          Yes*
  Authentication   Community     Community     Users
  Privacy          No            No            Yes
  IOS/CatOS        Supported     Supported     Supported
  NMS Support      Ubiquitous    Pretty Good   Limited

Slide 21: Example Tool using SNMP MIB Polling
- Monitors traffic load on network links based on SNMP statistics.
- Generates real-time HTML traffic reports.
- Monitor any SNMP variable you choose.

Slide 22: Traffic Management for Multiservice Networks
- Figure: applications (VoIP, ERP, Multimedia, VPN, Web/URL) placed on two axes, Low Latency to Latency Tolerant and Low Bandwidth to Bursty Bandwidth.
- The network must provide each application with different service level characteristics simultaneously.

Slide 23: Remote Monitoring MIB
- Location in the tree: iso.org.dod.internet.mgmt.mib-2.rmon
- RMON-1 (RFC 1757) groups: statistics, history, alarm, hosts, hostTopN, matrix, filter, capture, events
- Token Ring extension (RFC 1513): tokenRing
- RMON-2 (RFC 2021) groups: protocolDir, protocolDist, addressMap, nlHost, nlMatrix, alHost, alMatrix, usrHistory, probeConfig

Slide 24: Example Tool using RMON Data (Netscout nGenius)
- Collects RMON data from intermediate devices.
- Analyzes data for performance metrics.

Slide 25: NBAR: Network Based Application Recognition
- Software feature in routers.
- Analyzes the data portion of packets to identify applications.
- Supports QoS deployment.

Slide 26: Service Assurance Agent (SA Agent)
- Figure: SA Agent at the Corp. HQ/Data Center probing through Regional Aggregation toward Retail Branch and Field Office sites.
- Synthetic traffic for various protocols.
- Session-level probe mechanism.
- Generates availability and threshold traps.
- Collects statistics.

Slide 27: Service Assurance Agent Operation Types (IOS-based)
- Operation types: ICMP, Path Echo, UDP Latency, TCP Latency, DNS/DHCP, Packet Loss, Voice Jitter, DLSw, HTTP (the figure arranges them by increasing service value).
- Supports IP Precedence.

Slide 28: Hop-by-Hop Response Time Report (screenshot)

Slide 29: ART MIB: Identify Application Response Time
- Packet-level measurement; FTP example (figure): client and server exchange SEQ 101 / ACK 101, SEQ 102, SEQ 103, SEQ 104 / ACK 104, SEQ 105 / ACK 105; measured components are network flight time, server latency, client latency and application-level response time.
- ART MIB functionality: TCP protocols only (1.0); based upon well-known destination port.
- Default protocols: AOL, COMPUSRV, DLSW_RD, DLSW_WR, DNS_TCP, DOOM, FTP-CTRL, FTP-DATA, HTTP, HTTPS, NB_DGM_T, NB_NS_T, NB_SSN_T, NEWS_TCP, NNTP, NOTESTCP, ORACLSQL, REALAUD, SMTP, SNA_TCP, SOCKET, SQLNET_N, SUNRPC_T, TELNET, XWINDOW

Slide 30: ART MIB: Example of Reporting
- Web accessible: for monitoring application and web flows from anywhere, anytime.
- URL visibility: for control of your site.
- Proactive management: alarm on responsiveness of the site or your mission-critical applications.
- Seamless real-time and historical: current statistics with look-back capability.

Slide 31: NetFlow Defined
- Flows are defined by 7 keys: Source Address, Destination Address, Source Port, Destination Port, Layer 3 Protocol, TOS byte (DSCP), Input Interface.
- Flows are unidirectional.
- Flows are enabled on a per input-interface basis.
- Flows can be configured "on-demand" or continuous.
- Flow data is exported to a management application.

Slide 32: NetFlow Data Record per Flow (figure)
- Usage: Packet Count, Byte Count
- Time Stamp: Start Timestamp, End Timestamp, Call Duration
- Device Interface: Input Interface, Output Interface
- QoS: Type of Service, TCP Flags, Protocol
- Application: Source TCP/UDP Port, Destination TCP/UDP Port
- Routing and Peering: Source IP Address, Destination IP Address, Source Prefix Mask, Destination Prefix Mask, Source AS Number, Destination AS Number, Next Hop Address
- Lost Datagrams
- Chart: Flow Size Distribution (Number of Flows)
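The two NetFlow slides above (the seven key fields and the per-flow record) are illustrated by the following added example, which is not slide or Cisco code: it groups a constructed packet stream into flow records keyed on exactly those seven fields and accumulates the usage, timestamp and TCP-flag fields of the record. Because flows are unidirectional, one TCP conversation shows up as two records, which is what a collector must re-pair when it wants a session view.

```python
"""Aggregate packets into NetFlow-style flow records.

Added example. Flow keys are the seven fields on the slide; the record
fields filled in are packet/byte counts, first/last timestamp and the OR
of TCP flags. Packets, addresses and ifIndex values are constructed.
"""
from collections import namedtuple, OrderedDict

# The seven NetFlow key fields.
FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port proto tos in_if")

# Constructed packets:
# (timestamp_s, in_if, src_ip, dst_ip, proto, src_port, dst_port, tos, tcp_flags, length)
SAMPLE_PACKETS = [
    (100.00, 1, "10.1.1.5", "192.0.2.10", 6, 40000, 80, 0, 0x02, 60),    # SYN
    (100.02, 2, "192.0.2.10", "10.1.1.5", 6, 80, 40000, 0, 0x12, 60),    # SYN/ACK, reverse direction
    (100.03, 1, "10.1.1.5", "192.0.2.10", 6, 40000, 80, 0, 0x10, 52),    # ACK
    (100.10, 1, "10.1.1.5", "192.0.2.10", 6, 40000, 80, 0, 0x18, 540),   # PSH/ACK, request
    (100.25, 2, "192.0.2.10", "10.1.1.5", 6, 80, 40000, 0, 0x18, 1460),  # response
    (101.00, 1, "10.1.1.7", "10.1.1.1", 17, 53000, 53, 0, 0, 78),        # UDP DNS query
]


def flow_key(pkt):
    ts, in_if, src, dst, proto, sport, dport, tos, flags, length = pkt
    return FlowKey(src, dst, sport, dport, proto, tos, in_if)


def aggregate(packets):
    """Return an ordered mapping FlowKey -> record dict."""
    flows = OrderedDict()
    for pkt in packets:
        key = flow_key(pkt)
        ts, flags, length = pkt[0], pkt[8], pkt[9]
        rec = flows.get(key)
        if rec is None:
            flows[key] = {"packets": 1, "bytes": length,
                          "first": ts, "last": ts, "tcp_flags": flags}
        else:
            rec["packets"] += 1
            rec["bytes"] += length
            rec["last"] = ts
            rec["tcp_flags"] |= flags
    return flows


def duration(rec):
    """The slide's "Call Duration": last minus first timestamp."""
    return rec["last"] - rec["first"]


def top_by_bytes(flows, n=3):
    return sorted(flows.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


if __name__ == "__main__":
    for key, rec in aggregate(SAMPLE_PACKETS).items():
        print(key, rec, "duration=%.2fs" % duration(rec))
```

The six packets yield three flows: client to server (3 packets, 652 bytes, flags SYN|ACK|PSH), server to client (2 packets, 1520 bytes) and the DNS query.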

Slide 33: NetFlow Related Applications
- Flow Profiling, Accounting/Billing, Network Planning, Network Monitoring.
- Figure: NetFlow Data Export and an RMON Probe feed Flow Collectors, which feed the Management Application and End-User Information.

Slide 34: Evolution of Data Exchange Standards
- SQL interfaces are subject to schema redefinition.
- XML makes it easier to exchange data between computer systems; structured data can be exchanged without APIs.
- Organizations rarely use a standardized set of tools.
- Need to define a common data model!

Slide 35: CIM Components (figure)
- CIM Specification v2.0, v2.1, v2.2; CIM Schema v2.1, v2.2, v2.3, v2.4
- Meta Model; Core; Physical (DEN); Device; Logical Network (DEN); System; Apps; User; Policy (DEN); QoS (DEN); IPSec (DEN); Extension Schema; DEN LDAP Mappings
- MOF Parser and Editor with output to HTML, SQL, Visio, ASCII

Slide 36: Transporting CIM: XML!
- XML = eXtensible Markup Language.
- Over HTTP, XML enables access to CIM objects (figure: CIM data over HTTP/HTTPS).
- Enables mixed-vendor, distributed server environments!

Slide 37: XML Components. What makes up XML? An XML document; an XML interpreter or parser; a Document Type Definition (DTD).

Slide 38: CIM Example: Inventory Data

    ////////////////////////////////////////////////////////
    // Device: nmcpw1601.cisco.com
    ////////////////////////////////////////////////////////
    instance of DEN_NetworkElement {
        DeviceId    = "133";
        CommonName  = "nmcpw1601";
        DNSName     = "cisco.com";
        Description = "";

Slide 39: Agenda (repeated): Motivation for Network Management; Evolution of Basic Technologies; Designing for Network Management; Best Practices; Policy Management; Summary and Recommended Reading

Slide 40: Designing for Management: Redundant Infrastructure
- High-availability management (figure: SNMP Manager on a dedicated management link).
- Completely separates management from user data.
- Management link is in a separate subnet, VLAN, and switch.
- Higher assurance for management data delivery during congestion or convergence.

Slide 41: Management Station Performance
- How fast is fast, and how slow is slow?
- Check browsers, virus scan options, Java releases…
- Customize views.
- Server CPU, client RAM (and CPU).
- Be aware of the number of managed devices and the number of functions.
- Don't ask for information you won't look at!

Slide 42: Integration and Growth Issues
- Applications shown: CW2000, CiscoSecure, HP NNM, QoS Policy Manager, DNS/DHCP, CiscoWorks Blue, Cisco Voice Manager, Service Mgmt, MRTG, customer-specific tools.
- What happens when you need to run more applications? Is the OS supported? CPU or memory constraints? Conflicting databases? Conflicting ports used? Multi-user access?

Slide 43: Centralized Network Management Architecture (figure): a Central NMS with a Centralized Database queries Sites A, B and C across the Enterprise Network.

Slide 44: Hierarchical Network Management Architecture (figure): Client NMSs at Sites A, B and C issue local queries and communicate with a Server NMS holding the Central DB.

Slide 45: Distributed Network Management Architecture (figure): Peer NMSs at Sites A, B and C each hold a Local DB, serve local queries and communicate NMS to NMS across the Enterprise Network.

Slide 46: Micromuse NetCool Architecture (figure)
- Inputs: SNMP, CMIP, ASCII (TL1), logfiles, DB, API, FW-1, Fusion, ISM, NTSM.
- Info Server with de-duplication; Event List on a Motif/NT desktop or in a web browser via the WWW server.
- Connections to Trouble Ticket, RDBMS and CNM View; Automations (triggers, internal and external actions); Reporter; Impact.

Slide 47: Internet OSS: Element Management and Network Management Framework (figure)
- Integrated Mgmt Applications
- Integration Bus / Middleware / Northbound APIs
- Intelligent Network Services: Authorization, Authentication, Provisioning, Fault Mgr, DHCP, DNS, QoS policy, Billing Srv, Directory, Bandwidth
- Network Elements & Intelligent Agents

Slide 48: Agenda (repeated): Motivation for Network Management; Evolution of Basic Technologies; Designing for Network Management; Best Practices; Policy Management; Summary and Recommended Reading

Slide 49: Monitor Critical Links; forget the rest
- Define key infrastructure aggregation ports.
- Set up statistics collection (RMON).
- Monitor "away" from the core.
- Enable traps for link failure and thresholds.
- Monitor for performance and fault conditions.
- Figure: Remote Offices, Corp Network, Servers.

Slide 50: NTP
- NTP helps correlate information.
- Defined in RFC 1305.
- Used to synchronize system clocks on network devices with an authoritative time source.
- Essential for manual troubleshooting via Syslog.
- Client/server unicast or multicast options.

Slide 51: Use two Clock sources (figure)
- Authoritative clocks on the Internet: ntp.nasa.gov and tick.usnogps.navy.mil (addresses not recovered from the slide).
- Stratum 2: RTR A (c75xx), RTR B and RTR C, each with two `ntp server` statements (one per authoritative clock) and `ntp peer` statements toward each other; `ntp update-calendar`.
- Stratum 3: RTR 1 … RTR n with `ntp server` statements pointing at the stratum-2 routers.
- Time negotiation between the routers.

Slide 52: AAA/TACACS+: who can do what?
- Authentication, Authorization, and Accounting.
- TACACS+ is available in routers and switches and allows centralized username/password/privilege administration.
- Removes the requirement to reconfigure hundreds of routers/switches when a user leaves.
- Allows accountability when each user has their own login ID.
- AAA implementation case study: aaisg/index.htm (URL truncated on the slide).

Slide 53: DNS: know what you're looking at
- At a minimum put your router loopback addresses and switch sc0 interface address in DNS.
- Set the hostname to match the DNS node name.
- Forward/reverse lookups for interfaces?

Slide 54: Limit SNMP Abuse
- SNMP should only be accessible to the NMS.
- Use ACLs where appropriate.
- Use SNMPv3 where available.
- Limit available SNMP data with "Views".

Slide 55: Community Strings / Privacy (figure)

Slide 56: SNMP Views (figure: OID tree showing mib-2 with interfaces, ipRouteTable and bgp, and enterprises with rttmon)

Slide 57: SNMP Views (figure: the same tree with the view applied; interfaces, ipRouteTable, bgp and rttmon under enterprises are shown)

Slide 58: Conserve Bandwidth
- snmpwalk of ipRouteTable with an snmp-server view enabled.
- Cisco 2621 with 64 MB RAM and 4000 routes (EIGRP).
- Unrestricted, the snmpwalk would have run for 25½ minutes.

Slide 59: Conserve Device Resources: SNMP Access
- Restrict access to certain MIBs.
- Some NM applications poll IP route tables and ARP caches; this can cause high CPU load on low-end routers with many route entries.
- Use "snmp-server view" statements.
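Slides 54 to 59 make the case for SNMP views without showing how a view decides what an OID request may see. The following added example (not slide content and not Cisco code) models a view as a list of included and excluded subtrees and applies the rule used by VACM view trees (RFC 3415), which is also how IOS combines several `snmp-server view` lines for one view: the most specific matching subtree entry wins. The subtree numbers are the standard registrations for the names on the slides; the sample walk is constructed.

```python
"""SNMP view evaluation: which OIDs does a view expose?

Added example. Subtree OIDs are the standard registrations for the names
the slides use (mib-2, interfaces, ipRouteTable, bgp, enterprises,
CISCO-RTTMON-MIB); the requested OIDs are a constructed walk.
"""


def parse_oid(text):
    return tuple(int(p) for p in text.strip(".").split("."))


SUBTREES = {
    "mib-2": "1.3.6.1.2.1",
    "interfaces": "1.3.6.1.2.1.2",
    "ipRouteTable": "1.3.6.1.2.1.4.21",
    "bgp": "1.3.6.1.2.1.15",
    "enterprises": "1.3.6.1.4.1",
    "rttmon": "1.3.6.1.4.1.9.9.42",   # CISCO-RTTMON-MIB
}


class SnmpView:
    """A view is a set of (subtree, included) entries; default is deny."""

    def __init__(self, name):
        self.name = name
        self.entries = []

    def add(self, subtree, included=True):
        """subtree may be a name from SUBTREES or a dotted OID."""
        self.entries.append((parse_oid(SUBTREES.get(subtree, subtree)), included))
        return self

    def permits(self, oid):
        """Most specific (longest) matching subtree decides; no match = denied."""
        oid_t = parse_oid(oid)
        best = None
        for subtree, included in self.entries:
            if oid_t[:len(subtree)] == subtree:
                if best is None or len(subtree) > len(best[0]):
                    best = (subtree, included)
        return best is not None and best[1]

    def filter_walk(self, oids):
        return [o for o in oids if self.permits(o)]


# Monitoring view in the spirit of slides 56/57: all of mib-2 except the
# route table, plus the RTTMON (SA Agent) subtree.
MONITORING_VIEW = (SnmpView("monitoring")
                   .add("mib-2")
                   .add("ipRouteTable", included=False)
                   .add("rttmon"))

# Constructed walk of instance OIDs a poller might request.
SAMPLE_WALK = [
    "1.3.6.1.2.1.1.3.0",                 # sysUpTime.0
    "1.3.6.1.2.1.2.2.1.10.1",            # ifInOctets.1
    "1.3.6.1.2.1.4.20.1.1.10.1.1.1",     # ipAdEntAddr (ipAddrTable, still in view)
    "1.3.6.1.2.1.4.21.1.1.10.0.0.0",     # ipRouteDest (ipRouteTable, excluded)
    "1.3.6.1.2.1.15.3.1.2.192.0.2.1",    # bgpPeerState
    "1.3.6.1.4.1.9.9.42.1.2.1.1.1",      # an rttMon object
    "1.3.6.1.4.1.9.2.1.58.0",            # a cisco enterprise OID outside rttmon
]

if __name__ == "__main__":
    for oid in SAMPLE_WALK:
        print(oid, "allowed" if MONITORING_VIEW.permits(oid) else "denied")
```

Note the longest-match rule in action: ipAddrTable (1.3.6.1.2.1.4.20) is visible because only the broader mib-2 entry matches it, while every ipRouteTable instance is denied by the more specific excluded entry; this is the restriction that turned slide 58's 25½-minute walk into a short one.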

Slide 60: Polling vs. Notifying
- Polling: the NMS asks for status
- Notifying: the device actively notifies the NMS of problems
- Two types of notifications: Trap (unreliable, no state retained) and INFORMs

Slide 61: Be Careful!
- Set the polling interval wisely
- Bandwidth issues on lower speed links
- Chart: Cost of Queries (% of network bandwidth utilized vs. polling interval in seconds vs. # of polled stations)
- Example: 1 manager, multiple managed devices; 64 Kb access link; 1 request = 1 KB packet (avg.); 1 poll = getreq + getresp = 2 KB; assume 1 object polled per managed device

Slide 62: Cost of Traps
- No queries
- But you may need to poll for other reasons (performance metrics)
- SMART polling engines can really make the difference!
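The chart on slide 61 is a straightforward calculation, and it is worth carrying through to see where a naive polling schedule saturates a slow link. The block below is an added example (not from the slides) that uses the slide's own parameters: a 64 Kb access link, 2 KB per poll (request plus response) and one object per device. It computes the share of the link consumed for a given station count and interval, and inverts the formula to answer the questions a practitioner actually asks: the smallest interval that keeps polling within a bandwidth budget, and the most stations one link can carry at a given interval. The assumptions that 1 KB is 1024 bytes and that the 64 Kb link is 64,000 bit/s are mine; the slide does not say.

```python
"""Cost of SNMP polling on a slow access link (parameters from slide 61).

Added example, not from the original slides. Assumes 1 KB = 1024 bytes and
a 64 Kb link = 64,000 bit/s.
"""
import math
from typing import Dict, Iterable, Tuple

LINK_BPS = 64_000          # 64 Kb access link
POLL_BYTES = 2 * 1024      # 1 poll = get-request + get-response = 2 KB (1 KB avg each)


def poll_bits(objects_per_device: int = 1, poll_bytes: int = POLL_BYTES) -> int:
    """Bits sent per polling cycle for one device (one poll per polled object)."""
    return objects_per_device * poll_bytes * 8


def utilization_percent(stations: int, interval_s: float,
                        objects_per_device: int = 1, link_bps: int = LINK_BPS) -> float:
    """Percent of the link consumed by polling 'stations' devices every interval_s seconds."""
    bps = stations * poll_bits(objects_per_device) / interval_s
    return 100.0 * bps / link_bps   # values above 100 mean the link cannot keep up


def min_interval_s(stations: int, budget_percent: float,
                   objects_per_device: int = 1, link_bps: int = LINK_BPS) -> int:
    """Smallest whole-second interval that keeps polling within budget_percent of the link."""
    budget_bps = link_bps * budget_percent / 100.0
    return math.ceil(stations * poll_bits(objects_per_device) / budget_bps)


def max_stations(interval_s: float, budget_percent: float,
                 objects_per_device: int = 1, link_bps: int = LINK_BPS) -> int:
    """Most devices one link can carry at interval_s within budget_percent."""
    budget_bps = link_bps * budget_percent / 100.0
    return math.floor(budget_bps * interval_s / poll_bits(objects_per_device))


def cost_table(station_counts: Iterable[int],
               intervals: Iterable[int]) -> Dict[Tuple[int, int], float]:
    """The slide's chart as numbers: (stations, interval) -> % of link, rounded."""
    return {(n, t): round(utilization_percent(n, t), 1)
            for n in station_counts for t in intervals}


if __name__ == "__main__":
    counts, intervals = (1, 10, 50, 100, 250), (30, 60, 300, 900)
    table = cost_table(counts, intervals)
    print("stations " + " ".join(f"{t:>7}s" for t in intervals))
    for n in counts:
        print(f"{n:>8} " + " ".join(f"{table[(n, t)]:>7.1f}%" for t in intervals))
    print("interval for 100 stations within 10%:", min_interval_s(100, 10), "s")
    print("stations at 60 s within 10%:", max_stations(60, 10))
```

Traps change the arithmetic only on the device side: a trap-driven design still pays for whatever periodic polling remains for performance data, which is why the slide's advice is to size that residual polling rather than assume it disappears.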

Slide 63: Benefit of Traps
- Use trap-based polling
- Use RMON to define traps
- Use RMON to set thresholds
- Use RTT-Mon traps for timeouts, thresholds, connection changes

Slide 64: WAN Overload! (diagram: device duplicates across the WAN)
- Limit the amount of information

Slide 65: Fault Correlation (diagram: WAN)
- Remove duplicates and correlate

Slide 66: Fault Correlation
- Hierarchical mechanisms

Slide 67: Security vs. Trust in the Network
- Ease of access vs. level of security is always a tradeoff
- Every network management feature can be viewed as a security vulnerability
- Diagram: Manageability and ease of access on one side, security concerns on the other

Slide 68: Management Traffic – What Options for Securing It?
- In-band clear text
- In-band encrypted
- Out-of-band

Slide 69: Management Protocol Security – Cleartext Transmissions
- SNMP
- TELNET
- RCP
- HTTP/XML
- TFTP
- CORBA, other special/proprietary, etc.

Slide 70: Medium Trust Environment
- Higher concern for protecting managed devices from unauthorized access
- Standard cleartext-based protocols may still be acceptable
- Restrict access to devices as appropriate: access lists / ip permit lists for SNMP, TELNET
- AAA for device access via TELNET

Slide 71: Low Trust Environment – Encryption of Management Traffic Needed
- Some protocols have a secure option: SNMP: SNMPv3; TELNET: SSH; HTTP: SSL/HTTPS; RCP: SSH/SCP
- But what about? TFTP: ?; CORBA: ?

Slide 72: Low Trust Environment – Encryption of Management Traffic Needed
- IPSec / VPN tunnels
- Can cover ALL management protocols
- Useful for connections across a public WAN between sites
- Possible consideration for management of individual devices (if all devices support IPSec)

Slide 73: Network Management
- Network management subnet for all NMS hosts and tools
- Security point to control access to the subnet: firewall, VPN aggregation point
- Diagram: Firewall, NMS, Corporate Intranet, VPN

Slide 74: Firewall Issues
- Need to consider not only traffic between the management workstation and devices, but also between the management workstation and clients (management users)
- May be possible to filter based on ports
- Some products break: tools choose free ports at random (CORBA, some other client and server architectures)
- Try telling the firewall to permit a larger port range from the management station

Slide 75: Firewall Issues
- NAT: no general solution for SNMP
- Common workaround is to multihome the management station or use a DMZ when necessary for one server to manage both “inside” and “outside” addresses
- Diagram: NAT, DMZ, NMS, Outside, Inside

Slide 76: Agenda
- Motivation for Network Management
- Evolution of Basic Technologies
- Designing for Network Management
- Best Practices
- Policy Management
- Summary and Recommended Reading

Slide 77: Define your Policies
- Policies are goal statements
- Implementing policies: conditions and actions
- Conditions: packet header, external conditions, user
- Actions: filter rules, encryption requirements, quality of service requirements

Slide 78: Define Methods and Metrics
- Perspective of Measurement: User, Network
- Scope of Measurement: Device/Link, End-to-End/Path
- Collection Method: Embedded Agents, External Probes
- Sampling Method: Synthetic, Observed

Slide 79: Defining Demarcations
- Diagram: Corp. HQ/Data Center, Regional Aggregation, Retail Branch; Service Provider Domain 1, Service Provider Domain 2, Enterprise Domain, Other Domains (network hardware, workstation hardware, application software, etc.); SA Agent SP1, SA Agent SP2

Slide 80: Example Policy
If service is HTTP
    if destination is S
        if source is H
            service level = Premium
            permit
        else if source is N1 or N4
            permit
            if source is N4
                use tunnel
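Slide 77 says a policy is implemented as conditions and actions, and slide 80 shows one as nested if/else text. The block below is an added example for this page (not Cisco's policy engine, not QPM) that turns that nesting into a small data-driven rule tree and evaluates it against flows: each rule tests one field, carries actions, and has a `then` branch for a match and an `otherwise` branch for the else case; anything that never collects a `permit` is denied. The symbolic names H, S, N1 and N4 are resolved through a constructed address table using documentation prefixes, which is the one thing a real engine adds to the slide's pseudocode (address-in-prefix matching rather than label comparison).

```python
"""Conditions-and-actions evaluation of the slide 80 policy.

Added example, not from the original slides. Address table is constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed address book for the slide's symbolic names (documentation prefixes)
OBJECTS: Dict[str, ipaddress.IPv4Network] = {
    "H":  ipaddress.ip_network("192.0.2.10/32"),     # the privileged host
    "S":  ipaddress.ip_network("192.0.2.80/32"),     # the HTTP server
    "N1": ipaddress.ip_network("198.51.100.0/24"),
    "N4": ipaddress.ip_network("203.0.113.0/24"),
}


@dataclass
class Flow:
    service: str   # e.g. "HTTP"
    src: str       # IPv4 address as text
    dst: str


@dataclass
class Rule:
    """One condition: 'attr' of the flow must fall in 'values'.

    On match: apply 'actions', then evaluate the 'then' rules.
    On no match: evaluate the 'otherwise' rules (the else branch).
    """
    attr: str
    values: Tuple[str, ...]
    actions: Tuple[str, ...] = ()
    then: List["Rule"] = field(default_factory=list)
    otherwise: List["Rule"] = field(default_factory=list)


def matches(rule: Rule, flow: Flow) -> bool:
    value = getattr(flow, rule.attr)
    if rule.attr == "service":
        return value in rule.values
    addr = ipaddress.ip_address(value)
    return any(addr in OBJECTS[name] for name in rule.values)


def evaluate(rules: List[Rule], flow: Flow, acc: List[str] = None) -> List[str]:
    """Walk the rule tree, collecting every action the flow triggers."""
    acts = [] if acc is None else acc
    for rule in rules:
        if matches(rule, flow):
            acts.extend(rule.actions)
            evaluate(rule.then, flow, acts)
        else:
            evaluate(rule.otherwise, flow, acts)
    return acts


def decide(rules: List[Rule], flow: Flow) -> List[str]:
    """Final decision: the collected actions, or nothing at all (default deny)."""
    acts = evaluate(rules, flow)
    return sorted(set(acts)) if "permit" in acts else []


# The slide's policy, transcribed rule by rule
POLICY = [
    Rule("service", ("HTTP",), then=[
        Rule("dst", ("S",), then=[
            Rule("src", ("H",), actions=("permit", "service-level=Premium"),
                 otherwise=[
                     Rule("src", ("N1", "N4"), actions=("permit",), then=[
                         Rule("src", ("N4",), actions=("use-tunnel",)),
                     ]),
                 ]),
        ]),
    ]),
]

if __name__ == "__main__":
    for f in (Flow("HTTP", "192.0.2.10", "192.0.2.80"),
              Flow("HTTP", "203.0.113.7", "192.0.2.80"),
              Flow("HTTP", "198.51.100.5", "192.0.2.80"),
              Flow("HTTP", "10.9.9.9", "192.0.2.80"),
              Flow("SSH", "192.0.2.10", "192.0.2.80")):
        print(f, "->", decide(POLICY, f) or "deny")
```

Writing the policy as data rather than as code is what lets a policy server export the same rules to different device types (slide 84's CLI and COPS paths) and lets an auditor enumerate which sources reach S without reading every router's configuration.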

Slide 81: Policy-Based Networking
- Directory Enabled Networking - Why?
- Diagram layers: Network Device Layer (IP routing protocols: OSPF, BGP4, PIM, PGM, L2TP, MPLS, other...); Operating System Services (Name Resolution, Location, Authentication, Authorization, Directory); Applications (SAP, Oracle, Call Center, Voice, Video, Distance Learning, Conferencing); DEN Services (QoS, Voice, DNS, DHCP, Security)

Slide 82: Benefits of Directory Enabled Networks
- Audiences: Enterprise Customers, Service Providers, End-Users, Application Developers
- Rapidly create, provision and deploy advanced networking services on a per-user basis
- Centralized management of network resources
- Single network logon
- Personalized network services
- Easy access to advanced network services
- Develop network-aware applications using standard development interfaces and tools
- Protect mission-critical traffic
- Simplify and enhance network management and provisioning

Slide 83: Directory Protocols
- LDAP: standards-based query/update
- Kerberos: standard token-based authentication
- ADSI: Active Directory Service Interface (Microsoft AD)
- NDS/NDK: Novell Directory Services

Slide 84: QPM Architecture
- Diagram: data, voice, video applications; QPM Mgmt Consoles; Distributed QPM Policy Servers; QPM Server policy database; LDAPv3 directories (Active Directory, Sun/Netscape, NDS, ...); CiscoWorks 2000 (import device data); Cisco CNR DHCP, ...; Cisco / 3rd party apps; Cisco Intelligent Network reached via CLI, SNMP, COPS, with RSVP and DiffServ
- Policy & configuration management via CLI and COPS
- DiffServ and RSVP QoS standards
- Directory-enabled, user-based policies
- Export policies: DEN / CIM compliant
- CiscoWorks 2000 device import

Slide 85: Common Open Policy Service
- Benefits of COPS: policing & aggregate policies for RSVP; multi-vendor, standards-based interoperability; simplified support of new / upgraded devices; policy abstraction of device specifics
- Standards: COPS-RSVP is a standard; COPS-PR not yet an IETF RFC

Slide 86: Agenda
- Motivation for Network Management
- Evolution of Basic Technologies
- Designing for Network Management
- Best Practices
- Policy Management
- Summary and Recommended Reading

Slide 87: Summary
- Network management is key to productivity
- Networks evolve – so do NMS technologies
- Design your NMS to support your goals
- Choose suitable architectures and tools
- Define methods and metrics
- Integrate

Slide 88: Recommended Reading
- Performance and Fault Management, Paul Della Maggiora et al., 2000, Cisco Press, ISBN
- SNMP, SNMPv2, SNMPv3 and RMON 1 and 2, Third Edition, William Stallings, Addison Wesley Longman, Inc.
- Network Management: A Practical Perspective, Leinwand and Fang Conroy
- Network Management: Principles and Practice, Subramanian
- How to Manage Your Network Using SNMP: The Networking Management Practicum, Rose and McCloghrie

Slide 89: Some useful Links

Slide 90: Questions?