NCM-101 2973_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
NATO Advanced Networking Workshop S4.2 Contemporary Network Management


Slide 1: NATO Advanced Networking Workshop S4.2, Contemporary Network Management
rkrueger@cisco.com, September 18th, 2001

Slide 2: Buying a Network Management System should be easy...
Sigma Systems

Slide 3: ISO Architecture for Network Management
- Configuration Management
- Fault Management
- Security Management
- Performance Management
- Accounting Management

Slide 4: Network Life Cycle
- Planning and Organizing
- Design
- Implement
- Analyzing Changes
- Monitoring
(Figure: life-cycle diagram, with "Security" running through all phases)

Slide 5: TMN Open Reference Architecture
(Figure: layered architecture; columns Fulfillment, Assurance, Billing above a Customer Interface / Customer Care layer)
- Customer-facing processes: Sales, Order Handling, Problem Resolution, Performance/SLA Reporting, Invoicing and Rating
- Service Product Development and Maintenance: Service Creation, Service Inventory, Service Provisioning, Service Quality, Mediation
- Network and Systems Management: Network Planning, Network Provisioning, Maintenance, Restoration, Network Monitoring, Aggregation
- Element Management
- Programmable and Physical Network Layers: Plug-and-Play, Configuration, Policy, Instrumentation (Cisco Network Devices)
- Integration Bus (Cisco Network Services, Partner), with shared services:
  - Data: CIM/DEN model, caching/state, repository
  - Security: authorization/authentication (RADIUS, Kerberos, TACACS+, PKI)
  - Location: registration, naming
  - IP Address Management: DNS, DHCP, address management
  - Workflow: process workflow, application integration

Slide 6: Agenda
- Motivation for Network Management
- Evolution of Basic Technologies
- Designing for Network Management
- Best Practices
- Policy Management
- Summary and Recommended Reading

Slide 7: Network Management Challenge
80% say managing your network is significantly more important than 18 months before. Why?
- Your business relies more on the network
- Your network is more complex than before
- Your network is more visible than ever before
- You can't hire and keep enough good people

Slide 8: IT Organization Challenge
- Network Management (the network as a utility): facilitate high reliability; leverage the organizational resources; minimize transmission costs
- Service Management (the network as a strategic asset): identifying opportunities to use information technology to help the corporation better compete: e-commerce, extranets and VPNs, VoIP

Slide 9: Evolution of Network Management
- Networks are increasing in scale and complexity; there is a clear need for management functionality
- Management technologies evolve along with the technologies and services deployed in networks
(Figure: growth over time of network traffic and network technology versus network resources (support staff, $$))

Slide 10: Heterogeneous Management
(Figure: management servers, xmlCIM, device ID management, intranet)

Slide 11: Agenda (repeated), next section: Evolution of Basic Technologies

Slide 12: Network Management Technology Basics
(Figure: SNMP manager (CiscoWorks 2000) and managed devices)
- Network Time Protocol (NTP)
- CDP or ILMI
- IP connectivity (IP MIB)
- SNMP agents and MIBs: Mini-RMON, RMON-MIB, CISCO-STACK-MIB, BRIDGE-MIB, ... (RMON 1 and 2)
- SNMP operations: Get, GetNext, Set, GetBulk; responses; SNMP traps (SNMP traps / RMON MIB)
- Syslog messages
- Telnet

Slide 13: The Syslog Facility (optional)
- Console messages on the RS-232 console; syslog to a syslog server on 514/udp, written to a logfile
- System log message format: facility, severity level, timestamp, system log message
- Severity levels:
  0 Emergencies
  1 Alerts
  2 Critical
  3 Errors
  4 Warnings
  5 Notifications
  6 Informational
  7 Debugging
- Text messages over UDP
- Very basic reporting mechanism
- Sources: CatOS, CatIOS, IOS
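The severity table above is what a collector uses to triage messages. The following parser is an added example, not part of the slides or any Cisco tool: it reads the syslog PRI value (facility*8 + severity), the IOS-style %FACILITY-SEVERITY-MNEMONIC header and the timestamp, and flags anything at Errors (3) or worse. The log lines are constructed for the example; the message field layout is assumed from the slide.

```python
import re

# Severity levels as listed on the slide (the same numbering syslog's PRI field uses)
SEVERITY = {0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
            4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging"}

# Assumed IOS message layout for this example:
#   [<PRI>][seq: ][timestamp: ]%FACILITY-SEVERITY-MNEMONIC: text
IOS_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                    # syslog PRI = facility*8 + severity
    r"(?:\d+: )?"                                  # optional sequence number
    r"(?:\*?(?P<ts>\w{3}\s+\d+ [\d:.]+): )?"       # optional IOS timestamp (leading '*' = unsynced)
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")

# Constructed sample lines (facility local7 = 23, so PRI = 184 + severity)
SAMPLE_LOG = [
    "<189>45: *Sep 18 09:12:01.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down",
    "<187>46: *Sep 18 09:12:01.120: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "<190>47: *Sep 18 09:12:05.877: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.100.10 started",
    "<188>48: *Sep 18 09:13:10.400: %SNMP-4-NOTRAPIP: SNMP trap source Loopback0 has no ip address",
    "not a syslog line at all",
]

def parse_ios_syslog(line):
    """Return a dict for one IOS syslog line, or None if it does not match the layout."""
    m = IOS_RE.match(line.strip())
    if not m:
        return None
    rec = {"facility": m["fac"], "severity": int(m["sev"]), "mnemonic": m["mnem"],
           "text": m["text"], "timestamp": m["ts"]}
    rec["severity_name"] = SEVERITY[rec["severity"]]
    if m["pri"] is not None:                 # split PRI back into syslog facility and severity
        pri = int(m["pri"])
        rec["syslog_facility"], rec["syslog_severity"] = pri // 8, pri % 8
    return rec

def triage(lines, max_severity=3):
    """Parse all lines; return (parsed records, records at or below max_severity)."""
    parsed = [r for r in (parse_ios_syslog(l) for l in lines) if r]
    urgent = [r for r in parsed if r["severity"] <= max_severity]
    return parsed, urgent

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG)[1]:
        print(rec["timestamp"], rec["facility"], rec["severity_name"], rec["text"])
```

Because syslog is plain UDP with no acknowledgement (as the slide says), a collector should also record gaps in the sequence number field; the parser keeps it out of the record only for brevity.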

Slide 14: SNMP: The Management Entity, Agents, and Protocol
- The management entity collects data by generating requests; this causes in-band traffic coexisting with production traffic
- Agents are information storehouses of object definitions provided in many Management Information Bases (MIBs)
- The SNMP protocol is used to transport the information requests
(Figure: network management station (management entity) and SNMP agent on an SNMP-manageable device across an IP network; messages: Get Request, Get-Next Request, Get-Bulk Request, Set Request, Get Response, Trap; SNMP v1, SNMP v2; 1000s of defined objects)

Slide 15: SNMP: Understanding Community Strings
- SNMP Protocol Data Units (PDUs) are processed as per the access policy indicated by the community string
- Community strings are clear text and provide a trivial authentication mechanism
- Avoid using the well-known defaults: read-only agent access: public; read-write agent access: private
(Figure: packet layout: frame header, IP header (protocol number UDP (17)), UDP header (port 161), SNMP message (version, community string, SNMP PDU), CRC)

Slide 16: MIBs: Management Information Bases
- A MIB defines the variables that reside in a managed node
- Defined according to SMI (Structure of Management Information) rules
- Each managed object is described using an object identifier defined in the SMI
- MIB I: 114 standard objects; objects included are considered essential for either fault or configuration management
- MIB II: extends MIB I; 185 objects defined
- Other standard MIBs: RMON, host, router, ...
- Proprietary vendor MIBs: extensions to standard MIBs
(Figure: SNMP agent with 1000s of manageable objects defined following rules set out in the SMI standards)

Slide 17: MIBs: Object Identifiers
- Hierarchically structured; each object uniquely identified
- OID for system: 1.3.6.1.2.1.1
OID tree (Internet Activities Board (IAB) administered):
  iso (1)
    org (3)
      dod (6)
        internet (1)
          directory (1)
          management (2)
            mib-2 (1): system (1), interfaces (2), address translation (3), ip (4), icmp (5), tcp (6), udp (7), egp (8), cmot (9), transmission (10), snmp (11)
          experimental (3)
          private (4)
            enterprise (1), vendor administered: Proteon (1), IBM (2), Cisco (9), HP (11), Wellfleet (18), Sun (42), Apple (63), Microsoft (311), ... unassigned (9118)

Slide 18: What's in a MIB?

    sysUpTime OBJECT-TYPE
        SYNTAX      TimeTicks
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The time (in hundredths of a second) since the network management
            portion of the system was last re-initialized."
        ::= { system 3 }

- Mnemonic (sysUpTime), parent OID (system 3), and how to encode and interpret this variable (SYNTAX TimeTicks)
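Slides 15 to 18 describe the SNMPv1 message layout, the cleartext community string and the OID tree. The decoder below is an added example written for this transcript, not code from the slides or from Cisco: it walks the BER TLV structure of an SNMPv1 Get/GetNext/Set/Response message, recovers version, community and varbinds, and resolves OIDs to names using the tree on slide 17 (plus sysUpTime from slide 18). The packet bytes are constructed by hand; a monitoring check for the well-known default community strings is included because that is the first thing a defender would look for in a capture of port 161.

```python
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}
DEFAULT_COMMUNITIES = {"public", "private"}   # the well-known defaults the slide says to avoid

# Constructed sample: SNMPv1 GetRequest, community "public", for sysUpTime.0
SAMPLE_GETREQUEST = bytes.fromhex(
    "30 26"                    # SEQUENCE, 38 bytes follow
    "02 01 00"                 #   version INTEGER 0 (SNMPv1)
    "04 06 7075626c6963"       #   community OCTET STRING "public" (cleartext on the wire)
    "a0 19"                    #   GetRequest-PDU, 25 bytes follow
    "02 01 01"                 #     request-id 1
    "02 01 00"                 #     error-status 0
    "02 01 00"                 #     error-index 0
    "30 0e"                    #     VarBindList
    "30 0c"                    #       VarBind
    "06 08 2b06010201010300"   #         OID 1.3.6.1.2.1.1.3.0 (sysUpTime.0)
    "05 00"                    #         value NULL
)

def read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the BER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]      # first byte packs the first two arcs
    val = 0
    for b in raw[1:]:                       # remaining arcs are base-128, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_value(tag, raw):
    if tag in (0x02, 0x41, 0x42, 0x43, 0x47):   # INTEGER, Counter, Gauge, TimeTicks, Counter64
        return int.from_bytes(raw, "big", signed=(tag == 0x02))
    if tag == 0x04:
        return raw.decode("ascii", "replace")
    if tag == 0x06:
        return decode_oid(raw)
    return None if tag == 0x05 else raw     # NULL, or leave unknown types raw

def decode_snmpv1(packet):
    """Parse one SNMPv1 Get/GetNext/Set/Response message into a dict."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag not in PDU_NAMES:
        raise ValueError("unsupported PDU type 0x%02x (Trap-PDU has a different layout)" % pdu_tag)
    _, req_id, p = read_tlv(pdu, 0)
    _, err_status, p = read_tlv(pdu, p)
    _, err_index, p = read_tlv(pdu, p)
    _, vbl, _ = read_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        _, oid, q = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, q)
        varbinds.append((decode_oid(oid), decode_value(vtag, val)))
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES[pdu_tag],
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "error_status": int.from_bytes(err_status, "big"),
            "error_index": int.from_bytes(err_index, "big"),
            "varbinds": varbinds}

def uses_default_community(decoded):
    """Monitoring check: the request carries one of the well-known default strings."""
    return decoded["community"] in DEFAULT_COMMUNITIES

# OID tree from slide 17 (prefix -> name); arcs not listed stay numeric
MIB_TREE = {
    "1": "iso", "1.3": "org", "1.3.6": "dod", "1.3.6.1": "internet",
    "1.3.6.1.1": "directory", "1.3.6.1.2": "mgmt", "1.3.6.1.2.1": "mib-2",
    "1.3.6.1.2.1.1": "system", "1.3.6.1.2.1.2": "interfaces", "1.3.6.1.2.1.3": "at",
    "1.3.6.1.2.1.4": "ip", "1.3.6.1.2.1.5": "icmp", "1.3.6.1.2.1.6": "tcp",
    "1.3.6.1.2.1.7": "udp", "1.3.6.1.2.1.8": "egp", "1.3.6.1.2.1.9": "cmot",
    "1.3.6.1.2.1.10": "transmission", "1.3.6.1.2.1.11": "snmp", "1.3.6.1.2.1.16": "rmon",
    "1.3.6.1.3": "experimental", "1.3.6.1.4": "private", "1.3.6.1.4.1": "enterprises",
    "1.3.6.1.4.1.9": "cisco", "1.3.6.1.2.1.1.3": "sysUpTime",   # sysUpTime = { system 3 }
}

def oid_to_name(oid):
    """Resolve each arc to its name where the tree knows it, e.g. ...mib-2.system.sysUpTime.0."""
    arcs = oid.split(".")
    return ".".join(MIB_TREE.get(".".join(arcs[:i + 1]), arc) for i, arc in enumerate(arcs))

if __name__ == "__main__":
    msg = decode_snmpv1(SAMPLE_GETREQUEST)
    print(msg["pdu"], "community=%r" % msg["community"], "default:", uses_default_community(msg))
    for oid, value in msg["varbinds"]:
        print(oid, "=", oid_to_name(oid), value)
```

The point the decoder makes visible is that nothing in an SNMPv1 or v2c message is protected: the community string sits in the second TLV of every packet, which is why the slides later recommend access lists, views and SNMPv3.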

Slide 19: Traps and Informs
(Figure: Trap; Inform followed by an Acknowledgement)

Slide 20: SNMP Version Differences

                    Version 1     Version 2c    Version 3
  Informs           No            Yes           Yes
  RMON/Event        No            Yes*          Yes*
  Authentication    Community     Community     Users
  Privacy           No            No            Yes
  IOS/CatOS         Supported     Supported     Supported
  NMS Support       Ubiquitous    Pretty Good   Limited

Slide 21: Example Tool using SNMP MIB Polling
- Monitors traffic load on network links based on SNMP statistics
- Generates real-time HTML traffic reports
- Monitor any SNMP variable you choose

Slide 22: Traffic Management for Multiservice Networks
(Figure: applications placed by latency and bandwidth needs, from low latency / low bandwidth to latency tolerant / bursty bandwidth: VoIP, ERP, multimedia, VPN, web/URL)
- The network must provide each application with different service level characteristics simultaneously

Slide 23: Remote Monitoring MIB
- iso.org.dod.internet.mgmt.mib-2.rmon = 1.3.6.1.2.1.16
- RMON-1 (RFC 1757) groups: statistics (1), history (2), alarm (3), hosts (4), hostTopN (5), matrix (6), filter (7), capture (8), events (9)
- Token Ring (RFC 1513): tokenRing (10)
- RMON-2 (RFC 2021) groups: protocolDir (11), protocolDist (12), addressMap (13), nlHost (14), nlMatrix (15), alHost (16), alMatrix (17), usrHistory (18), probeConfig (19)

Slide 24: Example Tool using RMON Data
- Collects RMON data from intermediate devices
- Analyzes data for performance metrics
(NetScout nGenius)

Slide 25: NBAR: Network Based Application Recognition
- Software feature in routers
- Analyzes the data portion of packets to identify applications
- Supports QoS deployment

Slide 26: Service Assurance Agent (SA Agent)
(Figure: SA Agent at the corporate HQ/data center, regional aggregation, retail branch and field office sites)
- Synthetic traffic for various protocols
- Session-level probe mechanism
- Generates availability and threshold traps
- Collects statistics

Slide 27: Service Assurance Agent Operation Types
(Figure: IOS-based SA Agent operation types arranged by increasing service value: ICMP, path echo, UDP latency, TCP latency, DNS/DHCP, packet loss, voice jitter, DLSw, HTTP)
- Supports IP Precedence!!

Slide 28: Hop-by-Hop Response Time Report (screenshot)

Slide 29: ART MIB Functionality
- Example: FTP. Packet-level measurement of the TCP exchange (SEQ 101 / ACK 101, SEQ 102, SEQ 103, SEQ 104 / ACK 104, SEQ 105 / ACK 105) separates client latency, network flight time and server latency to identify application response time
- Application-level response time
- TCP protocols only (1.0); based upon well-known destination port
- Default protocols: AOL, COMPUSRV, DLSW_RD, DLSW_WR, DNS_TCP, DOOM, FTP-CTRL, FTP-DATA, HTTP, HTTPS, NB_DGM_T, NB_NS_T, NB_SSN_T, NEWS_TCP, NNTP, NOTESTCP, ORACLSQL, REALAUD, SMTP, SNA_TCP, SOCKET, SQLNET_N, SS, SUNRPC_T, TELNET, XWINDOW

Slide 30: ART MIB: Example of Reporting
- Web accessible: for monitoring application and web flows from anywhere, anytime
- URL visibility: for control of your site
- Proactive management: alarm on responsiveness of the site or your mission-critical applications
- Seamless real-time and historical: current statistics with look-back capability

Slide 31: NetFlow Defined
- Flows are defined by 7 keys: source address, destination address, source port, destination port, layer 3 protocol, TOS byte (DSCP), input interface
- Flows are unidirectional
- Flows are enabled on a per input-interface basis
- Flows can be configured "on-demand" or continuous
(Figure: flow data exported to the management application)

Slide 32: NetFlow Data Record per Flow
- Usage: packet count, byte count
- Time stamp: start timestamp, end timestamp, call duration
- Device interface: input interface, output interface
- Application: source TCP/UDP port, destination TCP/UDP port
- QoS: type of service, TCP flags, protocol
- Routing and peering: source IP address, destination IP address, source prefix mask, destination prefix mask, source AS number, destination AS number, next hop address
- Lost datagrams
- Flow size distribution, number of flows
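Slides 31 and 32 define a flow by its 7 keys and list what a flow record accumulates. The flow cache below is an added example (not Cisco's implementation) that applies those definitions to a constructed packet stream: each packet is keyed on the 7-tuple, counters and timestamps are accumulated per flow, and idle flows are aged out and exported. It shows two points the slides make only in words: the two directions of one TCP connection become two flows, and a packet arriving after the inactive timeout starts a new flow record with the same key. Field names and the 15-second inactive timeout are assumptions for the example.

```python
from dataclasses import dataclass

# The 7 NetFlow keys from slide 31
FLOW_KEYS = ("src_addr", "dst_addr", "src_port", "dst_port", "protocol", "tos", "in_ifindex")

@dataclass
class FlowRecord:
    key: tuple
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0
    tcp_flags: int = 0          # OR of every TCP flag seen in the flow (slide 32: "TCP flags")

class FlowCache:
    """Per-interface flow cache: aggregate packets into unidirectional flows."""

    def __init__(self, inactive_timeout=15.0):
        self.active = {}
        self.expired = []
        self.inactive_timeout = inactive_timeout

    def observe(self, pkt):
        """Account one packet; pkt carries the 7 key fields plus ts, length, tcp_flags."""
        self.expire(pkt["ts"])
        key = tuple(pkt[k] for k in FLOW_KEYS)
        rec = self.active.get(key)
        if rec is None:
            rec = self.active[key] = FlowRecord(key, first_seen=pkt["ts"])
        rec.packets += 1
        rec.octets += pkt["length"]
        rec.last_seen = pkt["ts"]
        rec.tcp_flags |= pkt.get("tcp_flags", 0)
        return rec

    def expire(self, now):
        """Export flows idle longer than the inactive timeout (the ageing step)."""
        idle = [k for k, r in self.active.items() if now - r.last_seen > self.inactive_timeout]
        for key in idle:
            self.expired.append(self.active.pop(key))

    def export_all(self, now):
        self.expire(now)
        self.expired.extend(self.active.values())
        self.active.clear()
        return self.expired

def pkt(ts, src, dst, sport, dport, proto, length, tos=0, iface=1, flags=0):
    return dict(ts=ts, src_addr=src, dst_addr=dst, src_port=sport, dst_port=dport,
                protocol=proto, tos=tos, in_ifindex=iface, length=length, tcp_flags=flags)

# Constructed packet stream: one HTTP connection (both directions), one DNS query,
# and a late FIN on the HTTP connection after the flow has aged out.
SAMPLE_PACKETS = [
    pkt(0.00, "10.1.1.5", "10.2.2.10", 40000, 80, 6, 60, iface=1, flags=0x02),    # SYN
    pkt(0.01, "10.2.2.10", "10.1.1.5", 80, 40000, 6, 60, iface=2, flags=0x12),    # SYN/ACK
    pkt(0.02, "10.1.1.5", "10.2.2.10", 40000, 80, 6, 52, iface=1, flags=0x10),    # ACK
    pkt(0.03, "10.1.1.5", "10.2.2.10", 40000, 80, 6, 500, iface=1, flags=0x18),   # PSH/ACK request
    pkt(0.20, "10.2.2.10", "10.1.1.5", 80, 40000, 6, 1500, iface=2, flags=0x18),  # PSH/ACK response
    pkt(5.00, "10.1.1.7", "10.1.100.53", 53123, 53, 17, 78, iface=1),             # DNS query (UDP)
    pkt(30.0, "10.1.1.5", "10.2.2.10", 40000, 80, 6, 52, iface=1, flags=0x11),    # FIN/ACK after idle
]

def summarize(packets, inactive_timeout=15.0):
    """Run the packets through a cache and return the exported flows, oldest first."""
    cache = FlowCache(inactive_timeout)
    for p in packets:
        cache.observe(p)
    flows = cache.export_all(packets[-1]["ts"])
    return sorted(flows, key=lambda r: r.first_seen)

if __name__ == "__main__":
    for f in summarize(SAMPLE_PACKETS):
        print(f.key, "pkts=%d octets=%d flags=0x%02x" % (f.packets, f.octets, f.tcp_flags))
```

The same structure is what a collector sees on the receiving side of the export, which is why unidirectional records have to be paired up again before a conversation-level view (client/server, request/response) is possible.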

Slide 33: NetFlow Related Applications
- Flow profiling, accounting/billing, network planning, network monitoring
(Figure: NetFlow data export from devices and an RMON probe to flow collectors, then to the management application and end-user information)

Slide 34: Evolution of Data Exchange Standards
- SQL interfaces are subject to schema redefinition
- XML makes it easier to exchange data between computer systems
- Organizations rarely use a standardized set of tools
- Need to define a common data model!
- Structured data can be exchanged without APIs

Slide 35: CIM Components
(Figure: CIM Specification v2.0, v2.1, v2.2 and CIM Schema v2.1, v2.2, v2.3, v2.4; MOF parser and editor with output to HTML, SQL, Visio, ASCII)
- Meta model; core schema; common schemas: system, applications, physical (DEN), device, logical network (DEN), user, policy (DEN), QoS (DEN), IPSec (DEN); extension schema; DEN LDAP mappings

Slide 36: Transporting CIM: XML!
- XML = eXtensible Markup Language
- Over HTTP, XML enables access to CIM objects
- Enables mixed-vendor, distributed server environments!
(Figure: CIM data carried over HTTP/HTTPS)

Slide 37: XML Components: What makes up XML?
- XML document
- XML interpreter or parser
- Document Type Definition (DTD)

Slide 38: CIM Example: Inventory Data

    ////////////////////////////////////////////////////////
    // Device: nmcpw1601.cisco.com
    ////////////////////////////////////////////////////////
    instance of DEN_NetworkElement {
        DeviceId = "133";
        CommonName = "nmcpw1601";
        DNSName = "cisco.com";
        Description = "";

Slide 39: Agenda (repeated), next section: Designing for Network Management

Slide 40: Designing for Management: Redundant Infrastructure
- High availability management
- Completely separates management from user data
- Management link is in a separate subnet, VLAN, and switch
- Higher assurance for management data delivery during congestion or convergence
(Figure: SNMP manager and managed devices on a dedicated management subnet, addresses 10.1.100.10 through 10.1.100.15)

Slide 41: Management Station Performance
- How fast is fast, and how slow is slow?
- Check browsers, virus scan options, Java releases...
- Customize views
- Server CPU, client RAM (and CPU)
- Be aware of the number of managed devices
- Be aware of the number of functions
- Don't ask for information you won't look at!

Slide 42: Integration and Growth Issues
- What happens when you need to run more applications?
- Is the OS supported?
- CPU or memory constraints?
- Conflicting databases?
- Conflicting ports used?
- Multi-user access?
(Figure: applications sharing one management server: CW2000, Service Mgmt, CiscoSecure, HP NNM, QoS Policy Manager, DNS/DHCP, CiscoWorks Blue, Cisco Voice Manager, MRTG, customer specific)

Slide 43: Centralized Network Management Architecture
(Figure: central NMS with a centralized database; NMS queries from the central NMS to sites A, B and C across the enterprise network)

Slide 44: Hierarchical Network Management Architecture
(Figure: central DB server NMS; client NMS at sites A, B and C answer local queries; NMS-to-NMS communication across the enterprise network)

Slide 45: Distributed Network Management Architecture
(Figure: peer NMS with a local DBC at each of sites A, B and C; local queries; NMS-to-NMS communication across the enterprise network)

Slide 46: Micromuse NetCool Architecture (figure)
- Probes (M): SNMP, CMIP, ASCII (TL1), logfiles, DB, API, FW-1, Fusion, ISM, NTSM
- Info Server with de-duplication; automations (triggers, actions: internal actions, external actions)
- Gateways (G): Info Server, Trouble Ticket, RDBMS
- Desktops: Motif/NT desktop event list; WWW server with web browser event list (Jeld); Infoive View; CNM View
- Reporter, Impact

Slide 47: Internet OSS Element Management and Network Management Framework
- Integrated management applications: Authorization, Authentication, Provisioning, Fault Manager, DHCP, DNS, QoS policy, Billing Server, Directory, Bandwidth
- Integration bus / middleware / northbound APIs (integration bus and middleware services)
- Network elements and intelligent agents ... intelligent network services

Slide 48: Agenda (repeated), next section: Best Practices

Slide 49: Monitor Critical Links, Forget the Rest
- Define key infrastructure aggregation ports
- Set up statistics collection (RMON)
- Monitor "away" from the core
- Enable traps for link failure and thresholds
- Monitor for performance and fault conditions
(Figure: remote offices, corporate network, servers)

Slide 50: NTP
- NTP helps correlate information
- Defined in RFC 1305
- Used to synchronize system clocks on network devices with an authoritative time source
- Essential for manual troubleshooting via Syslog
- Client/server, unicast or multicast options

Slide 51: NTP: Use Two Clock Sources
(Figure: time negotiation across the Internet with authoritative clocks ntp.nasa.gov (143.232.55.5) and tick.usnogps.navy.mil (204.34.198.40); stratum 2 routers RTR A (c75xx), RTR B and RTR C peer with each other; stratum 3 routers RTR 1 ... RTR n use the stratum 2 routers as servers)

Stratum 2 router 192.168.100.1:
    ntp server 143.232.55.5
    ntp server 204.34.198.40
    ntp peer 192.168.100.2
    ntp peer 192.168.100.3
    ntp update-calendar

Stratum 2 router 192.168.100.2:
    ntp server 143.232.55.5
    ntp server 204.34.198.40
    ntp peer 192.168.100.1
    ntp peer 192.168.100.3

Stratum 2 router 192.168.100.3:
    ntp server 143.232.55.5
    ntp server 204.34.198.40
    ntp peer 192.168.100.1
    ntp peer 192.168.100.2

Stratum 3 routers RTR 1 ... RTR n:
    ntp server 192.168.100.1
    ntp server 192.168.100.2
    ntp server 192.168.100.3

Slide 52: AAA/TACACS+: Who Can Do What?
- Authentication, Authorization, and Accounting
- TACACS+ available in routers and switches; allows for centralized username/password/privilege administration
- Removes the requirement of having to configure hundreds of routers/switches when a user leaves
- Allows for accountability when each user has their own login ID
- AAA implementation case study: http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/aaaisg/index.htm

Slide 53: DNS: Know What You're Looking At
- At a minimum, put your router loopback addresses and switch sc0 interface address in DNS
- Set hostname to match the DNS node name
- Forward/reverse lookups for interfaces?

Slide 54: Limit SNMP Abuse
- SNMP should only be accessible to the NMS
- Use ACLs where appropriate
- Use SNMPv3 where available
- Limit available SNMP data with "views"

Slide 55: Community Strings / Privacy (figure)

Slide 56: SNMP Views
(Figure: MIB tree with the subtrees mib-2, interfaces, ipRouteTable, bgp, enterprises, rttmon)

Slide 57: SNMP Views
(Figure: the view restricted to the subtrees enterprises, rttmon, interfaces, bgp, ipRouteTable)

Slide 58: Conserve Bandwidth
- snmpwalk of ipRouteTable with an snmp-server view enabled
- Cisco 2621 with 64 MB RAM and 4000 routes (EIGRP)
- snmpwalk would have run for 25 1/2 minutes unrestricted

Slide 59: Conserve Device Resources: SNMP Access
- Restrict access to certain MIBs
- Some NM apps poll IP route tables and ARP caches; this can cause high CPU load on low-end routers with many route entries
- Use "snmp-server view" statements
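Slides 54 and 56 to 59 recommend SNMP views to keep a poller away from ipRouteTable and other expensive subtrees. The evaluator below is an added example (not IOS code): it models a view as a list of included/excluded OID subtrees, decides each requested OID by the most specific matching subtree, and filters a constructed walk the way the agent would. The rule list is constructed in the spirit of slides 56 and 57; the semantics (longest match wins, no match means not in the view) are an assumption for the example, and the standard OIDs used (ipRouteTable 1.3.6.1.2.1.4.21, bgp 1.3.6.1.2.1.15, ciscoRttMonMIB 1.3.6.1.4.1.9.9.42) are stated here so they can be checked against the MIB files.

```python
# IOS syntax from the slides: snmp-server view NAME OID-TREE included|excluded
# Constructed view: expose mib-2 and the SA Agent MIB, hide the route table, bgp and
# everything else under enterprises.
VIEW_RULES = [
    ("mib-2",        "1.3.6.1.2.1",        "included"),
    ("ipRouteTable", "1.3.6.1.2.1.4.21",   "excluded"),   # keep route-table walks off the router
    ("bgp",          "1.3.6.1.2.1.15",     "excluded"),
    ("enterprises",  "1.3.6.1.4.1",        "excluded"),
    ("rttmon",       "1.3.6.1.4.1.9.9.42", "included"),   # CISCO-RTTMON-MIB (SA Agent data)
]

def oid_in_subtree(oid, subtree):
    """True if oid equals subtree or lies below it (arc-by-arc prefix, not string prefix)."""
    o, s = oid.split("."), subtree.split(".")
    return o[:len(s)] == s

def matching_rule(rules, oid):
    """The most specific (deepest) rule whose subtree contains oid, or None."""
    best = None
    for rule in rules:
        name, subtree, action = rule
        if oid_in_subtree(oid, subtree) and (best is None or subtree.count(".") > best[1].count(".")):
            best = rule
    return best

def view_allows(rules, oid):
    rule = matching_rule(rules, oid)
    return rule is not None and rule[2] == "included"

def filter_walk(rules, oids):
    """Split a requested walk into (served, refused) lists, as the agent's view would."""
    served = [o for o in oids if view_allows(rules, o)]
    refused = [o for o in oids if not view_allows(rules, o)]
    return served, refused

# Constructed walk: the OIDs a poller might ask for, mixed across subtrees
SAMPLE_WALK = [
    "1.3.6.1.2.1.1.3.0",               # sysUpTime.0
    "1.3.6.1.2.1.2.2.1.10.1",          # ifInOctets.1
    "1.3.6.1.2.1.4.20.1.1.10.1.1.1",   # ipAddrTable entry (under ip, still allowed)
    "1.3.6.1.2.1.4.21.1.1.10.0.0.0",   # ipRouteTable entry (excluded)
    "1.3.6.1.2.1.15.3.1.2.10.2.2.2",   # bgpPeerState (excluded)
    "1.3.6.1.4.1.9.9.42.1.2.9.1.1.5",  # rttmon statistics (included)
    "1.3.6.1.4.1.9.2.1.58.0",          # other cisco enterprise object (excluded)
    "1.3.6.1.3.1",                     # experimental: no rule, not in view
]

if __name__ == "__main__":
    served, refused = filter_walk(VIEW_RULES, SAMPLE_WALK)
    print("served :", served)
    print("refused:", refused)
```

The practical check after configuring a view is exactly this: walk the agent from the NMS and confirm the route-table OIDs come back as no-such-object rather than as 4000 rows.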

Slide 60: Polling vs. Notifying
- Polling: the NMS asks for status
- Notifying: the device actively notifies the NMS of problems
- Two types of notifications: Trap (unreliable, no state retained) and INFORMs

Slide 61: Be Careful! Set the Polling Interval Wisely
- Bandwidth issues on lower speed links
- Cost of queries
Example: 1 manager, multiple managed devices; 64 Kb access link; 1 request = 1 KB packet (avg.); 1 poll = getreq + getresp = 2 KB; assume 1 object polled per managed device

Network % of bandwidth utilized, by polling interval in seconds:

  # of polled stations    5 s     10 s    20 s    30 s
  10                      50      25      12.5    8.3
  20                      100     50      25      16
  30                      150     75      37      25
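The table above follows from one formula: polled stations times 2 KB per poll, divided by the interval, as a share of the 64 Kb link. The functions below are an added example (not from the slides) that reproduce the table from that formula and invert it, so the planner can ask the question the slide leaves implicit: given N devices on a link of a given speed, what is the slowest-acceptable polling interval for a target share of the link? K = 1024 is assumed for both KB and Kb so the ratio matches the slide's figures.

```python
K = 1024  # assumed: 1 KB = 1024 bytes, 1 Kb = 1024 bits (the ratio is what matters)

def polling_utilization(devices, interval_s, link_kbps=64, poll_kb=2, objects=1):
    """Percent of the link consumed by polling traffic (getreq + getresp per object)."""
    bits_per_interval = devices * objects * poll_kb * K * 8
    return 100.0 * bits_per_interval / interval_s / (link_kbps * K)

def min_interval(devices, max_utilization_pct, link_kbps=64, poll_kb=2, objects=1):
    """Smallest polling interval (seconds) that keeps polling under the given share of the link."""
    bits_per_interval = devices * objects * poll_kb * K * 8
    return bits_per_interval / (link_kbps * K * max_utilization_pct / 100.0)

def utilization_table(device_counts=(10, 20, 30), intervals=(5, 10, 20, 30), **kw):
    """Rebuild the slide's table: {devices: {interval: percent}}, rounded to one decimal."""
    return {d: {i: round(polling_utilization(d, i, **kw), 1) for i in intervals}
            for d in device_counts}

if __name__ == "__main__":
    for devices, row in utilization_table().items():
        print(devices, " ".join("%5.1f%%" % row[i] for i in sorted(row)))
    # Planning question: 30 devices, 5 objects each, keep polling under 10% of a 64 Kb link
    print("min interval:", min_interval(30, 10, objects=5), "s")
```

Once more than one object is polled per device the interval grows linearly, which is the argument slides 62 and 63 make for trap-based polling with RMON thresholds instead of fixed-interval polling.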

Slide 62: Cost of Traps
- No queries
- But you may need to poll for other reasons (performance metrics)
- SMART polling engines can really make the difference!

Slide 63: Benefit of Traps
- Use trap-based polling
- Use RMON to define traps
- Use RMON to set thresholds
- Use RTT-Mon traps for timeouts, thresholds, connection changes

Slide 64: WAN Overload!
(Figure: device duplicates crossing the WAN)
- Limit the amount of information

Slide 65: Fault Correlation
- Remove duplicates and correlate
(Figure: WAN)

Slide 66: Fault Correlation: Hierarchical Mechanisms (figure)
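Slides 64 to 66 give the two steps, de-duplication and hierarchical correlation, without showing them. The correlator below is an added example (not NetCool's or any Cisco product's logic): it collapses repeated (source, event) pairs inside a time window into a counter on the first record, and uses a constructed containment topology to mark a device's "unreachable" event as a symptom when something upstream of it is already down. The topology, the event stream, the event names and the 60-second window are all constructed for the example.

```python
DOWN_EVENTS = {"linkDown", "nodeUnreachable"}

# Constructed containment topology: child -> the thing it is reached through
TOPOLOGY = {
    "branch-rtr-1": "wan-link-A",
    "branch-sw-1": "branch-rtr-1",
    "branch-sw-2": "branch-rtr-1",
    "hq-core-1": None,
}

# Constructed event stream: (timestamp in seconds, source, event)
EVENTS = [
    (0,   "wan-link-A",   "linkDown"),
    (1,   "branch-rtr-1", "nodeUnreachable"),
    (1,   "branch-rtr-1", "nodeUnreachable"),   # duplicate trap
    (2,   "branch-sw-1",  "nodeUnreachable"),
    (2,   "branch-sw-2",  "nodeUnreachable"),
    (3,   "branch-sw-1",  "nodeUnreachable"),   # duplicate within the window
    (4,   "hq-core-1",    "highCpu"),            # unrelated, must still be raised
    (120, "branch-rtr-1", "nodeUnreachable"),   # outside the window: new occurrence
]

def upstream_cause(src, topology, down):
    """Walk toward the root; the highest ancestor that is down explains src."""
    cause, node = src, topology.get(src)
    while node is not None:
        if node in down:
            cause = node
        node = topology.get(node)
    return cause

def correlate(events, topology, window=60):
    """De-duplicate within window, then tag each record as root cause, symptom or alert."""
    last = {}       # (source, event) -> index of its most recent record in out
    down = set()    # sources currently known to be down
    out = []
    for ts, src, ev in sorted(events):
        key = (src, ev)
        if key in last and ts - out[last[key]]["ts"] <= window:
            out[last[key]]["duplicates"] += 1        # count the repeat, do not re-alert
            continue
        rec = {"ts": ts, "source": src, "event": ev, "duplicates": 0, "status": "alert"}
        if ev in DOWN_EVENTS:
            down.add(src)
            cause = upstream_cause(src, topology, down)
            rec["status"] = "root cause" if cause == src else "symptom of " + cause
        out.append(rec)
        last[key] = len(out) - 1
    return out

def actionable(records):
    """What the operator actually sees: root causes and uncorrelated alerts."""
    return [r for r in records if r["status"] in ("root cause", "alert")]

if __name__ == "__main__":
    for r in correlate(EVENTS, TOPOLOGY):
        print("%4d %-13s %-16s dup=%d %s" % (r["ts"], r["source"], r["event"], r["duplicates"], r["status"]))
```

Eight traps become two actionable items: the WAN link failure and the unrelated CPU alarm. The hierarchical variant on slide 66 is the same logic run once at each site before forwarding, so the WAN carries the two items rather than the eight traps.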

Slide 67: Security vs. Trust in the Network
- Ease of access vs. level of security is always a tradeoff
- Every network management feature can be viewed as a security vulnerability
(Figure: balance between manageability / ease of access and security concerns)

Slide 68: Management Traffic: What Options for Securing It?
- In-band clear text
- In-band encrypted
- Out-of-band

Slide 69: Management Protocol Security
- Cleartext transmissions: SNMP, TELNET, RCP, HTTP/XML, TFTP, CORBA, other special/proprietary protocols, etc.

Slide 70: Medium Trust Environment
- Higher concern for protecting managed devices from unauthorized access
- Standard cleartext-based protocols may still be acceptable
- Restrict access to devices as appropriate: access lists / ip permit lists for SNMP and TELNET; AAA for device access via TELNET

Slide 71: Low Trust Environment: Encryption of Management Traffic Needed
- Some protocols have a secure option: SNMP: SNMPv3; TELNET: SSH; HTTP: SSL/HTTPS; RCP: SSH/SCP
- But what about TFTP: ? CORBA: ?

Slide 72: Low Trust Environment: Encryption of Management Traffic Needed
- IPSec / VPN tunnels
- Can cover ALL management protocols
- Useful for connections across a public WAN between sites
- Possible consideration for management of individual devices (if all devices support IPSec)

Slide 73: Network Management Subnet
- Network management subnet for all NMS hosts and tools
- Security point to control access to the subnet: firewall
- VPN aggregation point
(Figure: NMS subnet behind a firewall, with a VPN to the corporate intranet)

74 Firewall Issues
Need to consider not only traffic between the management workstation and devices, but also between the management workstation and clients (management users)
May be possible to filter based on ports
Some products break—tools choose free ports at random (CORBA, some other client and server architectures)
Try telling the firewall to permit a larger port range from the management station

75 Firewall Issues
NAT—no general solution for SNMP
Common workaround is a multihomed management station or a DMZ when it is necessary for one server to manage both “inside” and “outside” addresses
(Diagram: NAT, DMZ, NMS, Outside, Inside)

76 Agenda
Motivation for Network Management
Evolution of Basic Technologies
Designing for Network Management
Best Practices
Policy Management
Summary and Recommended Reading

77 Define your Policies
Policies are goal statements
Implementing policies: conditions and actions
Conditions:
  Packet header
  External conditions
  User
Actions:
  Filter rules
  Encryption requirements
  Quality of service requirements

78 Define Methods and Metrics
Sampling method: Synthetic vs. Observed
Collection method: Embedded agents vs. External probes
Scope of measurement: Device/Link vs. End-to-End/Path
Perspective of measurement: User vs. Network

79 Defining Demarcations
(Diagram: Corp. HQ/Data Center, Regional Aggregation, Retail Branch; Service Provider Domain 1, Service Provider Domain 2, Enterprise Domain, Other Domains; Network Hardware, Workstation Hardware, Application Software, Etc.; SA Agent SP1, SA Agent SP2)

80 Example Policy
If service is HTTP
  if destination is S
    if source is H
      service level = Premium
      permit
    else if source is N1 or N4
      permit
      if source is N4
        use tunnel
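Slide 77 describes a policy as conditions (packet header, external conditions, user) plus actions (filter rules, encryption requirements, quality of service), and slide 80 gives one nested example. The Python below is an added example, not code from the presentation or from any Cisco product: it flattens that nested policy into an ordered, first-match rule table of the kind a policy server pushes to devices, and evaluates constructed flows against it. S, H, N1 and N4 are only names on the slide; the addresses assigned to them here, the `Flow` and `Actions` types, and the deny-by-default outcome for unmatched flows are assumptions of this example.

```python
"""Policy = conditions + actions: the slide's example policy as an ordered
rule table evaluated against constructed flows (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

# The slide names S, H, N1 and N4 but gives no addresses; these are assumptions.
S = ipaddress.ip_address("10.1.1.80")      # destination server
H = ipaddress.ip_address("10.2.0.5")       # host granted Premium service
N1 = ipaddress.ip_network("10.10.0.0/16")  # network 1: permitted
N4 = ipaddress.ip_network("10.40.0.0/16")  # network 4: permitted, must use a tunnel


@dataclass
class Flow:
    """Packet-header conditions the policy tests (slide 77: 'Packet header')."""
    src: str
    dst: str
    service: str  # application service such as "HTTP"; assumed derived from the port


@dataclass
class Actions:
    """The three action types on slide 77, plus whether any rule fired."""
    permit: bool = False                 # filter rule
    service_level: Optional[str] = None  # quality-of-service requirement
    use_tunnel: bool = False             # encryption requirement
    matched: bool = False                # False: no rule fired, default applies


@dataclass
class Rule:
    name: str
    condition: Callable[[Flow], bool]
    actions: Actions


def _http_to_s(f: Flow) -> bool:
    """The two outer conditions shared by every branch of the slide's policy."""
    return f.service == "HTTP" and ipaddress.ip_address(f.dst) == S


# The nested policy flattened into first-match rules. Order matters: the
# slide tests 'source is H' before 'source is N1 or N4', and the N4 branch
# carries the extra 'use tunnel' action, so it gets its own rule.
POLICY: List[Rule] = [
    Rule("http-to-S-from-H",
         lambda f: _http_to_s(f) and ipaddress.ip_address(f.src) == H,
         Actions(permit=True, service_level="Premium", matched=True)),
    Rule("http-to-S-from-N4",
         lambda f: _http_to_s(f) and ipaddress.ip_address(f.src) in N4,
         Actions(permit=True, use_tunnel=True, matched=True)),
    Rule("http-to-S-from-N1",
         lambda f: _http_to_s(f) and ipaddress.ip_address(f.src) in N1,
         Actions(permit=True, matched=True)),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Actions:
    """Return the actions of the first matching rule. The slide leaves the
    unmatched case unstated; this example assumes deny-by-default."""
    for rule in policy:
        if rule.condition(flow):
            return rule.actions
    return Actions()


if __name__ == "__main__":
    # Constructed sample flows, one per branch plus two that match nothing.
    for f in (Flow("10.2.0.5", "10.1.1.80", "HTTP"),
              Flow("10.40.9.9", "10.1.1.80", "HTTP"),
              Flow("10.10.3.3", "10.1.1.80", "HTTP"),
              Flow("10.99.1.1", "10.1.1.80", "HTTP"),
              Flow("10.2.0.5", "10.1.1.80", "SMTP")):
        print(f, "->", evaluate(f))
```

Flattening the nested statement into ordered rules is what makes the policy deployable: each rule maps onto one filter, QoS or tunnel entry on a device, and the first-match order reproduces the precedence the nesting expressed.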

81 Policy-Based Networking: Directory Enabled Networking - Why?
(Diagram: Network Device Layer with IP Routing Protocols (OSPF, BGP4, PIM, PGM, L2TP, MPLS, other...), Operating System Services and Applications (SAP, Oracle, Call Center, Voice, Video, Distance Learning, Conferencing), each relying on a Directory for Name Resolution, Location, Authentication and Authorization; DEN Services: QoS, Voice, DNS, DHCP, Security)

82 Benefits of Directory Enabled Networks
Directory Enabled Network Services for Enterprise Customers, Service Providers, End-Users and Application Developers:
Rapidly create, provision and deploy advanced networking services on a per-user basis
Centralized management of network resources
Single network logon
Personalized network services
Easy access to advanced network services
Develop network-aware applications using standard development interfaces and tools
Protect mission-critical traffic
Simplify and enhance network management and provisioning

83 Directory Protocols
LDAP—standards-based query/update
Kerberos—standard token-based authentication
ADSI—Active Directory Service Interface (Microsoft AD)
NDS/NDK—Novell Directory Services

84 QPM Architecture
(Diagram: QPM management consoles and distributed QPM policy servers with a QPM server policy database; LDAPv3 directories (Active Directory, Sun/Netscape, NDS, ...); CiscoWorks 2000 device data import; Cisco CNR DHCP, ...; Cisco / 3rd-party apps; data, voice, video applications; RSVP and DiffServ; Cisco Intelligent Network reached via CLI, SNMP, COPS)
Policy & configuration management via CLI and COPS
DiffServ and RSVP QoS standards
Directory-enabled, user-based policies
Export policies
DEN / CIM compliant
CiscoWorks 2000 device import

85 Common Open Policy Service
Benefits of COPS:
  Policing & aggregate policies for RSVP
  Multi-vendor, standards-based interoperability
  Simplified support of new / upgraded devices
  Policy abstraction of device specifics
Standards:
  COPS-RSVP is a standard
  COPS-PR not yet an IETF RFC

86 Agenda
Motivation for Network Management
Evolution of Basic Technologies
Designing for Network Management
Best Practices
Policy Management
Summary and Recommended Reading

87 Summary
Network Management is key to productivity
Networks evolve – so do NMS technologies
Design your NMS to support your goals
Choose suitable architectures and tools
Define Methods and Metrics
Integrate

88 Recommended Reading
Performance and Fault Management, Paul Della Maggiora et al., Cisco Press, 2000, ISBN 1-57870-180-5
SNMP, SNMPv2, SNMPv3 and RMON 1 and 2, Third Edition, William Stallings, Addison Wesley Longman, Inc.
Network Management: A Practical Perspective, Leinwand and Fang Conroy
Network Management: Principles and Practice, Subramanian
How to Manage Your Network Using SNMP: The Networking Management Practicum, Rose and McCloghrie

89 Some useful Links
http://www.telecommagazine.com/
http://www.osswatch.com/
http://www.billingworld.com/
http://www.tmforum.org/
http://www.ietf.org/
http://www.ietf.org/html.charters/wg-dir.html#Operations_and_Management_Area
http://dmtf.org/
http://www.simple-times.org/
http://www.snmpworld.com/
http://www.stardust.com/policy/index.htm
http://dmoz.org/Computers/Software/Networking/Network_Performance/RMON_and_SNMP/
http://joe.lindsay.net/webbased.html
http://joe.lindsay.net/javamgmt.html
http://netman.cit.buffalo.edu/index.html

90 Questions?
