Policy-Based Management with SNMP and Comparison with COPS-PR
Steve Waldbusser
waldbusser@nextbeacon.com
5/16/01

Policy Based Management
A policy binds an action (simple or complex) to a filter rule that determines what elements the action should be applied to
I.e. if (an element has certain characteristics) then (apply operation to that element)
Alternately: if (policyFilter) then (policyAction)

A Conceptual policy
[Figure: network elements, each labeled with attributes such as Trunk or Access, media type, service class and speed (for example Trunk Ethernet Gold 100Mb, Trunk ATM Gold 45Mb, Access Ethernet Silver 10Mb, Access Frame 128Kb). The filter "Trunk AND Ethernet AND 100Mb" selects three elements (Trunk Ethernet Gold 100Mb, Trunk Ethernet 100Mb, Trunk Ethernet Silver 100Mb), and "Autonegotiate Off" is applied to each.]

A Conceptual policy
[Figure: the same labeled network elements. The filter "Ethernet AND Access AND Gold" selects four Access Ethernet Gold elements (three at 10Mb, one at 100Mb), and "DSCP = 5" is applied to each.]

The Policy-Based Management MIB
The Policy Management MIB (PM MIB) provides a way to describe and install policies for any domain:
– QOS
– Security
– Routing
– etc.
PM MIB Policies can manage any type of element
– Interfaces
– Circuits
– Queues
– Processes
– Software
– others...

PM MIB Goals
Leverage existing infrastructure and tools
– Resulting simplicity will accelerate time to market
Leverage existing MIBs
– Don’t start from scratch in our data models
Flexibility for real-world policy
– Simple or complex filters
– Simple or complex actions
Meet operational requirements
– Policy-based management is *very* different
– End-users will need new tools and practices

Policy Operation
[Figure: policies, each a PolicyFilter paired with a PolicyAction, operating on existing SNMP MIBs]
Policies:
PolicyFilter: ifType == FastEthernet && roleString == trunk
PolicyAction: fullDuplexMode = ON
PolicyFilter: ifType == Ethernet && roleString == GOLD
PolicyAction: Set QOS parameters to provide EF PHB
(Usually local operations in which SNMP packets on network are unnecessary)

Elements of the Policy MIB Architecture
PolicyScript Language
– Interpreted language that policy filters and actions are expressed in
Accessor Function Library
– Standard set of library functions available for PolicyScript code
PM MIB
– Objects and attributes that describe policies, schedules and supporting information

PolicyScript Language
Least Common Denominator of C, Perl, C++, TCL, Python, and Javascript
No pointers, structures, typed variables, objects, classes, etc.
Does contain expressions, variables, looping

Accessor Function Library
Library of 41 standard functions for policy processing
– Convenience SNMP Functions
  • getvar, exists, setvar, searchcolumn, setRowStatus, counterRate, ...
– General SNMP Functions
  • newPDU, readVar, writeVar, snmpsend
– Policy Functions
  • roleMatch, elementName, setScratchPad, getScratchPad, signalException, getParameters
– Utility Functions
  • regexp, regexp_replace, oidlen, oidncmp, insubtree, subid, substr, ...
– Library Functions
  • strncmp, strncasecmp, strlen, random, sprintf, sscanf
Extensible
– Vendors and others can add new accessor functions (e.g., setCLI())

policyFilter PseudoCode
Pseudocode:
  (is an ethernet
   AND is operational
   AND gets gold or silver service)
Scripted As:
  (getvar("ifType.$*") == ethernet-csmacd
   && getvar("ifOperStatus.$*") == up
   && (roleMatch("gold") || roleMatch("silver")))

Execution Example
Filter:
  (getvar("ifType.$*") == ethernet-csmacd
   && !(roleMatch("gold") || roleMatch("silver")))
Action:
  setvar("ifAdminStatus.$*", down(2), Integer)
Element table before the policy runs:
| Index | Type     | Roles  | AdminStatus |
| 1     | Ethernet | Gold   | Up          |
| 2     | Frame    | Gold   | Up          |
| 3     | Ethernet |        | Up          |
| 4     | Ethernet | Silver | Up          |
| 5     | Ethernet | Silver | Up          |
Element table after the policy runs:
| Index | Type     | Roles  | AdminStatus |
| 1     | Ethernet | Gold   | Up          |
| 2     | Frame    | Gold   | Up          |
| 3     | Ethernet |        | Down        |
| 4     | Ethernet | Silver | Up          |
| 5     | Ethernet | Silver | Up          |
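
The Execution Example above, worked as an added Python sketch (not code from the slides or from the PM MIB): a toy evaluator that binds `$*` to each element in turn and runs the action only where the filter matched. The `Context` class, `run_policy` and its `dry_run` flag are assumptions of this sketch; the dry run answers the deck's question "will this filter match the proper elements?" before anything is changed.

```python
# Added example, not PM MIB or PolicyScript code: a toy evaluator for the slide's policy.
ETHERNET, FRAME = "ethernet-csmacd", "frame"   # "frame" is a constructed label
UP, DOWN = 1, 2                                # IF-MIB ifAdminStatus: up(1), down(2)

def make_elements():
    """Element table from the Execution Example slide, keyed by ifIndex."""
    return {
        1: {"ifType": ETHERNET, "roles": {"gold"},   "ifAdminStatus": UP},
        2: {"ifType": FRAME,    "roles": {"gold"},   "ifAdminStatus": UP},
        3: {"ifType": ETHERNET, "roles": set(),      "ifAdminStatus": UP},
        4: {"ifType": ETHERNET, "roles": {"silver"}, "ifAdminStatus": UP},
        5: {"ifType": ETHERNET, "roles": {"silver"}, "ifAdminStatus": UP},
    }

class Context:
    """Accessor functions bound to one element; the bound index stands in for "$*"."""
    def __init__(self, elements, index, dry_run):
        self.row, self.dry_run = elements[index], dry_run

    def _column(self, oid):
        name, _, suffix = oid.partition(".")
        if suffix != "$*" or name not in self.row or name == "roles":
            raise KeyError(f"unsupported object in this sketch: {oid}")
        return name

    def getvar(self, oid):
        return self.row[self._column(oid)]

    def roleMatch(self, role):
        return role.lower() in self.row["roles"]

    def setvar(self, oid, value, vartype="Integer"):
        column = self._column(oid)
        if not self.dry_run:            # a dry run reports matches and changes nothing
            self.row[column] = value

def policy_filter(ctx):
    return (ctx.getvar("ifType.$*") == ETHERNET
            and not (ctx.roleMatch("gold") or ctx.roleMatch("silver")))

def policy_action(ctx):
    ctx.setvar("ifAdminStatus.$*", DOWN, "Integer")

def run_policy(elements, flt, action, dry_run=False):
    """Evaluate the filter once per element; run the action only where it matched."""
    matched = []
    for index in sorted(elements):
        ctx = Context(elements, index, dry_run)
        if flt(ctx):
            action(ctx)
            matched.append(index)
    return matched
```

Run with `dry_run=True` first: a filter that drops the role exclusion matches elements 1, 3, 4 and 5 instead of only 3, which is visible before any port is shut.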

Example Policy
Web Hosting Provider gives shell accounts but prohibits long-running programs
Filter:
  // if it's an application and it's
  // consumed more than 5 minutes of CPU time
  (getvar("hrSWRunType.$*") == 4             // app, not OS or driver
   && getvar("hrSWRunPerfCPU.$*") > 30000)   // 30000 centi-seconds = 300 seconds
Action:
  // Kill it
  setvar("hrSWRunStatus.$*", invalid(4), Integer); // invalid(4) kills it

MIB Objects
Policy Table: Contains filter, action, scheduling info, execution instructions, debugging info, etc.
– Policy installation consists of creating rows in this table
| Index | PolicyFilter | PolicyAction | Description |
| 1 | (ifType == ethernet && !roleMatch("connected")) | IfAdminStatus = off | For security reasons, shut off all unused ports |
| 2 | (ifType == ethernet && capMatch("DSCP") && roleMatch("Gold")) | diffServ6tupleDSCP = 13; diffservclassifierNext = 2MbpsMeter; … | Give gold service to all ethernets that have been marked for gold service. Works for DSCP interfaces. |
| 3 | (sysOID == acmeRouter* && roleMatch("Access")) | AcmeMIBLoadImage = "RouterCode12.exe"; | Load stable image in all access routers made by Acme. |
...
Other Tables in PM MIB for scheduling, roles and capabilities, operational tools, debugging, etc.

Protocol Interaction
Initial Configuration
Manager -> Managed System: Config Req (Get/Getnext)
Managed System -> Manager: Config Data
Manager -> Managed System: Policy Installation (Set)
Managed System -> Manager: Ack
No Polling
No Traps

Protocol Interaction
Policy Change
Manager -> Managed System: Policy Install/Modify (Set)
Managed System -> Manager: Ack
No Polling
No Traps

Protocol Interaction
Config State Change
Managed System -> Manager: State Change (Inform)
Manager -> Managed System: Ack
Manager -> Managed System: Policy Install/Modify (Set)
Managed System -> Manager: Ack
No Polling
No Traps

Features of Policy MIB
Scripting
– Very flexible and understandable way to express policy
– IT Personnel like the power of scripting
– Much more flexible than string matching
Policies based on operational status
– Capabilities, status of interface, utilization, etc.
– Allows much richer sets of policies than using human-input strings
Scheduling
– Business calendars: “M-F 9-5” or “Last Friday of every month”
– Videoconference from 12PM to 1PM
Conflict resolution
– Follows a precedence tree to find best policy in case of conflict
– COPS punts conflict resolution to the manager
Error Recovery
– Scripting allows you to fall back to an alternate mechanism, an alternate policy, or to raise an alarm

Operational Requirements
Tools for Policy Creation
– Need to allow an engineer to test a policy
– Answer question: will this filter match the proper elements?
Tools for Ongoing Operations
– Notifications if a policy undergoes errors
– When debugging a problem, want to know: what policies are managing this element
– May want to disable a policy on an element so operator can take back control (“limp-home mode”) until policy is fixed
  • Must document this ad-hoc decision

Advantages of the PM MIB
Built with existing infrastructure and tools
Leverages existing MIBs
Flexibility
Complete Architecture
– Includes operational tools