Policy-Based Management MIB
Steve Waldbusser
Jon Saperia
Thippanna Hongal
Infrastructure
SNMP MIBs
Policy Table

| PolicyFilter | PolicyAction |
| --- | --- |
| ifType == FastEthernet && roleString == trunk | fullDuplexMode = ON |
| ifType == Ethernet && roleString == GOLD | Set QOS parameters to provide EF PHB |

Role Table
Capabilities Table
Time Objects
PolicyTable
PmPolicyEntry ::= SEQUENCE {
    pmPolicyIndex        Integer32,
    pmPolicyFilter       OCTET STRING,
    pmPolicyAction       OCTET STRING,
    pmPolicyCalendar     RowPointer,
    pmPolicyDescription  SnmpAdminString,
    pmPolicyMatches      Gauge32,
    pmPolicyStatus       RowStatus
}
Policy Expression Language
Derivative of C
Subsetted by a BNF Grammar
Used for both Filters and Actions
policyFilter PseudoCode
(is an interface
AND is an ethernet
AND is an access port
AND gets gold or silver service)
policyFilter PseudoCode
(!strcmp(ifTable, elementName())
&& getint(ifType.$1) == ethernet-csmacd
&& roleMatch("access")
&& (roleMatch("gold") || roleMatch("silver")))
policyFilter Code
(!strncmp("1.3.6.1.2.1.2.2.1", elementName(), 17)
&& getint("1.3.6.1.2.1.2.2.1.3.$1") == 6
&& roleMatch("access")
&& (roleMatch("gold") || roleMatch("silver")))
policyFilter/Action Example
Filter
(!strcmp(ifTable, elementName())
&& getint(ifType.$1) == ethernet-csmacd
&& roleMatch("connected"))
Action
setint("ifAdminStatus.$1", 2)
OR
setint("1.3.6.1.2.1.2.2.1.7.$1", 2)
Complex Actions
Compound Statements
– setint(OID1, 2); setstring(OID2, "String"); setint(OID3, 5)
Conditional Statements
– (!strcmp(getstring(sysDescr.0), "ACME")
    ? (setint(AcmeQOSKnob1.$1, 17); setint(AcmeQOSKnob2.$1, 2345))
    : (setint(diffServMIBKnob1.$1, 34); setint(diffServMIBKnob2.$1, 754)))
Accessor Functions
getint
getstring
exists
elementName
strcmp
lc_strcmp
roleMatch
capMatch
setint
setstring
setoid
PolicyTable

| Index | policyFilter | policyAction | Description | policyMatches |
| --- | --- | --- | --- | --- |
| 1 | (type == interface && ifType == ethernet && !roleMatch("connected")) | IfAdminStatus = off; | For security reasons, shut off all unused ports | 22 |
| 2 | (type == interface && ifType == ethernet && capMatch("DSCP") && roleMatch("Gold")) | diffServ6tupleDSCP = 13; diffservclassifierNext = 2MbpsMeter; … | Give gold service to all ethernets that have been marked for gold service. Works for DSCP interfaces. | 8 |
| 3 | (type == CPU && sysOID == acmeRouter* && roleMatch("Access")) | AcmeMIBLoadImage = "RouterCode12.exe"; | Load stable image in all access routers made by Acme. | 1 |
Role Table
PmRoleESTable

| element | string | status |
| --- | --- | --- |
| ifIndex.1 | gold | active |
| ifIndex.1 | access | active |
| ifIndex.1 | headquarters | active |
| ifIndex.99 | trunk | active |

Purpose:
Writable table that allows strings to be downloaded to agent
Multiple strings can be assigned to any element
Role Table
PmRoleESEntry ::= SEQUENCE {
    pmRoleESElement  OBJECT IDENTIFIER,
    pmRoleESString   SnmpAdminString,
    pmRoleESStatus   RowStatus
}
PmRoleSEEntry ::= SEQUENCE {
    pmRoleSEString   SnmpAdminString,
    pmRoleSEElement  OBJECT IDENTIFIER
}
Role Table
Accessor Function:
– Need an accessor function for use in policyFilter
– Something like roleMatch("argument")
– Returns true if the element has that role string defined
CapabilitiesTable
index
1
2
3
type subType
WFQ
Pentium
RoundRobinQ
AcmeWFQ
Purpose:
We want policies to be executed only on devices that have certain capabilities
Need those capabilities to be in a MIB so that policy servers can determine which policies to download
Values for type are assigned by the working group
Values for subType are assignable by the implementor
Capabilities Table
Accessor Function:
– Need an accessor function for use in policyFilter
– Something like capMatch("argument")
– Returns true if the element has that capability
NOTE:
– capabilitiesTable not referenced by element
– Only used to determine which filters to download
– On the other hand, capMatch has a per-element resolution
– It must apply policies to only the proper elements
Time
We want policies to be executed only at certain times
Need time to be in a MIB so that filters can read it
Needs to provide two views of time
– Globally consistent (i.e., UTCTime)
– Local “Business Time” (i.e., M-F 9-5 local time)
Time
Three choices:
policyCalendarPtr - points to rfc2591
Accessor Function
– Like: If (dayOfWeek("MTWTF")) then (policyAction)
Three MIB objects
– timeOfDay
– dayofWeek
– dayOfMonth
– ...
– if (timeOfDay.0 > 9 && timeOfDay.0 < 17)
Operational Requirements
Policy Creation
– Need to allow an engineer to “debug” a policy
– policyActions can be debugged in a lab
– Debugging of policyFilters consists of ensuring that the filter selects the intended set of elements (not more, not less)
– Need to see where a policy would be executed
– Table that shows where a policy is executed
• For debugging, set policyAction to no-op
pmPolicyDebugPETable

| PEPolicyIndex | PEElement | PEStatus |
| --- | --- | --- |
| 1 | ifIndex.4 | ON |
| 1 | ifIndex.8 | ON |
| 1 | ifIndex.9 | ON |
| 2 | ifIndex.4 | ON |
| 2 | ifIndex.8 | ON |
Operational Requirements
Troubleshooting in Field
– Engineers will occasionally find that a device is misconfigured due to policy
– Need to find out which policy is causing the misconfiguration
– Need to see where policies are bound
• Table that shows what policies are executed here
Ad-hoc disabling of a policy binding
– Granularity: 1 policy on 1 element
– Turn status off in pmPolicyDebugEPTable
– Need to provide facility so that this is documented in policyServer
pmPolicyDebugEPTable

| PEPolicyIndex | PEElement | PEStatus |
| --- | --- | --- |
| 1 | ifIndex.4 | ON |
| 2 | ifIndex.4 | ON |
| 1 | ifIndex.8 | ON |
| 2 | ifIndex.8 | ON |
| 1 | ifIndex.9 | ON |
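
The debugging workflow from the Operational Requirements slides, as an added example (not code from the presentation): filters are evaluated with the action treated as a no-op, and the result is shown in both the policy-to-element and element-to-policy views. The interface and role data are constructed, and the Python function names are hypothetical stand-ins for the slides' accessor functions.

```python
# Added example: dry-run policy filter evaluation (policyAction treated as a no-op).
# Element and role data are constructed; function names are hypothetical.
from collections import defaultdict

ETHERNET_CSMACD = 6  # ifType value compared against in the slides' filter code

IF_TYPE = {4: 6, 8: 6, 9: 6, 99: 23}  # constructed: ifIndex -> ifType
ROLES = {  # constructed role table rows: (ifIndex, role string)
    (4, "access"), (4, "gold"), (8, "access"), (8, "silver"),
    (9, "access"), (99, "trunk"),
}

def role_match(element, role):
    """Stand-in for roleMatch(): true if the element has that role string."""
    return (element, role) in ROLES

POLICIES = {  # policyIndex -> filter, mirroring filter expressions on the slides
    1: lambda e: IF_TYPE[e] == ETHERNET_CSMACD and not role_match(e, "connected"),
    2: lambda e: (IF_TYPE[e] == ETHERNET_CSMACD and role_match(e, "access")
                  and (role_match(e, "gold") or role_match(e, "silver"))),
}

def debug_pe_table(policies, elements):
    """Policy -> element rows: where each policy would execute."""
    return sorted((p, e) for p, f in policies.items() for e in elements if f(e))

def debug_ep_table(pe_rows):
    """Element -> policies view of the same bindings, for field troubleshooting."""
    ep = defaultdict(list)
    for policy, element in pe_rows:
        ep[element].append(policy)
    return dict(ep)

def check_filter(pe_rows, policy, intended):
    """Return (extra, missing) elements relative to the intended set."""
    selected = {e for p, e in pe_rows if p == policy}
    return selected - intended, intended - selected

def effective_bindings(pe_rows, disabled):
    """Drop bindings whose status was turned off (one policy on one element)."""
    return [row for row in pe_rows if row not in disabled]

if __name__ == "__main__":
    rows = debug_pe_table(POLICIES, IF_TYPE)
    print("PE view:", rows)
    print("EP view:", debug_ep_table(rows))
    # Policy 1 shuts ports lacking the "connected" role; only port 9 is meant to be unused.
    print("extra, missing:", check_filter(rows, 1, {9}))
    print("after disabling policy 1 on ifIndex.4:", effective_bindings(rows, {(1, 4)}))
```

With no "connected" role strings loaded, policy 1 selects ports 4 and 8 as well as 9, which is the over-selection a dry run is meant to expose before the shut-off action is enabled.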
Advantages of the Approach
Built with existing infrastructure and tools
Leverages existing MIBs
Flexibility
Complete Architecture
– Includes operational tools
Architectural Drawings
created during meeting
[Diagram: Policy Management MIB (PM MIB). Instance-Independence. Services: Instance-Independent / Instance-Dependent]
[Diagram: QOS Policy MIB. Mechanism-Independence. Services: Mechanism-Independent / Mechanism-Dependent]
[Diagrams, four variants: NMS and Managed System with QOS Policy MIB and PM MIB, labelled in turn "Instance Dependent, Mechanism Dependent", "Instance Independent, Mechanism Dependent", "Instance Dependent, Mechanism Independent", "Instance Independent, Mechanism Independent"]