BRKNMS-2845
Best Network Management Practice in Cisco Device Instrumentation: what (not) to do?
Marisol Palmero, Technical Leader
Benoit Claise, Distinguished Engineer
Follow us on Twitter for real time updates of the event:
@ciscoliveeurope, #CLEUR
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKNMS-2845 3
Abstract
“What are the management features that every Cisco device should enable?
This level 2 session presents guidelines, with the intention of building a default configuration for Cisco network devices: an ideal configuration from a management point of view, addressing the different functional areas of Network Management.
The session will bring a combination of Best Practices, including existing, but not well known features, and a series of new features.
Technical details of the features will be covered with configuration examples, show commands, tricks, and discussion about the advantages and disadvantages.
Some of the topics covered during this session are: Configuration Replace and Rollback, Source IP address in traps and Syslog, best practice in Syslog and SNMP, a single management interface?, Embedded Resource Manager, the notion of user (admin vs operator), among others.”
Introduction
Technology
Platform
Scope / Domain
Introduction
Domain
Device
Management Cpu
Memory
buffer, …
Network
Management Availability
Jitter
Packet loss
Delay
…
Application
Management Video Monitoring
Voice Monitoring
WAN Acceleration
Load Balancing
…
Technology Area
Access Core Backbone
Aggregation/ Distribution
Service / Wan Edge
Service Provider
Data Center
Enterprise
Technology
Scope/Domain
Platform
Platform/Device
IOS IOS-XR IOS-XE (*) NX-OS
(*) IOS-XE part of IOS
Introduction Our “Goal”
Technology
Platform
Scope / Domain
Our "Goal" is to provide a DEFAULT CONFIGURATION & BEST PRACTICES (*) ACROSS CISCO
Service Strategies
• Service Portfolio
• Service Economics
• IT Financial Management
• IT Demand Management
• Out-, In-, Co-sourcing
Service Operation
• Service Request Management
• Event Management
• Incident Management
• Problem Management
• Access Management
Service Design
• Service Portfolio Design
• Service Catalog Management
• Service Level Management
• Supplier Management
• Capacity Management
• Availability & Continuity Management
• Information Security Management
Service Transition
• Change Management
• Asset & Configuration Management
• Knowledge Management
• Release Management
• Deployment, Decommission & Transfer
Source: www.itil.org ITSM v3
Source: www.cisco.com/go/services
Source: www.w3.org/TR/wslc
Source: www.opengroup.org/togaf/
Introduction Our “Model”
Our "Goal" is to provide a DEFAULT CONFIGURATION & BEST PRACTICES (*) ACROSS CISCO
Agenda
Manageability
Configuration Management
Fault Management
Accounting Management
Performance Management
Security Management
“Best Network Management Practice in Cisco Device Instrumentation: what (not) to do?”
Use Cases
Summary
What Does This Session (NOT) Provide?
(New) Features and Best Practices
- Usage: different functions within FCAPS
- Benefits / Caveats
MUST have | Good to know | nice to have
- Including show commands or even options available in exec mode.
- At the end … applicable per Use Case
It is NOT about ALL manageability features
It is NOT about in depth covering of individual features
- However, it contains some references
Win – Win:
- Education for customers versus an inventory across trains/platforms for internal use
- However, we need your feedback
Following a “Pattern”
Name Convention from Feature Navigator (www.cisco.com/go/fn)
Feature (short description)
Usage
Benefits
Drawbacks (if any)
Takeaways
IOS IOS-XR IOS-XE NX-OS
x
Since …
Reference:
http://www.cisco.com/...
Leading Practice
router(config)# … <related configuration>
Default Config Example, with some Basic Features
router(config)# hostname CL_London
CL_London(config)# interface loopback0
CL_London(config-if)# ip address 1.1.1.1 255.255.255.255
CL_London(config)# service timestamps log datetime show-timezone
CL_London(config)# service timestamps debug datetime show-timezone
CL_London(config)# aaa new-model
CL_London(config)# aaa authentication login default tacacs+ enable
CL_London(config)# aaa authentication enable default tacacs+ enable
CL_London(config)# tacacs-server host <ip address of TACACS+ server>
CL_London(config)# ip tacacs source-interface loopback0
CL_London(config)# service password-encryption
CL_London(config)# enable secret <password>
Unique IP address for all
management traffic
AAA is used as Secured method to access the router
Enabled password is defined
For Your Reference
Default Config Example, with some Basic Features
CL_London(config)# line console 0
CL_London(config-line)# exec-timeout 30 0
CL_London(config-line)# line aux 0
CL_London(config-line)# no exec
CL_London(config-line)# transport input all
CL_London(config-line)# line vty 0 4
CL_London(config-line)# access-class 1 in
CL_London(config-line)# exec-timeout 30 0
CL_London(config-line)# no service udp-small-servers
CL_London(config-line)# no service tcp-small-servers
A 30-minute time-out shall be standard on all console and virtual terminal lines.
When services are not needed, they should be disabled.
For Your Reference
Manageability
IOS IOS-XR IOS-XE NX-OS
Interface Index Persistence
Reserve Memory for Console
Access
Warm Reload/Upgrade/ISSU
Configuration Generation
Performance Enhancement
Configuration Partitioning
Call Home vs. Smart Call Home
Interface History
Logging synchronous
SNMP-server manager
Interface Index Persistence (1/3)
ifIndex persistence: the mapping between the ifDescr (or ifName) and ifIndex object values from the IF-MIB is retained across reboots.
Usage
- SNMP: monitoring the interfaces counters
- NetFlow/Flexible NetFlow: reporting of the interface ifIndex
Note: specific flow can send the (ifIndex, ifName) mappings
- RMON: events/alarms based on specific interfaces
- EXPRESSION/EVENT MIB: creation of a new MIB variable based on interface counters
25 bytes of NVRAM storage are used by this feature per interface.
http://www.cisco.com/en/US/partner/products/ps6441/products_feature_guide09186a008054d7c8.html
CL_London(conf)# snmp-server ifindex persist
CL_London(conf-if)# snmp-server ifindex persist
Configuration can be enabled globally or per interface.
[Figure: example ifIndex mapping: Feth1/1 ifIndex=0, Ser 0/1 ifIndex=1, Loopback0 ifIndex=2]
Interface Index Persistence (2/3) … And other Feature Persistence
How and what is safe in the NVRAM?
CL_London(config)# snmp mib persist circuit
CL_London(config)# snmp mib persist cbqos
CL_London# dir nvram:
Directory of nvram:/
1 -rw- 0 <no date> ifIndex-table
2 -rw- 0 <no date> cbqos-mib
Leading Practice
CL_London(config)# snmp-server entityindex persist
CL_London(config)# snmp mib persist event
CL_London(config)# snmp mib persist expression
CL_London(config)# snmp mib persist v3mibs
CIRCUIT-MIB
CISCO-CLASS-BASED-QOS-MIB
Entity-MIB, in IOS-XR (not in IOS)
Event-MIB
Expression-MIB
v3 mibs persistence in IOS-XE 2.4 only
CL_London# write mib-data OR
CL_London# copy running startup
Interface Index Persistence (3/3)
IOS IOS-XR IOS-XE NX-OS
Always had ifIndex persistence. It cannot be disabled.
CL_London_IOSXR# show snmp interface
CL_London_IOS_IOSXE# show snmp mib ifmib ifindex
3.5
12.1(5)T 2.0
CL_London_NXOS# show inter snmp-ifindex
Note: Enabled by default on most switches
Reserve Memory for Console Access (1/2)
Cisco IOS software reserves a default of 256 kilobytes (KB) of memory for console access.
Reserve sufficient memory to log in to the router console
- Perform administrative tasks and troubleshooting
- When the router is running low on memory
- When the memory is heavily fragmented
- Typical example: memory leak
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_mem-reserve.html
Reserve Memory for Console Access (2/2)
Recommendation: Use a value greater than 3 times the number of the used bytes in NVRAM. (dir nvram: command)
- Example: if the total number of used bytes of NVRAM displayed in the command dir nvram: output is 129016 bytes, the nearest kilobyte value rounded off is 129 KB. This value multiplied by 3 is 387 KB
Leading Practice
IOS IOS-XR IOS-XE NX-OS
x x x
12.4(15)T
CL_London_IOS(config)# memory reserved console 387
<number-of-kilobytes>: 1 KB - 4096 KB
CL_London_IOS# show memory console reserved
Memory reserved for console is 262144 bytes
Warm Reload & Warm Upgrade (1/5)
Enables a significant reduction in device reboot time, lowering the Mean Time To Repair (MTTR) for software failures
- During a re-run, execution begins from the start address with the previously saved, pre-initialized variables
- Particularly applicable to single-processor systems
[Figure: boot process prior to Warm Reload & Upgrade versus the Warm Reload & Upgrade process]
Warm Reload (2/5)
Savings from reading and decompressing of image
Additional memory consumption to store a compressed copy of initialized variables in read-only section – typically 1-2 MB
Benefits:
– Quicker Router Reload
– Flash Card Removal
Hardware failure will force a 'cold' reboot
CL_London(config)# warm-reboot [count] [uptime]
CL_London# reload [warm] …
CL_London# show warm-reboot
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/warm_reload.html
Leading Practice
To schedule a [warm] reload
Warm Reload/Warm Upgrade/ISSU (5/5)
Note: Warm Upgrade is a "single-box" ISSU
IOS IOS-XR IOS-XE NX-OS
(ISSU) X(ISSU) (ISSU) X(ISSU)
Warm Reload
Since 12.3(2)T
4.2 4.2
ISSU since 2.1
Warm Upgrade
Since 12.3(11)T
Configuration Generation Performance Enhancement
The parser cache speeds up the "parsing" of the IOS configuration whenever the configuration is accessed and processed by the router.
- Keep the IOS configuration in memory,
- Be more effective as repetition increases and as the configuration gets larger: Reduces the execution time for NVGEN processes.
- Especially useful for managing large configuration files that contain numerous interface configurations
CL_London(config)# parser config cache interface
CL_London# show parser statistics
IOS IOS-XR IOS-XE NX-OS
(*) (*)
12.3(7)T, 12.2(25)S,
12.2(33)SRC,
12.2(33)SB, 12.2(33)SXI
Leading Practice
Covered natively in IOS-XR & NX-OS.
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/config_cache.html
2.1
When you issue a show running-config command, it polls and retrieves every component and interface and every command; it queries every interface on the router and then compiles all this information into a total configuration.
Benefit: 50% time savings.
Configuration Partitioning
CL_London(config)# parser config partition
IOS IOS-XR IOS-XE NX-OS
(*) (*)
12.2(33)SRB
12.2(33)SB
12.2(33)SXI
2.1
Covered natively in IOS-XR & NX-OS.
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_partition.html#wp1054823
Enabled by default
CL_London# show running partition <part>
Configuration Enabled “by default”
"show running-config" hides the defaults and the encryption keys;
"show run all" doesn't.
CL_London# sh run | inc parser
CL_London# sh run all | inc parser
parser cache
parser config partition
parser command serial
(the three lines above are the parser defaults that only "sh run all" displays)
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s5_72.html#wp1288017
IOS IOS-XR IOS-XE NX-OS
Call Home vs. Smart Call Home (1/2)
When configuring the Smart Call Home feature, the customer gains:
- Message correlation
- Remediation/Recommendation
- Automatic SR opening capability
- Field Notices, End of Sales, PSIRT, etc.
The customer can enable Call Home without using Smart Call Home.
Configure Smart Call Home whenever possible.
Alternatively, configure Call Home on a given device to send alerts to the customer's own internal mail server. This way the messages never reach the Cisco back-end, but the customer still receives the email alerts in the form of a system notification:
IOS IOS-XR IOS-XE NX-OS
12.4(24)T
4.1
Leading Practice
4.0 2.6
System Notification From SmartCallHome - environment:minor - 2010-10-11 03:16:44 GMT+00:00
http://www.cisco.com/en/US/products/ps7334/serv_home.htm
Call Home vs. Smart Call Home (2/2)
CL_London# show run all | beg CiscoTAC-1
profile "CiscoTAC-1"
no active
no anonymous-reporting-only
destination preferred-msg-format xml
destination message-size-limit 3145728
no destination transport-method http
destination transport-method email
destination address email [email protected]
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
subscribe-to-alert-group crash
subscribe-to-alert-group environment severity minor
subscribe-to-alert-group syslog severity major pattern ".*"
subscribe-to-alert-group configuration periodic monthly 19 16:13
subscribe-to-alert-group inventory periodic monthly 19 15:58
The CiscoTAC-1 profile is predefined but INACTIVE.
[Figure: customer network -> Internet -> Call Home / Smart Call Home]
Call Home vs. Smart Call Home (2/2)
CL_London(config)# service call-home
CL_London(config)# call-home
CL_London(cfg-call-home)# mail-server <address> priority 1
CL_London(cfg-call-home)# contact-email-addr [email protected]
CL_London(cfg-call-home)# profile TEST
CL_London(cfg-call-home-profile)# destination transport-method email
CL_London(cfg-call-home-profile)# destination address email
CL_London(cfg-call-home-profile)# destination preferred-msg-format long-text
CL_London(cfg-call-home-profile)# subscribe-to-alert-group inventory
CL_London(cfg-call-home-profile)# active
CL_London(cfg-call-home-profile)# exit
CL_London(cfg-call-home)# exit
CL_London(config)#
The default message format is XML. Alert groups cover diagnostic failure notifications, environment alarms, configuration changes, …
[Figure: customer network -> Internet -> Call Home / Smart Call Home]
Logging Synchronous
Tired of being interrupted by a syslog or error message when using the CLI of Cisco IOS while trying to configure the device?
- Solution: No more syslog or error message while typing commands
IOS IOS-XR IOS-XE NX-OS
X X
10.0
CL_London(config)# line console 0
CL_London(config-line)# logging synchronous
http://www.cisco.com/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g04.html#wp1033117
configuration per line
2.1
Leading Practice
“SNMP-server manager”
Device will be able to:
- query other SNMP agents and
- process incoming SNMP traps or notifications
"snmp-server manager" was a feature designed to be used by other IOS applications:
- not really a feature designed for customer use
Note: tclsh supports snmp get/set since 12.3(7)T in IOS
http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_16.html
Leading Practice
SNMP-Server Manager
IOS IOS-XR IOS-XE NX-OS
X X
CL_London(config)# snmp-server manager
CL_London # snmp get v2c 10.10.10.10 public oid system.6.0
SNMP Response reqid 47, errstat 0, erridx 0
system.6.0 =
CL_London # snmp set v2c 10.10.10.10 private oid system.6.0 string London
SNMP Response reqid 48, errstat 0, erridx 0
system.6.0 = London
CL_London # snmp get v2c 10.10.10.10 public oid system.6.0
SNMP Response reqid 49, errstat 0, erridx 0
system.6.0 = London
CL_London # snmp get-next v2c 10.10.10.10 public oid system.6.0
SNMP Response reqid 50, errstat 0, erridx 0
system.7.0 = 78
(system.6.0 is sysLocation, system.7.0 is sysServices)
11.3T
2.1
Configuration Management
IOS IOS-XR IOS-XE NX-OS
Contextual Config Diff Utility
Config Change Notification and
logging
Config Logger Persistence
Config Locking
Config Replace & Rollback
Interface range
Login Monitoring
SNMP (SNMP Polling)
Contextual Configuration Diff Utility
CL_London# show archive config differences [<file1> <file2>]
Contextual Config Diffs:
+no aaa new-model
line vty 0 4
+login
-username user1 privilege 15 password 0 user1
-aaa new-model
-aaa authentication login default local
-aaa authorization exec default local
+access-list 99 deny 2.2.2.2
!
!The following order-dependent line(s) were re-ordered
!access-list 99 permit 1.1.1.1
By default it compares "startup-config" and "running-config".
+ : added compared to file1
- : removed compared to file1
CL_London# show archive config incremental-diffs <file>
(!) descriptive comments: used to identify order-sensitive configuration lines whose location is different in file1 than in file2.
<file> is compared with "running-config"
CL_London_NXOS# show diff rollback-patch …
rollback subcommand
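The +/-/! markers above are easy to parse, which makes the contextual diff a convenient input for a drift check. The following Python is an added example, not code from the session: it parses the slide's own diff output (startup-config as file1, running-config as file2) and flags changes that weaken access control or the audit trail; the watch-list of commands is an assumption chosen for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "show archive config differences" output from the slide,
# with startup-config as file1 and running-config as file2 (the default comparison).
SAMPLE_DIFF = """\
Contextual Config Diffs:
+no aaa new-model
line vty 0 4
+login
-username user1 privilege 15 password 0 user1
-aaa new-model
-aaa authentication login default local
-aaa authorization exec default local
+access-list 99 deny 2.2.2.2
!
!The following order-dependent line(s) were re-ordered
!access-list 99 permit 1.1.1.1
"""


@dataclass
class ConfigDiff:
    added: list = field(default_factory=list)      # "+" lines: in file2 but not in file1
    removed: list = field(default_factory=list)    # "-" lines: in file1 but not in file2
    reordered: list = field(default_factory=list)  # lines listed after the "!" re-order notice
    context: list = field(default_factory=list)    # unmarked lines locating a sub-mode


def parse_contextual_diff(text: str) -> ConfigDiff:
    """Sort the +/-/! markers of the IOS contextual diff into buckets."""
    diff = ConfigDiff()
    in_reorder_notice = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Contextual Config Diffs"):
            continue
        if line.startswith("+"):
            diff.added.append(line[1:].strip())
        elif line.startswith("-"):
            diff.removed.append(line[1:].strip())
        elif line.startswith("!"):
            body = line[1:].strip()
            if body.startswith("The following order-dependent"):
                in_reorder_notice = True
            elif body and in_reorder_notice:
                diff.reordered.append(body)
            # a bare "!" is only the IOS section separator
        else:
            diff.context.append(line)
    return diff


# Commands whose removal (or whose "no" form being added) weakens access control
# or the audit trail. This watch-list is an assumption for the example.
WATCHED = [re.compile(p) for p in (
    r"^aaa new-model$",
    r"^aaa (authentication|authorization|accounting) ",
    r"^logging host ",
    r"^archive$",
    r"^login block-for ",
)]


def review_diff(diff: ConfigDiff) -> list:
    """Return human-readable findings for security-relevant drift from file1."""
    findings = []
    for cmd in diff.removed:
        if any(p.match(cmd) for p in WATCHED):
            findings.append(f"removed: {cmd}")
    for cmd in diff.added:
        if cmd.startswith("no ") and any(p.match(cmd[3:]) for p in WATCHED):
            findings.append(f"negated: {cmd}")
        elif cmd == "login":
            # line-mode "login" without AAA means password-only line authentication
            findings.append("added: login (password-only line authentication)")
        elif re.match(r"^username \S+ .*password 0 ", cmd):
            findings.append(f"added cleartext password: {cmd}")
    return findings


if __name__ == "__main__":
    for finding in review_diff(parse_contextual_diff(SAMPLE_DIFF)):
        print(finding)
```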
… At least three different ways to save configuration:
CL_London# copy running-config <destination-url>
CL_London(config)# archive
CL_London(config-archive)# path disk0:CL_London
CL_London(config-archive)# maximum 10
CL_London(config-archive)# write-memory
CL_London(config-archive)# time 60
Config Archive
copy running-config: the well known "manual" way!!
write-memory: save config on "write mem"
time 60: save config every 60 min
archive config: on the fly
Leading Practice
CL_London# archive config
CL_London(config)# archive
CL_London(config-archive)# log config
CL_London(config-archive-log-config)# logging enable
CL_London(config-archive-log-config)# logging size 200
CL_London(config-archive-log-config)# hidekeys
CL_London(config-archive-log-config)# notify syslog
*Dec 30 04:04:24.840: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:no notify syslog
Configuration Change Notification & Logging
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config-logger.html
CL_London# show archive log config all
idx sess user@line Logged command
1 1 console@console | logging enable
2 1 console@console | logging size 200
4 2 user1@vty0 | interface loopback10
7 4 user1@vty0 | snmp-server community xxxx
With "hidekeys"
IOS IOS-XR IOS-XE NX-OS
(*) (*)
2.1
Possibility to filter per user and per session if you are monitoring through syslog
2.0
CL_London_IOSXR# show configuration commit changes
CL_London_IOSXR# show configuration commit list
CL_London_NXOS# show accounting log
Leading Practice
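Once "notify syslog" is on, every configuration command reaches the syslog server as a %PARSER-5-CFGLOG_LOGGEDCMD message, so the collector can raise an alert the moment someone turns the instrumentation off. The Python below is an added example, not part of the session: it parses constructed CFGLOG lines in the slide's format and the "show archive log config all" table, and the list of "blinding" commands it watches for is an assumption drawn from the features this session recommends.

```python
import re
from collections import Counter

# Constructed sample log lines in the %PARSER-5-CFGLOG_LOGGEDCMD format shown on
# the slide; the last line is a different message and must be skipped.
SAMPLE_SYSLOG = """\
*Dec 30 04:04:24.840: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no notify syslog
*Dec 30 04:05:01.113: %PARSER-5-CFGLOG_LOGGEDCMD: User:user1  logged command:interface loopback10
*Dec 30 04:05:09.220: %PARSER-5-CFGLOG_LOGGEDCMD: User:user1  logged command:no logging host 10.0.0.5
*Dec 30 04:05:15.004: %PARSER-5-CFGLOG_LOGGEDCMD: User:user1  logged command:no aaa new-model
*Dec 30 04:06:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s*User:(?P<user>\S+)\s+logged\s+command:(?P<cmd>.*)$"
)

# "no" forms that blind monitoring or weaken access control (assumption for the
# example, taken from the features this session recommends enabling).
BLINDING = [re.compile(p) for p in (
    r"^no notify syslog$",
    r"^no logging (enable|host|persistent|trap)",
    r"^no snmp-server enable traps",
    r"^no aaa new-model$",
    r"^no service timestamps",
    r"^no archive$",
    r"^no login block-for",
)]


def parse_cfglog_line(line: str):
    """Return {'user', 'cmd'} for a CFGLOG_LOGGEDCMD message, else None."""
    m = CFGLOG_RE.search(line)
    if not m:
        return None
    return {"user": m.group("user"), "cmd": m.group("cmd").strip()}


def find_blinding_changes(text: str) -> list:
    """Return (user, command) pairs for logged commands on the watch-list."""
    hits = []
    for line in text.splitlines():
        rec = parse_cfglog_line(line)
        if rec and any(p.match(rec["cmd"]) for p in BLINDING):
            hits.append((rec["user"], rec["cmd"]))
    return hits


# The same information read on-box from "show archive log config all", which can
# be filtered per user and per session. Constructed sample in the slide's layout.
SAMPLE_ARCHIVE_LOG = """\
idx sess user@line Logged command
1 1 console@console | logging enable
2 1 console@console | logging size 200
4 2 user1@vty0 | interface loopback10
7 4 user1@vty0 | snmp-server community xxxx
"""

ARCHIVE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)@(\S+)\s+\|\s*(.*)$")


def parse_archive_log(text: str) -> list:
    """Parse the idx/sess/user@line/command rows; the header row does not match."""
    rows = []
    for line in text.splitlines():
        m = ARCHIVE_RE.match(line)
        if m:
            idx, sess, user, tty, cmd = m.groups()
            rows.append({"idx": int(idx), "sess": int(sess), "user": user,
                         "line": tty, "cmd": cmd.strip()})
    return rows


def commands_by_user(rows: list) -> Counter:
    """How many configuration commands each user issued."""
    return Counter(r["user"] for r in rows)
```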
Configuration Logger Persistence
Provides a quick-save mechanism to store the startup configuration:
- Cisco software saves just the commands entered since the last startup-config file was generated, rather than saving the entire startup configuration.
The time to save changes from the startup configuration is proportional to the size of the incremental changes that need to be saved.
Prerequisites: need to have disk0: configured and an external flash card inserted on the router
CL_London(config)# archive
CL_London(config-archive)#log config
CL_London(config-archive-log-cfg)# logging persistent {auto | manual}
CL_London(config-archive-log-cfg)# logging persistent reload
CL_London(config-archive-log-cfg)# logging size <entries>
:
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/config-logger-6149.html
IOS IOS-XR IOS-XE NX-OS
X 12.4(11)T,
12.2(33)SRA
default is 100
on demand: "archive log config persistent save"
By default the last 100 configuration commits are saved persistently.
2.1
If another session is started while one session holds the configuration lock:
CL_London(config)# configuration mode exclusive [manual | auto]
CL_London# conf t
CL_London(config)# configuration terminal lock
… apply changes to the configuration …
CL_London(config)# end
The auto keyword automatically locks the configuration session whenever the configure terminal command is used. This is the default.
The manual keyword allows you to choose to lock the configuration session manually or leave it unlocked.
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config-lock_ps6441_TSD_Products_Configuration_Guide_Chapter.html
IOS IOS-XR IOS-XE NX-OS
X
12.4(11)T
CL_London# show configuration lock
Leading Practice
Exclusive Configuration Change Access & Access Session Locking
CL_London# conf t
Configuration mode is locked by process '499' user 'admin' from terminal '2'. Please try later.
2.0
CL_London_IOSXR# config exclusive
CL_London_IOSXR(config)#
2.1
Configuration Replace & Rollback Option 1
Critical config changes to remote devices may result in loss of connectivity, requiring a reload
- In this example, we'll replace the running configuration with the latest good archive after 15 minutes, unless the change made is confirmed
CL_London# show archive
There are currently 4 archive configurations saved.
The next archive file will be named disk0:/config-archive-4
Archive # Name
0 disk0:/config-archive-1
1 disk0:/config-archive-2 <- Most Recent
CL_London# config replace disk0:/config-archive-2 time 15
:
... your Config Change work here ...
:
CL_London# no config replace disk0:/config-archive-2
<1-120> in minutes
12.3(7)T, 12.2(25)S, IOS-XE 2.1
Leading Practice
In this 2nd example, revert to previous configuration in 2 min
CL_London# config terminal revert time 2
Rollback Confirmed Change: Backing up current running config to
flash:bk-2
Enter configuration commands, one per line. End with CNTL/Z.
:
... your Config Change work here ...
:
CL_London(config)# hostname oops
oops(config)# end
oops# Rollback Confirmed Change: Rollback will begin in one minute. Enter "configure confirm" if you wish to keep what you've configured
Configuration Replace & Rollback Option 2
oops# Rollback Confirmed Change: rolling to:flash:bk-2
Total number of passes: 1
Rollback Done
CL_London#
or, to keep the change:
oops# config confirm
IOS IOS-XR IOS-XE NX-OS
Checkpoint 12.4(23)T,
12.2(33)S
2.1 4.2.1 2.0
Configuration Rollback NX-OS Checkpoint
To take a snapshot of the current running configuration in the file system in ASCII format
Up to 10 checkpoints
NX-OS automatically generates a system checkpoint when disabling a feature or license expiration could cause loss of configuration information.
To roll back to a user checkpoint:
http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_7rollback.html#wp1064018
CL_London_NXOS# checkpoint stable description 30Dec2011
CL_London_NXOS# show checkpoint stable
CL_London_NXOS# show diff rollback-patch checkpoint stable running-config
Displays the differences between the source and destination checkpoint selections.
CL_London_NXOS# rollback running-config checkpoint stable
• atomic: implement a rollback only if no errors occur (default)
• best-effort: implement a rollback and skip any errors
• stop-at-first-failure: implement a rollback that stops if an error occurs
Configuration “Safety” Features
IOS IOS-XR IOS-XE NX-OS
Contextual Config Diff Utility (*)
Config Change Notification and logging (*) (*)
Config Logger Persistence (*) x
Config Locking x
Config Replace & Rollback (*) (*)
12.3(4)T, 12.2(25)S
12.3(4)T, 12.2(25)S
12.3(7)T, 12.2(25)S
12.3(14)T, 12.2(25)S
Interface Range
Makes configuration easier:
- the same configuration doesn't need to be re-applied to each interface
- an interface range can be saved as a "macro" in IOS
CL_London_IOSXR(config)# snmp-server interface subset 10 regular-expression "^Gig[a-zA-Z]+[0-9/]+\."
CL_London_IOSXR(config-snmp-if-subset)# notification linkupdown disable
IOS IOS-XR IOS-XE NX-OS
(*)
3.9.0
12.1(5)T
CL_London(config)# define interface-range macro1 fastethernet5/1 - 4
CL_London(config)# interface range fastethernet5/1 - 4
CL_London(config-if)# no logging event link-status
"fastethernet5/1 - 4" can be replaced by "macro1"
covered by Port Profile feature
Login Monitoring
How to configure the device to enter a 100-second quiet period when 15 failed login attempts occur within 100 seconds?
All login requests are denied during the quiet period except those from hosts permitted by the ACL "myacl".
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_login_enhance.html
IOS IOS-XR IOS-XE NX-OS
X X 12.3(4)T
12.2(25)S
12.2(33)SRA
12.2(33)SRB
12.2(33)SXH
CL_London(config)# login block-for 100 attempts 15 within 100
CL_London(config)# login quiet-mode access-class myacl
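The two commands above define a watch window, a failure threshold, a quiet period and an exemption ACL; the Python below is an added example (not from the session) that models that behaviour so the interaction of the three timers can be checked against a constructed attempt sequence. Assumptions: the 15th failure inside the window starts the quiet period, successful logins do not reset the count, and the network 192.0.2.0/24 stands in for ACL "myacl".

```python
from collections import deque
from ipaddress import ip_address, ip_network


class LoginBlocker:
    """Model of 'login block-for <quiet> attempts <n> within <watch>' plus
    'login quiet-mode access-class <acl>'. Times are seconds on any monotonic clock.
    Assumptions: the n-th failure inside the watch window starts the quiet period;
    successful logins do not reset the failure count; the ACL is a list of networks."""

    def __init__(self, block_for, attempts, within, exempt_networks=()):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.exempt = [ip_network(n) for n in exempt_networks]
        self.failures = deque()   # timestamps of failed attempts inside the watch window
        self.quiet_until = None

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def is_exempt(self, src):
        return any(ip_address(src) in net for net in self.exempt)

    def _trim(self, now):
        # drop failures older than the watch window
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()

    def attempt(self, now, src, success):
        """Return one of 'denied-quiet', 'ok', 'failed', 'failed-quiet-started'."""
        if self.in_quiet_mode(now) and not self.is_exempt(src):
            return "denied-quiet"          # refused outright, not counted
        if success:
            return "ok"
        self.failures.append(now)
        self._trim(now)
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return "failed-quiet-started"
        return "failed"


def simulate_slide_scenario():
    """Constructed scenario: 15 failures from one host within 100 s, then attempts
    during and after the quiet period (192.0.2.0/24 stands in for ACL 'myacl')."""
    lb = LoginBlocker(block_for=100, attempts=15, within=100,
                      exempt_networks=["192.0.2.0/24"])
    results = []
    for t in range(15):                                            # t = 0..14
        results.append(lb.attempt(t, "198.51.100.7", success=False))
    results.append(lb.attempt(20, "198.51.100.7", success=True))   # blocked: quiet mode
    results.append(lb.attempt(20, "192.0.2.10", success=True))     # exempt host gets in
    results.append(lb.attempt(115, "198.51.100.7", success=True))  # quiet period over
    return lb, results
```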
SNMP
IOS IOS-XR IOS-XE NX-OS
SNMP v1
SNMP v2 X X X X
SNMP v2c
SNMP v3
10.3
CL_London_IOS (config)#snmp-server contact Operations_NOC
CL_London_IOS (config)#snmp-server location Excell_London
CL_London_IOS (config)#snmp-server chassis-id chassis1234
CL_London_IOS (config)#snmp-server enable traps …
CL_London_IOS (config)#snmp-server system-shutdown
CL_London_IOS (config)#snmp-server tftp-server-list <IP_standard_ACL>
CL_London_IOS (config)#snmp ifmib ifalias long
By default, the system cannot be rebooted via SNMP.
A manager can request to load or save the config from a TFTP server.
By default, the interface description is limited to 64 characters. This command changes it to 256.
10.3 – 11.2
11.3
12.0(3)T
[3DES&AES] 12.4T
5.2
2.1
SNMP Polling
SNMP v2c:
SNMP v3:
SNMP v1 SNMP v2c SNMP v3
Performance - -
Security X X
• Joe belongs to joegroup (securityLevel is authNoPriv), no MIB view
• Bill belongs to billgroup (securityLevel is noAuthNoPriv), has read access on MIB view 'billview', which includes MIB-II and excludes the private Cisco MIB
• The device is SNMPv1, SNMPv2c and SNMPv3 capable
CL_London_IOS (config)# snmp-server engineID local 123456789012345678901234
CL_London_IOS (config)# snmp-server user joe joegroup v3 auth md5 joekey
CL_London_IOS (config)# snmp-server user bill billgroup v3
CL_London_IOS (config)# snmp-server group joegroup v3 auth
CL_London_IOS (config)# snmp-server group billgroup v3 noauth read billview
CL_London_IOS (config)# snmp-server view billview mib-2 included
CL_London_IOS (config)# snmp-server view billview cisco excluded
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html
Community string: may contain any value (spaces, any character, even non-printable hex values), but it is NOT a good idea to use $, #, &, /, !, public, private, …
CL_London_IOS (config)# snmp-server community public RO
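The user/group/view commands above build a small access matrix, and the view semantics (longest matching subtree wins) are what decide whether Bill can read a given OID. The Python below is an added example, not code from the session: it models those SNMPv3 access rules for the slide's joe/bill configuration, treating joegroup as having no read view as the slide states (not IOS's default view), and assumes the usual OIDs for the "mib-2" and "cisco" names; it also adds a constructed "auditview" to show the longest-prefix rule.

```python
# Subtree roots for the names used on the slide (assumption: the IOS view names
# "mib-2" and "cisco" map to these standard OIDs).
NAMED_SUBTREES = {
    "internet": (1, 3, 6, 1),
    "mib-2": (1, 3, 6, 1, 2, 1),
    "cisco": (1, 3, 6, 1, 4, 1, 9),
}


def oid(text):
    """'1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0); known names are looked up."""
    if text in NAMED_SUBTREES:
        return NAMED_SUBTREES[text]
    return tuple(int(x) for x in text.split("."))


class MibView:
    """VACM-style view: (subtree, included?) entries; the entry whose subtree is the
    longest prefix of the OID decides. Family masks are omitted (a simplification)."""

    def __init__(self, name):
        self.name = name
        self.entries = []

    def add(self, subtree, included):
        self.entries.append((oid(subtree), included))
        return self

    def contains(self, target):
        t = oid(target)
        best = None
        for subtree, included in self.entries:
            if t[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]


LEVELS = {"noauth": 0, "auth": 1, "priv": 2}


class Snmpv3Access:
    """Users -> groups -> (minimum security level, read view)."""

    def __init__(self):
        self.views, self.groups, self.users = {}, {}, {}

    def view(self, name):
        return self.views.setdefault(name, MibView(name))

    def group(self, name, level, read_view=None):
        self.groups[name] = (LEVELS[level], read_view)

    def user(self, name, group, level):
        self.users[name] = (group, LEVELS[level])   # highest level the user's keys allow

    def can_read(self, user, request_level, target):
        """Decide a GET: known user, keys for the level, level >= group minimum, OID in view."""
        if user not in self.users:
            return (False, "unknown user")
        group, user_level = self.users[user]
        required, read_view = self.groups[group]
        lvl = LEVELS[request_level]
        if lvl > user_level:
            return (False, "user has no keys for that level")
        if lvl < required:
            return (False, f"group {group} requires a higher security level")
        if read_view is None:
            return (False, f"group {group} has no read view")
        if not self.views[read_view].contains(target):
            return (False, f"OID outside view {read_view}")
        return (True, "ok")


def build_from_slide():
    """Mirror the slide's snmp-server user/group/view commands."""
    acc = Snmpv3Access()
    acc.view("billview").add("mib-2", True).add("cisco", False)
    acc.group("joegroup", "auth")               # no read view, as the slide describes
    acc.group("billgroup", "noauth", "billview")
    acc.user("joe", "joegroup", "auth")         # md5 key -> authNoPriv possible
    acc.user("bill", "billgroup", "noauth")
    return acc
```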
Fault Management
IOS IOS-XR IOS-XE NX-OS
SNMP Notifications
Logging: syslog
Reliable Delivery & Filtering
Embedded Syslog Manager(ESM)
Management Interface
NTP
Diagnostics: GOLD & OBFL
SNMP Notifications: Traps vs. Informs
SNMPv2c
SNMPv3
Does your management station support informs?
- Informs are nothing more than retried acknowledged notifications
- Not 100% guaranteed
CL_London(config)# snmp-server engineID remote 10.10.10.10 1234
CL_London(config)# snmp-server user bill billgroup remote 10.10.10.10 v3
CL_London(config)# snmp-server group billgroup v3 noauth
CL_London(config)# snmp-server host 10.10.10.10 [traps|inform] version 3 noauth bill <specific_notification>
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html
CL_London(config)# snmp-server host 10.10.10.10 [traps|inform] version 2c C1sc0123 <specific_notification>
Not the same as the polling/setting SNMP community string
Leading Practice
CL_London(config)# snmp-server enable traps envmon
CL_London(config)# no snmp-server enable traps syslog
CL_London(config)# snmp-server enable traps
Valid for both traps and informs
Attention: this also enables the "syslog" traps
Logging Syslog Messages
It is a Good Practice to send logging information to one or more remote syslog servers. By doing so, it becomes possible to correlate and audit network and security events across network devices more effectively.
Syslog messages are transmitted unreliably by UDP and in cleartext.
Note: Syslog supported on TCP as well
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#logbest
CL_London(config)# logging host <ip-address_server1>
CL_London(config)# logging host <ip-address_server2>
CL_London(config)# logging persistent url disk0:/syslog size 134217728 filesize 16384
CL_London(config)# no logging console
CL_London(config)# no logging monitor
CL_London(config)# logging buffered 16384
CL_London(config)# logging trap 5
CL_London(config)# logging source-interface loopback 0
CL_London(config)# service timestamps log datetime localtime show-timezone
CL_London(config)# logging on
Syslog writing to Flash: messages saved on an ATA drive persist after a router is rebooted
Leading Practice
IOS IOS-XR IOS-XE NX-OS
Default severity: informational/6
Recommendation: 256k buffers on core devices and 64k elsewhere
Time stamps in the format MM DD HH:MM:SS
Logging Reliable Delivery & Filtering
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_reliable_del_filter.html#wp1054676
CL_London(config)# logging discriminator filter1 facility includes facl357 rate-limit 100
CL_London(config)# logging buffered discriminator filter1 5
all messages with "facl357" in the facility field will be delivered, not to exceed the rate limit
Enables logging to a local buffer and specifies a message discriminator.
IOS IOS-XR IOS-XE NX-OS
X X
12.4(11)T
12.2(33)SRB
12.2(33)SB
12.2(33)SXI
not to exceed 100 messages per second
2.1
Syslog vs Traps

                Syslog                                   SNMP Notification
NMS             Syslog Daemon                            Trap Receiver
Protocol/Port   UDP 514                                  UDP 162
Filtering       Yes                                      Limited
Format          Easy-to-read format, no MIB needed       More rigid format, parseable
Reliability     RFC 3195 reliable syslog with TCP        None with traps; some with informs (NOTIFICATION-LOG MIB)

Syslog or traps: choose one of the two.
CL_London(config)# interface Serial 1
CL_London(config-if)# no logging event link-status
CL_London(config-if)# no trap link-status

Note: More detailed information in BRKNMS-2031: "SYSLOG Design, Methodology and Best Practices"
Single Interface for Management?

A need for a single management/security interface?
(Figure: the Network Mgmt Application reaches the router through L0 (Loopback0), while the physical interfaces are Eth0 and S0.)

CL_London(config)# logging source-interface Loopback0
CL_London(config)# snmp-server source-interface [traps|inform] Loopback0
CL_London(config)# ip sla 1
CL_London(config-ip-sla)# path-jitter <destination> source-interface Loopback0
CL_London(config)# flow exporter <exporter>
CL_London(config-flow-exporter)# source Loopback0
Previous to 12.3T(11): "snmp-server trap-source <interface>"

CL_London(config)# ip tacacs source-interface <interface>
CL_London(config)# ip radius source-interface <interface>
CL_London(config)# monitor session 1 <source_interface>
CL_London(config)# ip ftp source-interface <interface>
CL_London(config)# ip tftp source-interface <interface>
CL_London(config)# interface tunnel0
CL_London(config-if)# tunnel source <interface>
CL_London(config)# ip ssh source-interface <interface>
CL_London(config)# ip rcmd source-interface <interface>
CL_London(config)# ip kerberos source-interface <interface>
CL_London(config)# ip http client source-interface <interface>
CL_London(config)# ntp source <interface>
CL_London(config)# crypto ca trustpoint test
CL_London(config-crypto-ca)# source interface <interface>
Single Interface for Management?

The dedicated management interface is used to perform management tasks on the router before a router has begun routing, or in troubleshooting scenarios.
This interface should not, and often cannot, forward network traffic, but can otherwise access the router via Telnet and SSH.

NX-OS:
CL-London_NXOS(config)# interface mgmt0
CL-London_NXOS(config-if)# ip address <ipv4-address>[/<mask-length>]
CL-London_NXOS(config-if)# exit
CL-London_NXOS(config)# vrf context management
CL-London_NXOS(config-vrf)# ip route <subnet/prefix length> <next-hop>
Platform support (IOS / IOS-XR / IOS-XE / NX-OS): X (mark as on the slide)
http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/Management_Ethernet.html

IOS-XE:
CL-London_IOSXE(config)# ip tftp source-interface Gigabitethernet 0
CL-London_IOSXE(config)# ntp server vrf Mgmt-intf A.B.C.D
CL-London_IOSXE(config)# logging host <ip-address> vrf Mgmt-intf
CL-London_IOSXE(config)# snmp-server source-interface traps gigabitEthernet 0
CL-London_IOSXE(config)# ip domain-name vrf Mgmt-intf cisco.com
CL-London_IOSXE(config)# ip name-server vrf Mgmt-intf IPv4-address
CL-London_IOSXE(config)# aaa group server tacacs+ hello
CL-London_IOSXE(config-sg-tacacs+)# ip vrf forwarding Mgmt-intf
In IOS-XE always:
- The Gigabit Ethernet Management port is the mgmt-interface.
- It is part of its own VRF, "Mgmt-intf".
NTP

A common, accurate "time of the day" is needed for:
- Network measurement and monitoring
- Consistent debugs and log files
- Intrusion detection event correlation
- Event synchronization across network elements

CL_London(config)# clock timezone UTC 0
CL_London(config)# ntp orphan 3
CL_London(config)# ntp update-calendar
CL_London(config)# ntp source Loopback0
CL_London(config)# ntp server CL_ServerA prefer
CL_London(config)# ntp server CL_ServerB
CL_London(config)# ntp trusted-key 10
CL_London(config)# ntp maxdistance [distance threshold]
CL_London(config)# ntp server <server_ip> burst iburst

Slide annotations:
- ntp orphan 3: instead of "ntp master 3".
- ntp update-calendar: allows NTP to update the hardware calendar chip.
- ntp source Loopback0: sets the source IP address for the NTP packets.
- ntp maxdistance: reduces network jitter effects.
- burst / iburst: rapid time setting at system startup or when an association is configured; it controls the number of packets needed for a clock update.
- Low-end platforms only support SNTP: sntp server ip_address
Leading Practice
NTP version 4
- Never synchronize NTP on IOS with a Win32 Windows time machine.
- NTP authentication does not require all clients to use NTP authentication.
- Configure the access control groups/ACL for additional security: for the public servers and peers.
Platform support (IOS / IOS-XR / IOS-XE / NX-OS): 12.4(20)T; 3.3; 5.2; 3.8
http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a0080117070.shtml

Figure (NTP hierarchy):
Stratum 2: CL_ServerA and CL_ServerB, each peering with the other and synchronising to an upstream server:
 ntp orphan 2
 ntp peer CL_ServerB   (on CL_ServerA; CL_ServerB has "ntp peer CL_ServerA")
 ntp server x.x.x.x
 ntp trusted-key 10 - 50
 ntp authenticate
CL_London:
 ntp server CL_Server_A prefer
 ntp server CL_Server_B
CL_Paris:
 ntp server CL_Server_B prefer
 ntp server CL_Server_A
Client_A and Client_B:
 ntp server CL_London
 ntp server CL_Paris
GOLD: Generic Online Diagnostics (1/2)

Use GOLD to verify the functionality of misbehaving modules:
- Bootup Diagnostics (upon bootup and Online Insertion and Removal, OIR)
- Periodic Health Monitoring (during operation)
- OnDemand (from CLI)
- Scheduled Testing (from CLI)
The GOLD Event Detector can trigger EEM actions based on GOLD test results.
The OIR or CLI Event Detector can trigger on-demand GOLD tests as post-validation of deployment or maintenance work.
GOLD is also used in Smart Call Home for diagnostics reports.

CL_London(config)# diagnostic schedule module 2 test 1 weekly MON 03:00
CL_London(config)# diagnostic monitor interval module 5 test 2 00:00:15 0 0
CL_London# diagnostic ondemand iterations 2
CL_London# diagnostic ondemand action-on-failure stop
CL_London# diagnostic start module 2 test 1
CL_London(config)# diagnostic bootup level ?
  complete  Complete level
  minimal   Minimal level
complete is recommended (and is the default)
GOLD: Generic Online Diagnostics (2/2)

Schedule all non-disruptive tests periodically.
http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_11gold.html

CL_London# show diagnostic content
CL_London# show diagnostic result

Platform support (IOS / IOS-XR / IOS-XE / NX-OS): 12.2(14)SX, 12.2(17d)SXB, 12.2(33)SRA, 12.2(33)SCC; 3.4; 4.0(1)
Leading Practice
Flexible NetFlow (FNF) Configuration Example

1. Configure the Exporter (Where do I want my data sent?)
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1
2. Configure the Flow Record (What data do I want to meter?)
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes
3. Configure the Flow Monitor (How do I want to cache information?)
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record
4. Apply to an Interface (Which interface do I want to monitor?)
Router(config)# interface s3/0
Router(config-if)# ip flow monitor my-monitor input
Flexible NetFlow (FNF) Flexible Flow Record: Key Fields

IPv4: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Protocol, Fragmentation Flags, Fragmentation Offset, Identification, Header Length, Total Length, Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Options bitmap, Version, Precedence, DSCP, TOS
Interface: Input, Output
Flow: Sampler ID, Direction
Layer 2: Source MAC address, Destination MAC address, Dot1q VLAN, Source VLAN, Dest VLAN, Dot1q priority
IPv6: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Protocol, Payload Size, Packet Section (Header), Packet Section (Payload), DSCP, Extension Headers, Traffic Class, Hop-Limit, Flow Label, Length, Option Header, Next-header, Header Length, Version, Payload Length
Flexible NetFlow (FNF) Flexible Flow Record: Key Fields (Cont.)

Multicast: Replication Factor*, RPF Check Drop*, Is-Multicast
Routing: Input VRF Name, BGP Next Hop, IGP Next Hop, src or dest AS, Peer AS, Traffic Index, Forwarding Status
Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type*, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flags (ACK, CWR, ECE, FIN, PSH, RST, SYN, URG), UDP Message Length, UDP Source Port, UDP Destination Port
Application: Application ID
Flexible NetFlow (FNF) Flexible Flow Record: Non-Key Fields

Plus any of the potential "key" fields: the value will be the one from the first packet in the flow.
Counters: Bytes, Bytes Long, Bytes Square Sum, Bytes Square Sum Long, Packets, Packets Long
Timestamp: sysUpTime First Packet, sysUpTime Last Packet
IPv4: Total Length Minimum (*), Total Length Maximum (*), TTL Minimum, TTL Maximum
IPv4 and IPv6: Total Length Minimum (**), Total Length Maximum (**)
(*) IPV4_TOTAL_LEN_MIN, IPV4_TOTAL_LEN_MAX
(**) IP_LENGTH_TOTAL_MIN, IP_LENGTH_TOTAL_MAX
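As an added example (not from the presentation), the metering process that the record definitions above describe, in Python: packets are grouped on the "match" (key) fields, and the "collect" (non-key) fields from this slide are accumulated per flow, with any extra key-type field keeping the first packet's value. The same constructed packets are metered with the two-key "my-record" from the configuration example and with a five-tuple-plus-interface record; the Packet attributes, class names and sample packets are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Per-packet attributes an FNF record can match on or collect (constructed for the example)."""
    sysuptime_ms: int
    input_if: str
    ipv4_src: str
    ipv4_dst: str
    ipv4_protocol: int
    transport_src: int
    transport_dst: int
    ipv4_ttl: int
    ipv4_total_length: int


@dataclass
class FlowEntry:
    """Non-key fields from the slide: counters, sysUpTime first/last, TTL and total-length
    min/max, plus any key-type field collected as non-key (value of the first packet)."""
    packets: int = 0
    bytes: int = 0
    bytes_square_sum: int = 0
    sysuptime_first: int = 0
    sysuptime_last: int = 0
    ttl_min: int = 255
    ttl_max: int = 0
    total_length_min: int = 65535
    total_length_max: int = 0
    first_packet_values: Dict[str, object] = field(default_factory=dict)


class FlowMonitor:
    def __init__(self, match: Tuple[str, ...], collect_first: Tuple[str, ...] = ()) -> None:
        self.match = match                   # key fields: a different value starts a new flow
        self.collect_first = collect_first   # non-key fields taken from the first packet only
        self.cache: Dict[tuple, FlowEntry] = {}

    def meter(self, pkt: Packet) -> None:
        key = tuple(getattr(pkt, f) for f in self.match)
        entry = self.cache.get(key)
        if entry is None:
            entry = FlowEntry(sysuptime_first=pkt.sysuptime_ms,
                              first_packet_values={f: getattr(pkt, f) for f in self.collect_first})
            self.cache[key] = entry
        entry.packets += 1
        entry.bytes += pkt.ipv4_total_length
        entry.bytes_square_sum += pkt.ipv4_total_length ** 2
        entry.sysuptime_last = pkt.sysuptime_ms
        entry.ttl_min = min(entry.ttl_min, pkt.ipv4_ttl)
        entry.ttl_max = max(entry.ttl_max, pkt.ipv4_ttl)
        entry.total_length_min = min(entry.total_length_min, pkt.ipv4_total_length)
        entry.total_length_max = max(entry.total_length_max, pkt.ipv4_total_length)

    def export(self) -> List[dict]:
        """What the exporter would send: one record per cache entry, key fields first."""
        return [dict(zip(self.match, key), **vars(entry)) for key, entry in self.cache.items()]


def meter_all(match: Tuple[str, ...], packets: Iterable[Packet],
              collect_first: Tuple[str, ...] = ()) -> List[dict]:
    monitor = FlowMonitor(match, collect_first)
    for pkt in packets:
        monitor.meter(pkt)
    return monitor.export()


# Constructed packets: one TCP/443 connection (two packets), one DNS query, and a TCP/443
# connection from a second host, all towards the same server.
SAMPLE_PACKETS = [
    Packet(1000, "Serial3/0", "10.1.1.1", "10.2.2.2", 6, 40000, 443, 64, 1500),
    Packet(1010, "Serial3/0", "10.1.1.1", "10.2.2.2", 6, 40000, 443, 64, 60),
    Packet(1020, "Serial3/0", "10.1.1.1", "10.2.2.2", 17, 5000, 53, 63, 80),
    Packet(1030, "Serial3/0", "10.3.3.3", "10.2.2.2", 6, 50000, 443, 128, 200),
]

# "my-record" from the configuration example: match ipv4 source and destination address only
MY_RECORD = ("ipv4_src", "ipv4_dst")
# A record like "app_record" on the NetFlow/NBAR slide, minus the application name
APP_RECORD = ("input_if", "ipv4_src", "ipv4_dst", "ipv4_protocol", "transport_src", "transport_dst")

if __name__ == "__main__":
    for record in meter_all(MY_RECORD, SAMPLE_PACKETS, collect_first=("ipv4_protocol",)):
        print(record)
```

With the two-key record the three packets from 10.1.1.1 collapse into one flow (TCP and DNS mixed, protocol taken from the first packet); the richer record keeps them apart.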
Flexible NetFlow (FNF)

NetFlow Export became the de-facto PUSH mechanism for the Cisco
Flexible NetFlow:
- New metering process, as opposed to traditional NetFlow
- Superset of many accounting features: IP accounting, BGP policy accounting
- Difficult to give a default config
Detailed support matrix in the session "Advanced NetFlow" BRKNMS-3132
http://www.cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html
Platform support: IOS, IOS-XR, IOS-XE, NX-OS

Performance Management (Device vs. Network level) (IOS / IOS-XR / IOS-XE / NX-OS)
- RMON
- CPU Threshold Notification
- Memory Threshold Notification
- Embedded Resource Manager (ERM)
- Data Collection Manager
Monitor Resources: RMON (CLI or SNMP Configuration)

RMON can be applied to any SNMP variable: to monitor CPU, memory, link utilization.
Configure RMON to generate a trap if CPU utilization reaches 80%, and rearm the trap if utilization drops below 40%; the sampling interval is 20 seconds.
EEM can achieve more, but RMON is a MIB.

CL_London(config)# rmon alarm 1 cpmCPUTotalEntry.3.0 20 absolute rising-threshold 80 1 falling-threshold 40 2 owner me
CL_London(config)# rmon event 1 log trap public description "cpu busy" owner me
CL_London(config)# rmon event 2 log description "cpu not too busy"

Platform support (IOS / IOS-XR / IOS-XE / NX-OS): 11.1
(Figure: CPU utilization sampled over T (sec); the rising condition triggers event #1, the falling condition triggers event #2.)
Leading Practice
Monitor Resources: CPU Threshold Notification

CPU threshold notification allows you to configure CPU utilization thresholds that, when crossed, trigger a notification.
In this example, when total CPU utilization, which at one point had risen above 80 percent and triggered a rising threshold notification, falls below 70 percent for a period of 5 seconds or longer, a falling threshold notification is sent.

CL_London(config)# process cpu threshold type total rising 80 interval 5 falling 70 interval 5
CL_London(config)# snmp-server enable traps cpu threshold
CL_London(config)# snmp-server host 10.10.10.1 traps public cpu

Platform support (IOS / IOS-XR / IOS-XE / NX-OS): (*) x; since 12.3(4)T, 12.0(26)S, 12.2(25)S
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cpu_thresh_notif_ps6441_TSD_Products_Configuration_Guide_Chapter.html

(*) IOS-XR:
CL_London_IOSXR(config)# watch monitor cpu-hog persistent timeout
If wdsysmon detects a CPU hog on IOS-XR, it resets the node after 30 seconds.
Leading Practice
Monitor Resources: Memory Threshold Notifications (1/2)

- If available free processor or I/O memory falls below the specified thresholds, the router will generate a syslog message.
- Reserves the specified amount of memory in kilobytes so that the router can issue critical notifications.
- This feature has been superseded by Embedded Resource Manager (ERM), but not in IOS-XR.

CL_London(config)# memory free low-watermark processor 20000
CL_London(config)# memory free low-watermark io 20000
CL_London(config)# memory reserve critical 1000
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1838/products_feature_guide09186a00801b1bee.html
Leading Practice
Monitor Resources: Memory Threshold Notifications (2/2)

Platform support (IOS / IOS-XR / IOS-XE / NX-OS): (*) x; since 12.0(26)S, 12.2(18)S, 12.3(4)T
(Figure: Memory Free (Mb) over TIME, showing the "memory free low-watermark processor 20000" line and the "memory reserve critical 1000" band; the rising (recover) notification triggers at 5% above the low watermark.)

000029: *Aug 12 22:31:19.559: %SYS-4-FREEMEMLOW: Free Memory has dropped below 20000k
Pool: Processor Free: 66814056 freemem_lwm: 204800000
000032: *Aug 12 22:33:29.411: %SYS-5-FREEMEMRECOVER: Free Memory has recovered 20000k
Pool: Processor Free: 66813960 freemem_lwm: 0

(*) IOS-XR:
CL_London_IOSXR(config)# watchdog threshold memory
Embedded Resource Manager (ERM)

The ERM framework provides the ability to monitor resources: CPU, buffer, memory and IPC utilization.
It also provides a mechanism to carry out a set of actions when thresholds (rising/falling) are crossed, either to mitigate the risk of the box going down or to notify admins.

resource policy
 policy my-erm-policy-1 type iosprocess
  system
   cpu total
    critical rising 90 interval 15 falling 20 interval 10 global
    major rising 70 interval 15 falling 15 interval 10 global
    minor rising 60 interval 15 falling 10 interval 10 global

If the total CPU usage count rises above 90% at an interval of 15 s, a Critical Up notification is sent.
Options: "cpu interrupt", "cpu process", "cpu total", buffer, "memory io", "memory processor".

Jan 17 13:32:18.283: %SYS-4-CPURESRISING: System is seeing global cpu util 62% at total level more than the configured minor limit 60%

http://www.cisco.com/en/US/docs/ios-xml/ios/erm/configuration/15-1s/nm-erm-resource.html
Platform support (IOS / IOS-XR / IOS-XE / NX-OS): X (*) X (*); 12.3(14)T; 3.6
(*) EEM partially covers ERM functionality: for memory (memory ED) and for CPU (SNMP ED).
Leading Practice
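As an added example, not from the presentation, this Python model captures the rising/falling hysteresis that the RMON alarm, the CPU Threshold Notification and the ERM policy above all rely on: a rising notification fires once the value has stayed at or above the rising threshold for the rising interval, and nothing re-fires until the value has stayed at or below the falling threshold for the falling interval. The class names, the event tuple layout and the CPU samples are assumptions of this example; the threshold values are the ones on the slides.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import List, Optional, Tuple

Event = Tuple[float, str, str, float]   # (time, level name, "rising"/"falling", value)


@dataclass
class Threshold:
    """One rising/falling pair with hold intervals in seconds, e.g. the ERM line
    'critical rising 90 interval 15 falling 20 interval 10' or the CPU threshold
    'rising 80 interval 5 falling 70 interval 5'. Interval 0 fires on the first sample,
    which is how the RMON alarm (rising 80, falling 40, sampled every 20 s) behaves."""
    name: str
    rising: float
    rising_interval: float
    falling: float
    falling_interval: float
    raised: bool = False                 # re-armed only after the falling side has fired
    above_since: Optional[float] = None
    below_since: Optional[float] = None


class ResourceMonitor:
    def __init__(self, thresholds: List[Threshold]) -> None:
        # evaluate the lowest level first, so minor/major/critical events come out in order
        self.thresholds = sorted(deepcopy(thresholds), key=lambda th: th.rising)
        self.events: List[Event] = []

    def sample(self, t: float, value: float) -> List[Event]:
        fired: List[Event] = []
        for th in self.thresholds:
            if value >= th.rising:
                th.below_since = None
                th.above_since = t if th.above_since is None else th.above_since
                if not th.raised and t - th.above_since >= th.rising_interval:
                    th.raised = True
                    fired.append((t, th.name, "rising", value))
            elif value <= th.falling:
                th.above_since = None
                th.below_since = t if th.below_since is None else th.below_since
                if th.raised and t - th.below_since >= th.falling_interval:
                    th.raised = False
                    fired.append((t, th.name, "falling", value))
            else:
                # inside the hysteresis band: no notification, and the hold timers restart
                th.above_since = th.below_since = None
        self.events.extend(fired)
        return fired


def run(thresholds: List[Threshold], samples: List[Tuple[float, float]]) -> List[Event]:
    """Feed (time, utilisation %) samples through a fresh monitor and return every event."""
    monitor = ResourceMonitor(thresholds)
    for t, value in samples:
        monitor.sample(t, value)
    return monitor.events


# The three "cpu total" levels of my-erm-policy-1 on the slide
ERM_POLICY = [
    Threshold("critical", 90, 15, 20, 10),
    Threshold("major", 70, 15, 15, 10),
    Threshold("minor", 60, 15, 10, 10),
]
# The CPU Threshold Notification example: rising 80 interval 5, falling 70 interval 5
CPU_THRESHOLD = [Threshold("total", 80, 5, 70, 5)]
# The RMON alarm example: absolute value sampled every 20 s, rising 80, falling 40
RMON_ALARM = [Threshold("cpmCPUTotal", 80, 0, 40, 0)]

# Constructed CPU samples (seconds, %): a slow climb past "minor", a spike past "critical",
# a drop into the hysteresis band (no falling event yet), then idle.
ERM_SAMPLES = [(0, 50), (5, 65), (10, 65), (15, 65), (20, 65),
               (25, 95), (30, 95), (35, 95), (40, 95),
               (45, 50), (50, 50), (55, 50),
               (60, 5), (65, 5), (70, 5)]

if __name__ == "__main__":
    for t, name, direction, value in run(ERM_POLICY, ERM_SAMPLES):
        print(f"t={t:>3}s {name:8s} {direction:7s} cpu={value}%")
```

Note that the samples at 50% after the spike produce nothing: 50% is below every rising threshold but above every falling one, so all three levels stay raised until the 10-second hold below the falling thresholds completes at t=70.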
Security Management (IOS / IOS-XR / IOS-XE / NX-OS)
- SNMP v2c vs. v3 (already covered)
- Auto Secure
- CDP
- Mgmt Plane Protection/CPP/CoPP/CoPPr
AutoSecure
- Disables global services
- Disables per-interface services
- Enables global services
- Secures access to the router
- Security logging
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_autosecure.html
Platform support (IOS / IOS-XR / IOS-XE / NX-OS): X X; 12.3(1), 12.2(18)S, 12.3(8)T, 12.2(27)SBC

CL_London_IOS# auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]
CL_London_IOS(config)# security passwords min-length length
CL_London_IOS(config)# enable password {password | [encryption-type] encrypted-password}
CL_London_IOS(config)# security authentication failure rate threshold-rate log
CDP (version 2)

It is used by network management applications for topology discovery, and also as a troubleshooting tool.
Recommendation:
- enable it on all internally facing interfaces, and
- disable it on all externally facing interfaces
http://www.cisco.com/en/US/tech/tk962/technologies_tech_note09186a00801aa000.shtml

CL_London(config)# cdp run                  (enabled by default)
CL_London(config)# interface serial 1
CL_London(config-if)# no cdp enable         (disable per interface)

There are some other timers and settings:
- cdp timer: specifies the frequency of transmission of CDP updates.
- cdp holdtime: specifies the amount of time a receiving device should hold the information sent by your device before discarding it.
- cdp advertise-v2: enables CDP Version-2 advertising functionality on a device.
Leading Practice
Management Plane Protection

Provides the capability to restrict the interfaces on which network management packets are allowed to enter a device.
- Today, a router accepts network management traffic on any of the device's interfaces that has a network address.
- Management protocols: BEEP, FTP, HTTP, HTTPS, SSHv1, SSHv2, SNMP (all versions), Telnet, TFTP, TL1, TLS

CL_London# configure terminal
CL_London(config)# control-plane host
CL_London(config-cp-host)# management-interface interface allow ftp ssh snmp

Platform support (IOS / IOS-XR / IOS-XE / NX-OS): X; 12.4(6)T; 3.5
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htsecmpp.html
Leading Practice
Control Plane Policing & Control Plane Protection

Control Plane Policing (CoPP) is a Cisco IOS control-plane feature that offers rate limiting of all control-plane traffic. CoPP allows you to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets.
Control Plane Protection (CoPPr) is the framework
Platform support (IOS / IOS-XR / IOS-XE / NX-OS): (*) since 2.0: Local Packet Transport Services (LPTS)

CL_London(config)# class-map type logging match-all logclass
CL_London(config-cmap)# match packets dropped
CL_London(config)# policy-map type logging MPP_test
CL_London(config-pmap)# class logclass
CL_London(config-pmap-c)# log
CL_London(config)# control-plane host
CL_London(config-cp-host)# service-policy type logging input MPP_test
Leading Practice
ERM/EEM: Manageability Resources Consumption (Cont.)
(Figure: an NMS collecting ERM/EEM notifications from several devices.)

CL_London(config)# resource policy
CL_London(config-erm)# policy mgmt-cpu-policy type task
CL_London(config-erm-policy)# system
CL_London(config-erm-policy-node)# cpu process
CL_London(config-owner-cpu)# critical rising 80 interval 20 falling 70 interval 20
CL_London(config-owner-cpu)# major rising 70 interval 20 falling 50 interval 20
CL_London(config-owner-cpu)# minor rising 20 interval 20 falling 10 interval 20
CL_London(config-erm)# user group my-mgmt-group type task
CL_London(config-res-group)# instance Exec
CL_London(config-res-group)# instance "IP Input"
CL_London(config-res-group)# instance "IP SNMP"
CL_London(config-res-group)# instance "SNMP ENGINE"
CL_London(config-res-group)# instance "EEM ED SNMP"
CL_London(config-res-group)# instance "IP SLAs XOS Event Processor"
CL_London(config-res-group)# instance "IP SLAs Responder"
CL_London(config-res-group)# policy mgmt-cpu-policy
CL_London(config)# snmp-server community C!sc0 RO
CL_London(config)# snmp-server enable traps resource-policy
CL_London(config)# snmp-server host <ip_address> version 2c C!sc0
ERM/EEM: Manageability Resources Consumption
(Figure: an NMS collecting ERM/EEM notifications from several devices.)

CL_London(config)# event manager applet catch-mgmt-cpu
CL_London(config-applet)# event resource policy "mgmt-cpu-policy"
CL_London(config-applet)# action 000 if $_resource_level eq "critical"
CL_London(config-applet)# action 001 cli command "enable"
CL_London(config-applet)# action 002 cli command "show proc cpu sorted 5min"
CL_London(config-applet)# action 003 set lines 0
CL_London(config-applet)# action 004 foreach line "$_cli_result" "\n"
CL_London(config-applet)# action 005 if $lines gt 6
CL_London(config-applet)# action 006 break
CL_London(config-applet)# action 007 end
CL_London(config-applet)# action 008 append output $line
CL_London(config-applet)# action 009 increment lines
CL_London(config-applet)# action 010 end
CL_London(config-applet)# action 011 syslog msg "Top five processes: $output"
CL_London(config-applet)# action 012 else
CL_London(config-applet)# action 013 break
CL_London(config-applet)# action 014 end
Archive Config

Use Embedded Event Manager (EEM) with a Syslog ED and a TCL applet to archive only newly modified configuration files.
This script is available from www.cisco.com/go/ciscobeyond

Define the EEM environment variable:
CL_London(config)# event manager environment filename <myfile>
Register the EEM TCL script:
CL_London(config)# event manager directory user policy "flash:/TCL"
CL_London(config)# event manager policy archive.tcl type user
Configure the archive location and size:
CL_London(config)# archive
CL_London(config-archive)# path flash:disk0
CL_London(config-archive)# maximum 14
http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=1103
NetFlow/NBAR – CPE

CL_London(config)# flow record app_record
CL_London(config-flow-record)# match interface input
CL_London(config-flow-record)# match ipv4 source address
CL_London(config-flow-record)# match ipv4 destination address
CL_London(config-flow-record)# match ipv4 protocol
CL_London(config-flow-record)# match transport source-port
CL_London(config-flow-record)# match transport destination-port
CL_London(config-flow-record)# match application name
CL_London(config-flow-record)# collect counter packets
CL_London(config-flow-record)# collect counter bytes
CL_London(config)# flow exporter app_collector
CL_London(config-flow-exporter)# destination <ip address>
CL_London(config-flow-exporter)# option interface-table
CL_London(config-flow-exporter)# option application-table
CL_London(config)# flow monitor app_monitor
CL_London(config-flow-monitor)# record app_record
CL_London(config-flow-monitor)# exporter app_collector
CL_London(config)# interface eth0/0
CL_London(config-if)# ip flow monitor app_monitor input

(Figure: Branch Office routers (BR, and one MC/BR) connected over WAN1 and WAN2 to the HQ, the Internet / Datacenter and the Webex DC.)
Embedded Automation Systems (EASy)
1. Browse and download EASy packages: www.cisco.com/go/easy
2. Make sure to also download the EASy Installer
3. Browse other embedded automations: www.cisco.com/go/ciscobeyond
4. Learn about the technology under the hood: www.cisco.com/go/instrumentation, www.cisco.com/go/eem, www.cisco.com/go/pec
5. Discuss, ask questions, suggest answers: supportforums.cisco.com, supportforums.cisco.mobi
6. Upload your own examples to CiscoBeyond: www.cisco.com/go/ciscobeyond
7. Engage via [email protected]
Summary (1/2): feature support per platform (IOS / IOS-XR / IOS-XE / NX-OS; x marks copied from the slide's platform columns)

Manageability:
- Interface Index Persistence
- Reserve Memory for Console Access: x x x
- Warm Reload/Upgrade/ISSU: (ISSU) ISSU (ISSU) ISSU
- Configuration Generation Performance Enhancement
- Configuration Partitioning
- Call Home vs. Smart Call Home
- Interface History: x x
- Logging synchronous: x x
- Snmp-server manager: x x
Configuration:
- Contextual Config Diff Utility
- Config Change Notification and logging
- Config Logger Persistence: x
- Config Locking: x
- Config Replace & Rollback
- Interface range
- Login Monitoring: x x
- SNMP (Polling)
Summary (2/2): feature support per platform (IOS / IOS-XR / IOS-XE / NX-OS; x marks copied from the slide's platform columns)

Fault Management:
- SNMP Notifications
- Logging: syslog
- Reliable Delivery & Filtering: x x
- Management Interface: x
- NTP
- Diagnostics: GOLD
- Diagnostics: OBFL: x x
Accounting Management:
- Flexible NetFlow
Performance Management:
- RMON
- CPU Threshold Notification: x
- Memory Threshold Notification: x
- Embedded Resource Manager (ERM): x x
- Data Collection Manager: x
Security Management:
- Auto Secure: x x
- CDP
- Mgmt Plane Protection/CPP/CoPP/CoPPr: only CoPP
Take aways!

Software releases are approaching consistency across the different platforms for manageability features: IOS, IOS-XR, IOS-XE & NX-OS.
However, it is difficult to have a single default configuration.
- We covered FCAPS.
- Use cases and features have been shared to address Best Practice recommendations per specific domain.
Give us feedback:
- Benoit Claise, [email protected]
- Marisol Palmero, [email protected]
(Figure: Technology / Scope/Domain / Platform)
We value your Feedback
Benoit Claise
Marisol Palmero
NMS Sessions London 2012

Session ID    Title                                                                                   Day        Time
BRKNMS-2005   DataCenter & Virtualization Management Overview                                         Wednesday  09:00:00
BRKNMS-2009   Simplify the Deployment of Cisco Platforms and Technologies                             Wednesday  09:00:00
BRKNMS-3133   Advanced - Using the UCS XML API                                                        Wednesday  09:00:00
BRKNMS-2465   13 Smart Automations to Monitor Your Cisco IOS Network                                  Wednesday  13:30:00
BRKNMS-2847   Ethernet OAM - Technical Overview and Deployment Scenarios                              Wednesday  13:30:00
BRKNMS-2466   13 Smart Automations to Troubleshoot Your Cisco IOS Network                             Wednesday  16:00:00
BRKNMS-2842   Managing Network Performance in WAAS Environments                                       Wednesday  16:00:00
BRKNMS-2943   Smart Services for Business Video - Turning Vision into Reality                         Thursday   09:00:00
BRKNMS-3135   Advanced - Application Visibility and Performance in Cisco devices with Network Based Application Recognition (NBAR)   Thursday   09:00:00
BRKNMS-2031   SYSLOG Design, Methodology and Best Practices                                           Thursday   16:00:00
BRKNMS-2846   Packet Transport and its Management                                                     Thursday   16:00:00
BRKNMS-2659   Cloud Automation                                                                        Friday     09:00:00
BRKNMS-2844   A walkthrough over Service Management                                                   Friday     09:00:00
BRKNMS-3999   Using a Network Hypervisor to Automatically Create End to End Topologies "Network Containers" in a Multi-Tenant Data Center   Friday     09:00:00
BRKNMS-2845   Best Network Mgmt Practice in Cisco Device Instrumentation: what (not) to do?           Friday     11:00:00
More NMS Sessions London 2012
1. Navigate to http://bit.ly/cSMV3N
2. Search for "Session ID"
3. Join us and enjoy!

Session ID    Title                                                               Session Type         Time
TECNMS-3601   Advanced Network Automation                                         Technical Seminar    Monday 9:30
BRKCRS-2437   Incorporating Intelligent Access at the Campus Edge                 Technical Breakout
BRKIPM-2090   Implementing Network Automations                                    Technical Breakout   Tuesday 11:15
BRKNMS-2464   13 Smart Automations to Configure Your Cisco IOS Network            Technical Breakout   Tuesday 15:45
BRKCDN-1114   Building Innovative Solutions with IOS Embedded Automation          Technical Breakout   Wednesday 14:35
LABNMS-1262   Implementing Network Automation Module 0 - Basics                   Lab: Walk in
LABNMS-1263   Implementing Network Automation Module 1 - Planning                 Lab: Walk in
LABNMS-1264   Implementing Network Automation Module 2 - Deployment               Lab: Walk in
LABNMS-1265   Implementing Network Automation Module 3 - Monitoring               Lab: Walk in
LABNMS-1266   Implementing Network Automation Module 4 - Troubleshooting          Lab: Walk in
LABNMS-1422   Network Automation Solutions using Cisco IOS EEM                    Lab: Walk in
LABNMS-2001   Advanced Network Automation and Solutions using Cisco IOS EEM       Lab: Instructor Led
More References

XML functionality in NX-OS:
http://www.cisco.com/en/US/docs/switches/datacenter/sw/nx-os/xml/user/guide/using.html
SNMP:
- SNMP support for named access list
- SNMP support over VPN – Context based access control
- Interfaces MIB: SNMP Context based access
(Figure: Technology / Scope/Domain / Platform)
References – Instrumentation

- Device Manageability Instrumentation (DMI): www.cisco.com/go/instrumentation
- Embedded Event Manager (EEM): www.cisco.com/go/eem
- Cisco Beyond – EEM Community: www.cisco.com/go/ciscobeyond
- Embedded Menu Manager (EMM): http://tinyurl.com/emm-in-124t
- Embedded Packet Capture (EPC): www.cisco.com/go/epc
- Flexible NetFlow: www.cisco.com/go/netflow and www.cisco.com/go/fnf
- GOLD: http://www.cisco.com/en/US/products/ps7081/products_ios_protocol_group_home.html
- Cisco IP SLAs: www.cisco.com/go/ipsla
- Network Analysis Module: http://www.cisco.com/go/nam
- Network Based Application Recognition (NBAR): www.cisco.com/go/nbar
- Security Device Manager (SDM): http://www.cisco.com/go/sdm
- Smart Call Home: www.cisco.com/go/smartcall
- Web Services Management Agents (WSMA): http://tinyurl.com/wsma-in-150M
- Feature Navigator: www.cisco.com/go/fn
- MIB Locator: www.cisco.com/go/mibs
Embedded Automation Systems (EASy)
- www.cisco.com/go/easy
- www.cisco.com/go/ciscobeyond
- www.cisco.com/go/instrumentation
- supportforums.cisco.com
Please complete your Session Survey

Don't forget to complete your online session evaluations after each session.
Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
Surveys can be found on the Attendee Website at www.ciscolivelondon.com/onsite, which can also be accessed through the screens at the Communication Stations.
Or use the Cisco Live Mobile App to complete the surveys from your phone; download the app at www.ciscolivelondon.com/connect/mobile/app.html

We value your feedback
http://m.cisco.com/mat/cleu12/
1. Scan the QR code (go to http://tinyurl.com/qrmelist for QR code reader software; alternatively type in the access URL above)
2. Download the app or access the mobile site
3. Log in to complete and submit the evaluations
Filtering for Syslog: Syslog Message Format

Message Header: <PRI>, Timestamp, Tag string, ...
PRI = <facility(X)>.<level(Y)>
- Facility (WHERE is the message logged in the syslog server?): local0...local7, cron, user, etc.
- Level (WHAT messages are logged?): emergency 0, alert 1, critical 2, error 3, warning 4, notification 5, information 6, debug 7

Message Body (Cisco IOS): Timestamp, then %Component-Severity-Mnemonic: Message-text
* Sep 20 01:12:31: %SYS-5-CONFIG_I: Configured from console by vty1 (144.254.9.79)
(Timestamp = "Sep 20 01:12:31"; Cisco IOS Component = SYS; Severity = 5; Mnemonic = CONFIG_I; Message-text = the remainder)
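Added example (not from the presentation): a Python parser for the message format above, combined with the "logging trap 5" severity cut-off and a "logging discriminator ... facility includes ... rate-limit" style filter from the logging slides. The sample lines, the class names and the non-SYS/CONFIG_I messages are constructed for the example; the "*" timestamp prefix is IOS's marker for a clock that is not authoritative.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Severity levels as listed on the slide: emergency 0 ... debug 7
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "informational", "debug"]
# Syslog facility codes a server uses to decide WHERE to log (local0..local7, cron, user)
SYSLOG_FACILITIES = {1: "user", 9: "cron", **{16 + i: f"local{i}" for i in range(8)}}

# Optional RFC 3164 "<PRI>", optional IOS sequence number, IOS timestamp with optional
# milliseconds and timezone token (service timestamps log datetime localtime show-timezone),
# then "%COMPONENT-SEVERITY-MNEMONIC: message-text"
IOS_MSG = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<seq>\d+):\s+)?"
    r"(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?:\s+(?P<tz>[A-Z]{2,5}))?:\s+"
    r"%(?P<component>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


@dataclass
class IosSyslog:
    timestamp: str                   # second granularity, e.g. "Sep 20 01:12:31"
    component: str                   # IOS component in the tag, e.g. SYS
    severity: int                    # 0 (emergency) .. 7 (debug)
    mnemonic: str                    # e.g. CONFIG_I
    text: str
    clock_authoritative: bool        # False when the timestamp carries a "*" or "." prefix
    syslog_facility: Optional[str]   # from <PRI> when the line arrived over UDP 514
    sequence: Optional[int]


def parse_ios_syslog(line: str) -> Optional[IosSyslog]:
    """Return the parsed message, or None when the line is not a Cisco IOS syslog line."""
    m = IOS_MSG.match(line.strip())
    if m is None:
        return None
    facility = None
    if m["pri"] is not None:
        pri = int(m["pri"])
        if pri > 191:                # PRI = facility * 8 + level, so 191 is the maximum
            return None
        facility = SYSLOG_FACILITIES.get(pri // 8, f"facility{pri // 8}")
    ts = m["ts"]
    return IosSyslog(
        timestamp=ts.lstrip("*.").split(".")[0],
        component=m["component"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
        clock_authoritative=not ts.startswith(("*", ".")),
        syslog_facility=facility,
        sequence=int(m["seq"]) if m["seq"] else None,
    )


class Discriminator:
    """The severity cut-off of 'logging trap <level>' plus a discriminator rule of the form
    'facility includes <string> rate-limit <messages per second>' (0 = no rate limit)."""

    def __init__(self, max_severity: int = 6, facility_includes: str = "",
                 rate_limit: int = 0) -> None:
        self.max_severity = max_severity
        self.facility_includes = facility_includes
        self.rate_limit = rate_limit
        self._per_second: Dict[str, int] = defaultdict(int)

    def accept(self, msg: IosSyslog) -> bool:
        if msg.severity > self.max_severity:
            return False
        if self.facility_includes and self.facility_includes not in msg.component:
            return False
        if self.rate_limit:
            self._per_second[msg.timestamp] += 1
            if self._per_second[msg.timestamp] > self.rate_limit:
                return False
        return True


def filter_lines(lines: List[str], disc: Discriminator) -> Tuple[List[IosSyslog], Dict[str, int]]:
    """Parse every line, keep those the discriminator accepts, and count what was dropped."""
    kept: List[IosSyslog] = []
    stats = {"parsed": 0, "unparsed": 0, "filtered": 0}
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is None:
            stats["unparsed"] += 1
            continue
        stats["parsed"] += 1
        if disc.accept(msg):
            kept.append(msg)
        else:
            stats["filtered"] += 1
    return kept, stats


# Constructed sample lines: the first as received over UDP (PRI header, sequence number,
# unsynchronised clock), the rest as they appear in the local logging buffer.
SAMPLE_LINES = [
    "<188>000029: *Aug 12 22:31:19.559: %SYS-4-FREEMEMLOW: Free Memory has dropped below 20000k",
    "Sep 20 01:12:31: %SYS-5-CONFIG_I: Configured from console by vty1 (144.254.9.79)",
    "Sep 20 01:12:31 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 10.0.0.5]",
    "Sep 20 01:12:31 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 10.0.0.5]",
    "Sep 20 01:12:32 UTC: %LINK-3-UPDOWN: Interface Serial1, changed state to down",
    "Sep 20 01:12:32 UTC: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.1 started",
    "Sep 20 01:12:32 UTC: %SYS-7-USERLOG_DEBUG: debug output that 'logging trap 5' drops",
    "this line is not a syslog message",
]

if __name__ == "__main__":
    for msg in filter_lines(SAMPLE_LINES, Discriminator(max_severity=5))[0]:
        print(msg.timestamp, SEVERITY_NAMES[msg.severity], msg.component, msg.mnemonic, msg.text)
```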
Embedded Resource Manager Positioning

ERM supersedes the Memory Threshold notification.
EEM Event Detection is now available for ERM:
- More powerful actions
Same capabilities as RMON event and alarm, EEM SNMP ED, EEM watchdog ED, EVENT-MIB, EXPRESSION-MIB:
- Advantage: notion of group. No need to create a new MIB variable (EXPRESSION-MIB)
- Advantage: no OID lookup required
- Advantage: easy "slot" resource monitoring: Line Card, (standby) RP
- Advantage: event driven for memory and buffer, so no polling interval (which doesn't see the micro spikes)
"ERM provides a consolidated, consistent facility to monitor, manage, and react to dynamic changes in resource capacity and availability"
Rick Williams, new PM for ERM and EEM
ERM: Interface Queue Unwedging

resource policy
 policy queue-unwedge-pol global
  system
   memory io
    critical rising 90 interval 10 falling 20 interval 10

Allows reclamation of leaked packet memory to automatically unwedge interface queues.
For example, when I/O memory is more than 90% used (default 75%), automatic deallocation will be used to reclaim memory.
Not well known: could be a use case.
Platform support (IOS / IOS-XR / IOS-XE / NX-OS): ? ?; 12.4(6)T; 3.6
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_6105.html
Smart Call Home (SCH) can be configured as:
1. Device -> HTTPS -> SCH Portal
2. Device -> Email -> SCH Portal
3. Device -> HTTP -> TG -> HTTPS -> SCH Portal
4. Device -> Email -> TG -> HTTPS -> SCH Portal
(Figure: the customer network reaches the SCH Portal across the Internet either directly over HTTPS or Email, or through a Transport Gateway (TG) that forwards over HTTPS.)