Source: https://d2zmdbbm9feqrf.cloudfront.net/2016/eur/pdf/LTRNMS-3002-LG.pdf


LTRNMS 3002 Network Compliance and Network and Application Monitoring with Prime Infrastructure 3.0

LTRNMS-3002 Network Compliance and Network and Application Monitoring with Prime Infrastructure 3.0

Getting Started with the lab
  Lab Topology
  Connection to the lab
  Create your environment
  Populating device Inventory
  Using a vCenter as discovery Source
  Creating Device group
  Endpoint Subnet association
  Prepare a new Overview dashboard

Part 1: Compliance
  Exercise 1: Enabling Compliance
  Exercise 2: EOX/PSIRT Report
  Exercise 3: Using predefined Compliance Policies
  Exercise 4: Creation of a simple user defined policy
  Exercise 5: Creation of a user defined policy with configuration block and simple regex
  Exercise 6: Creation of a user defined policy using “command output” scope
  Exercise 7: Creation of a user defined policy testing multiple instances of a command

Part 2: Device Monitoring
  Exercise 1: Out of the box Devices monitoring
  Exercise 2: Customizing device monitoring
  Exercise 3: Monitoring UCS servers

Part 3: Application Monitoring
  Exercise 1: Using NAM as a datasource
  Exercise 2: AVC Readiness Assessment on router
  Exercise 3: AVC profiles
  Exercise 4: Interface configuration
    Deploy a QoS profile
    Deploy an AVC profile
  Exercise 5: Device Data Sources
  Exercise 6: QoS and AVC monitoring on interfaces
  Exercise 7: Monitoring application with Service Assurance and Application Performance Dashboard
  Exercise 7: Customize your Dashboard


Getting started with the lab

Lab Topology

The lab infrastructure deployment is shown below.

The 2 student groups see the same POD devices. However, students in the East group will modify only the East devices (SW-PODx-E, RTR-PODx-E) and students in the West group will modify only the West devices (SW-PODx-W, RTR-PODx-W). Some devices (read-only) are shared. Each student group has its own Prime Infrastructure 3.0 and its own NAM 6.2. Below are the addresses of the important elements of the pods.

POD East

Device type            Name         IP address       Credentials
Switch                 SW-PODx-E    10.14.20x.1
Router                 RTR-PODx-E   10.14.20x.3
Prime Infrastructure   PI-PODx-E    192.168.40.5x    root/Public123


POD West

Device type            Name         IP address       Credentials
Switch                 SW-PODx-W    10.14.20x.2
Router                 RTR-PODx-W   10.14.20x.4
Prime Infrastructure   PI-PODx-W    192.168.40.6x    root/Public123

Shared

Device type            Name         IP address       Credentials
Fabric Interconnect                 10.14.200.100
vNAM                   NAM-PODx     192.168.40.2x    admin/cisco

Connection to the lab

You must use the Cisco AnyConnect VPN client. Launch it and use “primelab-eu.cisco.com” as the server.
Username: pi-lab
Password: CLBerlin

Create your environment

Launch your Prime Infrastructure server: https://192.168.40.yx


Connect using Username: root, Password: Public123. Select Dashboard/Network Summary/Overview.

Populating device Inventory

There are 3 ways to populate the inventory:

- adding a single device
- doing a bulk import
- configuring an automatic device discovery

In this section you will do a bulk import.


Go to Inventory/Device Management/Network Devices. Select Bulk Import.

Select the file called podx.csv where x is your pod number (East and West will use the same file).

Click Import. You can check the status of the job in Administration/Dashboards/Job Dashboard.

After a couple of minutes, once synchronization is complete, you should see your devices managed in Inventory/Device Management/Network Devices.


Using a vCenter as discovery source

From Inventory/Device Management/Compute Devices, select Cisco UCS Server and click on the Fabric Interconnect.

Click Schematic and expand as much as you can. You should be able to see the Chassis and the Blades.


To get more information on the ESX datacenter environment, you will now add the ESX vCenter. This will give you visibility on the datacenters, clusters, hosts and VMs. Select Inventory/Compute Devices.

Select Discovery Sources

Add device

Add the vCenter:


IP: 192.168.40.40
Port: 443
Username: cl16
Password: LTRNMS3002

After a few seconds, the discovery source becomes synchronized.

You can see the datacenters, clusters, hosts and VMs. Explore.


To monitor resources on servers and VMs, select Datacenter and click Start Monitoring.

(Note: it is possible to be more specific, and to monitor only specific hosts or specific VMs.)

Creating Device group

You will create 2 device groups (location groups) called East and West, for the East devices and the West devices respectively. You will use them later. Select Inventory/Group Management/Network Device Groups.


Click + to add a group.

Create a location group called East, using the “location” attribute and the condition “contains East”.

Do the same for the West location group.

Endpoint association

In your network, most of the endpoints from East use IP addresses 10.21.*.* and most of the endpoints from West use IP addresses 10.22.*.*.


For monitoring purposes, it’s important to associate these endpoint subnets with the appropriate locations. Select Services/Application Visibility & Control/Endpoint Association (note: for the remainder of the guide we will use AV&C for Application Visibility and Control). Select +.

Associate the 10.21.*.* subnets to East.

Save. Associate the 10.22.*.* subnets to West.

Prepare a new Overview dashboard

Below, you will create an empty dashboard that you will use later in the lab. Select Dashboard/Overview/General. In the upper right corner, click Settings, then “Add New Dashboards”.


Give a name: CL16-PODx-East (or West).

Click on the Dashboard tab. You have an empty Overview Dashboard.

Select the configure icon in the upper right corner, and click “Set Current Page As Home”.

Now each time you click on the home icon, you will jump to this dashboard.

Part 1: Compliance

Exercise 1: Enabling Compliance


Objective: Learn how to enable the compliance feature. By default Compliance is disabled, but it should have been enabled previously on your system. In this exercise you will just verify that this is the case (and enable it if needed). Verify that you have the Compliance entries under Configuration/Compliance.

If not, select Administration/Settings/System Settings/General/Server. Select Compliance Service / Enable. Click Save, then log out and log in again.

Exercise 2: EOX/PSIRT Report

Objective: Know how to activate EOX and PSIRT analysis. Before visualizing a PSIRT or EOX report, you must first activate it. Select Reports/PSIRT and EOX.


As you can see, there is no data available.

Click Schedule Job. You can also click View Job Details to see the status of the job.

Don’t wait, it takes time; you will see the result later. Do Exercise 3 and come back here afterwards. If you select Hardware EOX, you should see 2 devices with EOX announcements.


Click on it to see the EOL announcement (Internet access is needed).

Exercise 3: Auditing using predefined Compliance Policies

Objective: In this exercise you will use an existing compliance policy to verify the compliance of the passwords with security rules. The policy will test the encryption, the encryption level and the password length. You will learn:

- How to create a Compliance Profile using predefined Compliance Policies
- How to create an audit job to execute this Compliance Profile
- How to visualize the Audit Report generated by the execution of the previous job

Select Configuration/Compliance/Profiles


Select + to add a new profile.

Give a name to this profile.

Click + Add to add Compliance Policies.

In the “Audit and Management” folder, select User Passwords.


Keep only the first 5 rules (it will be enough to get violations!).

Click Save. You have created the profile. Click the execute icon (see below).


Select the 2 switches.

Execute the job now, without recurrence.

From Configuration/Compliance/Jobs, you can see the job in the “Running” state.


Click the refresh button after 1 minute to see the result: it should report a failure.

Click the Failure link for details. Below you see 5 rules and 6 violations (the number of violations is not necessarily the same everywhere). Click “Next”.

You can see the details of each violation.


Click Previous and select “Export as HTML”.

Visualize the report.

Exercise 4: Creation of a simple user defined policy

Objective: In this exercise, you will create a simple policy to verify that the system clock has been configured with both a timezone and a summer timezone. You will also verify that timestamps have been properly configured on syslog and debug messages. The compliance check will test for the existence of the commands:

- clock timezone <timezone> …
- clock summer-time <summer-timezone> recurring …
- service timestamps debug datetime localtime show-timezone
- service timestamps log datetime localtime show-timezone

<timezone> and <summer-timezone> will be passed as parameters (Rule Inputs).


You will learn:

- How to create a policy
- How to add rules to a policy
- How to add rule inputs to rules
- How to define conditions and actions in a rule

Select Configuration/Compliance/Policies

Click + to add a policy, give it the name “Timezone”, and click “Create”.

Click “New” to add a new rule.

Give it a name, then click “Next”.


Select IOS and IOS-XE, then click “Next”.

Click “New” to create the first parameter (Rule Input). Provide:

- the name of the parameter: timezone
- click Generate to generate the Identifier of the parameter (you will refer to the parameter by its Identifier)
- select the Scope: Execution. This means that the parameter is used for auditing; the other possible scope is Fix, when the parameter is only used to fix the CLI
- select Input Required
- give a default value: CET, which stands for Central European Time


Create a second “rule input” called Summer-timezone.

Remark: when you generate a parameter identifier, “-” characters are converted to “_”, and “_” is also added at the beginning of the identifier. The default value is CEST, for Central European Summer Time. You now have two parameters; click Next.


You will now add the conditions and actions. The first condition will check whether the configuration contains the string:

clock timezone <_timezone>

where _timezone is the identifier of the rule input.

Define the scope: Configuration.

Define the “Condition Match Criteria”.


Now define the actions you want to take in case of match / no match. If the condition matches, “Continue” means: test the next condition.

If the condition doesn’t match, “Raise a Violation and Continue” (to the next condition). Customize the severity and the violation message.


Click OK: the condition is created. Click New to add the second condition, which tests the summer-timezone.

Condition: (see below the rule input syntax <_summer_time>)


Actions:

- Matches: Continue
- Does not match: Raise a violation and continue

Click OK to save, and add a new condition to verify the “debug” timestamp configuration, with the actions:

- Matches: Continue
- Does not match: Raise a violation and continue


Click “OK” to save the condition/actions. Click “New” to add the last condition, which verifies the syslog timestamp configuration.

Condition: contains the string: service timestamps log datetime localtime show-timezone

Actions:

- Matches: Do not raise a violation (no other rule to test)
- Does not match: Raise a violation


Click OK to save the condition. You now have 4 conditions/actions in the rule. Click Create to save the rule.

The rule is created, as well as the policy.

Now you will create a profile (as you did in the previous exercise) to use this policy.


Select Configuration/Compliance/Profile, click + and give a name.

Click “Add” to add a policy, and check your policy in the User Defined policies folder.

Keep the default values for the Rule Inputs: CET for the timezone and CEST for the summer-timezone.

Execute the profile.


Select the switches.

Run the job immediately. In Configuration/Compliance/Jobs, wait for the job to complete.

See the result.

Exercise 5: Creation of a user defined policy with configuration blocks and simple regex

Objective: In this exercise, you will create a policy which checks that all switch ports explicitly configured in trunk mode are also configured with a list of allowed VLANs.


You will learn:

- how to parse a configuration as blocks, as you need to run the test for each interface
- how to use regex (very basic here) and how to capture a matching group

The rule will contain 3 conditions.

Condition/Action 1: Find the “interface” block
Scope: Configuration
Parse as blocks: Yes. Define block start: ^interface.* (^ => starts with, . => any character, * => any number of times)
Condition: match the regex interface (.*) => the parentheses capture the interface name. Its id will be <1.1> (1: condition 1, 1: first captured parameter)
Match action: Continue
Doesn’t match action: Do not raise a violation

Condition/Action 2: Is it a trunk?
Scope: Previously matched block (we want to stay in the interface block)
Condition: match the string “switchport mode trunk”
Match action: Continue
Doesn’t match action: Do not raise a violation

Condition/Action 3: Are allowed VLANs configured?
Scope: Previously matched block (we want to stay in the interface block)
Condition: match the string “switchport trunk allowed vlan ”
Match action: Do not raise a violation
Doesn’t match action: Raise a violation with the message “misconfigured trunk on <1.1> …”. <1.1> refers to the interface name captured by condition 1!

Select Configuration/Compliance/Policies


Click + to add a policy, give it the name “trunk”, and click “Create”.

Click “New” to add a new rule.

Give it a name, then click “Next”.

Select IOS and IOS-XE, then click “Next”.


Skip the rule input. In Conditions and Actions, click “+New” to add the first condition.

Condition/Action 1: Find the “interface” block

Scope: Configuration

Parse as blocks: Yes. Define block start: ^interface.* (^ => starts with, . => any character, * => any number of times)


Condition: match the regex interface (.*) => the parentheses capture the interface name. Its id will be <1.1> (1: condition 1, 1: first captured parameter)

Match action: Continue

Doesn’t match action: Do not raise a violation

Click OK and add a second condition. Condition/Action 2: Is it a trunk?

Scope: Previously matched block (we want to stay in the interface block)

Condition: match the string “switchport mode trunk”

Match action: Continue


Doesn’t match action: Do not raise a violation

Click OK and add the last condition. Condition/Action 3: Are allowed VLANs configured?

Scope: Previously matched block (we want to stay in the interface block)

Condition: match the string “switchport trunk allowed vlan ”

Match action: Do not raise a violation

Doesn’t match action: Raise a violation with the message “misconfigured trunk on <1.1> …”. <1.1> refers to the interface name captured by condition 1!


Click “Create”.

Now you will again create a profile. Select Configuration/Compliance/Profile, click + and give a name.

Click “Add” to add a policy, and check your policy in the User Defined policies folder.


Execute the profile.

Select the switches

and run the job immediately. In Configuration/Compliance/Jobs, wait for the job to complete.


See the result.

You can check the configuration in the configuration archive.

Exercise 6: Creation of a user defined policy using “command output” scope

Objective: In this exercise, you will create a policy which checks that your switches are configured in either VTP client or VTP server mode, in a VTP domain that you pass as a parameter (Rule Input). Unfortunately, it’s not possible to test the configuration, as the VTP information is not always visible in the configuration; see below. In VTP transparent mode, the VTP information is visible in the configuration.


However, in VTP client or VTP server mode, the VTP information is not in the configuration, but it is visible through the command “show vtp status”.

This is the same behaviour in VTP server mode. You need to test the output of “show vtp status”.

The rule will contain 2 conditions.

Condition/Action 1: Check the VTP domain
Scope: show command: show vtp status
Condition: Match the expression VTP Domain Name\s*:\s<_vtp_domain>


Match action: Continue
Doesn’t match action: Raise a violation

Condition/Action 2: Check the VTP mode
Scope: show command: show vtp status
Condition: Match the expression VTP Operating Mode\s*:\s(Server|Client)
Match action: Do not raise a violation
Doesn’t match action: Raise a violation
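The two conditions of the VTP rule, evaluated offline against a constructed “show vtp status” output. This is an added example, not code from the lab guide or from Prime Infrastructure; the rule-input substitution (<_vtp_domain>) is implemented here by hand. It also shows a caveat: the guide’s domain expression is anchored on the left only, so “POD1” would also accept a domain named “POD10”, which the example closes by requiring the end of the line.

```python
import re

# Constructed "show vtp status" output in the layout IOS prints; not captured
# from the lab pods.
SHOW_VTP_STATUS = """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : POD1
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0011.2233.4455

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 12
"""


def substitute_inputs(expression: str, rule_inputs: dict) -> str:
    """Replace each <_identifier> token with the value of that rule input.

    The value goes through re.escape so a domain name containing regex
    metacharacters (for example 'POD.1') is matched literally instead of
    being interpreted as part of the expression.
    """
    return re.sub(r"<(_\w+)>",
                  lambda m: re.escape(rule_inputs[m.group(1)]),
                  expression)


def audit_vtp(show_output: str, rule_inputs: dict) -> list:
    """Evaluate the two conditions of the VTP rule and return the violations."""
    violations = []

    # Condition 1: VTP Domain Name\s*:\s<_vtp_domain>
    # \s*$ with MULTILINE makes the domain name match the whole field, so
    # 'POD1' no longer accepts 'POD10'.
    domain_re = substitute_inputs(r"VTP Domain Name\s*:\s<_vtp_domain>", rule_inputs)
    if not re.search(domain_re + r"\s*$", show_output, re.MULTILINE):
        violations.append("VTP domain is not %s" % rule_inputs["_vtp_domain"])

    # Condition 2: VTP Operating Mode\s*:\s(Server|Client)
    # Transparent mode does not match and raises a violation.
    if not re.search(r"VTP Operating Mode\s*:\s(Server|Client)", show_output):
        violations.append("VTP operating mode is neither Server nor Client")
    return violations


if __name__ == "__main__":
    for domain in ("POD1", "POD2"):
        print(domain, audit_vtp(SHOW_VTP_STATUS, {"_vtp_domain": domain}))
```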

Select Configuration/Compliance/Policies

Click + to add a policy, give it the name “VTP”, and click “Create”.

Click “New” to add a new rule.

Give it a name, then click “Next”.


Select IOS and IOS-XE, then click Next.

Add the VTP domain as a rule input. Put your pod name as the default value, for example POD1 if you are either POD1W or POD1E.


In Conditions and Actions, click +New to add the first condition.

Condition/Action 1: Check the VTP domain

Scope: show command: show vtp status

Condition: Match the expression VTP Domain Name\s*:\s<_vtp_domain>


Match action: Continue
Doesn’t match action: Raise a violation

Condition/Action 2: Check the VTP mode

Scope: show command: show vtp status

Condition: Match the expression VTP Operating Mode\s*:\s(Server|Client)


Match action: Do not raise a violation
Doesn’t match action: Raise a violation

Click Save.

Now create the profile. Select Configuration/Compliance/Profile, click + and give a name.


Select Add to add a policy, and check your policy in the User Defined policies folder.

The Rule Input “vtp domain” should be your POD.

Execute the profile.

Select the switches

and run the job immediately. In Configuration/Compliance/Jobs, wait for the job to complete.


Visualize the result.

Exercise 7: Creation of a user defined policy testing multiple instances of a command

Objective: In IOS, some commands can have multiple instances. For example, you can have multiple “snmp-server community” entries, multiple “logging” destinations, or multiple “ntp server” entries. It’s easy to check that a specific instance of a command exists, for example that “snmp-server community pilab-ro RO” exists. But how can you test that another instance with a different community name does not exist? In this exercise, you will learn a method to solve this issue.


Imagine that the rule is to have 2 read-only communities (passed as parameters) and one read-write community (passed as a parameter). How can you write the policy? The rule has 3 inputs for the communities: <_com_ro1>, <_com_ro2>, <_com_rw>. The rule has 5 conditions/actions:

Condition/Action 1: Check the first read-only community
Scope: Configuration
Condition: contains the string “snmp-server community <_com_ro1> RO”
Match action: Continue
Doesn’t match action: Raise a violation and continue

Condition/Action 2: Check the second read-only community
Scope: Configuration
Condition: contains the string “snmp-server community <_com_ro2> RO”
Match action: Continue
Doesn’t match action: Raise a violation and continue

Condition/Action 3: Check the read-write community
Scope: Configuration
Condition: contains the string “snmp-server community <_com_rw> RW”
Match action: Continue
Doesn’t match action: Raise a violation and continue

If we stop here and have no violation, we are sure that the mandatory communities exist, but we do not know whether an "unwanted" community exists as well. One possible trick is to now consider each "snmp-server community xxx RO" line as a configuration block of one line.

Condition/Action 4: Check if an unwanted RO community exists
Scope: Configuration
Parse as blocks: Yes
Define block start: ^snmp-server community \S* RO
Condition: match the expression: snmp-server community (?:<_com_ro1>|<_com_ro2>) RO.*

- Where (?:<_com_ro1>|<_com_ro2>) means either <_com_ro1> or <_com_ro2>, but without capturing as a parameter ((?: opens a non-capturing group).
- RO.* because we accept an access-list after the RO keyword.

Match Action: Continue
Doesn't match Action: Raise a Violation and Continue

Condition/Action 5: Check if an unwanted RW community exists
Scope: Configuration
Parse as blocks: Yes
Define block start: ^snmp-server community \S* RW
Condition: match the expression: snmp-server community <_com_rw> RW.*
Match Action: No violation
Doesn't match Action: Raise a violation
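To see the logic of the five conditions outside the GUI, here is an added Python example (it is not part of the lab guide and not Prime Infrastructure code) that applies the same checks to a constructed IOS configuration: conditions 1 to 3 are plain "contains the string" tests, and conditions 4 and 5 treat every "snmp-server community ... RO" or "... RW" line as a one-line block that must match the allowed-community expression. The sample configuration, the function name and the parameter names are assumptions made for the example.

```python
import re

# Constructed sample IOS configuration for the demonstration (not taken from
# the lab pods). It carries the two wanted RO communities (one with an
# access-list), the wanted RW community, and one leftover RO community that
# the policy should flag.
SAMPLE_CONFIG = """\
hostname POD1W-EXAMPLE
!
snmp-server community public RO
snmp-server community snmpro RO 10
snmp-server community leftover RO
snmp-server community private RW
!
ntp server 10.0.0.1
"""


def check_snmp_communities(config, com_ro1, com_ro2, com_rw):
    """Apply the five conditions of the lab's SNMP policy to a config text.

    Returns the list of violations (an empty list means compliant). The
    parameters play the role of the rule inputs <_com_ro1>, <_com_ro2>
    and <_com_rw>.
    """
    violations = []
    lines = config.splitlines()

    # Conditions 1-3: "contains the string" checks for the mandatory lines.
    # A trailing access-list ("... RO 10") is still accepted because this is
    # a substring test, exactly as in the policy.
    for name, mode in ((com_ro1, "RO"), (com_ro2, "RO"), (com_rw, "RW")):
        needle = f"snmp-server community {name} {mode}"
        if not any(needle in line for line in lines):
            violations.append(f"missing mandatory community: {needle}")

    # Conditions 4-5: parse the configuration as blocks, each block starting
    # at "^snmp-server community \S* RO" (or RW) and being one line long,
    # then require every block to match the allowed-community expression.
    # re.escape protects against community strings containing regex
    # metacharacters; the GUI substitutes the rule inputs literally.
    allowed = {
        "RO": re.compile(
            rf"snmp-server community (?:{re.escape(com_ro1)}|{re.escape(com_ro2)}) RO.*"
        ),
        "RW": re.compile(rf"snmp-server community {re.escape(com_rw)} RW.*"),
    }
    for mode, pattern in allowed.items():
        block_start = re.compile(rf"^snmp-server community \S* {mode}")
        for line in lines:
            if block_start.match(line) and not pattern.match(line):
                violations.append(f"unwanted {mode} community: {line.strip()}")
    return violations


if __name__ == "__main__":
    for v in check_snmp_communities(SAMPLE_CONFIG, "public", "snmpro", "private"):
        print(v)
```

Run against the sample with the defaults used later in the exercise (public, snmpro, private), only the leftover RO community is reported; with a different RW input, the missing mandatory line and the now-unwanted "private RW" block are both reported, which is the point of combining the three "must exist" checks with the two block checks.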

Select Configuration/ Compliance /Policies

Click + to add a policy, give a name “SNMP”, and click “Create”

Click “New” to add a new rule

Give a Name then click “Next”


Select IOS and IOS-XE then Next

Add the 3 rule inputs for the SNMP communities (2 RO, 1 RW). As default values for the RO communities, use public and snmpro, and use private for the RW community.

In condition and actions, click +New to add the first condition

Condition/Action 1: Check the first read-only community
Scope: Configuration
Condition: contains the string "snmp-server community <_com_ro1> RO"
Match Action: Continue
Doesn't match Action: Raise a Violation and Continue

Condition/Action 2: Check the second read-only community
Scope: Configuration
Condition: contains the string "snmp-server community <_com_ro2> RO"
Match Action: Continue
Doesn't match Action: Raise a Violation and Continue

Condition/Action 3: Check the read-write community
Scope: Configuration
Condition: contains the string "snmp-server community <_com_rw> RW"
Match Action: Continue
Doesn't match Action: Raise a Violation and Continue

Condition/Action 4: Check if an unwanted RO community exists
Scope: Configuration
Parse as blocks: Yes
Define block start: ^snmp-server community \S* RO
Condition: match the expression: snmp-server community (?:<_com_ro1>|<_com_ro2>) RO.*
Match Action: Continue
Doesn't match Action: Raise a Violation and Continue

Condition/Action 5: Check if an unwanted RW community exists
Scope: Configuration
Parse as blocks: Yes
Define block start: ^snmp-server community \S* RW
Condition: match the expression: snmp-server community <_com_rw> RW.*
Match Action: Does Not Raise a Violation
Doesn't match Action: Raise a Violation

Click save/create to create the policy

Now create the profile: select Configuration/Compliance/Profile, click + and give a name.

Click "Add" to add a policy, and check your policy in the user-defined policies folder.

Keep the rule inputs values as below

Execute the profile

Select the switches

and run the job immediately. In Configuration/Compliance/Jobs, wait for the job to complete.

Visualize the result

You can confirm with the configuration archive. Do you know how to do it? (There is a trick.) Here are the POD1W SNMP communities:

Here are the POD1E SNMP communities:

Part 2: Device Monitoring

Exercise 1: Out of the box Devices monitoring

Prime Infrastructure uses monitoring policies to monitor wired devices (Health and interfaces). Select Monitor/Monitoring Tools/Monitoring Policies

You can see the monitoring policies. Some are active by default, some have associated thresholds.

For the policies Device Health and Interface Health, click on the links under "Activation history" and "Details". What do you notice?

Click now on Auto monitoring

Examine which parameters are polled for devices and Interfaces (Link and Trunk Ports)


Wireless devices are not monitored using monitoring policies but monitoring jobs. You can see the jobs used for wireless from: Administration/Dashboards/Job Dashboard

Examine now the Overview dashboards for devices: Dashboards/Overview/Network Devices.

(You can change the layout)

Click the icon on one of your devices to launch the device 360


Click a device IP address to launch the “Performance Dashboard “ for the device

Examine now the Overview Dashboard for Interfaces. Select Dashboard/Overview/Network Interfaces.

Drill Down to one interface to launch the Performance Dashboard/Interface

As you see the interface is polled, but the traffic is very low (close to 0%)

Mouse over the upper right corner of the Interface Tx and Rx Utilization dashlet, and click the edit icon.

Change display unit from “Percent” to “Bits per second”


Save and close and see the result

Exercise 2: Customizing device monitoring

In this exercise, you will customize the device monitoring. You will use the 2 device groups (location groups) called East and West created at the beginning of the lab. You will create a new monitoring policy to monitor only the devices from your location group (either East or West). Select Monitor/Monitoring Tools/Monitoring Policies and click "Add".

Select the Device Health Policy Type

Expand Device Selection

Select the location group East or West. Give a name to the policy, keep the default polling intervals and click "Save and Activate".

Confirm that the policy is created

Confirm the policy is active on appropriate devices

Go to your personal dashboard. You have an empty Overview Dashboard called CL16 PODx (created early in the lab).

From the setting icon (upper right corner), Select “Add Dashlets”

Add the following Dashlets

- Network Topology
- Top N CPU Utilization
- Top N Interface Utilization

Add a Filter : Site

You can see the Dashboard


Edit The Network Topology Dashlet (mouse over upper right corner)

Select the group East or West, depending on your pod, and "Save and Close".

Edit the Top N Interfaces Dashlet Select “Link Ports” as Port Group and Change the Title

In the Site filter, Select East or West, depending on your pod and click Go

Now you have changed the behaviour of your dashboard. This Dashboard:

- displays your location topology,
- displays the monitored metrics of the devices (CPU) of your location,
- displays the monitored metrics of the link ports of your location.

In addition, the devices from your location have a specific monitoring policy (with a different interval in this case)

Exercise 3: Monitoring UCS servers

Explore the Data Center Dashboards. On Dashboard/Data Center/Compute, select the Data Center (PI-LAB) and click "Go".

You can drill down to a Host to enter Dashboard/Data Center/Host. Go also to Monitor/Compute Device.

Find YOUR VM, called PI30-CL16-PODxy (x is the pod number, y is W for West or E for East), and display its performance metrics. Display also the performance metrics of the host where your VM runs. Below, from Virtual Machines, use Quick Filter to search for your VM.

Click on it: you can see details on your VM and go to the host and the cluster.

Part 3: Application Monitoring

In this part you will learn:

- How to configure a NAM as a data source for application monitoring
- How to configure QoS and Application Visibility on routers
- How to monitor applications

Exercise 1: Using NAM as a data source.

A NAM is part of your inventory. At this time you can only use it as a network device. To use it as a data source for application monitoring, you must enable it. Select Services/ AV&C/ Data Sources


At the bottom, you should see the NAM in disabled state

Select it and click Enable

You should see it in “enabled state”. If you expand it, you should see the “DATA PORT”. This is the NAM port which collects traffic and that you will use as a data source.


Exercise 2: AVC Readiness Assessment on router

Prime Infrastructure provides an assessment tool for AVC and QoS. This tool gives you the status of your routers regarding AVC capability and configuration. Select Services/Application Visibility and Control/Readiness Assessment.

In the example below, both routers are AVC capable, and one already has AVC configured. One is running protocol pack 11, the other protocol pack 13.

Protocol packs contain the information used by NBAR2 to classify protocols. Protocol packs are periodically distributed to recognize new applications or to provide bug fixes. Prime Infrastructure provides a repository for the protocol packs. Protocol packs can be downloaded from CCO and uploaded to Prime Infrastructure, and then they can be loaded onto the routers.

Exercise 3: AVC profiles

AVC profiles are configuration templates that can be deployed on interfaces. There are 3 categories:

QoS Classification Profiles define how application traffic can be identified (based on NBAR2) and marked. 3 default profiles are provided out of the box according to Cisco best practices: 5-class, 8-class and 12-class profiles. New profiles can be added.

QoS Action Profiles define the egress actions which will occur on egress traffic (queuing, priority queuing, BW reservation, shaping...). 3 default profiles are provided (5, 8, 12 classes) out of the box. They can be modified and new profiles can be added.

Application Visibility Profiles define the monitoring actions (URL monitoring, traffic volume, Application Response Time, Voice/Video metrics).

Objectives: The goal of this lab is to create a new QoS classification profile that will include the traffic to/from your management platform in the class "TRANSACTIONAL DATA".

Step 1: Adding a new QoS Classification Profile. Select Services/AV&C/AVC Profiles

Select + to add a new profile


Choose Create Classification Profile

Give a name (PILAB-QOS), and choose 5-class profile

Step 2: Adding a new classification rule to classify the traffic to/from your Prime Infrastructure Server. Click Add to add your classification rule (see image above). A new entry appears at the bottom.

Click the new entry and change the type from NBAR to L3/L4 (you will classify using your own PI IP address). Select Apply IP/Port symmetrically. Put YOUR PI IP address (192.168.40.xy).

Click OK.

Step 3: Choose the class of service. Select now the QoS class (Transactional-Data).

Save the line

Save the profile

Exercise 4: Interface configuration

This feature allows enabling AVC/QoS profiles on interfaces or interface groups. In this exercise, you will deploy both a QoS profile (the Classification Profile you created in the previous exercise) and an AVC profile (to enable Traffic Statistics, Application Monitoring, Voice/Video Monitoring) on the internal interface of your router. If you are on East, the interface is g0/0/1 (router 4331). If you are on West, the interface is vlan1 (router 892).

Deploy a QoS profile: select Services/AV&C/Interface Configuration

Select the appropriate interface on your router (You can use the quick filter )

Click “Enable QoS” Then select your profile (PILAB-QOS)

You can preview the CLI. You should see the ACL for your PI server.

Then deploy. Check the status of the job in Administration/Job Dashboard.

Deploy an AVC profile Select Services/ AVC/ Interface Configuration

Select the internal interface of your router as previously. Notice that you see it with QoS enabled


Select “Enable App Visibility” Choose “App Visibility & Performance (IPv4 and IPv6)”

You can see the CLI. If you are familiar with AVC CLI, you can see that Prime Infrastructure uses the ezPM framework (Easy Performance Monitor) if the router can support it.

Click "Deploy" and wait until the job completes.

If you go back to interface configuration, you can see that “App Visibility Policy” is deployed


Select now Inventory/Group Management/Port groups

Expand Port Groups/System Defined and select “AVC Configured Interfaces”. You should see your router port. AVC Configured interfaces is automatically populated with the ports where QoS or AVC is configured

Select Monitor/Monitoring Tools/ Monitoring Policies

A Policy exists by default called Interface-AVC. This policy monitors interfaces from the port group “AVC configured interfaces”. It is not activated by default. Activate it!

The policy becomes active. You can click “details” to see on which interfaces


Exercise 5: Device Data Sources

You have deployed AVC profiles. The effect is to configure metering agents on your router. Metering agents are able to provide statistics for application traffic, Application Response Time and voice and video parameters (jitter and loss). These metrics are exported using NetFlow v9 or IPFIX. These exports create data sources in Prime Infrastructure. To view the data sources, select Services/AV&C/Data Sources.

Select your data source (RTR-PODx-y) and see the NetFlow templates. You will probably have several templates, depending on what you have enabled and on the traffic patterns in the network.

If you want details on the contents of the export, you can drill down to a template by clicking on it. You will see the fields of the netflow records and the exporting devices (your router)

(Note: you can also go to this same page from Services/AV&C/Netflow Templates)

Exercise 6: QoS and AVC monitoring on interfaces

Previously, you enabled monitoring on the port group "AVC configured interfaces". This port group contains the interfaces where you enabled AVC or QoS.

Search for your router RTR-PODx-y in the search tool bar. Click on the router name link.

Click on the icon to launch the 360 view. Select Interfaces and scroll to the interface where you enabled AVC. You can see that Top 3 applications data is provided.

Click now on the interface name link in the device 360.

This launches the Interface Dashboard for this interface. You see interface details and interface Tx/Rx (data polled through SNMP).

Then you see data collected through AVC (Application volume, Top N client, Number of clients and DSCP information)

You see also data from Class Based QoS monitoring. To visualize data on the “Top QoS Class Map Statistics Trend” dashlet, you need to select “In” traffic and either Pre or Post policy rate (probably there is no drop)


Exercise 7: Monitoring application with Service Assurance and Application Performance Dashboard

The Service Assurance Dashboard is the main Overview Dashboard to display Application metrics. Go to Dashboard/Overview/Service Assurance.

Explore the dashboard. Focus on the Top N "Applications" Dashlet.

Click on the edit icon

Expand the data sources

By default all data sources are aggregated. Change to data source RTR-PODx-y (netflow), then vnam-podx (NAM), to see the difference. Click the bar of the RTP Application to drill down to a performance dashboard for the Application.

From the upper right corner, add the Dashlet "Application ART Analysis".

You should see “No data”. Why?

Change to another application, TCP-based, for example ssh.

Look at the Application ART Analysis dashlet. You should have data. Do you understand this graph?

Exercise 7: Customize your Dashboard

Click to launch your dashboard, and click setting (upper right corner) to add dashlets.

Add the dashlets:

- Top N applications
- Worst Site by transaction time
- Top N Clients
- Top N servers

End of LAB