Policy-Based Management MIB
Steve Waldbusser
Jon Saperia
Thippanna Hongal
Infrastructure
SNMP MIBs
PolicyFilter: ifType == FastEthernet && roleString == trunk
PolicyAction: fullDuplexMode = ON
PolicyFilter: ifType == Ethernet && roleString == GOLD
PolicyAction: Set QOS parameters to provide EF PHB
Policy Table
Role Table
Capabilities Table
Time Objects
PolicyTable
PmPolicyEntry ::= SEQUENCE {
    pmPolicyIndex        Integer32,
    pmPolicyFilter       OCTET STRING,
    pmPolicyAction       OCTET STRING,
    pmPolicyCalendar     RowPointer,
    pmPolicyDescription  SnmpAdminString,
    pmPolicyMatches      Gauge32,
    pmPolicyStatus       RowStatus
}
Policy Expression Language
Derivative of C
Subsetted by a BNF Grammar
Used for both Filters and Actions
policyFilter PseudoCode
(is an interface
AND is an ethernet
AND is an access port
AND gets gold or silver service)
policyFilter PseudoCode
(!strcmp(ifTable, elementName())
&& getint(ifType.$1) == ethernet-csmacd
&& roleMatch("access")
&& (roleMatch("gold") || roleMatch("silver")))
policyFilter Code
(!strncmp("1.3.6.1.2.1.2.1.2", elementName(), 17)
&& getint("1.3.6.1.2.1.2.2.1.3.$1") == 6
&& roleMatch("access")
&& (roleMatch("gold") || roleMatch("silver")))
policyFilter/Action Example
Filter
(!strcmp(ifTable, elementName())
&& getint(ifType.$1) == ethernet-csmacd
&& roleMatch("connected"))
Action
setint("ifAdminStatus.$1", 2)
OR
setint("1.3.6.1.2.1.2.2.1.7.$1", 2)
Complex Actions
Compound Statements
– setint(OID1, 2); setstring(OID2, "String"); setint(OID3, 5)
Conditional Statements
– (!strcmp(getstring(sysDescr.0), "ACME")
  ? (setint(AcmeQOSKnob1.$1, 17); setint(AcmeQOSKnob2.$1, 2345))
  : (setint(diffServMIBKnob1.$1, 34); setint(diffServMIBKnob2.$1, 754)))
Accessor Functions
getint
getstring
exists
elementName
strcmp
lc_strcmp
roleMatch
capMatch
setint
setstring
setoid
PolicyTable
Index: 1
policyFilter: (type == interface && ifType == ethernet && !roleMatch("connected"))
policyAction: IfAdminStatus = off;
Description: For security reasons, shut off all unused ports
policyMatches: 22
Index: 2
policyFilter: (type == interface && ifType == ethernet && capMatch("DSCP") && roleMatch("Gold"))
policyAction: diffServ6tupleDSCP = 13; diffservclassifierNext = 2MbpsMeter; …
Description: Give gold service to all ethernets that have been marked for gold service. Works for DSCP interfaces.
policyMatches: 8
Index: 3
policyFilter: (type == CPU && sysOID == acmeRouter* && roleMatch("Access"))
policyAction: AcmeMIBLoadImage = "RouterCode12.exe";
Description: Load stable image in all access routers made by Acme.
policyMatches: 1
Role Table
element       string         status
ifIndex.1     gold           active
ifIndex.1     access         active
ifIndex.1     headquarters   active
ifIndex.99    trunk          active
PmRoleESTable
Purpose:
Writable table that allows strings to be downloaded to agent:
Multiple strings can be assigned to any element
Role Table
PmRoleESEntry ::= SEQUENCE {
    pmRoleESElement  OBJECT IDENTIFIER,
    pmRoleESString   SnmpAdminString,
    pmRoleESStatus   RowStatus
}
PmRoleSEEntry ::= SEQUENCE {
    pmRoleSEString   SnmpAdminString,
    pmRoleSEElement  OBJECT IDENTIFIER
}
Role Table
Accessor Function:
– Need an accessor function for use in policyFilter
– Something like roleMatch("argument")
– Returns true if the element has that role string defined
CapabilitiesTable
index
1
2
3
type subType
WFQ
Pentium
RoundRobinQ
AcmeWFQ
Purpose:
We want policies to be executed only on devices that have certain capabilities
Need those capabilities to be in a MIB so that policy servers can determine which policies to download
Values for type are assigned by the working group
Values for subType are assignable by the implementor
Capabilities Table
Accessor Function:
– Need an accessor function for use in policyFilter
– Something like capMatch("argument")
– Returns true if the element has that capability
NOTE:
– capabilitiesTable not referenced by element
– Only used to determine which filters to download
– On the other hand, capMatch has a per-element resolution
– It must apply policies to only the proper elements
Time
We want policies to be executed only at certain times
Need time to be in a MIB so that filters can read them
Needs to provide two views of time
– Globally consistent (i.e., UTCTime)
– Local "Business Time" (i.e., M-F 9-5 local time)
Time
Three choices:
policyCalendarPtr - points to RFC 2591
Accessor Function
– Like: If (dayOfWeek("MTWTF")) then (policyAction)
Three MIB objects
– timeOfDay
– dayofWeek
– dayOfMonth
– ...
– if (timeOfDay.0 > 9 && timeOfDay.0 < 17)
Operational Requirements
Policy Creation
– Need to allow an engineer to "debug" a policy
– policyActions can be debugged in a lab
– Debugging of policyFilters consists of ensuring that the filter selects the intended set of elements (not more, not less)
– Need to see where a policy would be executed
– Table that shows where a policy is executed
• For debugging, set policyAction to no-op
pmPolicyDebugPETable
PEPolicyIndex   PEElement   PEStatus
1               ifIndex.4   ON
1               ifIndex.8   ON
1               ifIndex.9   ON
2               ifIndex.4   ON
2               ifIndex.8   ON
Operational Requirements
Troubleshooting in Field
– Engineers will occasionally find that a device is misconfigured due to policy
– Need to find out which policy is causing the misconfiguration
– Need to see where policies are bound
• Table that shows what policies are executed here
Ad-hoc disabling of a policy binding
– Granularity: 1 policy on 1 element
– Turn status off in pmPolicyDebugEPTable
– Need to provide facility so that this is documented in policyServer
pmPolicyDebugEPTable
PEPolicyIndex   PEElement   PEStatus
1               ifIndex.4   ON
2               ifIndex.4   ON
1               ifIndex.8   ON
2               ifIndex.8   ON
1               ifIndex.9   ON
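The debugging workflow from the two Operational Requirements slides, as an added example that is not part of the original slides: filters are evaluated with the action treated as a no-op, producing the policy-to-element and element-to-policy views, a single-binding disable, and a check that a filter selects exactly the intended elements. The element inventory, role rows and Python helper names are constructed for illustration, and the second filter omits capMatch.

```python
from collections import defaultdict

# Constructed element inventory: element -> attributes the filters read.
ELEMENTS = {
    "ifIndex.4": {"type": "interface", "ifType": "ethernet"},
    "ifIndex.8": {"type": "interface", "ifType": "ethernet"},
    "ifIndex.9": {"type": "interface", "ifType": "ethernet"},
    "ifIndex.12": {"type": "interface", "ifType": "ethernet"},
}
# Constructed role table rows (element, role string).
ROLES = {("ifIndex.4", "gold"), ("ifIndex.8", "gold"),
         ("ifIndex.12", "connected")}

def role_match(element, role):
    """Model of roleMatch(): true if the element has that role string."""
    return (element, role) in ROLES

# Filters as predicates over one element. Actions are left out (no-op),
# which is the debugging mode the slides describe.
POLICIES = {
    1: lambda e, a: (a["type"] == "interface" and a["ifType"] == "ethernet"
                     and not role_match(e, "connected")),
    2: lambda e, a: (a["type"] == "interface" and a["ifType"] == "ethernet"
                     and role_match(e, "gold")),
}

def build_pe_table(policies, elements):
    """Policy -> element view: where would each policy execute?"""
    return [(idx, elem, "ON")
            for idx, flt in sorted(policies.items())
            for elem, attrs in sorted(elements.items())
            if flt(elem, attrs)]

def build_ep_table(pe_rows):
    """Element -> policy view: which policies are bound to this element?"""
    ep = defaultdict(list)
    for idx, elem, status in pe_rows:
        ep[elem].append((idx, status))
    return dict(ep)

def disable_binding(pe_rows, policy_index, element):
    """Ad-hoc disable of 1 policy on 1 element; other rows are untouched."""
    return [(i, e, "OFF" if (i, e) == (policy_index, element) else s)
            for i, e, s in pe_rows]

def unexpected(pe_rows, policy_index, intended):
    """Return (selected but not intended, intended but not selected)."""
    got = {e for i, e, _ in pe_rows if i == policy_index}
    return sorted(got - intended), sorted(intended - got)
```

With policy 1 modelling the "shut off all unused ports" row, a non-empty first list from `unexpected` means the filter would disable a port that was not meant to be touched.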
Advantages of the Approach
Built with existing infrastructure and tools
Leverages existing MIBs
Flexibility
Complete Architecture
– Includes operational tools
Architectural Drawings
created during meeting
[Diagram: Policy Management MIB (PMMIB)]
[Diagram: Instance-Independence. Labels: Services, Instance-Independent, Instance-Dependent]
[Diagram: QOS Policy MIB]
[Diagram: Mechanism-Independence. Labels: Services, Mechanism-Independent, Mechanism-Dependent]
[Four diagrams, each showing NMS, Managed System, QOS Policy MIB and PMMIB, titled:]
Instance Dependent, Mechanism Dependent
Instance Independent, Mechanism Dependent
Instance Dependent, Mechanism Independent
Instance Independent, Mechanism Independent