
Manageability and Embedded Automations with Cisco IOS® Network Elements

[20100112 and 13 – Denmark]

Bruno Klauser
Consulting Engineer NMS/OSS
European Markets
bklauser@cisco.com
wwwin-people.cisco.com/bklauser

ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1


Demand for Availability

[Figure: resolution time vs. year (1995–2015) for a set of real outages]

- Excessive OSPF messages force a US telco to bring down parts of its ATM network: 26 hrs outage, several million US$ impact
- Bad redundancy implementation forces traffic through a 64 kbit undersea cable: 4 hrs outage, several million £ impact
- LSP black hole issue forces an airline to ground all planes: 20 minutes outage, several million US$ impact
- Lack of memory in a switch causes intermittent outages on a trading floor: impact 1 million € per minute
- Inadequate QoS on a GigE link of a bookstore impacts 10'000 transactions per second: millions of US$ in seconds


Demand for Differentiation

[Figure: business value / revenue potential vs. year (1995–2015)]

- Layers, bottom to top: Connect (Managed Network Services); Configure (Basic Instrumentation, GET / SET); Collaborate (Unified Comms); Customize (Device Manageability Instrumentation, DMI); Compute (Cloud, XaaS, Computing); Program (Embedded Automation Systems, EASy)
- SLA types: Basic SLA; Quality of Service SLA; Security; Transaction Experience SLA

Increase in:
- Application awareness
- Real-time management
- Custom requirements
- Programmability


Self-* Networks?

[Figure: an airliner (21'000 sensors) compared with a router network (8'000 'instruments': MIB OIDs, routers, links)]

With increasing scale, complexity and availability requirements, operators need to rely on Embedded Automations.

From: Full control by a single central authority
To: Operating a system of self-managing components
Embedded Automation Systems (EASy)

Type 1: Automation of Manual Operational Tasks


– Example: Low-TTL Traffic Monitoring
– Example: NBAR / CBQoS Accuracy Monitoring
– Example: CPE driven automated port re-configuration

Type 2: Automation of previously unsolvable Challenges


– Example: NBAR Flexible NetFlow Application Correlation
– Example: automated embedded diagnostics, Smart Call Home
– Example: performance based topology / policy changes

Type 3: Use of Automation to Architect New Solutions


– Example: Highly-Available Mobile Access Router (HAMAR)
– Example: Resilient Layer 2 DC Interconnect
– Example: High-Throughput Geo-Redundant FW Clustering



Agenda

Introduction & Overview


Service Planning
Service Deployment & Activation
Service Testing, Verification & Assurance
Troubleshooting & Optimization
Summary



Introduction & Overview
Manageability is a Prerequisite

[Figure: Customer Premise – Ethernet Access – Aggregation – MPLS/IP Core – Aggregation – Ethernet Access – Customer Premise]

Cisco IOS® Device Manageability Instrumentation (DMI)

Fault:
- 802.3ah—Link monitoring and remote fault indication
- 802.1ag—Continuity check, L2 ping, trace, AIS
- MPLS OAM—LSP ping, LSP trace, VCCV
- IP OAM—Ping, Trace, BFD
- ISG per session
- EEM—Embedded Event Manager
- EVENT-MIB—OID-based triggers, events, or SNMP Set, IETF DISMON
- EXPRESSION-MIB—OID expression-based triggers, IETF DISMON
- …

Configuration:
- E-LMI—(service parameter and status signaling)
- E-DI—(Enhanced Device Interface, CLI, Perl, IETF Netconf)
- EMM—Embedded Menu Manager
- NETCONF—(XML PI), CNS and WSMA
- TR-069
- KRON—command scheduler
- Config change—logging and notifications
- Config replace and rollback
- Diff—context diff utility
- MIB persistence
- …

Performance:
- IP SLA—delay, jitter, packet loss, MPLS health monitoring, advanced object tracking
- CBQoS MIB—(class-based QoS)
- NBAR
- RMON
- EPC—Embedded Packet Capture
- ERM—Embedded Resource Manager
- GOLD—Generic Online Diagnosis
- SmartCallHome
- …

Accounting:
- Flexible NetFlow—IETF IPFIX
- BGP policy accounting—includes AS information
- Periodic MIB bulk data collection and transfer
- …

Security:
- Auto Secure—one-touch device hardening
- LDP Auth—message authentication
- Routing Auth—MD5 authentication, BGP, OSPF
- …

See also: www.cisco.com/go/instrumentation
Introduction & Overview
Manageability is a Prerequisite

[Figure: DC – Headquarters topology with the same DMI overview]

Introduction & Overview
Having a Service Life Cycle

Have, know, live and continuously improve your lifecycle process


Make sure it supports you in meeting your network service objectives



Introduction & Overview
Questions during a Service Life Cycle

Service Planning: Is there room for yet another service?
• How do we perform today?
• Are there existing issues?
• Will we meet specs?
• Resource consumption?
• What is my current traffic?
• ...

Service Deployment & Activation: How to configure?
• 1 or many nodes?
• CLI, scripts, automation?
• Can we afford downtime?
• Quality & Security?
• ...

Service Testing & Verification: Is it working as specified?
• Configuration?
• Control Plane?
• Data Plane?
• Were my design assumptions right?
• ...

Troubleshooting & Optimization: What if something goes wrong?
• How to be prepared?
• How to diagnose?
• Make use of Smart Services?
• Could we offer even tighter SLA?
• Automate remedy & mitigation?
• ...

Service Assurance: Are we meeting SLA?
• Will we breach any SLA?
• What is our performance?
• How to identify applications?
• ...


Introduction & Overview
Feature Availability
Main focus on what is available in IOS 12.4(24)T on ISR platforms
Most Features have been around for some time already
More Details in Appendix I
Feature Navigator: www.cisco.com/go/fn
[Table: feature availability matrix by platform (Cisco 7200/7301/7304, Catalyst 3750/4500/6500, 2900 series routers) and release train (12.2SB, 12.2SB/SR, 12.2SX/SR, 12.2SG, 12.2SE, 12.2(12)T through 12.4(4)T)]


Agenda

Introduction & Overview


Service Planning
Service Deployment & Activation
Service Testing, Verification & Assurance
Troubleshooting & Optimization
Summary



"Plan [noun]: A set of decisions about how to do something in the future."

Cambridge Dictionary
http://dictionary.cambridge.org
Service Planning
Learn from your existing Services …

New Services: Application requirements; SLA and SLC; Break-Proof Indicators; Product management
Baselining: Monitoring; Performance sources; Collected data; Historical data
Current Services: SLA compliance; Resources and capacity; Deliverables
Problem Management: Incidents; Problem sources; Troubleticketing

Planning starts with gathering and assessment of information.
The network itself holds a lot of relevant information.


How Is My Current Use Of Resources?


Embedded Resource Manager (ERM)
"The ERM framework tracks resource depletion and resource dependencies across processes and within a system to handle various error conditions."
- Monitor thresholds for CPU, buffer, and/or memory, for the system or a line card
- ERM can define a "group", i.e. a group of different CPU processes
- Interface into EEM
- CISCO-ERM-MIB

Available from: IOS 12.2(33)SRB, 12.4(15)T
Platforms: UC520, 8xx, 18xx, 28xx, 38xx, 65xx, 72xx, 73xx, 75xx, 76xx, 10xxx
Service Planning
Example – Monitoring Resources
Problem: During the planning cycle, we would like to understand if total CPU usage reaches critical levels
Solution: Define an ERM policy to notify upon resource depletion

resource policy
 policy my-erm-policy-1 type iosprocess
  system
   cpu total
    critical rising 90 interval 15 falling 20 interval 10 global
    major rising 70 interval 15 falling 15 interval 10 global
    minor rising 60 interval 15 falling 10 interval 10 global
!

If total CPU usage rises above 90% at an interval of 15 s, a Critical Up notification is sent to the iosprocess RU:

Feb 17 13:32:18.283: %SYS-4-CPURESRISING: System is seeing global cpu util 62% at total level more than the configured minor limit 60%


Service Planning
Example – Monitoring Multiple Processes
Problem: In order to detect resource consumption caused by brute force login attempts, we want to keep an eye on CPU utilization by the login processes
Solution: Define an ERM policy to notify upon critical / suspicious levels

resource policy
 policy my-login-policy type iosprocess
  system
   cpu process
    critical rising 30 interval 10 falling 20 interval 10
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  :
  policy my-login-policy

If group CPU usage rises above 10% at an interval of 10 s, a syslog is issued:

*Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
*Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10%, current value 0%
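Both ERM examples express a policy as rising/falling thresholds per level, each with an interval. The Python model below is an added example (not Cisco code and not from the deck): it replays a constructed series of CPU samples for the login process group through the my-login-policy thresholds and emits notifications shaped like the syslog lines above. Its semantics, that a level fires once utilization has stayed above the rising threshold for the whole interval and clears once it has stayed below the falling threshold for the whole interval, are an assumed, simplified reading of the slide, not the exact IOS ERM algorithm.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Level:
    """One threshold level of an ERM policy (critical / major / minor)."""
    name: str
    rising: int            # notify when utilization rises above this percentage ...
    rising_interval: int   # ... and stays there for this many seconds (assumed semantics)
    falling: int           # clear when utilization falls below this percentage ...
    falling_interval: int  # ... and stays there for this many seconds (assumed semantics)
    active: bool = False
    above_since: Optional[int] = None
    below_since: Optional[int] = None


def login_policy() -> List[Level]:
    """The `cpu process` thresholds of my-login-policy from the slide."""
    return [
        Level("critical", 30, 10, 20, 10),
        Level("major", 20, 10, 10, 10),
        Level("minor", 10, 10, 5, 10),
    ]


# (timestamp, level name, "RISING" or "FALLING", utilization, configured limit)
Event = Tuple[int, str, str, int, int]


def evaluate(samples: List[Tuple[int, int]], levels: List[Level]) -> List[Event]:
    """Run (timestamp_seconds, cpu_percent) samples through the policy and
    return the notifications in the order they are raised."""
    events: List[Event] = []
    for ts, util in samples:
        for lvl in levels:
            if not lvl.active:
                if util > lvl.rising:
                    if lvl.above_since is None:
                        lvl.above_since = ts
                    if ts - lvl.above_since >= lvl.rising_interval:
                        lvl.active, lvl.above_since = True, None
                        events.append((ts, lvl.name, "RISING", util, lvl.rising))
                else:
                    lvl.above_since = None      # dipped below: the interval starts over
            else:
                if util < lvl.falling:
                    if lvl.below_since is None:
                        lvl.below_since = ts
                    if ts - lvl.below_since >= lvl.falling_interval:
                        lvl.active, lvl.below_since = False, None
                        events.append((ts, lvl.name, "FALLING", util, lvl.rising))
                else:
                    lvl.below_since = None      # hysteresis: still above the falling limit
    return events


def format_syslog(event: Event, group: str = "my-login-group") -> str:
    """Render an event in the shape of the %SYS-4-CPURESRISING and
    %SYS-6-CPURESFALLING messages shown on the slide."""
    _ts, name, direction, util, limit = event
    if direction == "RISING":
        return (f"%SYS-4-CPURESRISING: Resource group {group} is seeing local cpu util "
                f"{util}% at process level more than the configured {name} limit {limit}%")
    return (f"%SYS-6-CPURESFALLING: Resource group {group} is no longer seeing local high "
            f"cpu at process level for the configured {name} limit {limit}%, current value {util}%")


# Constructed sample: a burst of SSH login attempts drives the login process
# group from idle to about 35% CPU and back, sampled every 5 seconds.
SAMPLES = [(0, 0), (5, 12), (10, 16), (15, 18), (20, 25), (25, 26),
           (30, 33), (35, 35), (40, 2), (45, 0), (50, 0), (55, 0)]


def run_demo() -> List[Event]:
    return evaluate(SAMPLES, login_policy())


if __name__ == "__main__":
    for ev in run_demo():
        print(f"t={ev[0]:>3}s {format_syslog(ev)}")
```

The critical level never fires in the sample because utilization stays above 30% for only 5 s, less than its 10 s interval; the minor and major levels fire and later clear.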
Service Planning
Quickly export SNMP Statistics?
Problem: Sometimes we need data from one or multiple MIBs, but
- we may not want to (re-)configure an NMS
- don’t want to constantly poll
- need to gather data during temporary loss of connectivity

Solution: Use Bulk File MIB to define the data we need and
periodically transfer it to a convenient location
- group data from multiple MIBs
- single, common polling interval
- buffer data
- transfer using RCP, FTP, TFTP
- format ASCII or Binary

Feature Name: Periodic MIB Data Collection and Transfer Mechanism

Available from: IOS 12.0(24)S, 12.2(25)S, 12.3(2)T, IOS XE 2.1, IOS XR 3.2
Platforms: ASR1k, 18xx, 28xx, 38xx, 19xx, 29xx, 39xx, 65xx, 72xx, 73xx, 76xx, 10xxx, ME3400, C4k, C6k, …
See: http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.2.1.2
Service Planning
Configuration – Example
1. Define lists of relevant OIDs (names for IF-MIB, ASN.1 for all others): what data am I interested in?
Router(config)# snmp mib bulkstat object-list my-if-data
Router(config-bulk-objects)# add ifIndex
Router(config-bulk-objects)# add ifDescr
Router(config-bulk-objects)# add ifAdminStatus
Router(config-bulk-objects)# add ifOperStatus
Router(config-bulk-objects)# exit

2. Specify the polling schema: where and when do I want to poll data?
Router(config)# snmp mib bulkstat schema my-if-schema
Router(config-bulk-sc)# object-list my-if-data
Router(config-bulk-sc)# poll-interval 1
Router(config-bulk-sc)# instance exact interface FastEthernet0
Router(config-bulk-sc)# exit

3. Configure the transfer mechanism, and enable it: how do I want to export data?
Router(config)# snmp mib bulkstat transfer my-fa0-transfer
Router(config-bulk-tr)# schema my-if-schema
Router(config-bulk-tr)# transfer-interval 5
Router(config-bulk-tr)# url primary tftp://10.10.10.10/folder/
Router(config-bulk-tr)# retain 30
Router(config-bulk-tr)# buffer-size 4096
Router(config-bulk-tr)# enable
Service Planning
Expression MIB
Allows you to create new SNMP objects based upon existing MIB variables and formulas
Interesting when combined with the EVENT-MIB
EXPRESSION MIB proposed by Cisco to the IETF DISMON Working Group, accepted as standards track RFC 2982
Based on an IETF draft, again in the DISMON Working Group, and numbered in Cisco's namespace
3 phases:
1. MIB introduction, SNMP only – 12.0(5)T (however, a "show" command and a "debug" command exist)
2. Introduction of a scriptable interface (SNMP set from a TCL script) – 12.3(7)T
3. Introduction of CLI support – 12.4(20)T

See: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cfg_snmp_sup.html
Available from: IOS 12.0(5)T (EXPRESSION-MIB), 12.3(7)T (SNMPset in TCL script), 12.4(20)T (CLI)
Service Planning
Event-MIB
The EVENT-MIB provides a superset of the capabilities of the RMON alarm and event groups
EVENT-MIB can monitor
- any MIB object (existence)
- any integer/counter (boolean, threshold)
EVENT-MIB sends an SNMP notification in response to a trigger (like RMON) but adds the concept of setting a MIB object (integers)
EVENT-MIB can specify which variables to add to the notification
RFC 2981-compliant implementation introduced in 12.2(4)T
Since 12.4(20)T, configuration support via CLI has been added.

See: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cfg_snmp_sup_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1125529
Available from: IOS 12.2(4)T (EVENT-MIB), 12.3(7)T (SNMPset in TCL script), 12.4(20)T (CLI)
Platforms: 18xx, 28xx, 38xx, 72xx, 73xx, 76xx
Service Planning
EXPRESSION- & EVENT-MIB

If my link utilization is above 50% for an hour, it's time to upgrade the link

Steps:
1. Expression-MIB: create an expression
   Utilization = (∆ ifInOctets + ∆ ifOutOctets) * 8 * 100 / hour / ifSpeed
2. Event-MIB: create an event
   If utilization > 50% generate an Event


Event and Expression MIB Enhancement
Example – Simple Capacity Planning – 2/2

Calculate link utilization on all the interfaces in the router:

Router# show running | beg expression
snmp mib expression owner marisol name exp3
 expression ($1*800)/$2
 enable
 object 1
  id ifInOctets
  wildcard
 object 2
  id ifSpeed
  wildcard

mpalmero@sweet-brew-6% snmpwalk -c public -v 2c dehors 1.3.6.1.2.1.90.1.3.1.1.2
SNMPv2-SMI::mib-2.90.1.3.1.1.2.7.109.97.114.105.115.111.108.4.101.120.112.51.0.0.1 = Counter32: 214800
SNMPv2-SMI::mib-2.90.1.3.1.1.2.7.109.97.114.105.115.111.108.4.101.120.112.51.0.0.2 = Counter32: 0
SNMPv2-SMI::mib-2.90.1.3.1.1.2.7.109.97.114.105.115.111.108.4.101.120.112.51.0.0.4 = Counter32: 0
SNMPv2-SMI::mib-2.90.1.3.1.1.2.7.109.97.114.105.115.111.108.4.101.120.112.51.0.0.5 = Counter32: 0
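The utilization formula of the previous slide and the wildcarded expression above are easy to get wrong at the collector side, because ifInOctets/ifOutOctets are Counter32 values that wrap. The Python below is an added example (not Cisco code and not from the deck): it computes utilization from successive counter polls with single-wrap handling, applies the "above 50% for an hour" rule over a series of samples, and decodes the owner/name index that makes up the expValueTable instances in the snmpwalk output (owner "marisol", expression "exp3"). All counter values are constructed.

```python
from typing import List, Tuple

COUNTER32_MOD = 2 ** 32


def counter_delta(old: int, new: int, modulus: int = COUNTER32_MOD) -> int:
    """Difference of two Counter32 readings, allowing for one wrap-around.
    A 'negative' delta means the counter wrapped, not that traffic went
    backwards. More than one wrap per poll interval is undetectable, which is
    why fast links should be polled via the 64-bit ifHCInOctets/ifHCOutOctets."""
    if new >= old:
        return new - old
    return (modulus - old) + new


def utilization_percent(prev: Tuple[int, int], cur: Tuple[int, int],
                        seconds: int, if_speed_bps: int) -> float:
    """prev/cur are (ifInOctets, ifOutOctets) readings `seconds` apart;
    if_speed_bps is ifSpeed. Same formula as the slide:
    (delta in + delta out) * 8 * 100 / seconds / ifSpeed."""
    octets = counter_delta(prev[0], cur[0]) + counter_delta(prev[1], cur[1])
    return octets * 8 * 100 / seconds / if_speed_bps


def utilization_series(polls: List[Tuple[int, int, int]], if_speed_bps: int) -> List[float]:
    """polls: (timestamp_seconds, ifInOctets, ifOutOctets) in time order.
    Returns one utilization percentage per interval between consecutive polls."""
    return [utilization_percent((i0, o0), (i1, o1), t1 - t0, if_speed_bps)
            for (t0, i0, o0), (t1, i1, o1) in zip(polls, polls[1:])]


def sustained_above(values: List[float], threshold: float, window: int) -> bool:
    """True if at least `window` consecutive values all exceed threshold."""
    run = 0
    for v in values:
        run = run + 1 if v > threshold else 0
        if run >= window:
            return True
    return False


def link_needs_upgrade(polls: List[Tuple[int, int, int]], if_speed_bps: int,
                       threshold: float = 50.0, hold_seconds: int = 3600) -> bool:
    """The slide's rule: utilization above `threshold` for an hour. With polls
    `step` seconds apart that is hold_seconds // step consecutive intervals."""
    step = polls[1][0] - polls[0][0]
    return sustained_above(utilization_series(polls, if_speed_bps), threshold,
                           max(1, hold_seconds // step))


def decode_exp_value_index(instance: str) -> Tuple[str, str, str]:
    """Split an expValueTable instance (the sub-identifiers after
    1.3.6.1.2.1.90.1.3.1.1.2) into (owner, name, remaining instance suffix).
    expExpressionOwner and expExpressionName are length-prefixed OCTET STRING
    index components: 7.109.97.114.105.115.111.108 -> 'marisol'."""
    parts = [int(p) for p in instance.split(".")]

    def take(pos: int) -> Tuple[str, int]:
        n = parts[pos]
        return "".join(chr(c) for c in parts[pos + 1:pos + 1 + n]), pos + 1 + n

    owner, pos = take(0)
    name, pos = take(pos)
    return owner, name, ".".join(str(p) for p in parts[pos:])


# Constructed GigE polls 5 minutes apart; the 'in' counter wraps between the
# third and fourth poll.
GIGE_BPS = 1_000_000_000
POLLS = [(0, 4_000_000_000, 1_000_000), (300, 4_200_000_000, 2_000_000),
         (600, 4_290_000_000, 3_000_000), (900, 200_000_000, 4_000_000)]

if __name__ == "__main__":
    for pct in utilization_series(POLLS, GIGE_BPS):
        print(f"{pct:.3f}%")
    print(decode_exp_value_index("7.109.97.114.105.115.111.108.4.101.120.112.51.0.0.1"))
```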



EASy
EASy – Adding a Custom MIB OID 1/2
Problem: Collect data via SNMP, even if there is no MIB support currently available.

Solution: Expression-MIB provides the capability to process data into more relevant information via SNMP
– Expression-MIB can be configured using SNMP directly since 12.0(5)T.
– Initially the Cisco implementation was based on OID 1.3.6.1.4.1.9.10.22, but the current Cisco implementation is based on RFC2982-MIB, OID 1.3.6.1.2.1.90.
– In 12.4(20)T the Expression-MIB feature is enhanced to add CLIs to configure expressions.

Expression-MIB can gather data from the Command Line Interface (CLI show commands), even if there is no MIB support
EEM 3.1 will provide similar capability without the need to involve the Expression-MIB
See: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cfg_snmp_sup.html
EASy
EASy – Adding a Custom MIB OID 2/2

[Figure: decision flow for exposing a value via SNMP]
1. Is a certain value from a "CLI show command" supported in your device via SNMP? Yes: use the existing MIB object (reference: http://www.cisco.com/go/mibs, SNMP Object Navigator and Cisco IOS MIB Locator). No: continue.
2. Is the Expression-MIB(1) supported in your device? No: if EEM 3.1 is running, use Script #1 (EEM policy based on CLI). Yes: continue.
3. Running 12.4(20)T or higher? Yes: configure the Expression-MIB via CLI. No: continue.
4. Support for RFC2982-MIB? Yes: Script #2 (EEM policy based on the RFC2982-MIB). No: Script #3 (EEM policy based on the Expression-MIB).

See: This is available from CiscoBeyond (and soon as an EASy package)
http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=1961
What Traffic Volumes Flow Through My Network?


What is NetFlow?
Developed and patented at Cisco® Systems in 1996
NetFlow is the de facto standard for acquiring IP operational data
Provides network and security monitoring, network planning, traffic analysis, and IP accounting
NetFlow v9 (RFC3954) serves as the basis for the IETF IPFIX Standard (RFC5101 & RFC5102)
Network World article – NetFlow Adoption on the Rise:
http://www.networkworld.com/newsletters/nsm/2005/0314nsm1.html
Service Planning
Flexible NetFlow
Traditional NetFlow with the v5, v7, or v8 NetFlow export

NetFlow Version 9 (RFC3954)
Advantages: extensibility (exporting process)
- Integrate new technologies/data types quicker (MPLS, IPv6, BGP next hop, etc.)
- Integrate new aggregations quicker
- Basis for IETF IPFIX Standard (RFC5101 & RFC5102)

Flexible NetFlow
Advantages: cache and export content flexibility (metering process)
- User selection of flow keys
- User definition of the records
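The extensibility of NetFlow v9 comes from templates: the exporter describes the layout of its data records in a template FlowSet, and a collector can only decode data FlowSets whose template it has already received. The Python collector-side parser below is an added example (not Cisco code and not from the deck); it builds a constructed v9 export with a handful of RFC 3954 field types, decodes it, and shows that records arriving before their template are skipped.

```python
import struct
from typing import Dict, List, Tuple

Template = List[Tuple[int, int]]      # [(field_type, field_length), ...]
TemplateKey = Tuple[int, int]         # (source_id, template_id)

# A few RFC 3954 field types, enough for the constructed export below.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}


def _decode(ftype: int, raw: bytes):
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def build_packet(flowsets: List[bytes], record_count: int, seq: int, source_id: int = 1) -> bytes:
    """20-byte version 9 export header (count, sysUptime, unix secs, sequence,
    source ID) followed by the FlowSets. Uptime/time values are constructed."""
    header = struct.pack("!HHIIII", 9, record_count, 123456, 1262304000, seq, source_id)
    return header + b"".join(flowsets)


def template_flowset(template_id: int, fields: Template) -> bytes:
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body      # FlowSet ID 0 = template


def data_flowset(template_id: int, records: bytes) -> bytes:
    length = 4 + len(records)
    pad = (-length) % 4                                     # FlowSets are padded to 32 bits
    return struct.pack("!HH", template_id, length + pad) + records + b"\x00" * pad


def parse_packet(data: bytes, templates: Dict[TemplateKey, Template]) -> List[Dict[str, object]]:
    """Decode one export packet. Templates learnt here are stored per source ID
    for later packets; a data FlowSet whose template is unknown is skipped."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records: List[Dict[str, object]] = []
    offset = 20
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[offset:offset + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        body = data[offset + 4:offset + fs_len]
        if fs_id == 0:                                       # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                if nfields == 0:                             # reached padding
                    break
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = [(t, l) for t, l in fields]
        elif fs_id >= 256:                                   # data FlowSet, ID = template ID
            fields = templates.get((source_id, fs_id))
            if fields is not None:
                rec_len = sum(l for _, l in fields)
                pos = 0
                while rec_len and pos + rec_len <= len(body):
                    rec: Dict[str, object] = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        offset += fs_len
    return records


TEMPLATE_ID = 256
TEMPLATE: Template = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]


def _record(src: str, dst: str, sport: int, dport: int, proto: int, pkts: int, nbytes: int) -> bytes:
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return ip(src) + ip(dst) + struct.pack("!HHBII", sport, dport, proto, pkts, nbytes)


def constructed_export() -> Tuple[bytes, bytes]:
    """Two constructed packets: one carrying only the template, one carrying two
    data records (the slide's 3.3.3.3 -> 2.2.2.2 telnet flow and a DNS flow)."""
    tmpl_pkt = build_packet([template_flowset(TEMPLATE_ID, TEMPLATE)], record_count=1, seq=1)
    recs = (_record("3.3.3.3", "2.2.2.2", 23, 22078, 6, 1100, 70400)
            + _record("10.0.0.5", "2.2.2.2", 53001, 53, 17, 4, 320))
    data_pkt = build_packet([data_flowset(TEMPLATE_ID, recs)], record_count=2, seq=2)
    return tmpl_pkt, data_pkt


def decode_in_order(packets: List[bytes]) -> List[List[Dict[str, object]]]:
    """Feed packets to a fresh collector state; returns the records per packet."""
    templates: Dict[TemplateKey, Template] = {}
    return [parse_packet(p, templates) for p in packets]


if __name__ == "__main__":
    tmpl, data = constructed_export()
    print(decode_in_order([data, tmpl, data]))
```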



Flexible NetFlow
Multiple Monitors with Unique Key Fields

[Figure: one traffic flow metered by two flow monitors with different key fields]

Flow Monitor 1 (Traffic Analysis Cache)
Key fields (packet 1): Source IP 3.3.3.3; Destination IP 2.2.2.2; Source Port 23; Destination Port 22078; Layer 3 Protocol TCP - 6; TOS Byte 0; Input Interface Ethernet 0
Non-key fields: Packets; Bytes; Timestamps; Next Hop Address
Cache entry: Source IP 3.3.3.3 | Dest. IP 2.2.2.2 | Source Port 23 | Dest. Port 22078 | Protocol 6 | TOS 0 | Input I/F E0 | … | Pkts 1100

Flow Monitor 2 (Security Analysis Cache)
Key fields (packet 1): Source IP 3.3.3.3; Dest IP 2.2.2.2; Input Interface Ethernet 0; SYN Flag 0
Non-key fields: Packets; Timestamps
Cache entry: Source IP 3.3.3.3 | Dest. IP 2.2.2.2 | Input I/F E0 | Flag 0 | … | Pkts 11000


Flexible NetFlow
Configuration – Example

1. Configure the Exporter: where do I want my data sent?
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1

2. Configure the Flow Record: what data do I want to meter?
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes

3. Configure the Flow Monitor: how do I want to cache information?
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record

4. Apply to an Interface: on which interface do I want to monitor?
Router(config)# interface s3/0
Router(config-if)# ip flow monitor my-monitor input


Flexible Flow Record: Key Fields

Flow: Sampler ID; Direction; Interface (Input, Output)
Layer 2: Source VLAN; Destination VLAN; Source MAC address; Destination MAC address
IPv4: IP (Source or Destination); Prefix (Source or Destination); Mask (Source or Destination); Minimum-Mask (Source or Destination); Protocol; Fragmentation Flags; Fragmentation Offset; Identification; Header Length; Total Length; Payload Size; Packet Section (Header); Packet Section (Payload); TTL; Options bitmap; Version; Precedence; DSCP; TOS
IPv6: IP (Source or Destination); Prefix (Source or Destination); Mask (Source or Destination); Minimum-Mask (Source or Destination); Protocol; Traffic Class; Flow Label; Option Header; Header Length; Payload Length; Payload Size; Packet Section (Header); Packet Section (Payload); DSCP; Extension Headers; Hop-Limit; Length; Next-header; Version


Flexible Flow Record: Key Fields (continued)

Routing: src or dest AS; Peer AS; Traffic Index; Forwarding Status; IGP Next Hop; BGP Next Hop; Input VRF Name; Multicast Replication Factor*; RPF Check Drop*; Is-Multicast
Transport: Destination Port; Source Port; ICMP Code; ICMP Type; IGMP Type*; TCP ACK Number; TCP Header Length; TCP Sequence Number; TCP Window-Size; TCP Source Port; TCP Destination Port; TCP Urgent Pointer; TCP Flags: ACK, CWR, ECE, FIN, PSH, RST, SYN, URG; UDP Message Length; UDP Source Port; UDP Destination Port
Application: Application ID*

*: IPv4 Flow only


Service Planning
Application Visibility

[Figure: application visibility report, courtesy of Plixer]

More on this later, in the "service assurance" section
Service Planning
Flexible Flow Record: Non-Key Fields

Counters: Bytes; Bytes Long; Bytes Square Sum; Bytes Square Sum Long; Packets; Packets Long
Timestamp: sysUpTime First Packet; sysUpTime Last Packet
IPv4: Total Length Minimum (*); Total Length Maximum (*); TTL Minimum; TTL Maximum
IPv6: Total Length Minimum (**); Total Length Maximum (**)

Plus any of the potential "key" fields: will be the value from the first packet in the flow
(*) IPV4_TOTAL_LEN_MIN, IPV4_TOTAL_LEN_MAX
(**) IP_LENGTH_TOTAL_MIN, IP_LENGTH_TOTAL_MAX


Service Planning
NetFlow IPv6 Example
Capturing a simple ping between 1::1 and 3::3
router#sh flow mon ipv6-monitor cache
...
IPV6 FLOW LABEL: 0
IPV6 NEXT HEADER: 58
IPV6 EXTENSION MAP: 0x00000000
IPV6 SOURCE ADDRESS: 1::1
IPV6 SOURCE PREFIX: 1::
IPV6 SOURCE MASK: /48
IPV6 DESTINATION ADDRESS: 3::3
IPV6 DESTINATION PREFIX: 3::
IPV6 DESTINATION MASK: /48
IP VERSION: 6
IP DSCP: 0x00
IP PRECEDENCE: 0
IP PROTOCOL: 58
IP HEADER PACKET SECTION: 0x60000000 0x003C3A3F 0x00010000 0x00000000
0x00000000
IP PAYLOAD PACKET SECTION: 0x8000E1F6 0x10E40000 0x00010203 0x04050607
0x08090A0B 0x0C0D0E0F 0x10111213 0x14151617
0x18191A1B 0x1C1D1E1F
IP TOS: 0x00
IP TTL: 63
IP LENGTH HEADER: 40
IP LENGTH PAYLOAD: 60



Service Planning
Three Types of FNF NetFlow Caches

Normal cache (traditional NetFlow)
- More flexible active and inactive timers: one second minimum
Immediate cache
- Flow accounts for a single packet
- Desirable for real-time traffic monitoring, DDoS detection, logging
- Desirable when only very small flows are expected (ex: sampling)
- Caution: may result in a large amount of export data
Permanent cache
- To track a set of flows without expiring the flows from the cache
- Entire cache is periodically exported (update timer)
- After the cache is full (size configurable), new flows will not be monitored
- Uses update counters rather than delta counters


Service Planning
Core Traffic Matrix with Flexible NetFlow
Problem: Network wide capacity planning requires the traffic matrix
Solution: Use Flexible NetFlow with a permanent cache

flow record traffic-matrix-record
 match interface input
 match ipv4 dscp
 match routing next-hop address ipv4 bgp
 collect counter bytes long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

flow monitor traffic-matrix-monitor
 record traffic-matrix-record
 cache entries 1000
 cache type permanent
 exporter capacity-planning-collector

interface pos3/0
 ip flow monitor traffic-matrix-monitor input

We must define the maximum number of entries for the permanent cache (cache entries 1000).


Service Planning
Configuration Using EEM + Cron + CLI

Problem: No synchronized NetFlow export across routers
Solution: Use Flexible NetFlow with a permanent cache, force-exported by an EEM cron applet

Router(config)# event manager applet periodicexport
Router(config-applet)# event timer cron name "everyhour" cron-entry "0 * * * *"
Router(config-applet)# action 1.0 cli command "clear flow monitor name traffic-matrix-monitor force-export"

Export the content of the permanent cache every hour.
If time is synchronized across routers (NTP), we have a synchronized export (snapshot).


Service Planning
Flexible NetFlow TopTalkers

show flow monitor monitor-name cache [filter options] [aggregation options] [sort options]

Flow filtering, aggregation and sorting can be combined to select what information is displayed and how.

Top ten protocols observed:
Router# show flow monitor <monitor> cache aggregate ipv4 protocol sort highest counter bytes top 10

Available from: IOS 12.4(22)T
Platforms: x8xx ISR, x900x ISR, 72xx, ..


Service Planning
Flexible NetFlow Top Talkers - Examples
Top ten IP addresses that are sending the most packets
Router# show flow monitor <monitor> cache
aggregate ipv4 source address
sort highest counter bytes top 10
Top five destination addresses to which we're routing most traffic
from the 10.10.10.0/24 prefix
Router# show flow monitor <monitor> cache
filter ipv4 destination address 10.10.10.0/24
aggregate ipv4 destination address
sort highest counter bytes top 5

5 VLANs that we're sending the least bytes to:
Router# show flow monitor <monitor> cache
aggregate datalink dot1q vlan output
sort lowest counter bytes top 5
Top 20 sources of 1-packet flows:
Router# show flow monitor <monitor> cache
filter counter packet 1
aggregate ipv4 source address
sort highest flow packet top 20
Service Planning
Flexible NetFlow Top Talkers – Example

[Figure: TCP SYN attacks against the servers' network 10.10.10.0/24]

Router# show flow monitor <monitor> cache
filter ipv4 destination address 10.10.10.0/24
counter packet regex[1-2]
aggregate ipv4 source address
ipv4 destination address
sort highest flow top 100

The top 100 pairs of IP addresses with one or two packet(s) that are destined for my servers' network
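The "multiple monitors with unique key fields" slide and the top-talker queries above describe the same two mechanisms: a metering process that aggregates packets on a chosen key-field set, and a cache query that filters, aggregates, sorts and cuts. The Python below is an added example (not Cisco code and not from the deck) that implements both in miniature on constructed traffic: a source probing 10.10.10.0/24 with single SYNs next to ordinary sessions. The 'traffic' monitor keys on the 5-tuple plus TOS and input interface like Flow Monitor 1, the 'security' monitor on source, destination, interface and SYN flag like Flow Monitor 2, and small_flow_pairs() is the slide's query for one- or two-packet flows into the servers' network.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Sequence, Set, Tuple

Packet = Dict[str, object]
Row = Dict[str, object]


class FlowMonitor:
    """Metering process: packets sharing the key fields (`match`) land in one
    cache entry; packets and bytes are the collected counters (`collect`)."""

    def __init__(self, name: str, key_fields: Sequence[str]):
        self.name = name
        self.key_fields = tuple(key_fields)
        self.cache: Dict[tuple, Dict[str, int]] = {}

    def meter(self, pkt: Packet) -> None:
        key = tuple(pkt[f] for f in self.key_fields)
        entry = self.cache.setdefault(key, {"packets": 0, "bytes": 0})
        entry["packets"] += 1
        entry["bytes"] += int(pkt["bytes"])

    def entries(self) -> List[Row]:
        """Cache rows as dicts: key fields plus counters."""
        return [dict(zip(self.key_fields, key), **counters)
                for key, counters in self.cache.items()]


def query(rows: List[Row], *, dst_prefix: Optional[str] = None,
          packets_in: Optional[Set[int]] = None, aggregate: Sequence[str] = (),
          sort_by: str = "bytes", highest: bool = True, top: int = 10) -> List[Row]:
    """filter -> aggregate -> sort -> top N, in the order of the
    `show flow monitor <m> cache filter ... aggregate ... sort ... top N` clauses.
    Aggregation adds a `flows` counter: the number of cache entries merged."""
    if dst_prefix:
        net = ip_network(dst_prefix)
        rows = [r for r in rows if ip_address(str(r["dst"])) in net]
    if packets_in is not None:
        rows = [r for r in rows if r["packets"] in packets_in]
    if aggregate:
        agg: Dict[tuple, Dict[str, int]] = defaultdict(
            lambda: {"packets": 0, "bytes": 0, "flows": 0})
        for r in rows:
            a = agg[tuple(r[f] for f in aggregate)]
            a["packets"] += int(r["packets"])
            a["bytes"] += int(r["bytes"])
            a["flows"] += 1
        rows = [dict(zip(aggregate, k), **v) for k, v in agg.items()]
    return sorted(rows, key=lambda r: r[sort_by], reverse=highest)[:top]


def _pkt(src: str, dst: str, sport: int, dport: int, proto: int, size: int,
         syn: int = 0, iif: str = "E0", tos: int = 0) -> Packet:
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "tos": tos, "iif": iif, "syn": syn, "bytes": size}


def sample_packets() -> List[Packet]:
    """Constructed traffic (addresses are documentation/example ranges)."""
    pkts: List[Packet] = []
    for i in range(1, 7):   # one SYN to port 22 on each of six servers
        pkts.append(_pkt("198.51.100.7", f"10.10.10.{i}", 40000 + i, 22, 6, 60, syn=1))
    pkts.append(_pkt("198.51.100.7", "10.10.10.1", 40010, 80, 6, 60, syn=1))
    pkts += [_pkt("3.3.3.3", "10.10.10.2", 51000, 23, 6, 100)] * 50   # established telnet session
    pkts += [_pkt("3.3.3.3", "2.2.2.2", 23, 22078, 6, 64)] * 1100     # the slide's example flow
    pkts += [_pkt("10.0.0.5", "2.2.2.2", 53001, 53, 17, 80)] * 4      # DNS over UDP
    return pkts


def run_demo() -> Tuple[FlowMonitor, FlowMonitor]:
    traffic = FlowMonitor("traffic", ("src", "dst", "sport", "dport", "proto", "tos", "iif"))
    security = FlowMonitor("security", ("src", "dst", "iif", "syn"))
    for p in sample_packets():
        traffic.meter(p)
        security.meter(p)
    return traffic, security


def small_flow_pairs(monitor: FlowMonitor) -> List[Row]:
    """The slide's query: top 100 (src, dst) pairs of one- or two-packet flows
    destined to 10.10.10.0/24. A probing host shows up as many such pairs."""
    return query(monitor.entries(), dst_prefix="10.10.10.0/24", packets_in={1, 2},
                 aggregate=("src", "dst"), sort_by="flows", top=100)


if __name__ == "__main__":
    traffic, security = run_demo()
    print(len(traffic.cache), "traffic entries,", len(security.cache), "security entries")
    for row in small_flow_pairs(traffic):
        print(row)
```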



CPU Impact
Finding Summary

- A larger number of cache entries has an increasing impact on CPU; this is much more visible on the low end systems (LES)
- Having multiple exporters does not add significant CPU impact
- NetFlow v9 and NetFlow v5 export have similar CPU impact
- Flexible NetFlow does add a slight CPU load, more visible on lower end platforms; however, this difference is seen at large flow counts that are not expected on LES
- Paper at www.cisco.com/go/netflow under "Technical Documents"


How To Analyze Transient Conditions?


Service Planning
Embedded Event Manager (EEM)
*Not all available in all releases

[Figure: EEM event flow]
1. Something happens on the device, causing an Event to trigger
2. An EEM Event Detector receives notification
3. An EEM Policy is activated that initiates a pre-defined set of actions (CLI Applets, IOS.sh Policies or TCL Policies)


Service Planning
Embedded Event Manager (EEM) Versions
Embedded monitoring of different components of the system via a set of software agents (event detectors)
Event detectors (ED) notify EEM when an event of interest occurs; based on this, a policy will trigger an action to be taken
Advantages: Local programmable actions, triggered by specific events – growing set of detectors and actions:
– EEM 1.0 introduced in 12.0(26)S, 12.3(4)T
– EEM 2.0 introduced in 12.2(25)S
– EEM 2.1 introduced in 12.3(14)T
– EEM 2.2 introduced in 12.4(2)T
– EEM 2.3 introduced in 12.4(11)T
– EEM 2.4 introduced in 12.4(20)T: adds multi-event correlation
– EEM 3.0 introduced in 12.4(22)T: adds programmatic Applets
– EEM 3.1 introduced in 15.0(1)M
– EEM 3.2 introduced in 12.2(52)SE
– stay tuned ...


Service Planning
EEM Architecture

[Figure: EEM architecture]
Actions: email notification; SNMP set; SNMP counter; SNMP get; SNMP notification; reload or switch-over; application specific; CLI; syslog
Policies: CLI Applets; IOS.sh Policies; TCL Policies (with multi-event correlation)
Event Detectors: Syslog; SNMP (remote: notification; local: notification, get/set); Timer (cron, count, ...); none; HW (fan, temp, env, ...); Watchdog; CLI; OIR; ERM; EOT; RF; GOLD; NetFlow; IPSLA; Route; 802.1x; MAC; Interface Counter; XML RPC; CDP; LLDP
IOS subsystems feeding the detectors: Syslog; Event Database; Process Scheduler; Interface Descriptor Blocks


Service Planning
EEM Applets and Policies

CLI Applets: Part of the Cisco IOS configuration; based on CLI commands; simple actions; programmatic applet extensions
IOS.sh Policies: Separate ASCII file (my-policy.sh); based on Cisco IOS CLI and shell commands; effective shell-like simple scripting; registered via the Cisco IOS config
TCL Policies: Separate ASCII file (my-policy.tcl); based on Cisco IOS CLI and Safe TCL commands; flexible and powerful scripting capabilities; registered via the Cisco IOS config


Service Planning
Example: Trigger a Config Change – 1/3
Problem: a PKI related config change on a remote device should only
happen once NTP has successfully synced the time

Router(config)# ntp logging
Router(config)# ntp update-calendar
Router(config)# ntp server 172.16.154.40 prefer

Solution I: use the EEM Syslog Event Detector and a CLI Applet to trigger the
change (ntp logging must be enabled, otherwise the %NTP-5-PEERSYNC message the applet waits for is never generated)

CLI Applet
event manager applet config_upon_ntp
 event syslog pattern ".*%NTP-5-PEERSYNC.*"
 action 100 syslog msg "Starting ..."
 :
 ... Your Config Changes Here ...
 :
 action 999 syslog msg "... done"

Resulting syslog output:
Dec 10 13:03:57.746: %NTP-5-PEERSYNC: NTP synced to peer 172.16.254.40
Dec 10 13:03:57.750: %HA_EM-6-LOG: config_upon_ntp: Starting ...
Dec 10 13:03:57.750: %HA_EM-6-LOG: config_upon_ntp: ... done


Service Planning
Example: Trigger a Config Change – 2/3
Solution II: use the EEM Syslog Event Detector and an IOS.sh Policy to trigger
the change

IOS.sh Policy
##::cisco::eem::event_register_syslog pattern .*%NTP-5-PEERSYNC.*
send log "Starting ..."
enable
conf t
hostname $new_hostname
:
... Your Config Changes Here ...
:
end
send log "... done"
# End of IOS.sh Policy demo script

Resulting output (the policy was registered as sl_cfg_ntp.sh):
router#
*Dec 22 18:27:09.659: %HA_EM-6-LOG: sl_cfg_ntp.sh: Starting ...
*Dec 22 18:27:09.801: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:sl_cfg_ntp.sh)
*Dec 22 18:27:09.927: %HA_EM-6-LOG: sl_cfg_ntp.sh: Set hostname from router to it-worked
*Dec 22 18:27:09.927: %HA_EM-6-LOG: sl_cfg_ntp.sh: ... done
it-worked#

Solution III: use the EEM Syslog Event Detector and a TCL Policy to trigger the
change …


TCL Policy
::cisco::eem::event_register_syslog occurs 1 pattern .*%NTP-5-PEERSYNC.* queue_priority low nice 1 maxrun 90

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

action_syslog msg "Starting ..."

set oldname [info hostname]
set newname "it-worked"

if [catch {cli_open} result] {
    error $result $errorInfo
} else {
    array set cli $result
}

if [catch {cli_exec $cli(fd) "enable\n conf term\n hostname $newname\n end"} result] {
    action_syslog msg "Failed to set hostname: $result : $errorInfo"
    error $result $errorInfo
} else {
    action_syslog msg "Set hostname from $oldname to $newname"
}

cli_close $cli(fd) $cli(tty_id)

action_syslog msg "... done"

Note on maxrun: this is the policy runtime limit (default = 20 seconds). Increase this value if you see a "Process Forced Exit" message from the router.

Resulting output:
router#
*Dec 10 10:43:29.061: %HA_EM-6-LOG: config_upon_ntp.tcl: Starting ...
*Dec 10 10:43:29.197: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:config_upon_ntp.tcl)
*Dec 10 10:43:29.329: %HA_EM-6-LOG: config_upon_ntp.tcl: Set hostname from router to it-worked
*Dec 10 10:43:29.329: %HA_EM-6-LOG: config_upon_ntp.tcl: ... done
it-worked#


EEM
Getting Started with TCL Scripts

1. Define the user policy directory:
Router(config)# event manager directory user policy flash:

2. Copy the Tcl script to flash:
Router# copy tftp flash:
Address or name of remote host []? 10.1.88.9
Source filename []? foobar.tcl
Destination filename [tcl]? foobar.tcl
Accessing tftp://10.1.88.9/foobar.tcl...!
1232 bytes copied in 0.620 secs (1987 bytes/sec)

3. Configure any required environment variables:
event manager environment _email_server 172.27.121.177
event manager environment _email_from noc@cisco.com
event manager environment _email_to it@cisco.com

4. Configure any IOS features EEM may depend on (optional); examples include IP SLA, ERM and Embedded Object Tracking

5. Register the Tcl script:
Router(config)# event manager policy foobar.tcl type user


Availability of Event Detectors
[Table: per event detector, the EEM versions in which it is available; columns: EEM in IOS 1.0, 2.0, 2.1, 2.2, 2.3, 2.4, 3.0, 3.1, 3.2; IOS XR 3.6, 3.7; IOS XE 2.1, 2.2; NX-OS 4.0, 4.1. Only the detector descriptions (ED triggers, based on ...) are reproduced here:]
Syslog – RegExp match of local syslog message
SNMP Notif – SNMP MIB variable threshold
Watchdog – IOS process or subsystem activity events
Interface Counter – (Interface) counter threshold
Timer – Designated time or interval
Counter – Change of a designated counter value
Application specific – An IOS subsystem or policy script
CLI – RegExp match of input via command line interface
OIR – Hardware online insertion and removal (OIR)
none – No trigger, used in conjunction with exec command
ERM – Embedded Resource Manager (ERM) events
EOT – Enhanced Object Tracking (EOT) variable events
RF – IOS Redundancy Facility (switchover)
GOLD – Generic Online Diagnostics (GOLD) events
SNMP Proxy – Incoming remote SNMP notification
XML RPC – Incoming XML message
Routing – State change of routing protocols
Netflow – Traffic flow information from NetFlow
IPSLA – IPSLA events (supersedes EOT for EEM / IPSLA)
CLI enhanced – Integrates the CLI ED with the XML PI
SNMP Object – Intercept SNMP GET/SET requests
Neighbor Disco – CDP, LLDP, link up/down events
Identity – 802.1x and MAB authentication events
MAC – MAC address table entry changes
Hardware – Register for environmental monitoring hardware
Statistics – Threshold crossing of a statistical counter
Fan (absent / bad) – Presence and state of a fan
Module failure – Occurrence of a module failure event
Storm Control – Occurrence of a storm control event
Temperature – Temperature sensor thresholds


EEM 2.0: Timer Event Detector
EEM 2.1: CLI Action
Example: export a permanent Flexible NetFlow cache on a regular basis

cron-entry fields: Minute (0-59), Hour (0-23), Day of the month (1-31), Month of the year (1-12), Day of the week (0-6 with 0=Sunday)

Router(config)# event manager applet periodicexport
Router(config-applet)# event timer cron name "everyhour" cron-entry "0 * * * *"
Router(config-applet)# action 1.0 cli command "clear flow monitor traffic-matrix-record force-export"

Router# debug flow exporter event
Router#
Nov 6 17:00:00.763: FLOW EXP: Exporting packet (ID: 256, Exporter: capacity-planning-collector)


EEM 2.0: EOT Event Detector
Problem: A notification is required upon failure of a specific route
D 1.1.1.1 [90/297372416] via 192.168.1.1, ...

Solution: Track the route using Enhanced Object Tracking (EOT) and Embedded Event Manager (EEM)
[Figure: the router running EOT/EEM tracks 1.1.1.1/32; when the route fails it sends an email via 172.27.121.177]

track 400 ip route 1.1.1.1/32 reachability
 delay down 10 up 10
!
event manager environment my_server 172.27.121.177
event manager environment my_from router-abc@customer.com
event manager environment my_to attach@cisco.com
event manager environment my_route 1.1.1.1/32
!
event manager applet email_track_iproute
 event track 400 state down
 action 1.0 syslog msg "Prefix to [$my_route] has been withdrawn!"
 action 1.1 mail server "$my_server" to "$my_to" from "$my_from" subject "EEM: Prefix to Remote Site [$my_route] is DOWN" body ""
 action 1.2 syslog msg "EEM: Path Failure alert email sent!"

Note: New Routing Event Detector in EEM 3.0
EEM 2.4: Proxy Event Detector
A router or switch can RECEIVE an SNMP trap
EEM event upon trap receipt
Execute (trigger) an EEM script to take local action
The script sees the varbind info

Example: UPS on battery backup
===> Shut non-critical PoE ports to conserve power
Only 5 minutes remaining
===> Shut down service modules gracefully
[Figure: an Uninterruptible Power Supply sends the SNMP traps "On Battery" and "5 Min Remaining!" to EEM on the switch]

Example: managed services
EEM 2.4: Multiple Event Correlation
Prior to EEM 2.4 there was a one-to-one correspondence between a single event and the triggered policy: a policy could only be triggered by a single event, and any event correlation had to be coded by the user.
Multiple Event Support introduces an event correlation specification, so that multiple events may be considered together to trigger a policy.
For example:
If (Event 1 OR Event 2) AND Event 3, then trigger Policy A
[Figure: Event Correlation Capabilities]
EEM 2.4: Multiple Event Correlation
Problem: A syslog message is required upon state change of either Ethernet1/0 or Ethernet1/1
Solution: Use Embedded Event Manager (EEM) Multiple Event Correlation with a correlate statement within the trigger block to define the logic between individual events, and optional occurs clauses to define the number of times a specific event must be raised before being used in the correlation (inner level), or the number of times the total correlation must be true before invoking the action (outer level):

event manager applet example
 event tag e1 syslog pattern ".*UPDOWN.*Ethernet1/0.*"
 event tag e2 syslog pattern ".*UPDOWN.*Ethernet1/1.*"
 trigger occurs 1
  correlate event e1 or event e2
  attribute e1 occurs 1
  attribute e2 occurs 1
 action 1.0 syslog msg "Critical interface status change"
 set 2.0 _exit_status 0
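The inner/outer occurs semantics above are easy to get wrong when writing a trigger block, so here is a small model of them that can be run offline against sample syslog lines. This is an added example, not code from the deck and not Cisco's implementation: it mimics the trigger block (tagged syslog patterns, attribute occurs per event, a correlate expression, trigger occurs) in a simplified way, ignoring period windows and andnot, and the syslog lines are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class EventSpec:
    tag: str          # "event tag e1 ..."
    pattern: str      # syslog regex, as in 'event tag e1 syslog pattern "..."'
    occurs: int = 1   # "attribute e1 occurs N": matches needed before e1 counts as true


class Correlator:
    """Simplified model of an EEM multi-event applet trigger block.

    Each syslog line is matched against every tagged event; an event's flag
    becomes true once it has matched its inner 'occurs' count.  After every
    line the correlate expression is evaluated over the flags; each time it is
    true the inner counters reset and the outer counter is bumped, and when the
    outer counter reaches 'trigger occurs' the applet's actions run.
    (Model only: real EEM also has 'period' windows and 'andnot'.)
    """

    def __init__(self, events, correlate, trigger_occurs=1):
        self.events = {e.tag: e for e in events}
        self.regex = {e.tag: re.compile(e.pattern) for e in events}
        self.correlate = correlate            # callable over {tag: bool}
        self.trigger_occurs = trigger_occurs
        self.counts = {e.tag: 0 for e in events}
        self.true_count = 0

    def feed(self, line):
        """Return True if this syslog line makes the applet's actions run."""
        for tag, rx in self.regex.items():
            if rx.search(line):
                self.counts[tag] += 1
        flags = {tag: self.counts[tag] >= spec.occurs
                 for tag, spec in self.events.items()}
        if not self.correlate(flags):
            return False
        self.counts = {tag: 0 for tag in self.events}   # correlation consumed
        self.true_count += 1
        if self.true_count < self.trigger_occurs:
            return False
        self.true_count = 0
        return True


def firing_lines(correlator, lines):
    """Indexes of the lines at which the applet fires."""
    return [i for i, line in enumerate(lines) if correlator.feed(line)]


# The applet on the slide, expressed with this model
E1 = EventSpec("e1", r".*UPDOWN.*Ethernet1/0.*")
E2 = EventSpec("e2", r".*UPDOWN.*Ethernet1/1.*")


def slide_applet():
    return Correlator([E1, E2], lambda f: f["e1"] or f["e2"], trigger_occurs=1)


# Constructed syslog lines for the example (not taken from the deck)
SAMPLE_SYSLOG = [
    "*Jan 12 10:00:01.000: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to down",
    "*Jan 12 10:00:02.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "*Jan 12 10:00:03.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/1, changed state to up",
    "*Jan 12 10:00:04.000: %LINK-3-UPDOWN: Interface Ethernet2/0, changed state to down",
]

if __name__ == "__main__":
    print(firing_lines(slide_applet(), SAMPLE_SYSLOG))   # [0, 2]
```

Swapping the lambda for `(f["e1"] or f["e2"]) and f["e3"]` with a third event on %SYS-5-CONFIG_I reproduces the "(Event 1 OR Event 2) AND Event 3" case from the previous slide, and raising `occurs` on an event or `trigger_occurs` on the block shows the difference between the inner and the outer counter.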
Service Planning
EEM 3.0: Programmatic Applet Example
event manager applet route-watch
 event routing network 10.1.1.0/24 type add protocol ospf
 action 001 cli command "enable"
 action 002 set done 0
 action 003 while $done eq 0
 action 004 wait 5
 action 005 cli command "ping ip 10.1.1.1"
 action 005 regexp "!!!!!" "$_cli_result"
 action 006 if $_regexp_result eq 1
 action 007 cli command "config t"
 action 008 cli command "int Tunnel0"
 action 009 cli command "shut"
 action 010 cli command "end"
 action 011 set done 1
 action 012 end
 action 013 end

The applet will trigger when the route 10.1.1.0/24 is learned via OSPF.
The applet will try to ping host 10.1.1.1 and, when the ping is successful, it will take down the backup tunnel interface.
Question: how many ping attempts will be made?
Two things to check before answering: two actions carry the label 005, and applet action labels must be unique, so entering the second action 005 overwrites the first; and the applet sets no maxrun, so the while loop is bounded by the default policy runtime of 20 seconds (the "Process Forced Exit" case mentioned with the TCL policy above) rather than only by a successful ping.


Service Planning
EEM 3.1: SNMP Notification + Description

Router(config)# event manager applet test_trap
Router(config-applet)# description test snmp notification unmanaged service
Router(config-applet)# event snmp-notification oid 1.3.6.1.6.3.1.1.4.1.0 oid-val "1.3.6.1.6.3.1.1.5.3" op eq src-ip-address 10.51.89.176 direction incoming
Router(config-applet)# action 1.0 …
Router(config-applet)# action 2.0 …

"snmp-notification" can intercept incoming or outgoing notifications, but outgoing only for locally generated notifications

Note: an SNMPv2c notification carries the snmpTrapOID varbind (1.3.6.1.6.3.1.1.4.1.0), whose value is unique per notification type; the applet above matches on that varbind, and the value 1.3.6.1.6.3.1.1.5.3 is the standard linkDown trap


Service Planning
Example: Synchronizing EEM Scripts 1/2
Problem: Synchronize EEM Policy .tcl files from a central repository
Solution 1: Use event manager update commands
1. Configure the default repository:
router(config)# event manager directory user repository tftp://172.16.64.1

2. Single exec command to download, un-register and re-register:
router# event manager update user policy name my
%EEM: Update will use the repository path: tftp://172.16.64.1
%EEM: Attempting to copy tftp://172.16.64.1/my.tcl to flash:/eemtcl/my.tcl
Loading my.tcl from 172.16.64.1 (via FastEthernet0): !
[OK - 647 bytes]
%EEM: Copied 647 bytes from tftp://172.16.64.1/my.tcl to flash:/eemtcl/my.tcl
%EEM: Policy my.tcl has been successfully copied and re-registered
*Dec 10 20:12:43.198: %HA_EM-6-FMPD_UPDATE_POLICY_COPY: Policy update has copied 647 bytes
*Dec 10 20:12:43.230: %HA_EM-6-FMPD_UPDATE_POLICY_REGISTER: Policy update has successfully

2bis. Entire groups can also be synchronized, based on a regular expression match:
router# event manager update user policy group m.*

3. Verify using the show command:
router# show event manager policy registered
No. Class Type Event Type Trap Time Registered Name
1 script user syslog Off Wed Dec 10 20:12:43 2008 my.tcl
 occurs 1 pattern {.*%NTP-5-PEERSYNC.*}
 nice 1 queue-priority low maxrun 90.000 scheduler rp_primary

Caveat: a policy pulled this way is registered and runs like any other user policy, and TFTP provides neither authentication nor integrity, so whoever can write to the repository or spoof it controls what the router executes; restrict the repository to the management network and combine the update with Signed TCL Scripts (see Deployment & Activation below) where the platform supports them.

Available from: IOS 12.4(20)T
Service Planning
Example: Synchronizing EEM Scripts 2/2
Solution 2: Use the new event manager update command

1. Single exec command to specify the repository, download, un-register and re-register:
router# event manager update user policy name my.tcl repository tftp://10.1.1.1/
%EEM: Update will use the repository path: tftp://10.1.1.1
%EEM: Attempting to copy tftp://10.1.1.1/my.tcl to flash:/eemtcl/my.tcl
Loading my.tcl from 10.1.1.1 (via FastEthernet0): !
[OK - 647 bytes]
%EEM: Copied 647 bytes from tftp://10.1.1.1/my.tcl to flash:/eemtcl/my.tcl
%EEM: Policy my.tcl has been successfully copied and re-registered
*Dec 16 22:09:11.303: %HA_EM-6-FMPD_UPDATE_POLICY_COPY: Policy update has copied 647 bytes from
*Dec 12 22:09:11.329: %HA_EM-6-FMPD_UPDATE_POLICY_REGISTER: Policy update has successfully re-r

1bis. Entire groups can also be synchronized, based on a regular expression match:
router# event manager update user policy group m.*

2. Verify using the show command:
router# show event manager policy registered
No. Class Type Event Type Trap Time Registered Name
1 script user syslog Off Wed Dec 10 20:12:43 2008 my.tcl
 occurs 1 pattern {.*%NTP-5-PEERSYNC.*}
 nice 1 queue-priority low maxrun 90.000 scheduler rp_primary

The same caveat as for Solution 1 applies: the repository URL given on the command line is trusted as-is, so it should point to a repository reachable only from the management network.

Available from: IOS 15.0(1)M


Service Planning
Using EEM step-by-step
1. Which problem do you want to solve?
2. Which event detector and action do you need?
– Upgrade to the right IOS image
– Use show event manager detector <detector-type> detailed
3. Check whether a suitable script/applet is available already
– http://www.cisco.com/go/ciscobeyond
– http://www.cisco.com/go/eem
– http://www.cisco.com/go/easy
4. Work from an existing example
5. Deploy and monitor via CiscoWorks
– CWLMS 3.1 added support for EEM in RME
– http://www.cisco.com/go/lms
6. If customization/new development/testing is required
– "Integrated Development Environment for EEM" http://www.nidussoft.com/
– "Network Programming Advisors" http://www.progrizon.com/
– Cisco Advanced Services
7. Don't forget to ask (and share with) the EEM forum
Service Planning
Embedded Automation Systems (EASy)
1. Browse and download EASy packages
www.cisco.com/go/easy
2. Make sure to also download the EASy Installer
3. Browse other embedded automations
www.cisco.com/go/ciscobeyond
4. Learn about the technology under the hood
www.cisco.com/go/instrumentation
www.cisco.com/go/eem
www.cisco.com/go/pec
5. Discuss, ask questions, suggest answers
supportforums.cisco.com
6. Upload your own examples to CiscoBeyond
www.cisco.com/go/ciscobeyond
7. Engage via ask-easy@cisco.com


Agenda
Introduction & Overview
Service Planning
Service Deployment & Activation
Service Testing, Verification & Assurance
Troubleshooting & Optimization
Summary


Introduction & Overview
'Configuration' in a Service Life Cycle
[Figure: sources of configuration across the service life cycle. Actors: scripts and tools, network engineer, support staff, applications. Artifacts: scripts (*.tcl), IOS config, MOH & IVR files (*.mdf), images, xDM files. Scope: device groups, individual devices, large scale]


Command Line Interface (CLI) – The Basics


Command Line Interface (CLI) – Modes
[Figure: IOS CLI modes and the transitions between them]
User EXEC Mode: router> — show (limited), ping, enable, ...
Privileged EXEC Mode: router# — show, ping, debug, enable, ...; "conf t" enters Global Configuration Mode; "copy run start" writes the Running Configuration to the Startup Configuration
Global Configuration Mode: router(config)# — hostname, ip route, interface ..., do .., ...
Sub-modes entered from Global Configuration Mode:
– Line Configuration Sub-Mode: router(config-line)#
– Routing Configuration Sub-Mode: router(config-router)#
– Interface Configuration Sub-Mode: router(config-if)# — shutdown, ip address, encapsulation ..., ...
ROM Monitor: rommon # > (Config Register)
Diagnostic Boot (only on ASR): router(diag)#
See: www.cisco.com/en/US/docs/ios/preface/usingios.html
Command Line Interface (CLI) – Basics 1/2
A series of usability features are available in IOS:

Exec Commands from within Config Mode (from 12.0(21)S, 12.2(8)T)
Issue Exec commands without leaving Config Mode
router# conf t
router(config)# do copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
router(config)#

Command Aliases (from 10.3, 12.2(33)SRA)
Pre-defined aliases are available on the CLI:
router# show aliases
Exec mode aliases:
  h    help
  lo   logout
  p    ping
  r    resume
  s    show
  u    undebug
  un   undebug
  w    where

Custom aliases can be defined per (sub-)mode:
router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)# alias exec shib show ip interface brief
router(config)# alias exec shru show running-config
router(config)# alias exec shrb show running-config | begin
router(config)# alias configure h hostname
Router(config)# alias interface nsh no shutdown

Note: ROM Monitor also provides an alias command
Command Line Interface (CLI) – Basics 2/2
Interface Ranges and Macros (from 12.1(5)T, 12.1(1)E, IOS XE 2.1)
Define interface ranges / groups and apply config to them

Consecutive range, defined and used immediately:
router(config)# interface range FastEthernet 1 - 3
router(config-if-range)# no shut

Arbitrary group, defined once and used multiple times:
router(config)# define interface-range mylist FastEthernet 2 , FastEthernet 4 - 6
router(config)# interface range macro mylist
router(config-if-range)# no shut

Works on subinterfaces and VLAN ranges too (from 12.2(8)T):
router(config)# interface range FastEthernet 5/1.1 – FastEthernet 5/1.4
router(config-if-range)# encapsulation dot1Q 220
router(config-if-range)# no shut

This will apply:
VLAN ID 220 to FastEthernet 5/1.1
VLAN ID 221 to FastEthernet 5/1.2
VLAN ID 222 to FastEthernet 5/1.3
VLAN ID 223 to FastEthernet 5/1.4
Where to start with CLI?
Feature Navigator: http://www.cisco.com/go/fn
Command Lookup Tool: http://tools.cisco.com/Support/CLILookup/
Command Line Interface (CLI) – More Advanced

Son: Dad, why are there always 2 pilots?
Dad: one has to prevent the other from doing stupid things
Son: which one is doing the stupid things?


Deployment & Activation
IOS CLI Configuration 'Safety' Features
Contextual configuration diff utility (from 12.3(4)T, 12.2(25)S)
– Easily show differences between running and startup configuration
– Compare any two ASCII files
Config change logging and notification (from 12.3(4)T, 12.2(25)S)
– Tracks config commands entered per user, per session
– Notification sent indicating a config change has taken place; changes can be retrieved via SNMP
Configuration replace and rollback (from 12.3(7)T, 12.2(25)S)
– Replace running config with any saved configuration (only the diffs are applied) to return to a previous state
Configuration revert (from 12.4(23)T)
– Automatically roll back unconfirmed configurations
Configuration locking (from 12.3(14)T, 12.2(25)S)
– Ensures exclusive configuration change access


Deployment & Activation
Example: Using Config Rollback
Problem: a critical config change to a remote router may result in loss of connectivity, requiring a reload
Solution: replace the running configuration with the latest good archive after two minutes – unless the change made is confirmed

router# show archive
There are currently 4 archive configurations saved.
The next archive file will be named disk0:/config-archive-4
Archive # Name
0
1 disk0:/config-archive-1
2 disk0:/config-archive-2
3 disk0:/config-archive-3 <- Most Recent

router# config replace disk0:/config-archive-3 time 120
:
... your Config Change work here ...
:
router# no config replace disk0:/config-archive-3

Available from: IOS 12.3(7)T, 12.2(25)S
Deployment & Activation
Example: Using Config Revert
Problem: a critical config change to a remote router may result in loss of connectivity, requiring a reload
Solution: revert the running configuration after two minutes – unless the change made is confirmed

router# config terminal revert time 2
Rollback Confirmed Change: Backing up current running config to flash:bk-2
Enter configuration commands, one per line. End with CNTL/Z.
:
... your Config Change work here ...
:
router(config)# hostname oops
oops(config)# end
oops#
Rollback Confirmed Change: Rollback will begin in one minute. Enter "configure confirm" if you wish to keep what you've configured

Either the change is confirmed within the timer:
oops# config confirm
oops#

or the timer expires and the backup is restored:
oops#
Rollback Confirmed Change: rolling to:flash:bk-2
Total number of passes: 1
Rollback Done
router#

Available from: IOS 12.4(23)T, 12.2(33)S
Deployment & Activation
Role-Based CLI Access (CLI Views) – 1/3
View-based Access Control (CLI Views)
Starting in 12.3(7)T IOS has the capability to selectively or partially expose IOS commands and configuration information, so that administrators can exercise granular control over access to a Cisco device.

Role-Based CLI Access (new name!)
In 12.3(11)T the capability was extended to restrict user access on a per-interface level, and additional CLI views were introduced to support the extended view capability.
Also supports grouping multiple CLI views into a superview.

AAA is a prerequisite for CLI views
To associate a CLI view with a user you need external AAA (TACACS+: shell configuration, custom attribute cli-view-name), or you can also authenticate locally:
Router(config)# username marisol view first password 0 xxx
(password 0 stores the credential in clear text in the configuration; use username ... secret for a hashed one)

See: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_role_base_cli_ps6441_TSD_Products_Configuration_Guide_Chapter.html
Available from: IOS 12.3(7)T / 12.3(11)T
Deployment & Activation
Role-Based CLI Access (CLI Views) – 2/3
How to configure a view
Router(config)# aaa new-model
Router(config)# aaa authentication login default local
Router(config)# aaa authorization exec default local     (always a good practice)
Router(config)# username marisol view first pass ww
Router(config)# username root view root pass ww
Router(config)# parser view first
Router(config-view)# pass 5 ww
Router(config-view)# commands exec include sho version
Router(config-view)# exit

How to enable a view?
Router> enable view first
Password:
Router#
Dec 29 21:02:39.541: %PARSER-6-VIEW_SWITCH: successfully set to view 'first'.
Router# show ?
  flash:   display information about flash: file system
  parser   Show parser commands
  version  System hardware and software status

Show command
Router# show parser view [all]
Current view is 'first'


Deployment & Activation
Role-Based CLI Access (CLI Views) – 3/3
Privilege vs. CLI view
Router> show privilege
Current privilege level is 1
Router> enable
Router# show privilege
Current privilege level is 15
Router# show parser view
No view is active ! Currently in Privilege Level Context
Router# disable
Router>
Router> enable view
% AAA must be configured.

Superview
parser view second
 secret www
 commands exec include-exclusive show ip interface
 commands exec include show ip
 commands exec include show
 commands exec include logout
!
parser view mysuperview1 superview
 secret wwww
 view first
 view second
What if I need a simple script?
IOS Shell Scripting


IOS Shell
Problem: Sometimes we need more than what interface ranges, macros, Auto SmartPorts and other CLI features already offer, but we may not want all the power and complexity of Tcl scripting or Embedded Event Manager.

Solution: Use IOS Shell (IOS.sh)

IOS Shell offers:
– Environment variables: MY_VAR=value, %n
– Pipe and redirection: |
– Condition testing: if [...]; then else fi
– Loops
– Built-in functions: show shell functions, shell exec <function>
– Custom function definitions: function <name>(...){...}

Phase I available from: IOS 12.2(52)SE
IOS Shell - Example
The pre-built shell functions for Auto SmartPorts are a good starting point:
switch# show shell functions CISCO_AP_AUTO_SMARTPORT

function CISCO_AP_AUTO_SMARTPORT () {
    if [[ $LINKUP -eq YES ]]; then
        conf t
        interface $INTERFACE
        macro description $TRIGGER
        switchport trunk encapsulation dot1q
        switchport trunk native vlan $NATIVE_VLAN
        switchport trunk allowed vlan ALL
        switchport mode trunk
        switchport nonegotiate
        auto qos voip trust
        mls qos trust cos
        exit
        end
    fi
    if [[ $LINKUP -eq NO ]]; then


What if the Config Change is more complex?
Tcl Scripting and Cron


Deployment & Activation
Tool Command Language (TCL)
Language resources found at: http://www.tcl.tk/
TCL 7.x has been in Cisco IOS since 1994
TCL 8.3.4 first released in Cisco IOS in 12.3(2)T and merged into 12.2(25)S
Use 12.3(14)T or later for best results
Signed TCL Scripts introduced in 12.4(15)T

Router# tclsh slot0:myscript.tcl
Router# tclsh
Router(tcl)# source tftp://10.1.1.1/myscript.tcl

Note: a script sourced this way runs with the privileges of the user who started tclsh, and TFTP gives no assurance of who provided the file; this is what Signed TCL Scripts (below) address.

Use low-memory to prevent malloc failures:
Router(config)# scripting tcl low-memory <water_mark>

The TCL process runs at medium priority, so be careful with loops
Deployment & Activation
Tool Command Language (TCL)
Resources:
http://www.cisco.com/go/ciscobeyond
http://www.cisco.com/go/eem
http://www.cisco.com/go/ioscommercial
"Guide To Writing EEM Policies" documentation

Example: A VPN failure is defined as failure to reach a set of remote peer's L3 tunnel interface(s) that are configured using GRE + IPSEC over DMVPN

Router# tclsh
Router(tcl)# puts "Hello There"                                         <- TCL built-in command
Hello There
Router(tcl)# ios_config "interface fa0/0" "description Main Uplink"     <- Cisco IOS TCL extended command, wrapping Cisco IOS commands
Router(tcl)# exit
Router#


Deployment & Activation
Signed TCL Scripts
TCL has the capability to verify a digital signature in order to indicate trust.
A script can run in two modes:
– If the TCL script contains the right signature: TRUSTED MODE. It is authenticated and runs with trusted access to the TCL interpreter.
– If the TCL script does not contain the right signature: UNTRUSTED MODE. It runs in a limited mode for untrusted scripts, or does not run at all.
See: http://www.cisco.com/en/US/docs/ios/12_4t/netmgmt/configuration/guide/sign_tcl.html
Available from: IOS 12.4(15)T, 12.4(11)XW
Platforms: 8xx, 18xx ISRs, 26xx, 36xx, 37xx, IAD, 72xx, 7301, UC520, …
Deployment & Activation
Signed TCL Scripts – Trusted Mode
[Figure: a Tcl script signing server signs the script with the Cisco or customer private key; the router verifies the signature with the corresponding Cisco or customer public key and the signed Tcl script runs in trusted mode]

By default: disabled
CLI to enable the signature check:
Router(config)# scripting tcl secure-mode
Configure and authenticate the trustpoint holding the signer's certificate:
Router(config)# crypto pki trustpoint <name>
Router(config)# crypto pki authenticate <name>
Link TCL to the trustpoint:
Router(config)# scripting tcl trustpoint name <name>


Deployment & Activation
Signed TCL Scripts – Untrusted Mode
[Figure: an end-user-written, unsigned Tcl script reaches the router; the router attempts to verify a signature with the Cisco or customer public key, Tcl checks the configuration, and the script is terminated or run in trusted or untrusted Tcl mode]

When signature verification of the TCL script fails, because the signature is invalid or missing, the configured untrusted action decides what happens:
Router(config)# scripting tcl trustpoint untrusted <execute | execute-safe | terminate>
– execute: the script is executed anyway
– execute-safe: the script is executed in safe mode
– terminate (default): the script is not run


Deployment & Activation
Kron Scheduler
Run EXEC commands periodically or at a specified time
First introduced in 12.3(1)
Runs commands in a fully-automated mode
Interactive commands (e.g. reload) are NOT supported

Note: NTP must be configured or the router clock must be authoritative
Kron and Tcl can run together since 12.4(4)T

Alternative option: use the Embedded Event Manager (EEM) Timer ED
Deployment & Activation
Kron Scheduler vs. EEM Timer ED
Kron was introduced in 12.3(1)
EEM "event timer cron" was introduced in 12.2(25)S and 12.3(14)T
Kron & EEM: trigger a set of CLI commands at reload / periodic intervals
Only Kron has the ability to specify a different username for each event
Drawbacks of Kron vs EEM:
– Cannot collect outputs with Kron, and not all EXEC commands work under the kron policy cli ...
– Interactive commands (e.g. reload) are NOT supported by Kron
Kron is (still) more widely available in the installed base
EEM Timer ED offers a more flexible and feature-rich superset


How to be triggered by a Config Change?
Embedded Event Manager (EEM)


Using EEM to trigger upon config change
Two options:
Syslog Event Detector upon any potential config change
CLI Event Detector upon a specific CLI command
– Asynchronous:
  • Trigger policy and then execute the CLI command
  • Trigger policy and skip the CLI command
– Synchronous:
  • Trigger policy and execute/skip based on exit status
    _exit_status == 0: skip the CLI command (default)
    _exit_status == 1: execute the CLI command
event [tag event-tag] cli pattern regular-expression
      {[default] [enter] [questionmark] [tab]}
      [sync {yes | no skip {yes | no}}]
      [mode variable]
      [occurs num-occurrences] [period period-value]
      [maxrun maxruntime-number]

Available from: EEM 2.1, integrated with XML PI from EEM 3.0
Example: Using EEM CLI Event Detector
Problem: VLAN 380 should not be accidentally removed from a trunk
(Other commands worth guarding the same way: no mpls ip, no router isis, debug all)
Solution: use the EEM CLI Event Detector:

Option a: Don't prevent anything, just issue a syslog notification:
event manager applet cli-async
 event cli pattern "switchport trunk allowed vlan remove.*380.*" sync no skip no
 action 1.0 syslog msg "Removing VLAN 380"

Option b: Prevent the entire command and issue a syslog notification:
event manager applet cli-async-skip
 event cli pattern "switchport trunk allowed vlan remove.*380.*" sync no skip yes
 action 1.0 syslog msg "Will NOT remove VLAN 380"

Option c: Ask for confirmation, then allow or prevent the entire command:
event manager applet cli-sync
 event cli pattern "switchport trunk allowed vlan remove.*380.*" sync yes
 action 1.0 puts "Confirm removing VLAN 380 [yes|no]:"
 action 2.0 gets response
 action 3.0 if $response eq yes goto 5.0
 action 4.0 puts "NOK - VLAN 380 will NOT be removed"
 action 4.1 exit 0
 action 5.0 puts "OK - VLAN 380 will be removed"
 action 5.1 exit 1

Caveats: the command may be (much) bigger than what you match, and VLAN ranges (e.g. remove 300-400) never contain the literal 380; the pattern matches a text fragment, not the command's effect.
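The caveat above can be made concrete offline. The following is an added example, not code from the deck and not how IOS evaluates the pattern: it contrasts the slide's regex with a small parser that expands the VLAN list of a `switchport trunk allowed vlan` command (the add / remove / except / all / none forms and the bare-list form that replaces the whole allowed list) and returns the `_exit_status` value a synchronous CLI ED policy would use (0 = skip the command, 1 = let it run). The sample commands are constructed for the example.

```python
import re

# The applet's own trigger: a literal "380" somewhere after "remove".
NAIVE_PATTERN = re.compile(r"switchport trunk allowed vlan remove.*380.*")


def naive_matches(command):
    """What the slide's CLI ED pattern sees."""
    return bool(NAIVE_PATTERN.search(command))


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-25,380' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def removes_vlan(command, vlan):
    """True if this 'switchport trunk allowed vlan ...' command would drop <vlan>
    from the trunk, whichever form the command takes."""
    m = re.match(r"\s*switchport trunk allowed vlan\s+(.+?)\s*$", command, re.I)
    if not m:
        return False
    args = m.group(1)
    keyword, _, rest = args.partition(" ")
    keyword = keyword.lower()
    if keyword in ("remove", "except"):   # explicit removal, or "everything but"
        return vlan in expand_vlan_list(rest)
    if keyword == "none":                 # nothing allowed any more
        return True
    if keyword in ("add", "all"):         # can only widen the allowed list
        return False
    # Bare list form replaces the whole allowed list: <vlan> is gone if absent.
    return vlan not in expand_vlan_list(args)


def exit_status(command, protected_vlan=380):
    """Exit status for a 'sync yes' CLI ED policy: 0 skips the command, 1 runs it."""
    return 0 if removes_vlan(command, protected_vlan) else 1


# Constructed sample commands for the example (not from the deck)
SAMPLE_COMMANDS = [
    "switchport trunk allowed vlan remove 380",        # obvious case
    "switchport trunk allowed vlan remove 300-400",    # range: no literal 380
    "switchport trunk allowed vlan remove 3800",       # literal 380 inside 3800
    "switchport trunk allowed vlan 1-379,381-4094",    # replaces the list without 380
    "switchport trunk allowed vlan none",
    "switchport trunk allowed vlan add 380",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{cmd!r:50} regex={naive_matches(cmd)!s:5} "
              f"drops380={removes_vlan(cmd, 380)!s:5} exit={exit_status(cmd)}")
```

Running it shows the regex missing the range and the bare-list forms while flagging VLAN 3800, which is the reason a single `event cli pattern` should be treated as a coarse filter and the decision made on the parsed command inside the policy.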
Editing Files on the CLI


Editing Files
Problem: ASCII files are often used with Device Manageability Instrumentation in IOS:
– Tcl scripts and EEM Tcl policies
– EMM menu definition files
– Config templates and other text files
During development and test it would be useful to edit these files directly from IOS.
But: IOS does not include an ASCII editor ...

Solution: Use a Tcl implementation of an editor in IOS
The GNU ed editor is a very simple, line-based editor available as a Tcl implementation
see: http://en.wikipedia.org/wiki/Ed_(Unix)
see: http://www.gnu.org/software/ed/ed.html


Editing Files – Using ed.tcl
1. Copy ed.tcl and a simple test file to the flash:
router# show flash
:
8   27091  Nov 19 2008 10:51:26  ed.tcl
9      68  Nov 19 2008 11:00:12  testfile.txt

2. Define an alias for simplicity:
router(config)# alias exec ed tclsh flash:/ed.tcl

3. Edit the file using ed (the annotations after <- are not typed):
router# ed flash:/testfile.txt
65
1,$p                         <- print lines 1 to last
line one of the test file
line two of the test file
another line
,p                           <- print all lines
line one of the test file
line two of the test file
another line
,n                           <- numbered print of all lines
1 line one of the test file
2 line two of the test file
3 another line
a                            <- add lines
and here are
yet another two lines
.                            <- end adding
,n
1 line one of the test file
2 line two of the test file
3 another line
4 and here are
5 yet another two lines
w                            <- write file
99
q                            <- quit
router#

Available from www.cisco.com/go/ciscobeyond (http://tinyurl.com/ed-on-ios)
( See http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=1461 )
Archiving and keeping Files up to date


Deployment & Activation
Example: Archiving Configuration – 1/6
Problem: Device configurations must be archived periodically; collecting them from the outside should not be the only answer.

Solution 0: Manually create meaningful copies of the running config:
nexus-7000# copy run bootflash:/$(TIMESTAMP)-$(SWITCHNAME).conf

nexus-7000# dir bootflash:
    29796  Apr 27 17:38:16 2009  2009-04-27-17.38.16-nexus-7000.conf

nexus-7000# show cli variable
VSH Variable List
-----------------
SWITCHNAME="nexus-7000"
TIMESTAMP="2009-04-27-17.47.48"

Note: from IOS 12.3T onwards, refer to the $h (hostname) and $t (time) variables within the archive config path option


Deployment & Activation
Example: Archiving Configuration – 2/6
Solution 1: Archive the running configuration once every day locally (time-period is in minutes):

archive
 path disk0:/config-archive
 maximum 7
 time-period 1440

View the content of the archive:

Router#show archive
There are currently 3 archive configurations saved.
The next archive file will be named disk0:config-archive-3
 Archive #  Name
   0
   1        disk0:config-archive-1
   2        disk0:config-archive-2 <- Most Recent
   3
   4
   5
   6
   7


Deployment & Activation
Example: Archiving Configuration – 3/6
Solution 2: Archive the running configuration to tftp upon write:
archive
 path tftp://10.1.1.1
 write-memory

Note: Config can also be archived on demand:
Router#archive config

Solution 3: Use Kron to schedule periodic archiving (plus other activity)
archive
 path tftp://10.1.1.1
!
kron policy-list backupconfig
 cli archive config
!
kron occurrence backup-occur at 23:23 recurring
 policy-list backupconfig         <- multiple policy-lists possible
Deployment & Activation
Example: Archiving Configuration – 4/6

Solution 4: Use Embedded Event Manager (EEM) with a Syslog Event Detector and a Tcl policy to archive the config only if there was a change

Define the EEM environment variable used by the policy:
Router(config)# event manager environment filename <myfile.txt>

Register the EEM Tcl script:
Router(config)# event manager directory user policy "flash:/TCL"
Router(config)# event manager policy archive.tcl type user

Configure archive location and size:
Router(config)# archive
Router(config-archive)# path flash:disk0
Router(config-archive)# maximum 14

Check: the policy builds the name of the most recent archive as flash:$filename-<number>, so the value of the filename variable must match the file-name part of the archive path.

This script is available from www.cisco.com/go/ciscobeyond
( See http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=1103 )
Deployment & Activation
Example: Archiving Configuration – 5/6 and 6/6
The first line registers the policy with the Syslog Event Detector. maxrun sets the policy runtime (default = 20 seconds); increase this value if you see a "Process Forced Exit" message from the router.

::cisco::eem::event_register_syslog pattern ".*%SYS-5-CONFIG.*" maxrun 90
#########################################################
# EEM Tcl script to archive the config upon change
#
# Developed by Marisol Palmero
#
# The following EEM environment variable is used:
# - filename: name of the file specified in the path command within
#   the archive configuration
#
# Check that the variable exists, otherwise quit
#########################################################
if {![info exists filename]} {
    set result "Policy cannot be run: variable filename not set"
    error $result
}

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Open a CLI session (VTY) for the policy
if [catch {cli_open} result] {
    puts stderr $result
    exit 1
} else {
    array set cli1 $result
}

if [catch {cli_exec $cli1(fd) "en"} result] {
    puts stderr $result
    exit 1
}

# Find the most recent archive and compare it with the running config
set showarchive [cli_exec $cli1(fd) "show archive"]
set lines [split $showarchive "\n"]

set result 0
foreach line $lines {
    set result [regexp {<- Most Recent} $line]
    if {$result != 0} {
        # e.g. "   2        disk0:config-archive-2 <- Most Recent"
        regexp {^\s+\d+\s+(.+)-(\d+)\s+<-} $line -> path extension
        # the show command must be sent to the CLI as a single line
        set output [cli_exec $cli1(fd) \
            "show archive config differences system:/running-config flash:$filename-$extension"]
        if {[regexp "!No changes were found" $output]} {
            break
        } else {
            # archive if there was a change
            cli_exec $cli1(fd) "archive config"
            break
        }
    }
}
# archive if there was no archived version yet
if {$result == 0} {
    cli_exec $cli1(fd) "archive config"
}

cli_close $cli1(fd) $cli1(tty_id)
Example: Synchronizing EEM Scripts 1/2
Problem: Synchronize EEM policy .tcl files from a central repository
Solution 1: Use event manager update commands
1. Configure the default repository:
router(config)# event manager directory user repository tftp://172.16.64.1

2. Single exec command to download, un-register and re-register:
router# event manager update user policy name my
%EEM: Update will use the repository path: tftp://172.16.64.1
%EEM: Attempting to copy tftp://172.16.64.1/my.tcl to flash:/eemtcl/my.tcl
Loading my.tcl from 172.16.64.1 (via FastEthernet0): !
[OK - 647 bytes]
%EEM: Copied 647 bytes from tftp://172.16.64.1/my.tcl to flash:/eemtcl/my.tcl
%EEM: Policy my.tcl has been successfully copied and re-registered

*Dec 10 20:12:43.198: %HA_EM-6-FMPD_UPDATE_POLICY_COPY: Policy update has copied 647 bytes
*Dec 10 20:12:43.230: %HA_EM-6-FMPD_UPDATE_POLICY_REGISTER: Policy update has successfully

2bis. Can also sync entire groups, based on a regular expression match:
router# event manager update user policy group m.*

3. Verify using the show command:
router# show event manager policy registered
No.  Class   Type  Event Type  Trap  Time Registered           Name
1    script  user  syslog      Off   Wed Dec 10 20:12:43 2008  my.tcl
 occurs 1 pattern {.*%NTP-5-PEERSYNC.*}
 nice 1 queue-priority low maxrun 90.000 scheduler rp_primary
Available from: IOS 12.4(20)T
Example: Synchronizing EEM Scripts 2/2
Solution 2: Use the new event manager update command

1. Single exec command to specify the repository, download, un-register and re-register:
router# event manager update user policy name my.tcl repository tftp://10.1.1.1/
%EEM: Update will use the repository path: tftp://10.1.1.1
%EEM: Attempting to copy tftp://10.1.1.1/my.tcl to flash:/eemtcl/my.tcl
Loading my.tcl from 10.1.1.1 (via FastEthernet0): !
[OK - 647 bytes]
%EEM: Copied 647 bytes from tftp://10.1.1.1/my.tcl to flash:/eemtcl/my.tcl
%EEM: Policy my.tcl has been successfully copied and re-registered

*Dec 16 22:09:11.303: %HA_EM-6-FMPD_UPDATE_POLICY_COPY: Policy update has copied 647 bytes from
*Dec 12 22:09:11.329: %HA_EM-6-FMPD_UPDATE_POLICY_REGISTER: Policy update has successfully re-r

1bis. Can also sync entire groups, based on a regular expression match:
router# event manager update user policy group m.*

2. Verify using the show command:
router# show event manager policy registered
No.  Class   Type  Event Type  Trap  Time Registered           Name
1    script  user  syslog      Off   Wed Dec 10 20:12:43 2008  my.tcl
 occurs 1 pattern {.*%NTP-5-PEERSYNC.*}
 nice 1 queue-priority low maxrun 90.000 scheduler rp_primary

Available from: IOS 15.0(1)M
Example: Install Embedded Automations
Problem: Embedded Automations based on Tcl scripting or Embedded Event Manager may include multiple scripts, policies, configurations, variables and pre-requisites. How can we install (and un-install) all of these in a consistent manner?
Solution: Create a package and use the EASy Installer
Router# easy-installer tftp://10.1.1.1/my-package.tar flash:/easy

-----------------------------------------------------------------------
Configure and Install EASy Package 'my-package'
-----------------------------------------------------------------------
1. Display Package Description
2. Configure Package Parameters
3. Deploy Package Policies
4. Verify Installed Package
5. Exit

Enter option:

See: http://www.cisco.com/go/easy
How to pre-commission new Cisco Devices?

AutoInstall (DHCP Opt 150)

How to deal with new routers ...
How to deal with new routers – AutoInstall
The IOS AutoInstall feature consists of:
  Ethernet interface up
  DHCP client + option 150

Combined with an external DHCP and TFTP server this enables a new router to automatically retrieve a default configuration without manual interaction via console cable or telnet.

Caveat: the configuration is fetched over TFTP, which provides neither authentication nor confidentiality, so the DHCP/TFTP servers and the segment used for AutoInstall should be a controlled staging network rather than a production one.

See: http://www.cisco.com/en/US/docs/ios/12_1t/12_1t5/feature/guide/dt_dhcpa.html
Available from: IOS 12.1(5)T, IOS-XE 2.1.0
Platforms: ASR 1000, x8xx ISR, x9xx ISR, 37xx, ME3400, ME4900, Cat4k, Cat6k, 76xx, 10k, UC520
See also: Smart Install
Deployment & Activation
Example: Automated Pre-Commissioning
Problem: How to automatically pre-commission a new Cisco ISR without manual intervention on the console
Solution: Use the AutoInstall feature combined with an external DHCP and TFTP server

0. Power up the CPE and connect it to Ethernet
1. CPE sends DHCP Discover
2. DHCP server replies with Offer
3. CPE sends DHCP Request
4. DHCP server replies (Ack) with option 150, the TFTP server address
5. CPE requests the hostname-confg file from TFTP
6. TFTP server sends the hostname-confg file to the CPE
CPE is now pre-commissioned
Deployment & Activation
Example: Automated Pre-Commissioning – what exactly happens in step 5

NE is connected to the network
 -> NE gets an IP address via BOOTP, SLARP or DHCP
 -> NE gets the network-confg file from TFTP
 -> Does the IP map to a hostname in the network-confg file?
      Yes -> NE attempts to get hostname-confg or hostname.cfg from TFTP
               Does the file exist on TFTP?
                 Yes -> AutoInstall completes
                 No  -> fall through to the default config file check below
      No  -> Is reverse DNS successful?
               Yes -> NE attempts hostname-confg / hostname.cfg as above
               No  -> Does the default config file exist on TFTP?
                        No  -> AutoInstall fails
                        Yes -> NE gets router-confg or router.cfg from TFTP
                               -> AutoInstall completes; manual config completion; copy run start
Deployment & Activation
Caveat: Combine AutoInstall and SDM
Caveat: Routers ordered with Security Device Manager (SDM) are pre-configured, but AutoInstall only works on a factory-default configuration

Solution:
1. Order the router with the "no factory pre-config" option
2. Run AutoInstall; ensure the commissioning includes the SDM-specific pre-config and the downloaded SDM files:
   logging buffered 51200 warnings
   ip http server
   ip http access-class 23
   ip http secure-server
   ip http authentication local
   ip http timeout-policy idle 600 life 86400 requests 10000
   access-list 23 permit 10.10.10.0 0.0.0.7
   username username privilege 15 secret 0 password
   line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input telnet
    transport input telnet ssh
   line vty 5 15
    access-class 23 in
    privilege level 15
    login local
    transport input telnet
    transport input telnet ssh
3. Run SDM

Check: "username" and "password" above are placeholders for a real privilege-15 account. The second "transport input telnet ssh" line replaces the preceding "transport input telnet", so telnet stays enabled on the vty lines next to SSH, and "ip http server" keeps plain HTTP open next to HTTPS; restrict access-list 23 to the management hosts that actually need it.
How to automate entire deployment / maintenance scenarios?

Zero Touch Deployment
Deployment & Activation
Sometimes we need to automate ...
Typical challenges:
• Large scale
  - more than just a few image updates
  - more than a few hundred config or file updates
• Robustness
  - unreliable / un-managed access
  - interruptions, outages
• Security
  - authentication, privacy
  - trust and skills of on-site staff
  - unknown hostnames / IP addresses
• Time
  - de-coupling of deployment and activation
  - many devices within a small time window
• Cost
  - manual, skilled labour cost vs. automated solution

Automate initial and partial configuration, image upgrades or distribution of files (any file, any place)
Deployment & Activation
Zero-Touch Deployment Methods

Method | Cisco IOS Deployment Agents | External Mediation Server | Notes
DOCSIS | DOCSIS | Cisco Broadband Access Center (BAC) | For cable modem access only; widely standardized
TR-069 | TR-069 | Cisco Broadband Access Center (BAC) | For DSL access; the standard is work in progress with a currently loose definition, check interop tests from Plugfest
EEM | Embedded Event Manager | FTP, TFTP, SCP, ... | Flexibility for scenarios not covered by any other method; sometimes used in concert with other methods
Kron | Kron and Tcl | FTP, TFTP, SCP, ... | When EEM is not available
DHCP | DHCP | Cisco Network Registrar, TFTP | Agnostic of access technology; partially standardized, multiple options used
CNS | CNS Config Agent, CNS Image Agent, CNS Inventory Agent, CNS Event Agent | Cisco Configuration Engine | Most secure and robust; agnostic of access technology; agnostic of IP addressing

Zero-Touch Deployment = Embedded Agents + External Mediation
Deployment & Activation
Example: Zero-Touch Deployment – 1/3
Problem: A large number of teleworker routers have to be deployed. Access technology and service provider vary; IP addressing is not known in advance
Solution: Pre-configure the routers with a generic bootstrap config. This config ensures initial IP connectivity, identifies the device and communicates back to the Configuration Engine for the appropriate config:

Router(config)# cns id hardware-serial
Router(config)# cns config initial MyConfigEngine 80 event no-persist
Router(config)# cns id hardware-serial event
Router(config)# cns event MyConfigEngine 11011

Note: Many other options for the ID exist and are often used instead of hardware-serial (see the "cns id ?" output on slide 3/3).
Deployment & Activation
Example: Zero-Touch Deployment – 2/3
Participants: CPE, DHCP server (CNR), TFTP server, Cisco Configuration Engine (CCE)

In the warehouse:
1. CPE sends DHCP Discover
2. DHCP server replies with Offer
3. CPE sends DHCP Request
4. DHCP server replies (Ack) with option 150
5. CPE requests the bootstrap-confg file via TFTP
6. TFTP server sends the bootstrap config to the CPE
=> CPE is shipped to the customer site; the customer order is linked to the CPE ID

At the customer premise:
7. CPE sends a CNS config request (HTTPS) to CNS-CE
8. CNS-CE verifies the object ID
9. CNS-CE verifies the device ID (LDAP)
10. CNS-CE reads the template from the file system
11. CNS-CE sends the config (= template + parameters from LDAP)
12. CPE returns a success/fail event
13. CNS-CE publishes the success/fail event
Deployment & Activation
Example: Zero-Touch Deployment – 3/3
There are two flows:
  Data / information flow via the NMS systems (left hemisphere)
  Physical flow (CPE) to the branch office or customer premise (right hemisphere)
ZTD automation uses:
  Separation of the two flows, to allow for efficiency and flexibility
  CNS Device ID and CNS Config ID to link the two flows

router(config)#cns id ?
  Async               Async interface
  Auto-Template       Auto-Template interface
  BVI                 Bridge-Group Virtual Interface
  CDMA-Ix             CDMA Ix interface
  CTunnel             CTunnel interface
  Dialer              Dialer interface
  FastEthernet        FastEthernet IEEE 802.3
  Group-Async         Async Group interface
  Lex                 Lex interface
  Loopback            Loopback interface
  MFR                 Multilink Frame Relay bundle interface
  Multilink           Multilink-group interface
  Port-channel        Ethernet Channel of interfaces
  Service-Engine      cisco service engine module
  Tunnel              Tunnel interface
  Vif                 PGM Multicast Host interface
  Virtual-Dot11Radio  Virtual dot11 interface
  Virtual-PPP         Virtual PPP interface
  Virtual-Template    Virtual Template interface
  Virtual-TokenRing   Virtual TokenRing
  hardware-serial     Use hardware serial number as unique ID
  hostname            Use hostname as unique ID
  string              Use an arbitrary string as the unique ID
  udi                 Use the UDI as unique ID
  vmi                 Virtual Multipoint Interface
What about Applications?

NETCONF and XML PI
What are NETCONF and XML PI ? – 1/2
NETCONF
  is a protocol designed to securely exchange configuration information with a network element: the NETCONF client sends a request, the NETCONF server on the element returns a response
  aims to provide simplicity to allow easy adoption in the industry and across hardware vendors
  aims to provide extensibility to allow devices to express their unique capabilities
  See: http://www.ops.ietf.org/netconf/

Cisco IOS XML PI
  Provides an XML interface to Cisco IOS network elements
  Is a secure, unambiguous and robust way of sending and receiving CLI commands, without having to screen-scrape, mediate or expect-script
  Uses NETCONF and either SSHv2 or BEEP
  Available from: IOS 12.4(9)T, 12.2(33)SRA, SB, SXI, IOS-XE 2.1, NX-OS 4.0
  Platforms: ASR 1000, x8xx ISRs, 37xx, Cat4k, Cat6k, 72xx, 73xx, 76xx, 10k, UC520, Nexus 7k
What are NETCONF and XML PI ? – 2/2
Each operation is a request from the client followed by a response from the element:
  GET-CONFIG   Retrieve the running config
  EDIT-CONFIG  Change the running config
  GET          Run a "show" command
Deployment & Activation
Example: Edit the running config
Request:
<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="3"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <edit-config>
    <target><running/></target>
    <config>
      <xml-config-data>
        <Device-Configuration>
          <ip>
            <host>
              <NameHost>valhalla</NameHost>
              <HostIPAddress>10.2.3.5</HostIPAddress>
            </host>
          </ip>
        </Device-Configuration>
      </xml-config-data>
    </config>
  </edit-config>
</rpc>]]>]]>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="3" xmlns="urn:ietf:params:netconf:base:1.0">
  <ok/>
</rpc-reply>
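An added example, written for this edit and not part of the deck or of any Cisco client: it builds the framed edit-config request shown above, splits a raw byte stream into NETCONF 1.0 messages on the "]]>]]>" delimiter, and validates the reply (message-id correlation, <ok/> versus <rpc-error>). The OK reply is the one from the slide; the error reply is constructed. The reply namespace check accepts both the standard base namespace and the "urn:ietf:params:netconf:base:1.0" form the slide's IOS reply carries.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
# Namespace the slide's IOS reply carries; accepted alongside the standard one.
IOS_REPLY_NS = "urn:ietf:params:netconf:base:1.0"
EOM = "]]>]]>"  # NETCONF 1.0 end-of-message delimiter
XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>'


def _local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def build_edit_config(message_id, hostname, address):
    """Framed <edit-config> request from the slide: add an 'ip host' entry to running-config."""
    rpc = ET.Element("rpc", {"message-id": str(message_id), "xmlns": NC_NS})
    edit = ET.SubElement(rpc, "edit-config")
    ET.SubElement(ET.SubElement(edit, "target"), "running")
    config = ET.SubElement(edit, "config")
    data = ET.SubElement(config, "xml-config-data")
    devcfg = ET.SubElement(data, "Device-Configuration")
    host = ET.SubElement(ET.SubElement(devcfg, "ip"), "host")
    ET.SubElement(host, "NameHost").text = hostname
    ET.SubElement(host, "HostIPAddress").text = address
    return XML_DECL + ET.tostring(rpc, encoding="unicode") + EOM


def split_frames(stream):
    """Split text read from the SSH subsystem into complete messages.
    Returns (frames, leftover); leftover is an incomplete trailing message."""
    parts = stream.split(EOM)
    return [p.strip() for p in parts[:-1]], parts[-1]


def parse_reply(frame, expected_id):
    """Validate one rpc-reply; return ('ok', None) or ('error', message), raise on protocol problems."""
    body = frame.strip()
    if body.endswith(EOM):
        body = body[:-len(EOM)]
    root = ET.fromstring(body)
    if _local(root.tag) != "rpc-reply":
        raise ValueError("not an rpc-reply: %s" % root.tag)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns not in (NC_NS, IOS_REPLY_NS):
        raise ValueError("unexpected namespace %r" % ns)
    if root.get("message-id") != str(expected_id):
        raise ValueError("message-id mismatch: sent %s, got %s" % (expected_id, root.get("message-id")))
    for child in root:
        if _local(child.tag) == "ok":
            return "ok", None
        if _local(child.tag) == "rpc-error":
            msgs = [e.text.strip() for e in child if _local(e.tag) == "error-message" and e.text]
            return "error", "; ".join(msgs) or "unspecified rpc-error"
    raise ValueError("reply carries neither <ok/> nor <rpc-error>")


def safe_parse(frame, expected_id):
    """parse_reply that reports protocol problems as ('invalid', reason) instead of raising."""
    try:
        return parse_reply(frame, expected_id)
    except (ValueError, ET.ParseError) as exc:
        return "invalid", str(exc)


# The slide's reply, and a constructed error reply, as they would arrive on the wire.
SAMPLE_OK = XML_DECL + '\n<rpc-reply message-id="3" xmlns="%s">\n<ok/>\n</rpc-reply>' % IOS_REPLY_NS + EOM
SAMPLE_ERROR = (XML_DECL + '<rpc-reply message-id="4" xmlns="%s"><rpc-error>'
                '<error-type>application</error-type><error-tag>operation-failed</error-tag>'
                '<error-severity>error</error-severity>'
                '<error-message>constructed sample: edit-config rejected</error-message>'
                '</rpc-error></rpc-reply>' % NC_NS + EOM)

if __name__ == "__main__":
    print(build_edit_config(3, "valhalla", "10.2.3.5"))
    frames, leftover = split_frames(SAMPLE_OK + SAMPLE_ERROR)
    for frame, sent_id in zip(frames, (3, 4)):
        print(sent_id, safe_parse(frame, sent_id))
```

The message-id check is the part worth keeping in any client: with max-sessions greater than one and a lock-time in play, a reply that does not carry the id you sent must not be taken as confirmation of your change.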
Deployment & Activation
XML PI – Why do we care ?

  IETF standards-based configuration management
  Provides reliable and secure transport of configurations over encrypted TCP connections
  Improves the speed of configuration changes since it is not limited to console speeds
  Eliminates scripting and "screen scraping" via telnet
  Allows concurrent configuration changes
  Leverages the vast number of XML tools available
  Foundation for future XML configuration capabilities
Using NETCONF over SSH step-by-step
1. Configure SSH
router(config)# crypto key generate rsa
The name for the keys will be: router.yourdomain.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
router(config)# ip ssh version 2
router(config)# ip ssh time-out 60

Check: do not accept the 512-bit default shown above. SSH version 2 on IOS requires an RSA key of at least 768 bits, and a 512-bit modulus is far too weak for a management plane; answer the prompt with 2048.

2. Enable NETCONF over SSH:
router(config)# netconf ssh acl 777        <- optional ACL restricting NETCONF clients
router(config)# netconf lock-time 30       <- default: 10 seconds
router(config)# netconf max-sessions 5

3. Configure the NETCONF payload format using *.ODM spec files
router(config)# netconf format flash:my-spec-file.odm

4. Configure your NETCONF client application (XML files: see the links below)
See:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cns_netconf.html
http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srnetcon.html
http://www.cisco.com/en/US/docs/ios/12_2sr/12_2srb/feature/guide/srbnetbe.html
An Open API for Automation

Web Services Management Agents (WSMA)
Deployment & Activation
Web Services Management Agents (WSMA)

Problem: There are CNS agents in IOS and Config Engine to automate some typical zero-touch-deployment and maintenance scenarios. How can I automate other scenarios directly from my own applications?

Solution: Web Services Management Agents (WSMA) provide a standards-based, open API to embedded management agents. The application exchanges XML/SOAP requests and responses with the WSMA engine and agents in IOS, and receives notifications from them.

Phase I:
- Config Agent
- Exec Agent
- File System Agent
- Notify Agent (config change events)

See: http://tinyurl.com/wsma-in-150M
Available from: IOS 12.4(24)T
Platforms: x8xx ISRs, 72xx, 73xx, UC520
Deployment & Activation
WSMA – Architecture
WSMA transport: SSH, HTTP or HTTPS, carrying XML / SOAP messages
WSMA engine: listeners and initiators, messages validated against the WSMA XML schema
WSMA agents:
  Config Agent       -> running config, startup config
  Exec Agent         -> exec mode
  File System Agent  -> file system
  Notify Agent       -> notifications
Deployment & Activation
WSMA Exec Request Example

<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP:Body>
    <request xmlns="urn:cisco:wsma-exec" correlator="14">
      <execCLI format="disk2:/spec.odm"> <cmd>show arp</cmd> </execCLI>
    </request>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>
Deployment & Activation
WSMA Exec Response Example
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP:Body>
    <response xmlns="urn:cisco:wsma-exec" correlator="14" success="1">
      <execLog>
        <dialogueLog>
          <sent>show arp</sent>
          <received>
            <ShowArp xmlns="ODM://disk2:/spec.odm//show_arp">
              <SpecVersion>1.0.0</SpecVersion>
              <ARPTable>
                <entry>
                  <Protocol>Internet</Protocol>
                  <Address>2.1.1.1</Address>
                  <Age>0</Age>
                  <MAC>0001.42df.59e2</MAC>
                  <Type>ARPA</Type>
                  <Interface>GigabitEthernet0/1</Interface>
                </entry>
              </ARPTable>
            </ShowArp>
          </received>
        </dialogueLog>
      </execLog>
    </response>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>

Check: match the correlator of the response against the one sent in the request and test the success attribute before reading the payload.
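An added example for the exchange above, written for this edit (not from the deck or from any Cisco WSMA client). It builds the exec request, then validates the response envelope (correlator and success attribute) and turns the ODM-formatted ARP table into plain records. The sample response is the slide's, with the ARPTable closing tag fixed; the ODM spec path is the slide's, and a real device would only produce this shape if that spec file were deployed.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSMA_EXEC_NS = "urn:cisco:wsma-exec"
EOM = "]]>]]>"  # WSMA frames end with the same delimiter as NETCONF 1.0


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def build_exec_request(correlator, command, odm_spec=None):
    """Framed SOAP request for the WSMA exec agent, as on the slide."""
    env = ET.Element("SOAP:Envelope", {"xmlns:SOAP": SOAP_NS})
    body = ET.SubElement(env, "SOAP:Body")
    req = ET.SubElement(body, "request", {"xmlns": WSMA_EXEC_NS, "correlator": str(correlator)})
    exec_cli = ET.SubElement(req, "execCLI", {"format": odm_spec} if odm_spec else {})
    ET.SubElement(exec_cli, "cmd").text = command
    return ET.tostring(env, encoding="unicode") + EOM


def parse_exec_response(frame, expected_correlator):
    """Validate the response envelope and return the ARP entries as a list of dicts."""
    body = frame.strip()
    if body.endswith(EOM):
        body = body[:-len(EOM)]
    root = ET.fromstring(body)
    resp = root.find("{%s}Body/{%s}response" % (SOAP_NS, WSMA_EXEC_NS))
    if resp is None:
        raise ValueError("no wsma-exec response in envelope")
    if resp.get("correlator") != str(expected_correlator):
        raise ValueError("correlator mismatch: sent %s, got %s"
                         % (expected_correlator, resp.get("correlator")))
    if resp.get("success") != "1":
        raise RuntimeError("device reported failure for correlator %s" % expected_correlator)
    received = resp.find(".//{%s}received" % WSMA_EXEC_NS)
    if received is None:
        raise ValueError("response has no <received> element")
    # The ODM payload lives in its own default namespace ("ODM://..."), so match
    # on local names and keep every child of each <entry> as a field.
    entries = []
    for node in received.iter():
        if _local(node.tag) == "entry":
            entries.append({_local(f.tag): (f.text or "").strip() for f in node})
    return entries


def exec_result(frame, expected_correlator):
    """Non-raising wrapper: ('ok', entries) or ('error', reason)."""
    try:
        return "ok", parse_exec_response(frame, expected_correlator)
    except (ValueError, RuntimeError, ET.ParseError) as exc:
        return "error", str(exc)


# The slide's response (ARPTable closing tag corrected), as received on the wire.
SAMPLE_RESPONSE = """
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"><SOAP:Body>
<response xmlns="urn:cisco:wsma-exec" correlator="14" success="1"><execLog>
<dialogueLog><sent>show arp</sent><received><ShowArp xmlns="ODM://disk2:/spec.odm//show_arp">
<SpecVersion>1.0.0</SpecVersion>
<ARPTable>
<entry>
<Protocol>Internet</Protocol>
<Address>2.1.1.1</Address>
<Age>0</Age>
<MAC>0001.42df.59e2</MAC>
<Type>ARPA</Type>
<Interface>GigabitEthernet0/1</Interface>
</entry>
</ARPTable>
</ShowArp></received></dialogueLog></execLog></response>
</SOAP:Body></SOAP:Envelope>]]>]]>"""

if __name__ == "__main__":
    print(build_exec_request(14, "show arp", "disk2:/spec.odm"))
    print(exec_result(SAMPLE_RESPONSE, 14))
    print(exec_result(SAMPLE_RESPONSE, 15))  # correlator mismatch is reported, not ignored
```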
Deployment & Activation
Using WSMA step-by-step
1. Configure the desired WSMA transport – HTTP, HTTPS or SSH v2:
router(config)# crypto key generate rsa
The name for the keys will be: router.yourdomain.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
router(config)# ip ssh version 2
router(config)# ip ssh time-out 60

Check: as with NETCONF, SSH version 2 needs an RSA key of at least 768 bits; generate a 2048-bit key rather than accepting the 512-bit default.

2. Enable the WSMA service listener (WSSL):
router(config)# wsma profile listener my-wsma-profile
router(config-wsma-listen)# transport ssh subsys wsma

3. Enable WSMA agent(s):
router(config)# wsma agent exec profile my-wsma-profile

4. Assign WSMA ID(s):
router(config)# wsma id ip-address fastethernet 0/0
Other ID options: hardware-serial, MAC address, hostname, string

5. If XML-formatted exec output is desired, deploy and use *.ODM spec files
See: http://tinyurl.com/wsma-in-150M and
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cfg_wsma.html
Wrap-Up & Close
In Summary

All 'configuration' tasks are NOT equal
There is a range of users / applications with different configuration skills and needs
It's not only about telnet and running-config
Cisco IOS offers a plethora of configuration features to address the specific needs
Always choose the best fit
Agenda

Introduction & Overview
Service Planning
Service Deployment & Activation
Service Testing, Verification & Assurance
Troubleshooting & Optimization
Summary
Testing, Verification & Assurance
Two Types of Questions
Is it working? – Testing and Verification
  Verify planning and design assumptions were valid
  Ensure the Deployment & Activation phase was successful
  Proactively eliminate well-known potential problems
  Periodically verify design assumptions

Are we meeting the SLA? – Service Assurance
  Ensure business objectives and service level agreements are met on an ongoing basis
  Proactively mitigate well-known potential incidents
Testing, Verification & Assurance
Two Types of Connectivity
Connectivity, yes/no – Testing and Verification
  If the user can reach the IP endpoint the service is available
  Can be calculated using the basic availability equation:

    Availability = 1 − [Probes with No Response] / [Total Probes Sent]

Bounded-criteria connectivity – Service Assurance
  The user can reach the IP endpoint within some bounded criteria agreed upon between the service provider and customer
  Connectivity is a prerequisite for bounded-criteria connectivity
Testing, Verification & Assurance
Verify (bounded criteria) Connectivity
Proposal (network monitoring between RouterA, RouterB and RouterC across the core):
  CLI
  SNMP/MIBs:
    – IF-MIB, CBQoS-MIB
    – Expression-MIB & Event-MIB, RMON
  NetFlow
  NBAR
  FPM
  IPSLAs
Testing, Verification & Assurance
IPSLA – Introduction 1/2
Applications: Service Level Agreement (SLA) Monitoring, Network Performance Monitoring, VoIP Monitoring, Network Availability Monitoring, Multiprotocol Label Switching (MPLS) Monitoring, Trouble Shooting, Assessment
Measurement metrics: Packet Loss, Latency, Jitter, Connectivity, Distribution of Network Stats
Operations: Jitter, FTP, DNS, DHCP, DLSW, ICMP, UDP, TCP, HTTP, LDP, H.323, SIP, RTP, Radius, Video

Active, generated traffic to measure the network: the source (Cisco IOS IP SLAs, results exposed as MIB data) sends packets of defined size, spacing, COS and protocol to a destination; the destination is either an IP server or another Cisco IOS device running the IP SLAs responder.
Testing, Verification & Assurance
IPSLA – Introduction 2/2
Cisco IOS feature available on most platforms; accessible via CLI and SNMP (CISCO-RTTMON-MIB)
Measures delay, jitter, loss probability
The IPSLAs responder and ICMP echo probe are available within IP Base in 12.4(6)T and above
Full IPSLAs functionality is available in IP Voice and above packages
In 12.3T a customer can still obtain the old package types and use IPSLAs; as of 12.4T the old packages have been removed

Feature history, as laid out on the slide's timeline:
  Engine:        Engine 1                 Engine 2
  Feature name:  RTR          SAA                                IPSLAs
  CLI:           rtr ...      ip sla m(onitor) ...               ip sla ...
  Releases:      since IOS 11.2 -> 12.2(15)T2, 12.3(3), 12.2(25)S -> 12.3(12)T -> 12.4(6)T
Testing, Verification & Assurance
IPSLA – ICMP and UDP Jitter Examples
Topology: RouterA is the source; RouterC is the target of the ICMP echo operation and RouterD the target of the UDP jitter operation.

RouterA(config)#
ip sla 1
 icmp-echo RouterC
 timeout 500
 frequency 10
ip sla schedule 1 start-time now

ip sla 10
 udp-jitter RouterD 16384 num-packets 1000 interval 20
 request-data-size 172
 tos 20
 frequency 60
ip sla schedule 10 start-time now

Check: the UDP jitter operation needs the IP SLAs responder enabled on RouterD (ip sla responder); the ICMP echo operation does not.
Testing, Verification & Assurance
IPSLA – ICMP Echo Operation

Router#show ip sla statistics 1
Round trip time (RTT) Index 1
        Latest RTT: 1 ms
Latest operation start time: *05:26:00.226 UTC Fri Jan 4 2008
Latest operation return code: OK
Number of successes: 1
Number of failures: 0
Operation time to live: 188 sec

Router#show ip sla statistics 1 detail
Round trip time (RTT) Index 1
        Latest RTT: 1 ms
Latest operation start time: *05:26:30.224 UTC Fri Jan 4 2008
Latest operation return code: OK
Over thresholds occurred: FALSE
Number of successes: 2
Number of failures: 0
Operation time to live: 155 sec
Operational state of entry: Active
Last time this entry was reset: Never
Testing, Verification & Assurance
IPSLA – UDP Jitter Operation
Router#show ip sla statistics 10
Round trip time (RTT) Index 10
        Latest RTT: 1 ms
Latest operation start time: *05:43:28.720 UTC Fri Jan 4 2008
Latest operation return code: OK
RTT Values
        Number Of RTT: 10
        RTT Min/Avg/Max: 1/1/1 ms
Latency one-way time milliseconds
        Number of one-way Samples: 0
        Source to Destination one way Min/Avg/Max: 0/0/0 ms
        Destination to source one way Min/Avg/Max: 0/0/0 ms
Jitter time milliseconds
        Number of Jitter Samples: 9
        Source to Destination Jitter Min/Avg/Max: 20/20/23 ms
        Destination to Source Jitter Min/Avg/Max: 22/21/24 ms
Packet Loss Values
        Loss Source to Destination: 0    Loss Destination to Source: 0
        Out Of Sequence: 0    Tail Drop: 0    Packet Late Arrival: 0
Number of successes: 1
Number of failures: 0
Operation time to live: 3567 sec

Check: "Number of one-way Samples: 0" means no one-way latency was measured; one-way values require the clocks of source and responder to be synchronized (NTP), otherwise only round-trip values are meaningful.
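An added example, written for this edit and not part of the deck: it parses the "show ip sla statistics" output above into numbers and evaluates it against bounded criteria (the service-assurance check from the earlier slide), also computing the availability ratio from the success/failure counters. The sample text is the slide's UDP jitter output; the SLA limits passed in are constructed.

```python
import re

# The slide's "show ip sla statistics 10" output, reproduced here as the sample input.
SAMPLE_JITTER = """\
Round trip time (RTT) Index 10
        Latest RTT: 1 ms
Latest operation start time: *05:43:28.720 UTC Fri Jan 4 2008
Latest operation return code: OK
RTT Values
        Number Of RTT: 10
        RTT Min/Avg/Max: 1/1/1 ms
Latency one-way time milliseconds
        Number of one-way Samples: 0
        Source to Destination one way Min/Avg/Max: 0/0/0 ms
        Destination to source one way Min/Avg/Max: 0/0/0 ms
Jitter time milliseconds
        Number of Jitter Samples: 9
        Source to Destination Jitter Min/Avg/Max: 20/20/23 ms
        Destination to Source Jitter Min/Avg/Max: 22/21/24 ms
Packet Loss Values
        Loss Source to Destination: 0    Loss Destination to Source: 0
        Out Of Sequence: 0    Tail Drop: 0    Packet Late Arrival: 0
Number of successes: 1
Number of failures: 0
Operation time to live: 3567 sec
"""

MIN_AVG_MAX = re.compile(
    r"^\s*(?P<name>.+?) Min/Avg/Max:\s*(?P<min>\d+)/(?P<avg>\d+)/(?P<max>\d+) ms", re.M)
COUNTER = re.compile(
    r"(?P<name>Number of successes|Number of failures|Number Of RTT|Number of one-way Samples|"
    r"Loss Source to Destination|Loss Destination to Source|Out Of Sequence|Tail Drop|"
    r"Packet Late Arrival):\s*(?P<val>\d+)")
RETURN_CODE = re.compile(r"^Latest operation return code:\s*(\S+)", re.M)


def parse_sla_stats(text):
    """Turn the show output into {'return_code', 'counters', 'min_avg_max'}."""
    stats = {"return_code": None, "counters": {}, "min_avg_max": {}}
    m = RETURN_CODE.search(text)
    if m:
        stats["return_code"] = m.group(1)
    for m in COUNTER.finditer(text):
        stats["counters"][m.group("name")] = int(m.group("val"))
    for m in MIN_AVG_MAX.finditer(text):
        stats["min_avg_max"][m.group("name").strip()] = tuple(
            int(m.group(k)) for k in ("min", "avg", "max"))
    return stats


def availability(stats):
    """Slide's equation: 1 - probes without response / total probes (None if nothing ran yet)."""
    ok = stats["counters"].get("Number of successes", 0)
    fail = stats["counters"].get("Number of failures", 0)
    total = ok + fail
    return None if total == 0 else 1 - fail / total


def evaluate_sla(stats, max_rtt_avg_ms, max_jitter_avg_ms, max_loss_packets=0):
    """Return the list of bounded-criteria violations; an empty list means within SLA."""
    violations = []
    if stats["return_code"] != "OK":
        violations.append("return code %s" % stats["return_code"])
    rtt = stats["min_avg_max"].get("RTT")
    if rtt and rtt[1] > max_rtt_avg_ms:
        violations.append("RTT avg %d ms > %d ms" % (rtt[1], max_rtt_avg_ms))
    for direction in ("Source to Destination Jitter", "Destination to Source Jitter"):
        j = stats["min_avg_max"].get(direction)
        if j and j[1] > max_jitter_avg_ms:
            violations.append("%s avg %d ms > %d ms" % (direction, j[1], max_jitter_avg_ms))
    for counter in ("Loss Source to Destination", "Loss Destination to Source"):
        lost = stats["counters"].get(counter, 0)
        if lost > max_loss_packets:
            violations.append("%s: %d packets" % (counter, lost))
    if stats["counters"].get("Number of one-way Samples", 0) == 0:
        violations.append("no one-way samples (clocks not synchronized?)")  # informational
    return violations


if __name__ == "__main__":
    s = parse_sla_stats(SAMPLE_JITTER)
    print("availability:", availability(s))
    print("violations (50 ms RTT, 30 ms jitter):", evaluate_sla(s, 50, 30))
    print("violations (50 ms RTT, 10 ms jitter):", evaluate_sla(s, 50, 10))
```

The one-way-sample check is deliberately reported as a violation: an SLA that promises one-way delay bounds cannot be verified from this operation until NTP is in place on both ends, and silently passing it would hide that.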
Design Decisions and Factors

Topology
  - partial mesh based on traffic matrix
  - full mesh
  - hub and spoke

Scheduling
  - minimize the number of concurrent operations
  - minimize resource competition

Use the same operation across various classes of service to generate comparable metrics.
Full Mesh
Number of operations for n nodes = n(n−1)/2:
  Nodes  Operations
    2         1
    3         3
    4         6
    5        10
    6        15
    7        21
    8        28
   ...       ...
  100      4950
• Number of operations is proportional to the square of the number of nodes
• Does not scale
Full Mesh CE-to-CE [Example]
Topology: CE routers attached to PE routers around the core; every CE probes every other CE.

Accurate: direct measurement from end to end, best user-perspective view
Expensive: for n nodes, requires n(n−1)/2 operations
In certain cases, it might be difficult to poll the results with SNMP on the CE
Partial Mesh
Example sites: London, Amsterdam, San Jose, Raleigh, Paris, Brussels
Full mesh is not always desirable
Select only critical paths, like branch offices to headquarters
Dramatically reduces the number of probes
Composite SLA for Delay [Example]

[Diagram: CE - PE - Core - PE - CE, with delay measured per segment]

Easy: Total delay can be easily calculated by adding the measured delay along the path
Flexible: You can split the measurement for Core, Edge, and total
Measurements are less accurate, as each measurement carries its own error tolerance (typically ± 1 ms per measurement)
Composite SLA for Packet Drop [1/2]

A trivial solution is to consider the sum of drop probabilities; this is conservative (it overestimates the loss)
A more accurate approach is to invert the probability of a successful packet delivery
If Πx is the loss probability across section x, then the total loss probability is:

$\Pi_{1 \ldots n} = 1 - \left[(1 - \Pi_1)(1 - \Pi_2) \cdots (1 - \Pi_n)\right]$
Composite SLA for Packet Drop [2/2]
Example: We Have Three Sections with Various Drop Probabilities:

Π1 = 0.01   Π2 = 0.02   Π3 = 0.03
[Diagram: r1 - r2 - r3 - r4, one section between each pair of routers]

First solution (sum of drop probabilities):
0.01+0.02+0.03=0.06 (6%)
Second solution (inverted probability of success):
1-[(1-0.01).(1-0.02).(1-0.03)]=0.058906 (5.8%)
Composite SLA for Jitter

[Diagram: three sections with measured jitter of 2 ms, 4 ms and 3 ms]

Can We Add a Jitter Value to a Jitter Value?

Short answer: NO!

This is not a valid approach to calculate total jitter based on measured jitter (jitter is not additive)
Too many factors: positive jitter, negative jitter, percentile-95 of jitter, average jitter, …
You’d better measure it, not calculate it
Testing, Verification & Assurance
IPSLA – Recurring Scheduling
You can schedule a single IPSLAs operation to start automatically
at a specified time and for a specified duration every day:
The life value for a recurring IPSLAs operation should be less than
one day.
The ageout value for a recurring operation must be "never" (which is
specified with the value 0, this is the value by default), or the sum of
the life and ageout values must be more than one day.

Example:

Router(config)# ip sla schedule 5 start-time 12:00:10 life 3600 recurring

*12.3(8)T
Testing, Verification & Assurance
IPSLA – Multiple Operations Scheduling
Operations of the same type and same frequency should be used with IPSLA multiple operations scheduling:
Notion of group: it lets you start many operations at once
Reduced load on the network
If you do not specify a frequency, the default frequency will be the same as that of the schedule period
Example: start operations 1 to 3 within the next 20 seconds

Router(config)# ip sla 1
Router(config-ip-sla)# icmp-echo RouterC
Router(config)# ip sla 2
Router(config-ip-sla)# icmp-echo RouterD
Router(config)# ip sla 3
Router(config-ip-sla)# icmp-echo RouterE

Router(config)# ip sla group schedule 1 1-3 schedule-period 20 start-time now

Router# show ip sla group schedule

*12.3(8)T
Testing, Verification & Assurance
IPSLA – Random Scheduling
Problem: Strictly periodically starting IPSLA operations might be subject to ‘synchronization effects’ with other processes (i.e. routing updates), leading to inaccurate data.
Solution: Use IPSLA Random Scheduling to randomize start time

This example starts operations 1 to 3 within the next 44 seconds, and each operation will have a random frequency varying between 10 and 15 seconds:
Router(config)#ip sla group schedule 1 1-3 schedule-period 44 frequency range 10-15 start-time now life forever

Router#sh ip sla op | i start
Latest operation start time: *12:56:12.243 PST Fri Jan 4 2008
Latest operation start time: *12:56:06.323 PST Fri Jan 4 2008
Latest operation start time: *12:56:07.743 PST Fri Jan 4 2008
router#sh ip sla op | i start
Latest operation start time: *13:00:19.423 PST Fri Jan 4 2008
Latest operation start time: *13:00:15.895 PST Fri Jan 4 2008
Latest operation start time: *13:00:21.015 PST Fri Jan 4 2008

*12.4(2)T
Example: Problem Description

Need to monitor connectivity to a server
Using a simple “ping” approach
When unreachable, then notify the user.
We will see three ways to perform the same action:
Sending an SNMP trap with IP SLAs embedded threshold
Sending an email using EOT and EEM
Sending a custom SYSLOG message with the new EEM 3.0 IP SLAs Event Detector
Testing, Verification & Assurance
IP SLAs – Reaction Configuration
RouterA(config)#
ip sla 10
 icmp-echo 3.3.3.3
 frequency 10
ip sla reaction-configuration 10 react timeout threshold-type consecutive 3 action-type trapAndTrigger
ip sla schedule 10 life forever start-time now
ip sla reaction-trigger 20 30

logging on
ip sla logging trap
snmp-server host nms_server version 2c public
snmp-server enable traps syslog

Sending SNMP trap with IP SLAs embedded threshold
Service Testing, Verification and Assurance
Example: Track Server Reachability
IP SLA Embedded Object Tracking (EOT)
ip sla 10
 icmp-echo 3.3.3.3
 timeout 500
 frequency 3
ip sla schedule 10 life forever start-time now
track 10 rtr 10 reachability
 delay down 10 up 20

[Diagram: router pings server 3.3.3.3; when the path fails (X), an email is sent]

Environment Variables IP SLA/EOT/EEM ($_* variables to be defined)

EEM Applet
event manager applet email_server_unreachable
 event track 10 state down
 action 1.0 syslog msg "Ping has failed, server unreachable!"
 action 1.1 cli command "enable"
 action 1.2 cli command "del /force flash:server_unreachable"
 action 1.3 cli command "show clock | append server_unreachable"
 action 1.4 cli command "show ip route | append server_unreachable"
 action 1.5 cli command "more flash:server_unreachable"
 action 1.6 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "Server Unreachable: ICMP-Echos Failed" body "$_cli_result"
 action 1.7 syslog msg "Server unreachable alert has been sent to email server!"
EEM 3.0: IP SLA Event Detector

Router(config)# ip sla 10
Router(config-ip-sla)# icmp-echo 3.3.3.3

Router(config)# ip sla enable reaction-alerts

Router(config)# ip sla reaction-configuration 10 react timeout action-type none threshold-type consecutive 3

Router(config)# ip sla schedule 10 start-time now

Router(config)# event manager applet test
Router(config-applet)# event ipsla operation-id 10 reaction-type timeout
Router(config-applet)# action 1.0 syslog priority emergencies msg "IP SLA operation $_ipsla_oper_id to server XYZ has timed out"

Send a customized syslog message when the IP SLA operation threshold is crossed
How To Identify Applications?

Testing, Verification & Assurance
How To Identify Applications?
Application/Protocol    How to Identify?
VoIP                    UDP, TOS = 5
IPVC                    TOS = 4
H.323                   TCP Port = 1719, 1720 and TOS = 3
IPv6 Multicast          Format Prefix (FP) = 1111 1111
VOD                     TCP Port 507

L3 and L4 Access Control Lists:
Identifies protocols based on IP address, protocol type and port number
NetFlow:
Provides statistics such as traffic volume details (packets, bytes) and time information (start/stop timestamp, duration)
Classify Network Traffic into Traffic Classes (QoS):
Allows Accounting per class-of-service
Testing, Verification & Assurance
How To Identify Applications – ACL
Access Control List (ACL)
Layer 3 and Layer 4 ACL: match on protocol type, port number and server/network IP address

access-list 103 permit tcp any host 192.168.1.1 eq telnet           ! telnet (23)
access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq ftp         ! ftp (20)
access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq www         ! www (80)
access-list 103 deny ip any any log

Apply the ACL to the interface (in/out):
interface ethernet 0
 ip access-group 103 in
Testing, Verification & Assurance
How To Identify Applications – NetFlow
NetFlow v5 (“classic”)
Router# show ip cache flow
IP packet size distribution (85435 total packets):                   [Packet Sizes]
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .125 .125 .250 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .500 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes                                [# of Active Flows]
  2728 active, 1368 inactive, 85310 added
  463824 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes                                 [Rates and Duration]
  Inactive flows timeout in 15 seconds
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-X                2      0.0         1  1440      0.0       0.0       9.5
TCP-other        82580     11.2         1  1440     11.2       0.0      12.0
Total:           82582     11.2         1  1440     11.2       0.0      12.0
                                                                     [Flow Details]
SrcIf   SrcIPaddress    DstIf   DstIPaddress    Pr SrcP DstP  Pkts
Et0/0   132.122.25.60   Se0/0   192.168.1.1     06 9AEE 0007     1
Et0/0   139.57.220.28   Se0/0   192.168.1.1     06 708D 0007     1
Et0/0   165.172.153.65  Se0/0   192.168.1.1     06 CB46 0007     1
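As an added example (not code from the slides), the Python below parses the flow-detail rows of the `show ip cache flow` output above, decodes the hexadecimal protocol and port columns, and summarises flows per destination so an operator can see how many distinct sources hit one destination port; the sample rows are the three from the slide, wrapped in the surrounding output.

```python
"""Parse the per-flow rows of 'show ip cache flow' (NetFlow v5 cache) on Cisco IOS.

Added example, not part of the original slides. The Pr/SrcP/DstP columns are
printed in hexadecimal, which is why they need decoding before any analysis.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IP protocol numbers as they appear (in hex) in the 'Pr' column
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

# Sample: the three flow rows from the slide, wrapped in the surrounding output
SAMPLE_OUTPUT = """\
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-other        82580     11.2         1  1440     11.2       0.0      12.0
Total:           82582     11.2         1  1440     11.2       0.0      12.0

SrcIf   SrcIPaddress    DstIf   DstIPaddress    Pr SrcP DstP  Pkts
Et0/0   132.122.25.60   Se0/0   192.168.1.1     06 9AEE 0007     1
Et0/0   139.57.220.28   Se0/0   192.168.1.1     06 708D 0007     1
Et0/0   165.172.153.65  Se0/0   192.168.1.1     06 CB46 0007     1
"""


@dataclass(frozen=True)
class FlowEntry:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    protocol: int   # decoded from the hex 'Pr' column
    src_port: int   # decoded from the hex 'SrcP' column
    dst_port: int   # decoded from the hex 'DstP' column
    packets: int


def parse_flow_rows(text: str) -> List[FlowEntry]:
    """Return the flow-detail rows; every other line of the output is skipped.

    A flow row has exactly eight columns, columns 5-7 must parse as hex and
    the last as decimal. The per-protocol statistics rows also have eight
    columns but contain values such as '11.2', so they fail the int() checks.
    """
    flows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "SrcIf":
            continue
        try:
            flows.append(FlowEntry(
                src_if=cols[0], src_ip=cols[1], dst_if=cols[2], dst_ip=cols[3],
                protocol=int(cols[4], 16),
                src_port=int(cols[5], 16), dst_port=int(cols[6], 16),
                packets=int(cols[7], 10),
            ))
        except ValueError:
            continue  # not a flow row (e.g. the protocol statistics table)
    return flows


def summarise_by_destination(flows: List[FlowEntry]) -> Dict[Tuple[str, str, int], Dict[str, int]]:
    """Aggregate flows per (dst_ip, protocol name, dst_port).

    For each key we keep the number of flows, total packets and the number of
    distinct sources. Many one-packet flows from distinct sources to a single
    destination port is a pattern worth a closer look in the NetFlow data.
    """
    summary: Dict[Tuple[str, str, int], Dict[str, int]] = {}
    sources: Dict[Tuple[str, str, int], set] = {}
    for f in flows:
        key = (f.dst_ip, PROTO_NAMES.get(f.protocol, str(f.protocol)), f.dst_port)
        entry = summary.setdefault(key, {"flows": 0, "packets": 0, "sources": 0})
        entry["flows"] += 1
        entry["packets"] += f.packets
        sources.setdefault(key, set()).add(f.src_ip)
        entry["sources"] = len(sources[key])
    return summary


def single_packet_flow_share(flows: List[FlowEntry]) -> float:
    """Share (0..1) of flows that carried exactly one packet."""
    if not flows:
        return 0.0
    return sum(1 for f in flows if f.packets == 1) / len(flows)


if __name__ == "__main__":
    parsed = parse_flow_rows(SAMPLE_OUTPUT)
    for key, stats in summarise_by_destination(parsed).items():
        print(key, stats)
    print(f"single-packet flows: {single_packet_flow_share(parsed):.0%}")
```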
Testing, Verification & Assurance
How To Identify Applications – CBQoS
Classify Network Traffic into Traffic Classes (QoS):
Variety of match criteria such as the IP Precedence value, differentiated services code point (DSCP) value, class of service (CoS) value, source and destination Media Access Control (MAC) addresses, input interface, or protocol type

Define Class-map (cbQosClassMapCfg)
Router# configure terminal
Router(config)# class-map myclass
Router(config-cmap)# match fr-dlci 500
Define Policy-map (cbQosPoliceCfg)
Router(config)# policy-map mypolicy
Router(config-pmap)# class myclass
Router(config-pmap-c)# bandwidth percent 50
Assign Policy to Interface (In or Out)
Router(config)# interface serial4/0
Router(config-if)# service-policy output mypolicy
Router(config-if)# end

Show policy statistics
Router#show policy-map interface
Testing, Verification & Assurance
How To Identify Applications?
Well-known protocols
IP Protocol based Services (Non-UDP/Non-TCP Protocols): EGP, ICMP, GRE, IPSec, ...
UDP and TCP Protocols: DNS, Finger, Gopher, http, https, ntp, PCAnywhere, RIP, ...

But, what about “not well-known” applications?

[Chart: Link Utilization: Citrix 5%, Telnet 5%, HTTP 90%]
Testing, Verification & Assurance
Network Based Application Recognition
“My Application Is Too Slow!”

Full-packet, stateful inspection identifies traffic type
Protocol discovery analyzes multi-packet behavior and application signatures (Layers 4-7)
Enables application of QoS policies to traffic flows

[Chart: Link Utilization by traffic class, e.g. E-mail, Backup, Voice, Best-Effort (≥ 25%), Real-Time (≤ 33%), P2P, Interactive-Video, Bulk Data, Critical, Streaming-Video, Routing, Net Mgmt, Call-Signaling, Transactional, Mission-Critical]
Testing, Verification & Assurance
NBAR Principles
Network-Based Application Recognition classifies traffic by protocol (Layers 4–7)
Protocol discovery analyzes application traffic patterns in real time and discovers which applications are running on the network
NBAR supports Cisco IOS QoS features to apply application-level QoS policies:
Guaranteed bandwidth with Class-based Weighted Fair Queuing (CBWFQ)
Policing and limiting bandwidth
Marking (ToS or IP DSCP)
Drop policy with weighted random early detection (WRED)

Accounting functionality is provided by the NBAR “protocol discovery” feature
Testing, Verification & Assurance
NBAR Deep Packet Inspection (DPI)
Stateful and Dynamic Inspection

[Diagram: IP Packet (ToS, Protocol, Source IP Addr, Dest IP Addr) | TCP/UDP Packet (Src Port, Dst Port) | Data Packet (Sub-Port/Deep Inspection)]

Identifies over 90 applications and protocols
TCP and UDP port numbers
  Statically assigned
  Dynamically assigned during connection establishment
Non-TCP and non-UDP IP protocols
Data packet inspection for matching values
Header classification and data packet inspection
Testing, Verification & Assurance
NBAR – PDL and PDLM
PDLM (Protocol Description Language Module), the heart of the NBAR engine
PDL (native): Part of the Cisco IOS image (show ip nbar version)
PDLM (non-native extensions): Download from Cisco Connection Online
PDLMs are separate files that add quick support for new protocols and applications
PDLMs become PDLs in the next Cisco IOS release (show ip nbar pdlm)
PDLMs are loaded from flash memory, usually no reboot
Do not require a Cisco IOS upgrade; exception: Skype with Cisco IOS 12.4(4)T (no PDLM)
PDLM size ~ 100kB (e.g., http 115kB)
Testing, Verification & Assurance
NBAR – PDLM Show and Load Commands
Router# show ip nbar version
NBAR software version: 6
 14 napster Mv: 3
 15 fasttrack Mv: 2
 16 gnutella Mv: 3, Nv: 2; disk1:gnutella.pdlm      <- added with a PDLM
 17 kazaa2 Mv: 7

To load the PDLM to the router:
Router(config)# ip nbar pdlm device:pdlm-name
Testing, Verification & Assurance
NBAR – Supported Protocols
Enterprise Applications: Citrix ICA, PCAnywhere, Novadigm, SAP
Routing Protocols: BGP, EGP, EIGRP, OSPF, RIP
Network Management: ICMP, SNMP, Syslog, RPC, NFS, SUN-RPC
Database: SQL*NET, MS SQL Server
Security and Tunneling: GRE, IPINIP, IPsec, L2TP, MS-PPTP, SFTP, SHTTP, SIMAP, SIRC, SLDAP, SNNTP, SPOP3, STELNET, SOCKS, SSH
Voice: H.323, RTCP, RTP, SIP, SCCP/Skinny, Skype
Network Mail Services: IMAP, POP3, Exchange, Notes, SMTP
Directory: DHCP/BOOTP, Finger, DNS, Kerberos, LDAP
Streaming Media: CU-SeeMe, Netshow, Real Audio, StreamWorks, VDOLive, RTSP, MGCP
Signaling: RSVP
Internet: FTP, Gopher, HTTP, IRC, Telnet, TFTP, NNTP, NetBIOS, NTP, Print, X-Windows
Peer-to-Peer: BitTorrent, Direct Connect, eDonkey/eMule, FastTrack, Gnutella, KaZaA, WinMX 2.0
Testing, Verification & Assurance
NBAR – Recent and Upcoming Protocols
Recent:
Enterprise Applications: Citrix ICA Priority Tagging, SAP (c-app, c-msg, app-app)
Peer-to-Peer: BitTorrent, Direct Connect, eDonkey/eMule, FastTrack, Gnutella (update), WinMX 2.0
Streaming Media: RTSP, MGCP
Voice: RTCP, SIP, SCCP/Skinny, Skype v1, v2, v3
Security and Tunneling: L2TP
User-Defined: HTTP header field (12.3(11)T), Multiple matches per port (12.4(2)T)

Upcoming (on PISA in Summer, followed by IOS 2HCY08):
Enterprise Applications: DiCom, HL7, FIX, CIFS
Messaging: Yahoo, AOL, MSN, Sametime / Lotus, GoogleTalk
Voice: SKYPE 2.0, 3.0, Softphone
Network Mail Services: Exchange 2003
Peer to Peer

Cisco Software Download: NBAR Packet Description Language Modules
See: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=268437899
Testing, Verification & Assurance
NBAR Main Supported Platforms
Cisco IOS Release
12.4T                    12.4 Mainline            12.2S
Cisco 800 above 871      Cisco 800 above 831      Cisco 7200
Cisco 1700               Cisco 1700               Cisco 7301
Cisco 1800               Cisco 1800               Cisco 7304-NPE
Cisco 2600XM             Cisco 2600XM
Cisco 2800               Cisco 2800
Cisco 3600               Cisco 3600
Cisco 3700               Cisco 3700
Cisco 3800               Cisco 3800
Cisco 7200               Cisco 7200
Cisco 7301               Cisco 7301
Cisco 7500 with VIP2-50 or above
Cisco Catalyst® 6500
 SUP1/SUP1a/SUP2: software-based implementation
 SUP720: SIP-200, FlexWAN and enhanced FlexWAN interfaces (software-based implementation)
 SUP32 PISA. Also supports the enhanced FlexWAN, SIP-200, SIP-400
 Also supported on the Multiprocessor WAN Application Module (MWAM) (6*7200 on a board)
Testing, Verification & Assurance
NBAR Two Modes Of Operation
Passive Mode (CISCO-NBAR-PROTOCOL-DISCOVERY-MIB)
Protocol discovery per interface
Discovers and provides real time statistics on applications
Per-interface, per-protocol, bi-directional statistics: Bit rate (bps), Packet counts and Byte counts
Active Mode (CISCO-CLASS-BASED-QOS-MIB)
Modular QoS traffic Classification
NBAR ensures that network bandwidth is used efficiently by QoS features:
Guaranteed bandwidth
Bandwidth limits
Traffic Shaping and Packet coloring

Note: Accounting Functionality Is Provided by “Protocol Discovery” Feature
Testing, Verification & Assurance
NBAR Two Modes Of Operation
Passive Mode
Router(config)#interface fastethernet 0/0
Router(config-if)#ip nbar protocol-discovery

Active Mode
Router(config)#class-map [match-any|match-all] myProt
Router(config-cmap)#match protocol protocol

class-map match-any my-video
 match protocol cuseeme
 match protocol h323
 match protocol rtp video
Testing, Verification & Assurance Passive Mode
Example: NBAR Protocol Discovery
router# show ip nbar protocol-discovery interface FastEthernet 6/0

FastEthernet6/0
Input Output
Protocol Packet Count Packet Count
Byte Count Byte Count
5 minute bit rate (bps) 5 minute bit rate (bps)
----------- ------------------------ ------------------------
http 316773 0
26340105 0
3000 0
pop3 4437 7367
2301891 339213
3000 0
snmp 279538 14644
319106191 673624
0 0
ftp 8979 7714
906550 694260
0 0

Total 17203819 151684936
19161397327 50967034611
4179000 6620000
Testing, Verification & Assurance Passive Mode
NBAR Protocol Discovery MIB
Traffic Classification and Real-Time Statistics
Automatically uses all PDLMs
Run protocol discovery instead of specifying individual protocols
Provides statistics per application recognized by NBAR via SNMP: Bit rate (bps), Packet counts, Byte counts
Includes statistics for traffic identified with user-defined custom application classification
Enable or disable protocol discovery per interface
Configure and view multiple top-n tables listing protocols by bandwidth usage
Configure thresholds and configure notifications when these thresholds are crossed
Testing, Verification & Assurance Active Mode
NBAR Defining A Class-Map
Router(config)#class-map match-all nbar_test
Router(config-cmap)#match ?
access-group Access group
any Any packets
class-map Class map
cos IEEE 802.1Q/ISL class of service
destination-address Destination address
discard-class Discard behavior identifier
dscp Match DSCP in IP(v4) and IPv6 packets
fr-de Match on Frame-relay DE bit
fr-dlci Match on fr-dlci
input-interface Select an input interface to match
ip IP specific values
mpls MPLS specific values
not Negate this match result
packet Layer 3 Packet length
precedence Match Precedence in IP(v4) packets
protocol Protocol                      <- enables NBAR
qos-group Qos-group
source-address Source address
Testing, Verification & Assurance Active Mode
NBAR Configuring Traffic Classification
Enable Protocol Discovery:
router(config)# interface FastEthernet 0/1
router(config-if)# ip nbar protocol-discovery

Define Traffic Match, with Match Statements:
router(config)# class-map match-all MyTraffic
router(config-cmap)# match protocol gnutella file-transfer "*"
router(config-cmap)# match protocol gnutella file-transfer "*.mpeg"

Option to Create a Policy:
router(config)# policy-map MyPolicy
router(config-pmap)# class MyTraffic
router(config-pmap-c)# set dscp 1
router(config-pmap-c)# set ip precedence 5
router(config-pmap-c)# police rate percent 50

Apply Policy:
router(config)# interface FastEthernet 0/1
router(config-if)# service-policy output MyPolicy
Testing, Verification & Assurance
NBAR Custom Classification – 2 Options
1) Static port mapping
Used for static TCP/UDP port-based applications that are not supported in
NBAR PDLMs
Up to ten custom applications can be added
Each custom application can have max. 16 TCP and 16 UDP ports mapped
Statistics appear in the Protocol Discovery
Router(config)#ip nbar port-map custom-01 ?
tcp TCP ports
udp UDP ports

2) Custom protocol traffic
ip nbar custom name [offset [format value]] [variable field-name field-length] [source|destination] [tcp | udp] [range start end | port-number]
Note: for custom protocol traffic, only the first 255 bytes of payload can be inspected
NBAR User-Defined Custom Application
Classification Example
[Diagram: IP Packet (ToS, Protocol, Source IP Addr, Dest IP Addr) | TCP/UDP Packet (Src Port, Dst Port) | Data Packet payload: F0F0F0F0MoonbeamF0F0]

Router(config)#
ip nbar custom lunar_light 4 ascii Moonbeam tcp range 2000 2999
class-map solar_system
 match protocol lunar_light
policy-map astronomy
 class solar_system
  set ip dscp AF21
interface Serial1
 service-policy output astronomy

• Name—Name the match criteria up to 24 characters >> lunar_light
• Offset—Specify the beginning byte of string or value to be matched in the data packet, counting from zero for the first byte >> 4 (skip first 4 bytes)
• Format—Define the format of the match criteria: ASCII, hex or decimal >> ascii
• Value—Should match with the value in the packet; if ASCII, up to 16 characters >> Moonbeam
• [Source or destination port]—Optionally restrict the direction of packet inspection; defaults to both directions if not specified >> [source | destination]
• TCP or UDP—Indicate the protocol encapsulated in the IP packet >> tcp
• Range or selected port number(s)—“Range” with start and end port numbers >> range 2000 2999
NBAR User-Defined Custom Application
Multiple Matches per Port*

“Multiple Matches Per Port” increases flexibility of user-defined application recognition
Router(config)# ip nbar custom <name> [offset [format value]] [variable field-name field-length] [source|destination] [tcp | udp] [range start end | port-number]

Example: identify UDP packets with destination port between 5000 - 5005 and 0x56 in the 7th byte of payload
Router(config)# ip nbar custom virus_home 20 hex variable scid 1 dest udp range 5001 5005
Router(config)# class-map active-craft
Router(config-cmap)# match protocol virus_home scid 0x15
Router(config-cmap)# match protocol virus_home scid 0x21
Router(config)# class-map passive-craft
Router(config-cmap)# match protocol virus_home scid 0x11
Router(config-cmap)# match protocol virus_home scid 0x22
(“variable scid 1”: hex variable, 1 byte)

*Available from: IOS 12.4(2)T
Note: Successor – Flexible Packet Matching (FPM)
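To make the keyword semantics of the custom classification example (lunar_light) and of the multiple-matches-per-port example (virus_home) concrete, the following is an added Python model that replays both slide definitions against constructed packets; it is not code from the slides or from Cisco IOS, and it assumes a simplified reading of the syntax (ascii and hex literals, one variable field, the 255-byte inspection limit from the previous slide).

```python
"""Model of NBAR user-defined custom protocol matching (ip nbar custom ...).

Added example, not code from the slides or from Cisco IOS. It replays the two
slide definitions (lunar_light and virus_home) against constructed packets to
show which fields each keyword constrains, including the 255-byte inspection
limit noted on the slides.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

MAX_INSPECT = 255  # only the first 255 bytes of payload are inspected


@dataclass(frozen=True)
class CustomProtocol:
    """One 'ip nbar custom <name> [offset [format value]] [variable field len]
    [source|destination] [tcp|udp] [range start end | port]' definition."""
    name: str
    transport: str                              # "tcp" or "udp"
    ports: range                                # range(2000, 3000) for 'range 2000 2999'
    offset: int = 0                             # first payload byte to look at
    fmt: Optional[str] = None                   # "ascii" or "hex"
    value: Optional[str] = None                 # literal to match, None for variable-only
    variable: Optional[Tuple[str, int]] = None  # (field name, length in bytes)
    direction: str = "both"                     # "source", "destination" or "both"

    def literal(self) -> bytes:
        """Encode the configured value according to its format."""
        assert self.value is not None
        if self.fmt == "ascii":
            return self.value.encode("ascii")
        if self.fmt == "hex":
            raw = self.value[2:] if self.value.lower().startswith("0x") else self.value
            return bytes.fromhex(raw)
        raise ValueError(f"unsupported format {self.fmt!r}")


def classify(proto: CustomProtocol, transport: str, src_port: int,
             dst_port: int, payload: bytes) -> Optional[Dict[str, int]]:
    """Return None if the packet is not this custom protocol.

    Otherwise return the extracted variable fields (empty dict when only a
    literal was configured), which a class-map 'match protocol <name> <field>
    <value>' statement then compares against.
    """
    if transport != proto.transport:
        return None
    if proto.direction == "source":
        port_ok = src_port in proto.ports
    elif proto.direction == "destination":
        port_ok = dst_port in proto.ports
    else:
        port_ok = src_port in proto.ports or dst_port in proto.ports
    if not port_ok:
        return None

    pos = proto.offset
    if proto.value is not None:
        lit = proto.literal()
        end = pos + len(lit)
        if end > MAX_INSPECT or payload[pos:end] != lit:
            return None
        pos = end
    fields: Dict[str, int] = {}
    if proto.variable is not None:
        fname, flen = proto.variable
        end = pos + flen
        if end > MAX_INSPECT or len(payload) < end:
            return None
        fields[fname] = int.from_bytes(payload[pos:end], "big")
    return fields


def class_map_matches(fields: Optional[Dict[str, int]], field: str, accepted: Set[int]) -> bool:
    """Emulate a match-any class-map with several 'match protocol X field value' lines."""
    return fields is not None and fields.get(field) in accepted


# Definitions taken from the slides
LUNAR_LIGHT = CustomProtocol("lunar_light", "tcp", range(2000, 3000),
                             offset=4, fmt="ascii", value="Moonbeam")
VIRUS_HOME = CustomProtocol("virus_home", "udp", range(5001, 5006),
                            offset=20, fmt="hex", variable=("scid", 1),
                            direction="destination")
ACTIVE_CRAFT = {0x15, 0x21}   # class-map active-craft
PASSIVE_CRAFT = {0x11, 0x22}  # class-map passive-craft

# Constructed packet payloads (not captured traffic)
MOONBEAM_PAYLOAD = bytes.fromhex("F0F0F0F0") + b"Moonbeam" + bytes.fromhex("F0F0")
SCID_PAYLOAD = bytes(20) + b"\x15" + bytes(8)


if __name__ == "__main__":
    print(classify(LUNAR_LIGHT, "tcp", 40000, 2500, MOONBEAM_PAYLOAD))  # {}
    print(classify(VIRUS_HOME, "udp", 40000, 5003, SCID_PAYLOAD))       # {'scid': 21}
```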
Testing, Verification & Assurance Passive Mode
NBAR Top-N Statistics
Router#show ip nbar protocol-discovery top-n 5 Serial0/0
                            Input                      Output
 Protocol                   Packet Count               Packet Count
                            Byte Count                 Byte Count
                            5 minute bit rate (bps)    5 minute bit rate (bps)
 ----------                 ------------------------   ------------------------
 custom-01                  40565                      40565
                            2596160                    2596160
                            3000                       3000
 telnet                     395                        75
                            28539                      6415
                            0                          0
 icmp                       101                        100
                            7360                       6860
                            0                          0
 snmp                       28                         0
                            1988                       0
                            0                          0
 netbios                    9                          0
                            738                        0
                            0                          0
 unknown                    205                        204
                            14976                      10404
                            0                          0
 Total                      41304                      40944
                            2649809                    2619839
                            3000                       3000

Serial0/0 is the interface where NBAR PD is enabled; Top-N is available for all interfaces with NBAR protocol discovery enabled
The NBAR-PD-MIB provides Top-N for all interfaces, where N can differ for each interface
How effective is my NBAR deployment?
Testing, Verification & Assurance
How effective is my NBAR deployment ?
Problem: Application protocols as well as user behavior are changing, hence the traffic mix changes too. We need to permanently assess how effective the NBAR deployment is ...

Solution: Compare ‘unknown’ versus ‘total’ traffic

Router#show ip nbar protocol-discovery top-n 5 Serial0/0
                            Input                      Output
 Protocol                   Packet Count               Packet Count
                            Byte Count                 Byte Count
                            5 minute bit rate (bps)    5 minute bit rate (bps)
 ----------                 ------------------------   ------------------------
 :                          :                          :
 unknown                    205                        204
                            14976                      10404
                            0                          0
 Total                      41304                      40944
                            2649809                    2619839
                            3000                       3000

$\mathrm{NBAR}_{\mathrm{recognized}}(\%) = \frac{(\mathrm{total} - \mathrm{unknown}) \times 100}{\mathrm{total}}$

Upon low % of traffic recognized by NBAR, maybe it’s time to check for new PDLMs …
See: This is available from CiscoBeyond (and soon as an EASy Package)
http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=2101
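As an added example (not the CiscoBeyond script the slide points to, nor code from the slides), the Python below parses the three-line-per-protocol layout of `show ip nbar protocol-discovery` and applies the slide's formula on bytes or packets; the 80% review threshold is an assumed value, and the sample is the Serial0/0 top-n listing from the slides.

```python
"""Compute the NBAR recognition ratio from 'show ip nbar protocol-discovery' output.

Added example, not from the slides or from the CiscoBeyond script they point
to. It parses the three-line-per-protocol layout of the command output and
applies the slide's formula (total - unknown) * 100 / total.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Sample output: the Serial0/0 top-n 5 listing from the slides
SAMPLE_OUTPUT = """\
                            Input                      Output
 Protocol                   Packet Count               Packet Count
                            Byte Count                 Byte Count
                            5 minute bit rate (bps)    5 minute bit rate (bps)
 ----------                 ------------------------   ------------------------
 custom-01                  40565                      40565
                            2596160                    2596160
                            3000                       3000
 telnet                     395                        75
                            28539                      6415
                            0                          0
 icmp                       101                        100
                            7360                       6860
                            0                          0
 snmp                       28                         0
                            1988                       0
                            0                          0
 netbios                    9                          0
                            738                        0
                            0                          0
 unknown                    205                        204
                            14976                      10404
                            0                          0
 Total                      41304                      40944
                            2649809                    2619839
                            3000                       3000
"""


@dataclass
class ProtocolStats:
    in_packets: int = 0
    out_packets: int = 0
    in_bytes: int = 0
    out_bytes: int = 0
    in_bps: int = 0
    out_bps: int = 0


def parse_protocol_discovery(text: str) -> Dict[str, ProtocolStats]:
    """Parse the per-protocol blocks: name + packet counts, then bytes, then bps.

    Keys are lower-cased protocol names; the 'Total' block is stored as 'total'.
    Header lines and the ':' continuation marker have no all-numeric columns
    and are skipped.
    """
    stats: Dict[str, ProtocolStats] = {}
    current: Optional[ProtocolStats] = None
    row = 0  # which of the three lines of the current block comes next
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 3 and cols[1].isdigit() and cols[2].isdigit():
            current = ProtocolStats(in_packets=int(cols[1]), out_packets=int(cols[2]))
            stats[cols[0].lower()] = current
            row = 1
        elif current is not None and len(cols) == 2 and all(c.isdigit() for c in cols):
            if row == 1:
                current.in_bytes, current.out_bytes = int(cols[0]), int(cols[1])
            elif row == 2:
                current.in_bps, current.out_bps = int(cols[0]), int(cols[1])
            row += 1
    return stats


def nbar_recognized_percent(stats: Dict[str, ProtocolStats], metric: str = "bytes") -> Optional[float]:
    """NBAR recognized (%) = (total - unknown) * 100 / total, on bytes or packets."""
    total = stats.get("total")
    if total is None:
        return None
    unknown = stats.get("unknown", ProtocolStats())
    if metric == "bytes":
        t, u = total.in_bytes + total.out_bytes, unknown.in_bytes + unknown.out_bytes
    elif metric == "packets":
        t, u = total.in_packets + total.out_packets, unknown.in_packets + unknown.out_packets
    else:
        raise ValueError(f"unknown metric {metric!r}")
    if t == 0:
        return None  # nothing seen yet on this interface
    return (t - u) * 100.0 / t


def pdlm_review_needed(stats: Dict[str, ProtocolStats], min_percent: float = 80.0) -> bool:
    """True when recognition drops below a threshold; 80% is an assumed value."""
    pct = nbar_recognized_percent(stats)
    return pct is not None and pct < min_percent


if __name__ == "__main__":
    parsed = parse_protocol_discovery(SAMPLE_OUTPUT)
    print(f"recognized by bytes:   {nbar_recognized_percent(parsed):.2f}%")
    print(f"recognized by packets: {nbar_recognized_percent(parsed, 'packets'):.2f}%")
    print("check for new PDLMs:", pdlm_review_needed(parsed))
```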
Testing, Verification & Assurance
Flexible Packet Matching (FPM)
Principles
Developed to identify virus signatures anywhere in the packet
No flow concept, stateless
match statements define signatures, every packet is inspected
and dropped, if any match occurs
Ability to match on arbitrary bits of a packet at arbitrary depth
(offset) inside the packet
Layer 2–Layer 7 stateless classification and match capability
Possibility to identify attacks on legitimate ports—for example
an attack on port 80
Accelerated in HW with Sup32-PISA at a speed of up to 2Gbps

[Diagram: packet bit stream 0111111010101010000111000100111110010001000100100010001001 with two Match Patterns at arbitrary offsets]

Available from: IOS 12.4(4)T
Platforms: x8xx ISRs, 26xx, 37xx, 72xx, 7301, Cat6k Sup32-PISA
Testing, Verification & Assurance
Flexible Packet Matching (FPM)
Matches any characteristics in a packet header and payload:
Matches L2-L7 information / specify arbitrary bits/bytes at any offset
Traffic matching a given protocol stack is subject to an FPM Deep Packet Inspection rule
Supports pattern matching through regular expressions and string matching: up to 48 regular expressions (32 Bytes window in 12.2(18)ZY)

Slammer (IP / UDP / Payload stack):
class-map type access-control match-all slammer
 description "match on slammer packets"
 match field UDP dest-port eq 1434
 match field IP length eq 404
 match start UDP payload-start offset 196 size 4 eq 0x4011010

Gnutella (IP / TCP / Payload stack):
class-map type access-control match-all gnutella
 match start TCP payload-start offset 0 size 32 regex "^GNUTELLA CONNECT"

Nimda (IP / TCP / HTTP stack):
class-map type access-control match-any cm-nimda1
 match start l3-start offset 40 size 32 regex "[\\/]csrss\.exe"
 match start l3-start offset 40 size 32 regex "[\\/]httpodbc\.dll"
 match start l3-start offset 40 size 32 regex "[\\/]sample\.exe"
 match start l3-start offset 40 size 32 regex "[\\/]dnsservice\.exe"
 match start l3-start offset 40 size 32 regex "[\\/]puta\.eml"
 match start l3-start offset 40 size 32 regex "[\\/]puta\.scr"
 match start l3-start offset 40 size 32 regex "[\\/]readme\.eml"
Testing, Verification & Assurance
FPM – Policy CLI step-by-step
1. Define and load packet header characteristics:
   Use predefined Protocol Header Definition File (PHDF) or build custom PHDF. Examples include Ethernet, IP, TCP, UDP, GRE, ICMP, HTTP PHDF
     load protocol disk0:ip.phdf
     load protocol disk0:<>.phdf

2. Define the protocol stack for packets subject to the FPM rule:
   Examples of protocol stacks include IP, IP/TCP, IP/UDP, IP/TCP/HTTP, IP/GRE/IP
     class-map type stack match-all FPM-Stack
      match field <IP/TCP, IP/UDP, …>

3. Define the FPM filter:
   This defines the payload characteristics/pattern
     class-map type access-control match-all FPM-Filter
      match field <stack header fields>
      match start <pattern at specific offset>

4. Define the FPM rule:
   For a given FPM filter, the traffic can be permitted, dropped, or/and logged
     policy-map type access-control FPM-Rule-Child
      class FPM-Filter
       <action>

5. Associate the FPM rule with the relevant protocol stack:
   Only specific types of packets are subject to the FPM rule
     policy-map type access-control FPM-Parent
      class FPM-Stack
       service-policy FPM-Rule-Child

     <interface X>
      service-policy access-control input FPM-Parent
What if I need Awareness of
Application Traffic Flows?

Network Based Application Recognition
NetFlow and NBAR Differentiation
[Diagram: packet layers: Link Layer Header (Interface), IP Header (ToS, Protocol, Source IP Address, Destination IP Address), TCP/UDP Header (Source Port, Destination Port), Data Packet (Payload); NetFlow looks at the headers, NBAR adds Deep Packet Inspection of the payload]

NetFlow
Monitors data in Layers 2 - 4
Determines applications by port
Utilizes a seven-tuple for flow
Flow information: who, what, when, where

NBAR
Examines data from Layers 3 - 7
Utilizes Layers 3 and 4 plus packet inspection for classification
Stateful inspection of dynamic-port traffic
Packet and byte counts
NetFlow and NBAR Integration

NetFlow is the de-facto mechanism to provide visibility on network utilization—who/what/where/when
Applications can no longer be identified by just L3/L4 information
Application visibility is a must
Example: port 80 is overloaded

NBAR (Network Based Application Recognition) offers a Deep Packet Inspection (DPI) mechanism

NBAR is integrated in flexible NetFlow on all software based platforms 8xx–38xx/19xx–39xx/7200/7300, ASR1000, PISA from IOS 15.0(1)M
Example: Application Flow Aware – 1/3
Problem: We want to be aware of application traffic flows (i.e. who, when, where, what)
Solution: Use Flexible Netflow and NBAR Integration

1. Configure flexible Netflow to match Application Name, Source- and Destination Address
flow exporter <my-exporter>
 destination 10.10.10.1
 :
flow record <my-record>
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect counter bytes
 :
flow monitor <my-monitor>
 record <my-record>
 exporter <my-exporter>
 :
interface <my-interface>
 ip flow monitor <my-monitor> input
 :
Example: Application Flow Aware – 2/3
2. Then either handle within IOS and/or …

router# show flow monitor <my-monitor> cache
  Cache type:                               Normal
  Cache size:                                 4096
  Current entries:                               2
  High Watermark:                                9

  Flows added:                                4464
  Flows aged:                                 4463
    - Active timeout   (  1800 secs)             0
    - Inactive timeout (    15 secs)          4463
    - Event aged                                 0
    - Watermark aged                             0
    - Emergency aged                             0

IPV4 SRC ADDR    IPV4 DST ADDR    APP NAME            bytes
===============  ===============  ==================  ==========
10.55.146.53     10.51.89.177     nbar ssh            10484
10.51.81.117     10.51.89.177     nbar icmp           1000
Example: Application Flow Aware – 3/3
3. Export to your favorite Reporting System (Screenshot courtesy of Plixer)

Agenda

Introduction & Overview
Service Planning
Service Deployment & Activation
Service Testing, Verification & Assurance
Troubleshooting & Optimization
Summary
Be Prepared – Some Good
Practices

Troubleshooting & Optimization
Good Practice: Reserve Memory for the Console
Problem: Network or Device Problems may consume a lot of Memory and/or Memory may become extensively fragmented – potentially there won’t be enough Memory left for the Console …
Solution: Reserve Memory for the console ahead of time, on every device

Router(config)# memory reserved console <number-of-kilobytes>

Rule of Thumb: for the number of kilobytes use a value greater than 3 times the NVRAM size
IOS Default is 256 kilobytes
Available since 12.0(22)S, 12.2(28)SB (7300), 12.4(15)T
ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 193
Troubleshooting & Optimization
Good Practice: Check SNMP OID Statistics
Which OIDs are my NMS Apps (CiscoView) polling ?

Router# show snmp statistics oid
time-stamp                #of times requested  OID
16:16:50 CET Jan 12 2005  97                   sysUpTime
16:16:50 CET Jan 12 2005   9                   cardTableEntry.7
16:16:50 CET Jan 12 2005   9                   cardTableEntry.1
16:16:50 CET Jan 12 2005   4                   cardTableEntry.9
16:16:50 CET Jan 12 2005  16                   ifAdminStatus
16:16:50 CET Jan 12 2005  16                   ifOperStatus
16:16:50 CET Jan 12 2005   6                   ciscoEnvMonSupplyStatusEntry.3
16:16:50 CET Jan 12 2005  17                   ciscoFlashDeviceEntry.2
16:16:50 CET Jan 12 2005   8                   ciscoFlashDeviceEntry.10
16:16:50 CET Jan 12 2005   2                   ltsLineEntry.1
16:16:50 CET Jan 12 2005   2                   chassis.15
16:16:27 CET Jan 12 2005  11                   ciscoFlashDeviceEntry.7
16:16:27 CET Jan 12 2005   2                   cardIfIndexEntry.5
16:16:24 CET Jan 12 2005   1                   ciscoFlashDevice.1

Available from: IOS 12.0(22)S, 12.4(20)T
Troubleshooting & Optimization
Good Practice: IfIndex Persistence – 1/3
Feature which makes the ifIndex persist across reboots (on by default in switches)
ifIndex persistence means that the mapping between the ifDescr (or ifName) and ifIndex object values from the IF-MIB is retained across reboots.
Useful for:
– SNMP: monitoring the interface counters
– NetFlow: reporting of the interface ifIndex
– RMON: events/alarms based on specific interfaces
25 bytes of NVRAM are used by this feature per interface.

Applying ifIndex persistence to all interfaces:
Router(config)# snmp-server ifindex persist
Applying ifIndex persistence to a specific interface:
Router(config-if)# snmp-server ifindex persist
Troubleshooting & Optimization
Good Practice: IfIndex Persistence – 2/3
Now there is a show command:

Router# show snmp mib ifmib ifindex
Ethernet0/0: Ifindex = 1
Loopback0: Ifindex = 39
Null0: Ifindex = 6
:

Router# show snmp mib ifmib ifindex loopback 0
Loopback0: Ifindex = 39

Introduced in 12.0(7)S, 12.2(2)T
http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087b0d.html
Troubleshooting & Optimization
Good Practice: IfIndex Persistence – 3/3
Router(config)# snmp-server ifindex persist
Router(config)# snmp mib persist event          (EVENT-MIB)
Router(config)# snmp mib persist expression     (EXPRESSION-MIB)
Router(config)# snmp mib persist circuit        (CIRCUIT-MIB)
Router(config)# snmp mib persist cbqos          (CISCO-CLASS-BASED-QOS-MIB)

You must perform a copy running-config startup-config command to persist the newly assigned ifIndex values:
Router# copy running-config startup-config
Router# dir nvram:ifIndex-table
Directory of nvram:/ifIndex-table
    2  -rw-         283   0                  <no date>  ifIndex-table
126968 bytes total (114116 bytes free)
What about Syslog messages indicating an ACL hit ?
Troubleshooting & Optimization
ACL Syslog Correlation
Problem: ACL hits can produce a Syslog message – but often in the NOC / SOC we want to know which specific line of an ACL (i.e.: ACE – Access Control Entry) was kicking in ...
Solution: Make use of IOS ACL Tags and Syslog Correlation

1. Define Tags for your ACEs:
ip access-list extended access-control
 permit ip any host 10.10.10.100 log red-server
 permit ip any host 10.10.10.200 log blue-server
 permit ip any any

2. Tags will be appended to Syslog Messages:
*Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 192.168.1.100 -> 10.10.10.100 (0/0), 11 packets [ red-server ]
*Apr 13 16:32:18.953: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 192.168.1.100 -> 10.10.10.200 (0/0), 3 packets [ blue-server ]

See: http://www.cisco.com/en/US/partner/docs/ios/security/configuration/guide/sec_acl_syslog.html
Available from: IOS 12.4(22)T
Platforms: 18xx, 28xx, 38xx, 72xx, 73xx, 76xx
Troubleshooting & Optimization
Example: ACL Syslog Correlation and EEM
Problem: Let’s assume we not only need a syslog message, but also want to take specific actions ...
Solution: Combine ACL Syslog Correlation with EEM

1. Define Tags for your ACEs:
access-list 100 deny tcp host 10.0.2.2 host 10.0.2.181 eq 9000 log ThisIsBlocked
access-list 100 permit ip any any

2. Define an EEM Applet to match the Tag and take action:
event manager applet catch-an-ace-tag
 event syslog pattern "ThisIsBlocked"
 action 1.0 syslog priority emergencies msg "Start ..."
 :
 (your actions here)
 :
 action 9.0 syslog priority emergencies msg "... done"

3. A matching packet will generate a syslog message, which will in turn trigger EEM:
*Apr 13 16:58:06.386: %SEC-6-IPACCESSLOGDP: list 100 denied tcp 10.0.2.2(56273) 10.0.2.181(9000), 1 packet [ThisIsBlocked]
*Apr 13 16:58:06.394 UTC: %HA_EM-0-LOG: catch-an-ace-tag: Start ...
*Apr 13 16:58:07.025 UTC: %HA_EM-0-LOG: catch-an-ace-tag: ... done
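As an added example (this is not code from the slides), a collector-side parser that does the correlation the ACE tag makes possible: it reads %SEC-6-IPACCESSLOGDP lines like the ones on this slide and the previous one, totals packets per tag and lists which sources hit a given ACE. The sample log is constructed from the slides' own messages plus two made-up lines (a second source 10.0.2.7 and an untagged hit).

```python
import re
from collections import Counter

# Constructed sample: the lines shown on the two ACL Syslog Correlation slides
# plus two extra lines (source 10.0.2.7 and an untagged hit) made up here.
SAMPLE_LOG = """\
*Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 192.168.1.100 -> 10.10.10.100 (0/0), 11 packets [ red-server ]
*Apr 13 16:32:18.953: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 192.168.1.100 -> 10.10.10.200 (0/0), 3 packets [ blue-server ]
*Apr 13 16:58:06.386: %SEC-6-IPACCESSLOGDP: list 100 denied tcp 10.0.2.2(56273) 10.0.2.181(9000), 1 packet [ThisIsBlocked]
*Apr 13 16:58:06.394 UTC: %HA_EM-0-LOG: catch-an-ace-tag: Start ...
*Apr 13 16:59:01.120: %SEC-6-IPACCESSLOGDP: list 100 denied tcp 10.0.2.7(40001) 10.0.2.181(9000), 2 packets [ThisIsBlocked]
*Apr 13 17:00:00.000: %SEC-6-IPACCESSLOGDP: list 100 permitted tcp 10.0.2.9(1234) 10.0.2.181(22), 5 packets
"""

# Matches both layouts IOS uses for IPACCESSLOG messages:
#   ICMP:    "src -> dst (type/code), N packets [ tag ]"
#   TCP/UDP: "src(port) dst(port), N packets [tag]"
# The tag is optional so that ACEs logged without a tag still parse.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[^\s(]+)(?:\((?P<sport>\d+)\))? (?:-> )?"
    r"(?P<dst>[^\s(]+)(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?, "
    r"(?P<count>\d+) packets?(?: \[\s*(?P<tag>\S+)\s*\])?"
)


def parse_acl_log(line):
    """Return a dict for one IPACCESSLOG line, or None for any other message."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["tag"] = rec["tag"] or "<untagged>"
    return rec


def hits_per_tag(log_text):
    """Packets per ACE tag: the correlation the tag gives you without having
    to re-read the ACL and re-match addresses and ports against every ACE."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_acl_log(line)
        if rec:
            totals[rec["tag"]] += rec["count"]
    return dict(totals)


def sources_for_tag(log_text, tag):
    """Distinct source addresses that hit the ACE carrying `tag` (sorted)."""
    records = (parse_acl_log(line) for line in log_text.splitlines())
    return sorted({r["src"] for r in records if r and r["tag"] == tag})


if __name__ == "__main__":
    for tag, packets in sorted(hits_per_tag(SAMPLE_LOG).items()):
        print(f"{tag:15} {packets:6d} packets  sources={sources_for_tag(SAMPLE_LOG, tag)}")
```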
Reliable Delivery and Filtering of Syslog
Troubleshooting & Optimization
Reliable Delivery and Filtering of Syslog
Provides reliable and secure delivery of syslog messages using the Blocks Extensible Exchange Protocol (BEEP), RFC 3195, “Reliable Delivery for syslog”
Provides a filtering mechanism per syslog session, called a message discriminator
Provides a rate-limiter per syslog session
Integrated in 12.4(11)T, although the BEEP framework itself has been supported since 12.4(2)T
Which syslog servers support BEEP? http://www.syslog.cc/ietf/rfcs/3195.html
Troubleshooting & Optimization
Example: Filtering of Syslog – 1/2
(Diagram) Router logging to two syslog servers:
Production SyslogD:
– BEEP for highest severities, with a maximum rate-limit (10000/s)
– UDP for lowest severities, with a rate-limit of 100/s
Troubleshooting SyslogD:
– UDP for the debug syslog messages with OSPF in the message body
Troubleshooting & Optimization
Example: Filtering of Syslog – 2/2

Router(config)# logging discriminator filter1 severity includes 0,1,2,3 rate-limit 10000
Router(config)# logging discriminator filter2 severity includes 4,5,6,7 rate-limit 100
Router(config)# logging discriminator filter3 msg-body includes debug facility includes OSPF

Router(config)# logging trap debugging

Router(config)# logging host <production> transport beep discriminator filter1
Router(config)# logging host <production> transport udp port 1471 discriminator filter2
Router(config)# logging host <troubleshooting> discriminator filter3
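As an added example, not from the slides: a small Python model of how the three discriminators above split one message stream between the production and troubleshooting collectors, including the per-second rate-limit. The sample messages, the per-discriminator one-second rate window and the substring reading of "includes" are simplifying assumptions made for this model.

```python
import re
from collections import defaultdict

# Constructed, simplified model of the slide's configuration. IOS evaluates the
# discriminator attached to each logging host against every message; this model
# does the same for the three hosts and adds the per-second rate-limit.
DISCRIMINATORS = {
    "filter1": {"severity": {0, 1, 2, 3}, "rate_limit": 10000},
    "filter2": {"severity": {4, 5, 6, 7}, "rate_limit": 100},
    "filter3": {"msg_body": "debug", "facility": "OSPF"},
}
LOGGING_HOSTS = [
    ("production", "beep", "filter1"),
    ("production", "udp/1471", "filter2"),
    ("troubleshooting", "udp", "filter3"),
]
LOGGING_TRAP = 7  # "logging trap debugging": forward everything up to severity 7

# %FACILITY-SEVERITY-MNEMONIC: text, as in the messages shown on the slides
IOS_MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): ?(?P<body>.*)"
)


def parse_ios_message(line):
    """Split an IOS syslog line into (facility, severity, message body)."""
    m = IOS_MSG_RE.search(line)
    if not m:
        raise ValueError(f"not an IOS syslog message: {line!r}")
    return m["facility"], int(m["sev"]), m["body"]


def matches(disc, facility, severity, body):
    """'includes' semantics (assumed): every clause configured must match."""
    if "severity" in disc and severity not in disc["severity"]:
        return False
    if "facility" in disc and disc["facility"] not in facility:
        return False
    if "msg_body" in disc and disc["msg_body"] not in body:
        return False
    return True


class SyslogRouter:
    def __init__(self):
        # per discriminator: [current second, messages already passed in it]
        self.window = defaultdict(lambda: [None, 0])

    def route(self, second, line):
        """Destinations (host, transport) that receive `line` sent at `second`."""
        facility, severity, body = parse_ios_message(line)
        delivered = []
        if severity > LOGGING_TRAP:
            return delivered
        for host, transport, name in LOGGING_HOSTS:
            disc = DISCRIMINATORS[name]
            if not matches(disc, facility, severity, body):
                continue
            limit = disc.get("rate_limit")
            if limit is not None:
                w = self.window[name]
                if w[0] != second:
                    w[0], w[1] = second, 0
                if w[1] >= limit:
                    continue  # over the per-second limit: dropped for this session
                w[1] += 1
            delivered.append((host, transport))
        return delivered


def burst_delivered(router, second, line, count):
    """Send `count` copies of `line` within one second; return how many reached each destination."""
    totals = defaultdict(int)
    for _ in range(count):
        for dest in router.route(second, line):
            totals[dest] += 1
    return dict(totals)


# Constructed sample messages (the OSPF debug line is made up for this example)
LINK_DOWN = "*Jan 12 10:00:01.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"
CONFIG_I = "*Jan 12 10:00:02.000: %SYS-5-CONFIG_I: Configured from console by vty0 (10.10.10.5)"
OSPF_DBG = "*Jan 12 10:00:03.000: %OSPF-7-DEBUG: OSPF: debug hello received on GigabitEthernet0/1"

if __name__ == "__main__":
    r = SyslogRouter()
    for line in (LINK_DOWN, CONFIG_I, OSPF_DBG):
        print(line.split(": ", 1)[1][:40], "->", r.route(0, line))
    print("250 notices in one second:", burst_delivered(SyslogRouter(), 1, CONFIG_I, 250))
```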
Good to know: any traffic with low TTL?
Troubleshooting & Optimization
Good Practice: Know about low-TTL
TTL is:
– An IP Header field used to limit packet life time (upon routing loops)
– Each routing hop along a packet’s path decrements this value
– Upon TTL==0 the packet is dropped

Low TTL Values are also (mis-)used:
– to establish bidirectional TCP sessions across NAT (aka TCP hole-punching)
– by some applications (multicast, load-balancing, …)
– by security attacks (denial of service, break-in, ...)

Hence Low TTL can indicate:
– Routing issues
– Funny application behaviour
– Security incidents (what is my normal low-TTL traffic ?)

How to report on low-TTL in my network ?
Troubleshooting & Optimization
Example: Monitor low-TTL Traffic ...
Problem: We want to know about low-TTL traffic
Concept: Use Flexible Netflow and Embedded Event Manager 3.0 to detect traffic flows with TTL < 5
1. Configure flexible Netflow to match on TTL, Source- and Destination Address
flow record <my-record>
 match ipv4 ttl
 match ipv4 source address
 match ipv4 destination address
 :
flow monitor <my-monitor>
 record <my-record>
 :
Questions this lets you answer:
– Top (unexpected) Talkers with low-TTL traffic ?
– Deviation from Normal ?
– Senders with many low-TTL flows ?
– Take Actions (block suspicious senders) ?

2. Configure the Netflow Event Detector in EEM to notify upon a new flow record
event manager applet my-ttl-applet
 event nf monitor-name "my-ttl-monitor" event-type create event1 entry-value "5" field ipv4 ttl entry-op lt
 action 1.0 syslog msg "Low-TTL flow from $_nf_source_address"

3. Syslog message and/or use the show flow monitor <my-monitor> cache command
*Dec 2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 192.168.2.248
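An added example (not from the slides) that serves both the Application Flow Aware cache output shown earlier and this low-TTL example: a Python parser for the fixed-width "show flow monitor <my-monitor> cache" table, used to total bytes per NBAR application and to rank senders of flows with TTL < 5 against a known-good baseline. The application cache values are copied from the earlier slide; the TTL cache, its addresses, byte counts and the baseline set are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of "show flow monitor <my-monitor> cache"
# for the application-aware record (values copied from the earlier slide).
APP_CACHE = """\
Cache type:                            Normal
Cache size:                              4096
Current entries:                            2

IPV4 SRC ADDR    IPV4 DST ADDR    APP NAME            bytes
===============  ===============  ==================  ==========
10.55.146.53     10.51.89.177     nbar ssh                 10484
10.51.81.117     10.51.89.177     nbar icmp                 1000
"""

# Constructed sample for the low-TTL record (match ipv4 ttl / source / destination
# plus a byte counter); addresses and counts are made up for this example.
TTL_CACHE = """\
IPV4 TTL  IPV4 SRC ADDR    IPV4 DST ADDR    bytes
========  ===============  ===============  ==========
       1  192.168.2.248    10.0.0.5               1200
       3  192.168.2.248    10.0.0.9                400
      64  10.1.1.10        10.0.0.5              50000
       2  172.16.5.20      10.0.0.5                 60
      60  10.1.1.11        10.0.0.9               8000
"""


def parse_flow_cache(text):
    """Parse the fixed-width table of a flow cache dump into a list of dicts.
    Column boundaries come from the '====' separator line, so the same parser
    works for any flow record layout (the preamble lines are skipped)."""
    lines = text.splitlines()
    for i in range(1, len(lines)):
        if "=" in lines[i] and re.fullmatch(r"[= ]+", lines[i]):
            starts = [m.start() for m in re.finditer(r"=+", lines[i])]
            bounds = list(zip(starts, starts[1:] + [None]))
            names = [lines[i - 1][a:b].strip() for a, b in bounds]
            rows = []
            for row in lines[i + 1:]:
                if row.strip():
                    rows.append({n: row[a:b].strip() for n, (a, b) in zip(names, bounds)})
            return rows
    raise ValueError("no column separator line found")


def bytes_per_application(rows):
    """Step 2 of the application-aware example: traffic volume per NBAR application."""
    totals = Counter()
    for r in rows:
        totals[r["APP NAME"]] += int(r["bytes"])
    return dict(totals)


def low_ttl_talkers(rows, threshold=5):
    """Same condition as the EEM applet (entry-value 5, entry-op lt): flows with
    TTL < threshold, grouped by sender, sender with most low-TTL flows first."""
    per_src = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for r in rows:
        if int(r["IPV4 TTL"]) < threshold:
            per_src[r["IPV4 SRC ADDR"]]["flows"] += 1
            per_src[r["IPV4 SRC ADDR"]]["bytes"] += int(r["bytes"])
    return sorted(per_src.items(), key=lambda kv: (-kv[1]["flows"], -kv[1]["bytes"]))


def unexpected_low_ttl_senders(rows, baseline, threshold=5):
    """'Deviation from normal': low-TTL senders not in the known-good baseline
    (e.g. load balancers or multicast sources that legitimately use low TTLs)."""
    return [src for src, _ in low_ttl_talkers(rows, threshold) if src not in baseline]


if __name__ == "__main__":
    print(bytes_per_application(parse_flow_cache(APP_CACHE)))
    ttl_rows = parse_flow_cache(TTL_CACHE)
    for src, stats in low_ttl_talkers(ttl_rows):
        print(f"{src:16} {stats['flows']} low-TTL flows, {stats['bytes']} bytes")
    print("unexpected:", unexpected_low_ttl_senders(ttl_rows, {"172.16.5.20"}))
```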
What if I need a Packet Capture ?
Troubleshooting & Optimization
Embedded Packet Capture (EPC)
Problem: Sometimes a Packet Capture would be useful for Troubleshooting, Security or Application Analysis, Baselining, etc.
BUT: deploying Packet Sniffers is slow, expensive and requires local skills and equipment ...
Solution: Make use of IOS Embedded Packet Capture to capture PCAP format data and/or analyze on the device

1. Define a capture buffer on the device
Router# monitor capture buffer …
2. Define a capture point
Router# monitor capture point …
3. Associate the capture point with the buffer
Router# monitor capture point associate …
4. Start / Stop capture points
Router# monitor capture point start …
5. Show and/or Export the content of the buffer
Router# monitor capture buffer <tracename> export …

See: http://www.cisco.com/go/epc
Available from: IOS 12.4(20)T
Platforms: 8xx, 18xx, 28xx, 38xx ISRs, 72xx
Troubleshooting & Optimization
Example: process-switched traffic – 1/2
We want to capture process-switched traffic:
1-3. Define a capture buffer, capture point and associate the two
Router# monitor capture buffer my-buffer size 100 max-size 1000 circular
Router# monitor capture point ip process-switched my-capture in
Router# monitor capture point associate my-capture my-buffer

4. Start capturing traffic
Router# monitor capture point start all
*Nov 25 10:00:58.990: %BUFCAP-6-ENABLE: Capture Point my-capture enabled.

5. Show / Analyze on the router …
Router# show monitor capture buffer all parameters
Capture buffer my-buffer (circular buffer)
Buffer Size : 102400 bytes, Max Element Size : 1000 bytes, Packets : 28
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : my-capture, Status : Active        (we have some traffic)
Configuration:
monitor capture buffer my-buffer size 100 max-size 1000 circular
monitor capture point associate my-capture my-buffer

Router# show monitor capture buffer my-buffer dump
10:14:05.914 UTC Nov 25 2008 : IPv4 Process : Fa0/0 None
66A3C5B0: FFFFFFFF FFFF0001 64FF4C01 ........d.L.
66A3C5C0: 080045C0 00300000 00000111 0B5AACA1 ..E@.0.......Z,!
66A3C5D0: 0103FFFF FFFF02C7 02C7001C 85F60001 .......G.G...v..
66A3C5E0: 0010AC12 01020000 5D4C0F03 0004AC12 ..,.....]L....,.
Troubleshooting & Optimization
Example: process-switched traffic – 2/2
5. … or export as PCAP file and analyze externally
Router# monitor capture buffer my-buffer export tftp://10.10.10.10/mypcap

Troubleshooting & Optimization
EPC – Additional Considerations
Capture stop criteria:
– manual stop
– after a specified time interval
– after given number of packets
Capture point:
– IPv4 or IPv6
– CEF (drop, punt) or process switching
– interface specific or all interfaces
– Direction: in, out, both, from-us (process-switched specific)
– multicast: only ingress packets are captured, not the replicated egress packets
– MPLS: does not capture MPLS encapsulated frames today
Buffer can be defined as linear or circular
Buffer filter based on an access-list:
Router# monitor capture buffer my-buffer filter access-list 10
Buffer export options: FTP, HTTP, HTTPS, RCP, SCP, or TFTP
Note: exec mode commands only, nothing in the configuration
Troubleshooting & Optimization
EPC – EASy Package
Embedded Automation Systems (EASy)
EPC EASy Package Supports:
– Interactive Installation
– Timed or manual capture start
– Linear or circular buffer
– Buffer Export

To use the Package:
1. Browse and Download EPC EASy Package: www.cisco.com/go/easy
2. Make Sure to also download EASy Installer
3. Watch VOD and/or read documentation: www.cisco.com/go/easy
4. Customize and tailor to your needs
5. Install and Use
What if I need to quickly share some information from a router?
Troubleshooting & Optimization
Sharing Information 1/2
Problem: Often we need to quickly share information from a router (or a neighboring device) across organizational and technical borders. Sometimes in ways which were not initially planned for …
Solution I: Initiate a Project to make use of SNMP, Syslog, Event Management Software, Reporting, Trouble Ticketing and CRM Systems ...
Solution II: Use Cisco IOS DMI to gather the information and EEM/Tcl to post it via http to a shared location

1. Load and import the http package into your EEM Tcl Policy
package require http
namespace import ::http::*

2. Gather and format whatever information you need

3. Build your query for the HTTP POST operation
set my_query [::http::formatQuery "status" $my_info]

4. Use HTTP POST to share your information
set my_reply [::http::geturl $my_server_url -query $my_query]

See: http://twitter.com/EASyDMI
Note: it is NOT recommended to use a public site or feed other than for demo purpose
Troubleshooting & Optimization
Sharing Information 2/2
(Screenshot: > 200 downloads from ciscobeyond in the 1st month)
Custom Interactive Menus on the CLI
Menu Command and Embedded Menu Manager (EMM)
Interactive Menus on the CLI
Problem: How to make some CLI commands available in a guided way (for example to 1st Line Support, Local IT, Field Force, etc)
Solution I: Configure a Menu using the old <menu> commands
Solution II: Define a custom Menu in Embedded Menu Manager (EMM)

IOS menu Command:
☺ easy to learn, simple to use
  limited functionality and flexibility
  menu only, cli only
  selections only
  part of the IOS config
☺ widely available

Embedded Menu Manager (EMM):
☺ easy to learn, simple to use
☺ very flexible
☺ menus and wizards, cli and tcl
☺ selections, inputs, actions, help texts
☺ separate MDF file(s)
  recent development – 12.4(20)T
Menu Config Command – 1/2
Simple Menu Defined in the Config
– Custom ASCII Menus
– Part of IOS Config
– Simple CLI Actions

! menu name: OldMenu; the menu title follows between the ^C delimiters
menu OldMenu title ^C
A simple example of the OLD menu command^C
menu OldMenu prompt ^C
Please select a menu item:^C
! menu item label
menu OldMenu text 1 Run a ping test
! menu item action
menu OldMenu command 1 ping 10.1.1.1
menu OldMenu options 1 pause
menu OldMenu text 9 Exit
menu OldMenu command 9 exit
menu OldMenu status-line

Caveats:
– Remember to provide an <exit> option
– Simple menus and actions only
– No user input other than menu items
– Part of the running- and startup-config
Available from: IOS 10.0, 12.2(33)S
Menu Config Command – 2/2
router# menu OldMenu
Server "router" Line 0 Terminal-type (unknown)

A simple example of the OLD menu command

    1   Run a ping test

    9   Exit

Please select a menu item: 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
--More--
Server "router" Line 0 Terminal-type (unknown)

A simple example of the OLD menu command

    1   Run a ping test

    9   Exit

Please select a menu item:
Embedded Menu Manager (EMM)
Programmable Menu Framework
Custom ASCII Menus
XML based Menu Definition Files (MDF)
Range / Type Checking
TCL Scripting Actions
Nested and Sequential Menus (Wizards)
================================================================================
Branch Router Operations Menu on branch-99
Enter ? for help or ?# for item help
--------------------------------------------------------------------------------
1. Install Diagnostic Scripts
2. Change Hostname
3. Run CPU Diagnostic Script
4. Check for most recent EEM Policy Files
5. Run WAN Diagnostic Script
6. Instant World Peace
7. Exit
Enter selection [6]:

Available from: IOS 12.4(20)T
See: http://tinyurl.com/emm-in-124t
https://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_emm_ps6441_TSD_Products_Configuration_Guide_Chapter.html
EMM Menu Definition File Example – 1/2
<?xml version="1.0"?>
<!-- Menu name and required schema version -->
<Menu MenuName="NMS" schemaVersion="1.1">
  <MenuTitle>
    <!-- Title can be constant or generated with Tcl -->
    <EmbTCLValue>
      <TCLCommand>
        return " Branch Router Operations Menu on [hostname]"
      </TCLCommand>
    </EmbTCLValue>
  </MenuTitle>
  <!-- The menu and each item can have its own help text -->
  <HelpString>
    <Constant String="View and modify some common Network Management configuration parameters"/>
  </HelpString>
  <!-- Optional global Tcl section to store procs used throughout the menu -->
  <GlobalTCL>
    <TCLCommand>
      proc get_config { regex } {
        set config [exec "show run | inc $regex"]
        return $config
      }
    </TCLCommand>
  </GlobalTCL>
  :
  :
EMM Menu Definition File Example – 2/2
From simple menu choices to complete customized wizards
  :
  :
  <Item ContinuePrompt="true" ItemJustification="LEFT">
    <ItemTitle>
      <Constant String="Change Hostname" />
    </ItemTitle>
    <HelpString>
      <Constant String="This selection lets you type a new hostname" />
    </HelpString>
    <Wizard>
      <QueryPrompt>
        <Constant String="What hostname do you suggest?" />
      </QueryPrompt>
      <FreeForm />
    </Wizard>
    <IOSConfigCommand>
      "hostname $r(1)"
    </IOSConfigCommand>
  :
  :
POST (Power-On Self-Test) is a great thing ...
... but some errors you prefer to know while the system is still running ...
... and: can you afford to power-cycle a box after OIR just for POST to run ?
Troubleshooting & Optimization
Generic OnLine Diagnostics (GOLD)
CLI and scheduling for Functional Runtime Diagnostics
– Bootup Diagnostics (upon bootup and OIR)
– Periodic Health Monitoring (during operation)
– OnDemand (from CLI)
– Scheduled Testing (from CLI)
Good Practice: schedule all non-disruptive tests periodically
Test Types include:
– Packet switching tests
  • Are supervisor control plane & forwarding plane functioning properly?
  • Is the standby supervisor ready to take over?
  • Are linecards forwarding packets properly?
  • Are all ports working?
  • Is the backplane connection working?
– Memory Tests
– Error Correlation Tests
Complementary to POST
Available from: CatOS 8.5(1), IOS 12.2(14)SX
Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS
Troubleshooting & Optimization
Example: The effect of wear and tear – 1/2
Problem: Repeated insertion and removal of Modules can lead to wear and tear damage on connectors. This in turn can cause failures … how do you find out during operation, without power-cycling the box ?
Solution: Use GOLD to verify functionality of a mis-behaving module
1) Let’s see which GOLD tests are available and scheduled for our Module:
Router# show diagnostic content module 3
Module 3:

  Diagnostics test suite attributes:
    M/C/* - Minimal level test / Complete level test / Not applicable
    B/*   - Bypass bootup test / Not applicable
    P/*   - Per port test / Not applicable
    D/N/* - Disruptive test / Non-disruptive test / Not applicable
    S/*   - Only applicable to standby unit / Not applicable
    X/*   - Not a health monitoring test / Not applicable
    F/*   - Fixed monitoring interval test / Not applicable
    E/*   - Always enabled monitoring test / Not applicable
    A/I   - Monitoring is active / Monitoring is inactive

  ID   Test Name                          Attributes   (day hh:mm:ss.ms)
  ==== ================================== ============ =================
    1) TestScratchRegister -------------> *B*N****A    000 00:00:30.00
    2) TestSPRPInbandPing --------------> *B*N****A    000 00:00:15.00
    :
   18) TestL3VlanMet -------------------> M**N****I    not configured
    :

See: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/diagtest.html
Troubleshooting & Optimization
Example: The effect of wear and tear – 2/2
2) Now let’s run TestL3VlanMet on-demand for Module 3:
Router# diagnostic start module 3 test 18
:
00:09:59: %DIAG-SP-3-MINOR: Module 3: Online Diagnostics detected a Minor Error. Please use 'show diagnostic result <target>' to see test results.

3) Then check the test results (show diagnostic result module 3 detail gives the per-test details):
Router# show diagnostic result module 3
Module 3: CEF720 48 port 1000mb SFP  SerialNo : xxxxxxxx

Overall Diagnostic Result for Module 3 : MINOR ERROR
Diagnostic level at card bootup: minimal

Test results: (. = Pass, F = Fail, U = Untested)

1) TestTransceiverIntegrity:
Port  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
----------------------------------------------------------------------------
      U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U

Port 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
----------------------------------------------------------------------------
      U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U  U

:
:
18) TestL3VlanMet -------------------> F
Troubleshooting & Optimization
GOLD and Embedded Event Manager
Combine GOLD and Embedded Event Manager:
– GOLD Event Detector: to trigger EEM actions based on GOLD test results (custom alerts, failover, diagnostics, ...)
– OIR or CLI Event Detector: to trigger an on-demand GOLD test as post-validation of deployment or maintenance work
Troubleshooting & Optimization
Enabling GOLD using CiscoWorks LMS
CiscoWorks LMS 3.1 adds support for GOLD via RME
Good Practice: schedule all non-disruptive tests periodically
Smart Call Home

Troubleshooting & Optimization
Smart Call Home
(Diagram) From – the manual flow today:
Participants: Network Device, EMS/NMS Software, Network Operator, Network Engineer, Support Engineer
Hand-offs via SNMP, Syslog; UI, email; TTS, email, voice; CRM, email, voice
– Late Surprises
– Multiple Manual Escalation Steps
– Iterative Problem Isolation
– Phone, Email based Data Exchange
(Diagram) To – with Smart Call Home:
Participants: Registered Device, Network Operator, Network Engineer, SmartCallHome on cisco.com, Support Engineer
Hand-offs via Smart Call Home Message; CRM, email, voice; CRM
– Early Warnings
– Automated Flow
– Pinpoint Detailed Events
– Reporting and Exports
Troubleshooting & Optimization
Smart Call Home
(Diagram) Customer -> Cisco Smart Call Home (Diagnostics, Rules, Installed Base) -> Cisco TAC
Troubleshooting & Optimization
Smart Call Home – CCO Application
(Screenshot) Personalized Reports:
– Messages, diagnostics and recommendations
– Inventory and configuration for all Call Home devices
– Security alerts, Field notices, and End-of-Life notices
– Configuration Sanity Analysis
– PDF and XLS Export
Troubleshooting & Optimization
Smart Call Home – The Impact
(Timeline diagram; the calendar graphic is omitted)
Before: 45 min – 3.75 hrs – 12 hrs – 25 hours – 29 hours
– Minor hardware failure—undetected. Customer’s Ops team discovers IP multicast configuration problem
– P3 Service Request opened, narrowed to IP Multicast configuration. Cisco RP team checks. Re-queued to LAN SW team
– Look into various known issues and specific Cat 6500 ports bugs on WS-X6548-GE-TX. Find nothing. Request logs from customer
– Logs received and analyzed. Identify online diagnostics failure for test TestL3VlanMet. RMA created
– Replacement part received (4-hour replacement coverage)

After: 12 min – 42 min – 1.2 hrs – 5.5 hrs
– Minor hardware failure—detected and Service Request automatically generated
– P3 SR opened due to GOLD failure. Diag. info attached. Cisco LAN SW team takes ownership
– Informs customer of problem and confirms hardware fault
– RMA created and part dispatched
– Replacement part received (4-hour replacement coverage)
Troubleshooting & Optimization
Smart Call Home with a Partner
(Diagram) Customer -> Partner -> Cisco Smart Call Home (Diagnostics, Rules, Installed Base) -> Cisco TAC

Troubleshooting & Optimization
Smart Call Home – Transport Gateway
(Diagram) Customer DMZ with a Transport Gateway and mailbox (Linux, Solaris, Windows OS) -> Partner -> Cisco Smart Call Home (Diagnostics, Rules, Installed Base) -> Cisco TAC
Troubleshooting & Optimization
Smart Call Home – Transport Gateway
(Diagram) Registered Device –(1) SMTP–> Mail Server –(2) POP / IMAP–> Transport Gateway –(3) HTTPS–> SmartCallHome on cisco.com
Platform Support
– Redhat Linux
– Solaris
– Microsoft Windows
Free Download and Install Guide: www.cisco.com/go/smartcall
Troubleshooting & Optimization
Smart Call Home – How to get started ...
Verify Device Coverage (screenshot legend: Available / Committed / Planned)
– Across segments
– Platform support
Enroll TG first if needed
Step-by-Step Quick Start Enrollment Guides: www.cisco.com/go/smartcall
Complete Enrollment by providing Security Token received via email
Agenda
Introduction & Overview
Service Planning
Service Deployment & Activation
Service Testing, Verification & Assurance
Troubleshooting & Optimization
Summary
Wrap-Up & Close
Questions during a Service Life Cycle
Is there room for yet another service?
• Embedded Event Manager (EEM)
• Embedded Resource Manager (ERM)
• Data Collection Manager (DCM)
• NetFlow MIB and Top Talkers
• ...
How to configure?
• CLI Config Diff and Archive
• CLI Config Locking
• TCL and Cron
• IOS Deployment Agents
• CLI Views
• Enhanced Device Interface (E-DI)
• ...
Is it working as specified?
• IF-MIB, CB-QoS-MIB
• EVENT-, EXPRESSION-MIB
• NBAR
• NetFlow
• Sup Engine 32 PISA
• Flexible Packet Matching
• IP SLA
• ...
What if something goes wrong?
• SNMP, CLI
• Embedded Menu Manager (EMM)
• Embedded Packet Capture (EPC)
• Reliable Syslog
• TCL
• Embedded Event Manager (EEM)
• GOLD & Smart Call Home
• ...
Are we meeting SLA?
• SNMP Stat OID
• IF-MIB, CB-QoS-MIB
• NBAR
• NetFlow
• Embedded Event Manager (EEM)
• IP SLA and EOT
• ...
Q&A
References – Instrumentation
Device Manageability Instrumentation (DMI) www.cisco.com/go/instrumentation
Embedded Event Manager (EEM): www.cisco.com/go/eem
Cisco Beyond – EEM Community: www.cisco.com/go/ciscobeyond
Embedded Menu Manager (EMM): http://tinyurl.com/emm-in-124t
Embedded Packet Capture (EPC): www.cisco.com/go/epc
Flexible NetFlow: www.cisco.com/go/netflow and www.cisco.com/go/fnf
GOLD: http://www.cisco.com/en/US/products/ps7081/products_ios_protocol_group_home.html
IPSLA (formerly SAA, formerly RTR): www.cisco.com/go/ipsla
Network Analysis Module: http://www.cisco.com/go/nam
Network Based Application Recognition (NBAR): www.cisco.com/go/nbar
Security Device Manager (SDM): http://www.cisco.com/go/sdm
Smart Call Home: www.cisco.com/go/smartcall
Web Services Management Agents (WSMA): http://tinyurl.com/wsma-in-150M

Feature Navigator: www.cisco.com/go/fn
MIB Locator: www.cisco.com/go/mibs
Q&A
References – Embedded Automations
Embedded Automation Systems (EASy)
1. Browse and Download EASy Packages: www.cisco.com/go/easy
2. Make Sure to also download EASy Installer
3. Browse Other Embedded Automations: www.cisco.com/go/ciscobeyond
4. Learn About The Technology Under The Hood: www.cisco.com/go/instrumentation, www.cisco.com/go/eem, www.cisco.com/go/pec
5. Discuss, Ask Questions, Suggest Answers: supportforums.cisco.com
6. Upload your own Examples to CiscoBeyond: www.cisco.com/go/ciscobeyond
7. Engage via ask-easy@cisco.com
Session ID Title Day
TECNMS-1003 Designing Manageability and Embedded Automations Mon
BRKNMS-2000 13 Smart ways to Configure your Cisco IOS Device Tue
BRKNMS-2421 Network Configuration and Compliance Management Tue
BRKNMS-2004 Management at work in the small and medium customer Tue
BRKNMS-2005 Managing Cisco Security Wed
BRKNMS-2001 Data Centre - Management End to End Wed
BRKNMS-2007 Deploying DHCP and DNS : Basic to Advanced Wed
BRKNMS-2008 Understanding the benefits of Ethernet OAM (E-OAM) Wed
BRKNMS-2009 UC Network Management: How to Ensure Your UC Services Are Operating as Expected! Wed
BRKNMS-2011 The economical impact of NMS/OSS features on Managed Services Wed
BRKNMS-2012 Cisco IOS Strategy and Evolution Wed
BRKNMS-3132 Advanced NetFlow Wed
BRKNMS-3003 Advanced Using CiscoWorks LMS to its full potential Thu
BRKNMS-2006 Performance Measurement for Critical IP traffic with IP SLAs Thu
BRKNMS-2361 Accounting and Performance Management with Network Based Application Recognition Thu
LABNMS-2001 Advanced Network Automation and Solutions using Cisco IOS EEM Tue + Thu
LABNMS-2005 Implementing Manageability and Embedded Automation Tue + Wed
Panel Large Scale Network Management Tue
Panel Cisco Software Activation Thu

Questions ?

Wrap-Up & Close
In Summary
Embedded Automation Systems (EASy) and Device Manageability Instrumentation (DMI) allow you to
– capture relevant and accurate information efficiently
– evaluate results to trigger appropriate actions
– customize and program the network for your needs

How will you leverage EASy in your Network?
What new possibilities does EASy offer to you ?
What would you have done differently last week ... ?
Please Complete Your Evaluations
… thank you …
bklauser@cisco.com
Appendix I:
Feature Availability

Note: The following information is provided in confidence and ‘as is’.

May include futures, subject to change; no commitments implied.

Embedded Management – SNMP Roadmap

Cisco IOS Software Platforms (release train): Cisco 10000 Series (12.2SB), Cisco 7600 Series (12.2SR/SX), Cisco 7500 Series (12.2SB), Cisco 7304 Router (12.2SB), Cisco 7301 and 7200 Routers (12.2SB/SR), Catalyst 6500 Series (12.2SX/SR), Catalyst 4500 Series (12.2SG), Catalyst 3750 & 2900 Series (12.2SE), ASR-1000 Series (12.2XNA), Cisco 800, 1800 & 2800 Series (M&T)

Periodic MIB Data Collection and Transfer Mechanism: 12.2(33)SB, 12.2(33)SRA, 12.2(22)S, 12.2(33)SB, 12.2(33)SRA, 12.2(33)SXH, 12.2(44)SG, 12.2(35)SE1, 12.2(33)XNA, 12.3(2)T
VPN aware SNMP Infrastructure: 12.2(33)SB, 12.2(33)SRA, 12.2(22)S, 12.2(33)SB, 12.2(33)SRA, 12.2(33)SXH, 12.2(44)SG, 12.2(7th)SE, 12.2(33)XNA, 12.3(2)T
SNMP over IPv6: 12.2(33)SB, 12.2(33)SRB, 12.3(14)T, 12.2(33)SB, 12.2(33)SRB, 12.2(33)SXI, 12.2(44)SG, 12.2(44)SE, 12.2(33)XNA, 12.3(14)T
AES (RFC 3826) and 3DES Encryption for SNMP v3: 12.2(33)SB, 12.2(33)SRB, 12.2(33)SB, 12.2(33)SRB, 12.2(33)SXI, 12.2(44)SG, 12.2(7th)SE, 12.2(33)XNA, 12.4(2)T
ISSU - SNMP: 12.2(33)SB, 12.2(33)SRB1, 12.2(33)SB1, 12.2(33)SRB, 12.2(33)SXI, 12.2(44)SG, 12.2(33)XNA
Interface MIB Enhancements: 12.2(31)SB, 12.2(33)SRA, 12.2(31)SB, 12.2(31)SB, 12.2(33)SRA, 12.2(33)SXH, 12.2(44)SG, 12.2(33)XNA
CEF-MIB: 12.2(33)SB, 12.2(33)SRC, 12.2(31)SB, 12.2(33)SB, 12.2(33)SRC, 12.2(44)SG, 12.2(TBD)SE, 12.2(33)XNA, 12.4(20)T
URPF-MIB: 12.2(31)SB, 12.2(33)SRC, 12.2(31)SB, 12.2(31)SB, 12.2(33)SRC, 12.2(44)SG, 12.2(TBD)SE, 12.2(33)XNA, 12.4(20)T
SNMP Infrastructure for MTR: 12.2(33)SB, 12.2(33)SRB, 12.2(33)SB, 12.2(33)SRB
IP-TUNNEL-MIB: 12.2(33)SB, 12.2(33)SRB, 12.2(33)SB, 12.2(33)SRB, 12.2(44)SG, 12.2(33)XNA, 12.4(20)T
Interfaces MIB: SNMP context based access: 12.2(33)SB, 12.2(33)SRB, 12.2(33)SB, 12.2(33)SRB, 12.2(44)SG, 12.2(7th)SE, 12.2(33)XNA
CISCO-DATA-COLLECTION-MIB: 12.2(33)SB, 12.2(33)SRC, 12.2(33)SB, 12.2(33)SRC, 12.2(44)SG, 12.2(TBD)SE, 12.2(33)XNA, 12.4(20)T
CISL - SNMP Support (Licensing MIB): 12.2(37)SE, 12.4(20)T
SNMP secure Views: 12.2(33)SB, 12.2(33)SRA, 12.2(22)S, 12.2(33)SB, 12.2(33)SRA, 12.2(33)SXH, 12.2(44)SG, 12.2(7th)SE, 12.2(33)XNA, 12.3(2)T

Legend: Shipping / Code Committed / EC’d
Embedded Management – SNMP Roadmap

Cisco IOS Software Platforms (release train): Cisco 10000 Series (12.2SB), Cisco 7600 Series (12.2SR/SX), Cisco 7500 Series (12.2SB), Cisco 7304 Router (12.2SB), Cisco 7301 and 7200 Routers (12.2SB/SR), Catalyst 6500 Series (12.2SX/SR), Catalyst 4500 Series (12.2SG), Catalyst 3750 & 2900 Series (12.2SE), ASR-1000 Series (12.2XNA), Cisco 800, 1800 & 2800 Series (M&T)

Alarm filtering support in Cisco-Entity-Alarm-MIB: 12.2(33)SRB, 12.2(33)SRB, 12.2(33)SXI, 12.2(44)SG, 12.2(33)XNA, 12.4(4)T
SNMP Trap Simulation: 12.2(33)SRE, 12.2(33)SRE, 12.2(33)SXI
RMON-MIB enhancement for 64 bit counter support: 12.2(33)SRE, 12.2(33)SRE, 12.2(33)SXI
Support for HC-Alarm-MIB: 12.2(33)SRE, 12.2(33)SRE, 12.2(33)SXI
RFC2576: SNMP v1/v2c PDU conversions for proxy forwarder: 12.3(2)T
SCP, FTP & RCP Support in CISCO-CONFIG-COPY-MIB: 12.3(2)T
FileType support in CISCO-FLASH-MIB: 12.3(2)T
Event MIB and Expression MIB Enhancements: 12.2(33)SRE, 12.2(33)SRE, 12.2(1st)SY, 12.2(44)SG, 12.4(20)T
Show Port Status Command: 12.2(33)SRE, 12.2(33)SRE, 12.2(33)SXI
SNMP Diagnostic Enhancements: 12.2(33)SRE, 12.2(33)SRE, 12.2(33)SY, 12.4(20)T
SNMP Support for Cisco Power Extension: 12.2(52)SG, 12.2(50)SE
SNMP trap support for EEM: 12.4(22)T
SNMP support for Named Access List: 12.3(2)T
Licensing MIB Enhancement for STG: 12.4(11)T
Embedded Management – Fault/Diag Roadmap

Cisco IOS Software Platforms (release train): Cisco 10000 Series (12.2SB), Cisco 7600 Series (12.2SR/SX), Cisco 7500 Series (12.2SB), Cisco 7304 Router (12.2SB), Cisco 7301 and 7200 Routers (12.2SB/SR), Catalyst 6500 Series (12.2SX/SR), Catalyst 4500 Series (12.2SG), Catalyst 3750 & 2900 Series (12.2SE), ASR-1000 Series (12.2XNA), Cisco 800, 1800 & 2800 Series (M&T)

Embedded Syslog Manager: 12.2(33)SB, 12.2(33)SRC, NA, 12.2(33)SB, 12.2(33)SRC, 12.2(33)SXI, 12.2(44)SG, 12.2(7th)SE, 12.2(33)XNA, 12.3(2)T
Syslog for EAL4 Certification: 12.2(33)SB, 12.2(33)SRB, NA, 12.2(33)SB, 12.2(33)SRB, 12.2(33)SXI, 12.2(44)SG, 12.2(7th)SE, 12.2(33)XNA, 12.3(14)T
Syslog over IPv6: 12.2(33)SB, 12.2(33)SRB, NA, 12.2(33)SB, 12.2(33)SRB, 12.2(33)SXI, 12.2(44)SG, 12.2(44)SE, 12.2(33)XNA, 12.4(4)T
Syslog to ATA Flash: 12.2(33)SB, 12.2(33)SRB, NA, 12.2(33)SB, 12.2(33)SRB, NA, 12.2(44)SG, 12.2(33)XNA, 12.4(15)T
Reliable Delivery for Syslog (RFC 3195 Syslog over BEEP, Rate Limiting, and Message Filtering): 12.2(33)SB, 12.2(33)SRB, NA, 12.2(33)SB, 12.2(33)SRB, 12.2(33)SXI, 12.2(44)SG, 12.2(7th)SE, 12.2(33)XNA, 12.4(11)T
Embedded Menu Manager: 12.2(52)SE, 12.4(20)T
Embedded Resource Manager: 12.2(33)SB, 12.2(33)SRB, 12.2(33)SB, 12.2(33)SRC, 12.2SY *i, 2H09, 12.3(14)T
Embedded Management - Configuration

Cisco IOS Software Platforms (release train): Cisco 10000 Series (12.2SB), Cisco 7600 Series (12.2SR/SX), Cisco 7500 Series (12.2SB), Cisco 7304 Router (12.2SB), Cisco 7301 and 7200 Routers (12.2SB/SR), Catalyst 6500 Series (12.2SX/SR), Catalyst 4500 Series (12.2SG), Catalyst 3750 & 2900 Series (12.2SE), ASR-1000 Series (12.2XNA), Cisco 800, 1800 & 2800 Series (M&T)

UDI Support and Configuration Enhancements: 12.2(28)SB, 12.2(18)SXE5, 12.2(18)SXE5, 12.2(33)SRC, 12.2(18)SXE5, 12.2(25)SEC, 12.2(33)XNA, 12.3(4)T
CNS Agents (Configuration Agent, Event Agent, Image Agent): 12.2(33)SB, 12.2(33)SRB, 12.2(31)SB, 12.2(33)SB, 12.2(31)SB, 12.2(33)SXI, 12.2(44)SG, 12.2(25)SEE, 12.2(33)XNA, 12.3(1)
Config Retrieve Retry: 12.2(33)SB, 12.2(33)SRC, 12.2(33)SB, 12.2(33)SRC, 12.2(1st)SY, 12.2(44)SG, 12.2(44)SE, 12.2(33)XNA, 12.4(15)T
CNS Agents over IPv6: 12.2(33)SB, 12.2(33)SRC, 12.2(33)SRC, 12.2(1st)SY, 12.2(44)SG, 12.2(33)XNA, 12.4(20)T
Netconf over SSHv2, BEEP: 12.2(33)SB, 12.2(33)SRA, 12.2(33)SB, 12.2(33)SRA, 12.2(33)SXH, 12.2(44)SG, 12.2(33)XNA, 12.4(9)T
Config Change Notification (Netconf): 12.2(33)SB, 12.2(33)SRA, 12.2(33)SB, 12.2(33)SRA, 12.2(33)SXH, 12.2(44)SG, 12.2(33)XNA, 12.4(9)T
Netconf over IPv6: 12.2(33)SB, 12.2(33)SRC, 12.2(33)SB, 12.2(33)SRC, 12.2(1st)SY, 12.2(44)SG, 12.2(33)XNA, 12.4(20)T
Cisco Software Licensing: 12.2(37)SE, 12.4(20)T
CNS-Interactive CLI: 12.2(33)SRC, 12.2(33)SRC, 12.2(33)SXI, 12.2(44)SG, 12.2(33)XNA
Command scheduler Policy for system startup: 12.2(33)SB, 12.2(33)SRC, 12.2(33)SB, 12.2(33)SRC, 12.2(1st)SY, 12.2(44)SG, 12.2(33)XNA, 12.4(15)T
TR-69 agent, Ethernet LAN, Time, ATM, loopback, traceroute profiles, HTTP client API to close persistent conn.: 12.4(20)T
Web Services Management Agent: Planning, Planning, 12.2(1st)SY, Planning, Planning, Planning, 12.4(24)T
Embedded Management – Infra - Transports

Cisco IOS Software Platforms (release train): Cisco 10000 Series (12.2SB), Cisco 7600 Series (12.2SR/SX), Cisco 7500 Series (12.2SB), Cisco 7304 Router (12.2SB), Cisco 7301 and 7200 Routers (12.2SB/SR), Catalyst 6500 Series (12.2SX/SR), Catalyst 4500 Series (12.2SG), Catalyst 3750 & 2900 Series (12.2SE), ASR-1000 Series (12.2XNA), Cisco 800, 1800 & 2800 Series (M&T)

HTTPS - HTTP with SSL 3.0: 12.2(33)SB, 12.2(33)SRA, NA, 12.2(33)SB, 12.2(33)SRA, 12.2(33)SXH, 12.2(44)SG, 12.2(25)SE, 12.2(33)XNA, 12.3(2)T
HTTP(S) USB Support for Content Delivery from USB Media; PAI enhancement; TACACS+ Accounting support: 12.2(33)SB, 12.2(33)SRC, NA, 12.2(33)SB, 12.2(33)SRC, 12.2(33)SXI, 12.2(44)SG, 12.4(15)T
HTTP IPv6 Support: 12.2(33)SB, 12.2(33)SRC, NA, 12.2(33)SB, 12.2(33)SRC, 12.2(1st)SY, 12.2(44)SG, 12.2(44)SE, 12.2(33)XNA, 12.4(20)T
BEEP Infrastructure; IPv6 Support: 12.2(33)SB, 12.2(33)SRA, NA, 12.2(33)SB, 12.2(33)SRA, 12.2(33)SXH, 12.2(44)SG, 12.2(7th)SE, 12.2(33)XNA, 12.4(4)T
SOAP IPv6 Support: 12.2(33)SB, 12.2(33)SRC, NA, 12.2(33)SB, 12.2(33)SRC, 12.2(1st)SY, 12.2(44)SG, 12.2(7th)SE, 12.2(33)XNA, 12.4(20)T
Cisco IOS Scripting with TCL: 12.2(33)SB, 12.2(33)SRC, NA, 12.2(33)SB, 12.2(33)SRC, 12.2(33)SXH, 12.2(44)SG, 12.2(TBD)SE, 12.2(33)XNA, 12.3(2)T
TCL SNMP MIB access: 12.2(33)SB, 12.2(33)SRC, NA, 12.2(33)SB, 12.2(33)SRC, 12.2(33)SXH, 12.2(44)SG, 12.2(7th)SE, 12.2(33)XNA, 12.3(7)T
Signed TCL scripts: NA, 12.4(15)T
TCL over IPv6: 12.2(33)SB, 12.2(33)SRC, NA, 12.2(33)SB, 12.2(33)SRC, 12.2(1st)SY, 12.2(44)SG, 12.2(7th)SE, 12.2(33)XNA, 12.4(20)T
HTTP Cookie support (RFC2965): 12.2(1st)SRE, 12.4(20)T
HTTP Digest Authentication Support: 12.4(20)T
Embedded Management – Config/Parser

Cisco IOS Software Platforms (release train): Cisco 10000 Series (12.2SB), Cisco 7600 Series (12.2SR/SX), Cisco 7500 Series (12.2SB), Cisco 7304 Router (12.2SB), Cisco 7301 and 7200 Routers (12.2SB/SR), Catalyst 6500 Series (12.2SX/SR), Catalyst 4500 Series (12.2SG), Cisco 3750 & 2900 Series (12.2SE), ASR-1000 Series (12.2XNA), Cisco 800, 1800 & 2800 Series (M&T)

Configuration Replace and Configuration Rollback, including config versioning (archive) and timed rollback: 12.2(33)SB, 12.2(33)SRA, 12.2(25)S, 12.2(33)SB, 12.2(31)SB2, 12.2(33)SXH, 12.2(44)SG, 12.2(40)SE, 12.2(33)XNA, 12.3(7)T
Configuration Change Notification and Logging: 12.2(33)SB, 12.2(33)SRA, 12.2(25)S, 12.2(33)SB, 12.2(25)S, 12.2(33)SXH, 12.2(44)SG, 12.2(25)SEC, 12.2(33)XNA, 12.3(4)T
Contextual Configuration Diff Utility: 12.2(33)SB, 12.2(33)SRA, 12.2(25)S, 12.2(33)SB, 12.2(33)SXH, 12.2(44)SG, 12.2(40)SE, 12.2(33)XNA, 12.3(4)T
Configuration Generation Performance Enhancement: 12.2(33)SB, 12.2(33)SRC, 12.2(25)S, 12.2(33)SB, 12.2(33)SRC, 12.2(33)SXI, 12.2(44)SG, 12.2(33)XNA, 12.3(7)T
Role-Based Access Control CLI commands: 12.2(33)SB, 12.2(33)SRB, 12.2(33)SB, 12.2(33)SXI, 12.2(44)SG, 12.2(33)XNA, 12.3(11)T
Configuration Partitioning: 12.2(33)SB, 12.2(33)SRB, 12.2(33)SB, 12.2(33)SRB, 12.2(33)SXI, 12.2(44)SG, 12.2(7th)SE, 12.2(33)XNA
Configuration Rollback Confirmed Change: 12.2(33)SB, 12.2(33)SRC, 12.2(33)SB, 12.2(33)SRC, 12.2(33)SXI, 12.2(44)SG, 12.2(33)XNA, 12.4(20)T
IPv6 for Config Logger: 12.2(33)SB, 12.2(33)SRC, 12.2(33)SB, 12.2(33)SRC, 12.2(1st)SY, 12.2(44)SG, 12.2(7th)SE, 12.2(33)XNA, 12.4(20)T
Config Logger Persistency: 12.2(33)SB, 12.2(33)SRA, 12.2(33)SB, 12.2(33)SXH, 12.2(44)SG, 12.2(33)XNA, 12.4(11)T
Exclusive Configuration Change Access and Access Session Locking: 12.2(33)SB, 12.2(33)SRA, 12.2(33)SB, 12.2(33)SXH, 12.2(44)SG, 12.2(33)XNA, 12.4(11)T
Config Change Tracking Identifier: 12.2(33)SB, 12.2(33)SRC, 12.2(33)SB, 12.2(33)SRC, 12.2(33)SXI, 12.2(44)SG, 12.2(33)XNA, 12.4(20)T
XML Programmatic Interface w/TLS and Initiator: 12.2(1st)SRE, 12.2(1st)SRE, 12.2(1st)SY, 12.2(47)SG, 12.2(7th)SE, 12.4(20)T
EEM Version/Product Support Matrix
CISCO ACCESS ROUTERS - Current models
EEM Cisco 800 Cisco 1800 Cisco 2800 Cisco 3800 Cisco 1900 Cisco 2900 Cisco 3900
Version Series Series Series Series Series Series Series
1.0 12.3(11)T 12.3(11)T 12.3(11)T
2.0
2.1 12.3(14)T1 12.3(14)T1 12.3(14)T1
2.1.5
2.2 12.4(2)T 12.4(2)T 12.4(2)T 12.4(2)T
2.3 12.4(11)T 12.4(11)T 12.4(11)T 12.4(11)T
2.4 12.4(20)T 12.4(20)T 12.4(20)T 12.4(20)T
3.0 12.4(22)T 12.4(22)T 12.4(22)T 12.4(22)T
3.1 15.0(1)M 15.0(1)M 15.0(1)M 15.0(1)M 15.0(1)M 15.0(1)M 15.0(1)M
3.2 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T 15.1(3)T
3.4 Planning Planning Planning Planning Planning Planning Planning

CISCO ACCESS ROUTERS - Old models

EEM Version: Cisco 1700 Series, Cisco 2600 Series, Cisco 2600XM Series, Cisco 2691 Series, Cisco 3600 Series, Cisco 3700 Series
1.0 12.3(4)T 12.3(4)T 12.3(4)T 12.3(4)T
2.0
2.1 12.3(14)T1 12.3(14)T1 12.3(14)T1 12.3(14)T1 12.3(14)T1 12.3(14)T1
2.1.5
2.2 12.4(2)T 12.4(2)T 12.4(2)T 12.4(2)T 12.4(2)T 12.4(2)T
2.3 12.4(11)T 12.4(11)T 12.4(11)T 12.4(11)T 12.4(11)T 12.4(11)T
2.4
3.0
3.1
3.2

Legend: Shipping / EC / Planning
EEM Version/Product Support Matrix, cont.
CISCO SERVICE AGGREGATION/CORE ROUTERS

EEM Version: Cisco ASR1000 Series, Cisco 7200 Series, Cisco 7301, Cisco 7304, Cisco 7600 Series, Cisco UBR 10000, Cisco UBR 7200, Cisco 12000 Series, Cisco XR 12000, Cisco CRS-1, Cisco ASR 9000
1.0 12.0(26)S
2.0 12.2(27)SBC FM FM FM
2.1 12.3(14)T1 12.3(14)T1 12.2(28)SB 12.2(18)SXF5 12.2(28)SB 12.2(28)SB FM FM FM
2.1.5 FM FM FM
2.2 12.4(2)T 12.4(2)T1 FM FM FM
2.3 2.1XE 12.4(11)T 12.2(33)SB 12.2(33)SB 12.2(33)SRB 12.2(33)SB 12.2(33)SB FM FM FM
2.4 12.2(33)XN RLS7 12.4(20)T 12.2(33)SRE 12.2(33)SRE 12.2(33)SRE 12.2(33)SRE 12.2(33)SRE FM FM FM
3.0 12.2(33)XN RLS7 12.4(22)T 12.2(33)SRE 12.2(33)SRE 12.2(33)SRE 12.2(33)SRE 12.2(33)SRE FM FM FM
3.1 Planning 15.0(1)M Planning Planning Planning Planning Planning Planning Planning Planning Planning
3.2 Planning 15.1(3)T Planning Planning Planning Planning Planning Planning Planning Planning Planning
3.4 Planning Planning Planning Planning Planning Planning Planning Planning Planning Planning Planning

CISCO CATALYST SWITCHES

EEM Version: Catalyst 3000 Switches, Catalyst 3400ME Switches, Catalyst 4500 Switches, Catalyst 4900 Switches, Catalyst 6500 Switches
1.0
2.0
2.1 12.2(18)SXF5 (IOS w/o Modularity)
2.1.5 12.2(18)SXF4 (w/ Modularity)
2.2
2.3 12.2(40)SE 12.2(40)SE 12.2(44)SG 12.2(44)SG 12.2(33)SXH
2.4 12.2(50)SE 12.2(50)SE 12.2(52)SG 12.2(52)SG 12.2(33)SXI
3.0 12.2(52)SE 12.2(52)SE 12.2(1st)SY 12.2(1st)SY Summer'10 (Zanzibar)
3.1 12.2(52)SE 12.2(52)SE Planning Planning Summer'10 (Zanzibar)
3.2 12.2(52)SE 12.2(52)SE Planning Planning Summer'10 (Zanzibar)
3.4 Planning Planning Planning Planning Planning

Legend: Shipping / EC / Planning
Embedded Management – IPSLAs
Release 12.2S and T Family Roadmap

Cisco IOS Software Platforms (release train): Cisco 10000 Series (12.2SB), Cisco 7600 Series (12.2SR/SX), Cisco 7500 Series (12.2SB), Cisco 7304 Router (12.2SB), Cisco 7301 and 7200 Routers (12.2SB/SR), Catalyst 6500 Series (12.2SX/SR), Catalyst 4500 Series (12.2SG), Cisco 3750 & 2900 Series (12.2SE), Cisco 800, 1800 & 2800 Series (M&T)

IP SLAs Responder: NA, NA, NA, NA, NA, NA, NA, 12.2(25)SEE, 12.4(7)
IP SLAs CLI Introduction: 12.2(31)SB, 12.2(33)SRB, 12.2(31)SB, 12.2(31)SB, 12.2(1st)SRC, 12.2(1st)SXH, 12.2(11th)SG, 12.2(40)SE, 12.3(14)T
IP SLA CLI Phase 2: 12.2(31)SB, 12.2(33)SRB, 12.2(31)SB, 12.2(31)SB, 12.2(1st)SRC, 12.2(1st)SXH, 12.2(11th)SG, 12.2(40)SE, 12.4(2)T
IP SLA CLI Phase 3: 12.2(1st)SB5, 12.2(33)SRB, NA, 12.2(1st)SB5, 12.2(1st)SRC, 12.2(1st)SXI, 12.2(11th)SG, 12.2(40)SE, 12.4(4)T
IP SLAs - LSP Health Monitor: 12.2(27)SBB, 12.2(33)SRA, 12.2(30)S, 12.2(27)SBB, 12.2(27)SBB, 12.2(1st)SXH, 12.4(6)T
IP SLAs Accuracy Improvements: 12.2(1st)SB5, 12.2(33)SRB, NA, 12.2(1st)SB5, 12.2(1st)SRC, 12.2(1st)SXI, 12.2(11th)SG, 12.2(40)SE, 12.3(14)T
IP SLAs Additional Threshold Traps (VoIP): 12.2(1st)SB5, 12.2(33)SRB, NA, 12.2(1st)SB5, 12.2(1st)SRC, 12.2(1st)SXI, 12.2(11th)SG, 12.2(40)SE, 12.4(2)T
IP SLAs Random Scheduler: 12.2(1st)SB5, 12.2(33)SRB, NA, 12.2(1st)SB5, 12.2(1st)SRC, 12.2(1st)SXI, 12.2(11th)SG, 12.2(40)SE, 12.4(2)T
IP SLAs - LSP Health Monitor with LSP Discovery: 12.2(1st)SB5, 12.2(33)SRB, NA, 12.2(1st)SB5, 12.2(1st)SRC, 12.2(11th)SG, 12.2(40)SE, 12.4(20)T
IP SLAs for Metro-Ethernet: 12.2(1st)SB5, 12.2(33)SRB, NA, 12.2(1st)SB5, 12.2(1st)SRC, 12.2(1st)SXI, 12.2(40)SE
Auto IP SLAs with QoS Integration and Responder Auto-Registration: 15.0(1)M
IP SLAs for IPv6 (UDP Jitter, UDP Echo, ICMP Echo, TCP Connect): 12.2(1st)SRC, 15.1(1)T
Auto IP SLAs for MPLS Pseudo Wire (PWE3) via VCCV: 12.2(1st)SRC
IP SLAs - ICMP Jitter Operation: 12.4(6)T
IP SLA - VoIP Gatekeeper Delay Monitoring: NA, NA, 12.3(14)T
IP SLAs VoIP Call Setup (Post Dial Delay) Monitoring: NA, NA, 12.3(14)T
Cisco IOS IP SLAs
M & T Roadmap

Cisco IOS Software Platforms (M&T): Cisco 7301 Router, Cisco 7200 Series, Cisco 3800 & 2800 Series, Cisco 1800 & 800 Series

IP SLAs Engine 3.0: 15.1(1)T, 15.1(1)T
IP SLAs NG v1.0: 15.1(1)T, 15.1(1)T
IP SLAs for Metro-Ethernet (v1.0): 12.4(20)T
IP SLAs IPv6 (v1.0): 12.4(20)T, 12.4(20)T, 12.4(20)T
IP SLA’s VRF Aware v2.0: 12.4(20)T, 12.4(20)T, 12.4(20)T

For further information please contact: mailto: cs-ipsla@cisco.com
Cisco IOS IP SLAs
Release 12.0S/12.2S Family Roadmap

Cisco IOS Software Platforms (release train): Cisco 7600 Series (12.2SR), Cisco 7301 Router (12.2SB), Cisco 7304 Router (12.2SB), Cisco 7200 Series (12.2SB), Catalyst 6500 Series (12.2SX), Catalyst 4500 Series (12.2SG), Cisco 3000 & 2000 Series (12.2SEE)

IP SLAs Metro-Ethernet 3.0: 12.2(33)SRE
IP SLAs Metro-Ethernet 2.0: 12.2(33)SRD
IP SLAs TWAMP Responder: 12.2(53)SE
IP SLA’s PWE’s VCCV Ping: 12.2(33)SRC
IP SLAs for Metro-Ethernet (v1.0): 12.2(33)SRB, 12.2(33)SXI, 12.2(40)SE
IP SLAs (initial support): 12.2(44)SG, 12.2(40)SE
IP SLAs for IPv6: 12.2(33)SRC
IP SLAs Engine-2 (major update): 12.2(33)SXH, 12.2(44)SG, 12.2(40)SE

For further information please contact: mailto: cs-ipsla@cisco.com
Cisco IOS IP SLAs
Release 12.0S/12.2S Family Roadmap
Cisco 12000 Cisco 10000 Cisco uBR1000 Cisco ASR 1000
Cisco IOS Software Platforms Series Series Series Series

12.0S 12.2SB IOS-XE

IP SLAs Metro-Ethernet 3.0

IP SLAs Metro-Ethernet 2.0

IP SLAs TWAMP Responder

IP SLA’s PWE’s VCCV Ping 12.2SB5 1Q2008

IP SLAs for Metro-Ethernet (v1.0)

IP SLAs (initial support) 12.2(33)SCB 12.2(33)XNA

IP SLAs for IPv6 12.2(33)XNA

IP SLAs Engine-2 (major update)

IP SLAs - Path Jitter Operation 12.2(33)XNA

IP SLAs – UDP Jitter Operation 12.2(33)XNA

IP SLAs – UDP Echo Operation 12.2(33)XNA

IP SLAs - TCP Connect Operation 12.2(33)XNA

IP SLAs – ICMP Echo Operation 12.2(33)XNA

For further information please contact: mailto: cs-ipsla@cisco.com

NBAR
Release 15.0 Roadmap

NBAR Features: Cisco 800, 1800, 1900, 2800, 2900, 3800, 3900 Series; Cisco 7200, 7300 Series

Cisco IOS 15.0(1)M

- NBAR Application Id Persistency
- NBAR Integration with Flexible NetFlow
- SAP pdlm
- FIX pdlm
- HL7 pdlm
- Improved HTTP pdlm
- Oracle pdlm
- SQL-Exec pdlm
- AppleQTC pdlm
- Chargen pdlm
- Corba pdlm
- ClearCase pdlm
- DayTime pdlm
- RCP pdlm
- Rtelnet pdlm
- VNC pdlm
- X pdlm
- XDMCP pdlm
- Echo pdlm
- IBM DB2 pdlm
- IPX pdlm
- ISAKMP pdlm
- ISI-GL pdlm
- Klogin pdlm
- Kshell pdlm
- LockD pdlm
NBAR
Release 15.1 Roadmap

NBAR Features: Cisco 800, 1800, 1900, 2800, 2900, 3800, 3900 Series; Cisco 7200, 7300 Series

IOS 15.1(2)T

- NBAR HotIce
- Enhanced HTTP inspection
- Yahoo Messenger pdlm
- YouTube pdlm
- DiCom pdlm
- CIFS pdlm
- AIM pdlm
- MSN pdlm
- WinMx pdlm Enhancements
- Softphone + skinny pdlm Enhancements
- Updated Mapi pdlm
- Updated Bittorrent pdlm
- Wow pdlm
- Updated eMule pdlm
- TelePresence pdlm
- Updated Gnutella pdlm
NBAR
Release IOS XE – Protocol Library

NBAR Features: Cisco ASR1000

IOS XE – release 2.1

- cuseeme
- dhcp
- dns
- pop3
- telnet
- https (security-http)
- rtsp
- sip
- skype (TCP-only)
- http (no options including url and host)
- ftp
- H.323
NBAR
Release IOS XE – Protocol Library

NBAR Features: Cisco ASR1000

IOS XE – release 2.3

Miscellaneous: AppleQTC, Chargen, Corba, ClearCase, Daytime, Doom, Echo, IBMDB2, IPX, ISAKMP, ISI-GL, KLogin, KShell, LockD, MSSQL, Nickname, NPP, RCP, RTelnet, Spooler (same as print), Sysstat, Tacacs, Time, VNC, Whois, X, XDMCP
NBAR
Release IOS XE – Protocol Library

NBAR Features: Cisco ASR1000

IOS XE – release 2.3

Enterprise Applications: ORACLE, PCAnywhere, Novadigm
Routing Protocols: BGP, EGP, EIGRP, OSPF, RIP
Network Management: ICMP, SNMP, Syslog
RPC: NFS
Database: SQL-exec
Network Mail Services: IMAP, SMTP
Directory: Finger, Kerberos
Signaling: RSVP
NBAR
Release IOS XE – Protocol Library

NBAR Features: Cisco ASR1000

IOS XE – release 2.3

Security and Tunneling: GRE, IPINIP, IPsec, L2TP, LDAP, PPTP, SFTP, SIMAP, SIRC, SLDAP, SNNTP, SPOP3, STELNET, SOCKS, SSH
Internet: Gopher, IRC, NetBIOS, NOTES, NNTP, NTP
NBAR
Release IOS XE – Protocol Library

NBAR Features: Cisco ASR1000

IOS XE – release 2.5

- RTP – Base and Sub Classification (audio and video)
- SAP pdlm
- Sun-RPC pdlm
- Citrix – Base and Sub Classification pdlm
- TFTP pdlm
- Customer Protocol pdlm
- SQL-NET pdlm
- HTTP URL and Options pdlm
- FIX pdlm
- BitTorrent pdlm
- DirectConnect pdlm
- eDonkey/eMule pdlm
- FastTrack pdlm
- Gnutella pdlm
- KazaA pdlm
- WinMX pdlm
- Exchange 2003 pdlm
- Exchange 2007 pdlm
- Skype 2.0, 3.0 pdlm

Features:
- NBAR Protocol Discovery MIB
Platform Feature Comparison
Flexible NetFlow
Feature Cisco ISR Cisco ISR-G2 Cisco 72/73xx ASR1000
New Flexible NetFlow CLI 12.4(9)T 15.0(1)M 12.4(9)T Release 7

Multiple User Defined Caches 12.4(9)T 15.0(1)M 12.4(9)T Release 7

Normal Cache 12.4(9)T 15.0(1)M 12.4(9)T Release 7

Immediate Cache 12.4(9)T 15.0(1)M 12.4(9)T Radar


Permanent Cache 12.4(9)T 15.0(1)M 12.4(9)T Release 8*
Dynamic TopNTalkers 12.4(22)T 15.0(1)M 12.4(22)T Release 8*

FNF EEM Monitor 12.4(22)T 15.0(1)M 12.4(22)T Release 9*

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature C6500/EARL8 C4500/K10 Nexus 7000 Nexus1000V

New Flexible NetFlow CLI 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

Multiple User Defined Caches 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

Normal Cache 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

Immediate Cache 12.2(50)SYA Radar


Permanent Cache 12.2(50)SYA Radar
Dynamic TopNTalkers 12.2(50)SYA 12.2SG*
FNF EEM Monitor

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature CRS-1 XR12000 ASR9000 C12000

New Flexible NetFlow CLI 3.2 3.3.0 3.9(1) 12.0(33)S

Multiple User Defined Caches Radar Radar 3.9(1) 12.0(33)S

Normal Cache 3.2 3.3.0 3.9(1) 12.0(33)S

Immediate Cache 3.2 3.3.0 3.9(1) 12.0(33)S


Permanent Cache 3.2 3.3.0 3.9(1) 12.0(33)S
Dynamic TopNTalkers Radar Radar Radar

FNF EEM Monitor

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature Cisco ISR Cisco ISR-G2 Cisco 72/73xx ASR1000
Sampling
Full Flow support 12.4(9)T 15.0(1)M 12.4(9)T Release 7

Random Sampling 1:M 12.4(9)T 15.0(1)M 12.4(9)T Release 7

Random Sampling N:M

Activation
Ingress support 12.4(9)T 15.0(1)M 12.4(9)T Release 7

Egress support 12.4(9)T 15.0(1)M 12.4(9)T Release 7

Per Interface 12.4(9)T 15.0(1)M 12.4(9)T Release 7

Per Sub-Interface 12.4(9)T 15.0(1)M 12.4(9)T Release 7

On VRF Interface 12.4(9)T 15.0(1)M 12.4(9)T Release 7

Per Vlan

Per Class-map 15.1(3)T 15.1(3)T 15.1(3)T Release 9*

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature C6500/EARL8 C4500/K10 Nexus 7000 Nexus 1000V

Sampling
Full Flow support 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

Random Sampling 1:M 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

Random Sampling N:M 4.0 4.0(4)SV1

Activation
Ingress support 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

Egress support 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

Per Interface 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

Per Sub-Interface 12.2(50)SYA 12.2SG* 4.0 N/A

On VRF Interface 12.2(50)SYA 12.2SG* N/A N/A

Per Vlan 12.2SG*

Per Class-map

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature CRS-1 XR12000 ASR9000 C12000

Sampling
Full Flow support 3.2 3.3.0 3.9(1) 12.0(33)S

Random Sampling 1:M 3.2 3.3.0 3.9(1) 12.0(33)S

Random Sampling N:M

Activation
Ingress support 3.2 3.3.0 3.9(1) 12.0(33)S

Egress support 3.2 3.3.0 3.9(1) 12.0(33)S

Per Interface 3.2 3.3.0 3.9(1) 12.0(33)S

Per Sub-Interface 3.2 3.3.0 3.9(1) 12.0(33)S

On VRF Interface 3.2 3.3.0 3.9(1) 12.0(33)S

Per Vlan

Per Class-map

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature Cisco ISR Cisco ISR-G2 Cisco 72/73xx ASR1000
Exporter
NetFlow v5 Export Format 12.4(22)T 15.0(1)M 12.4(22)T Release 7

NetFlow v9 Export Format 12.4(9)T 15.0(1)M 12.4(9)T Release 7

IPFix Export Format Radar Radar Radar Radar


Export over UDP 12.4(9)T 15.0(1)M 12.4(9)T Release 7
Export over SCTP (Reliable) Radar Radar Radar Radar
Export over IPv4 12.4(9)T 15.0(1)M 12.4(9)T Release 7

Export over IPv6 Radar Radar Radar Radar

Exporter MTU Radar Radar Radar Radar

Export in a VRF 12.4(9)T 15.0(1)M 12.4(9)T Release 7

FNF QOS output features 12.4(20)T 15.0(1)M 12.4(20)T Release 7

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature C6500/EARL8 C4500/K10 Nexus 7000 Nexus 1000V

Exporter
NetFlow v5 Export Format 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

NetFlow v9 Export Format 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

IPFix Export Format Radar Radar Radar Radar


Export over UDP 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1
Export over SCTP (Reliable) Radar Radar Radar Radar
Export over IPv4 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

Export over IPv6 Radar Radar 4.2(1)

Exporter MTU Radar Radar Radar Radar

Export in VRF 12.2(50)SYA 12.2SG*

FNF QOS output features 12.2(50)SYA 12.2SG* 4.0

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature CRS-1 XR12000 ASR9000 C12000

Exporter

NetFlow v5 Export Format

NetFlow v9 Export Format 3.2 3.3.0 3.9(1) 12.0(33)S

IPFix Export Format Radar Radar Radar


Export over UDP 3.2 3.3.0 3.9(1) 12.0(33)S
Export over SCTP (Reliable) Radar Radar Radar
Export over IPv4 3.2 3.3.0 3.9(1) 12.0(33)S

Export over IPv6 Radar Radar Radar

Exporter MTU Radar Radar Radar

Export in a VRF 3.2 3.3.0 3.9(1) 12.0(33)S

FNF QOS output features 3.2 3.3.0 3.9(1)

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature Cisco ISR Cisco ISR-G2 Cisco 72/73xx ASR1000
IPv4 Flows

IPv4 Unicast Flows 12.4(9)T 15.0(1)M 12.4(9)T Release 7

IPv4 Predefined Aggregations 12.4(9)T 15.0(1)M 12.4(9)T Release 7

IPv4 Multicast Flows 12.4(22)T 15.0(1)M 12.4(22)T Radar

IPv4 Multicast Replication Factor 12.4(22)T 15.0(1)M 12.4(22)T Radar

IPv4 Header Section Field 12.4(9)T 15.0(1)M 12.4(9)T Release 8*

IPv4 Payload Section Field 12.4(9)T 15.0(1)M 12.4(9)T Release 8*

UDP Fields 12.4(9)T 15.0(1)M 12.4(9)T Release 7

TCP Fields 12.4(9)T 15.0(1)M 12.4(9)T Release 7

SCTP Fields Radar Radar Radar Radar

Application Name (NBAR) Field 15.0(1)M 15.0(1)M 15.0(1)M Release 7

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature C6500/EARL8 C4500/K10 Nexus 7000 Nexus 1000V

IPv4 Flows

IPv4 Unicast Flows 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

IPv4 Predefined Aggregations 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

IPv4 Multicast Flows 12.2(50)SYA 12.2SG* Radar

IPv4 Multicast Replication Factor 12.2(50)SYA 12.2SG* Radar

IPv4 Header Section Field Radar

IPv4 Payload Section Field Radar

UDP Fields 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

TCP Fields 12.2(50)SYA 12.2SG* 4.0 4.0(4)SV1

SCTP Fields Radar

Application Name (NBAR) Field

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature CRS-1 XR12000 ASR9000 C12000

IPv4 Flows

IPv4 Unicast Flows 3.2 3.3.0 3.9(1) 12.0(33)S

IPv4 Predefined Aggregations 3.2 3.3.0 3.9(1) 12.0(33)S

IPv4 Multicast Flows 3.5.0 3.5.0 3.9(1) 12.0(33)S

IPv4 Multicast Flows 3.5.0 3.5.0 3.9(1) 12.0(33)S

IPv4 Header Section Field 12.0(33)S

IPv4 Payload Section Field 12.0(33)S

UDP Fields 3.2 3.3.0 3.9(1) 12.0(33)S

TCP Fields 3.2 3.3.0 3.9(1) 12.0(33)S

SCTP Fields Radar Radar Radar

Application Name (NBAR) Field

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature Cisco ISR Cisco ISR-G2 Cisco 72/73xx ASR1000
IPv6 Flows

IPv6 Unicast Flows 12.4(20)T 15.0(1)M 12.4(20)T Release 8*

IPv6 Predefined Aggregations 12.4(20)T 15.0(1)M 12.4(20)T Release 8*

IPv6 Multicast Flows Radar Radar Radar Radar

IPv6 Multicast Replication Factor Radar Radar Radar Radar

IPv6 Header Section Field 12.4(20)T 15.0(1)M 12.4(20)T Release 8*

IPv6 Payload Section Field 12.4(20)T 15.0(1)M 12.4(20)T Release 8*

UDP Fields 12.4(20)T 15.0(1)M 12.4(20)T Release 8*

TCP Fields 12.4(20)T 15.0(1)M 12.4(20)T Release 8*

SCTP Fields Radar Radar Radar Radar

Application Name (NBAR) Field Radar Radar Radar Radar

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature C6500/EARL8 C4500/K10 Nexus 7000 Nexus 1000V

IPv6 Flows

IPv6 Unicast Flows 12.2(50)SYA 12.2SG* 4.0 Radar

IPv6 Predefined Aggregations 12.2(50)SYA 12.2SG* 4.0 Radar

IPv6 Multicast Flows Radar Radar Radar Radar

IPv6 Multicast Replication Factor Radar Radar Radar Radar

IPv6 Header Section Field Radar

IPv6 Payload Section Field Radar

UDP Fields 12.2(50)SYA 12.2SG* 4.0 Radar

TCP Fields 12.2(50)SYA 12.2SG* 4.0 Radar

SCTP Fields Radar

Application Name (NBAR) Field

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature CRS-1 XR12000 ASR9000 C12000

IPv6 Flows

IPv6 Unicast Flows 3.5.0 3.6.0 3.9(1)

IPv6 Predefined Aggregations 3.5.0 3.6.0 3.9(1)

IPv6 Multicast Flows Radar Radar Radar

IPv6 Multicast Replication Factor Radar Radar Radar

IPv6 Header Section Field Radar Radar Radar

IPv6 Payload Section Field Radar Radar Radar

UDP Fields 3.5.0 3.6.0 3.9(1)

TCP Fields 3.5.0 3.6.0 3.9(1)

SCTP Fields Radar Radar Radar

Application Name (NBAR) Field

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature Cisco ISR Cisco ISR-G2 Cisco 72/73xx ASR1000

Layer 2 Flows 12.4(22)T 15.0(1)M 12.4(22)T Radar

MPLS Flows Radar Radar Radar Radar

MPLS + IPv4 Flows Radar Radar Radar Radar

MPLS + IPv6 Flows Radar Radar Radar Radar

MPLS + IPv6/IPv4 Flows Radar Radar Radar Radar

Ingress VRF name Field 15.0(1)M 15.0(1)M 15.0(1)M Release 7

Class-map Name (C3PL) Field 15.1(3)T 15.1(3)T 15.1(3)T Release 9*

4 Bytes AS Field 15.1(2)T 15.1(2)T 15.1(2)T Release 7

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature C6500/EARL8 C4500/K10 Nexus 7000 Nexus 1000V

Layer 2 Flows 12.2(50)SYA 12.2SG* 4.2(1)

MPLS Flows Radar Radar Radar

MPLS + IPv4 Flows Radar Radar Radar

MPLS + IPv6 Flows Radar Radar Radar

MPLS + IPv6/IPv4 Flows

Ingress VRF name Field 12.2(50)SYA 12.2SG*

Class-map Name (C3PL) Field Radar Radar

4 Bytes AS Field 12.2(50)SYA 12.2SG* 4.2(1) 4.2(1)

*: not committed yet

Platform Feature Comparison
Flexible NetFlow
Feature CRS-1 XR12000 ASR9000 C12000

Layer 2 Flows Radar Radar Radar

MPLS Flows 3.3.1 3.5.0 3.9(1)

MPLS + IPv4 Flows 3.3.1 3.5.0 3.9(1)

MPLS + IPv6 Flows 3.5.0 3.6.0 3.9(1)

MPLS + IPv6/IPv4 Flows 3.6.0 3.6.0

Ingress VRF name Field Radar Radar Radar

Class-map Name (C3PL) Field Radar Radar Radar

4 Bytes AS Field 3.4.0 3.4.0 3.9(1)

*: not committed yet
