Embedded Automations
with Cisco IOS® Network Elements
Bruno Klauser
Consulting Engineer NMS/OSS
European Markets
bklauser@cisco.com
wwwin-people.cisco.com/bklauser
[Figure: Device Manageability Instrumentation (DMI), from Basic Instrumentation (GET / SET) via Quality of Service SLA to Transaction Experience SLA; shown against Compute (Cloud, XaaS, Computing), Collaborate (Unified Comms), Connect (Managed Network Services), Customize, Configure Security, Basic SLA, DC / Headquarters]
Increase in
- Application awareness
- Real-time management
- Custom requirements
- Programmability
• How to be prepared?
• How to diagnose?
• Make use of Smart Services?
• Could we offer even tighter SLA?
• Automate remedy & mitigation?
• ...
• Will we breach any SLA?
• What is our performance?
• How to identify applications?
• ...
What if something goes wrong? Are we meeting SLA?
“A set of decisions about how to do something in the future.”
Cambridge Dictionary, http://dictionary.cambridge.org
Presentation_ID © 2008, 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential / Cisco Public 13
Service Planning
Learn from your existing Services …
New Services: Baselining, Application requirements, SLA and SLC, Break-Proof Indicators, Product management
Current Services: SLA compliance, Resources and capacity, Deliverables
Monitoring: Performance sources, Collected data, Historical data
Problem Management: Incidents, Problem sources, Troubleticketing
resource policy
policy my-erm-policy-1 type iosprocess
system
cpu total
critical rising 90 interval 15 falling 20 interval 10 global
major rising 70 interval 15 falling 15 interval 10 global
minor rising 60 interval 15 falling 10 interval 10 global
!
Solution: Use Bulk File MIB to define the data we need and
periodically transfer it to a convenient location
- group data from multiple MIBs
- single, common polling interval
- buffer data
- transfer using RCP, FTP, TFTP
- format ASCII or Binary
Available from: IOS 12.0(24)S, 12.2(25)S, 12.3(2)T, IOS XE 2.1, IOS XR 3.2
Platforms: ASR1k, 18xx, 28xx, 38xx, 19xx, 29xx, 39xx, 65xx, 72xx, 73xx, 76xx, 10xxx, ME3400, C4k, C6k, …
See: http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.2.1.2
Service Planning
Configuration – Example
1. Define Lists of relevant OIDs (Names for IF-MIB, ASN.1 for all others)
What data am I interested in?
Router(config)# snmp mib bulkstat object-list my-if-data
Router(config-bulk-objects)# add ifIndex
Router(config-bulk-objects)# add ifDescr
Router(config-bulk-objects)# add ifAdminStatus
Router(config-bulk-objects)# add ifOperStatus
Router(config-bulk-objects)# exit
See: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cfg_snmp_sup.html
Available from: IOS 12.0(5)T (EXPRESSION-MIB), 12.3(7)T (SNMPset in TCL script), 12.4(20)T (CLI)
Service Planning
Event-MIB
The EVENT-MIB provides a superset of the capabilities of the RMON alarm and event groups.
EVENT-MIB can monitor
- any MIB object (existence)
- any integer/counter (boolean, threshold)
EVENT-MIB sends an SNMP notification in response to a trigger (like RMON) but adds the concept of setting a MIB object (integers)
EVENT-MIB can specify which variables to add to the notification
RFC 2981-compliant; introduced in 12.2(4)T
From 12.4(20)T onwards, configuration support via CLI was added.
See: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cfg_snmp_sup_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1125529
Available from: IOS 12.2(4)T (EVENT-MIB), 12.3(7)T (SNMPset in TCL script), 12.4(20)T (CLI)
Platforms: 18xx, 28xx, 38xx, 72xx, 73xx, 76xx
Service Planning
EXPRESSION- & EVENT-MIB
2. Create an Event: if utilization > 50%, generate an Event
[Figure: decision flow for choosing a monitoring method. Decision points: Is a certain value from a "CLI show command" supported in your device via SNMP? Is EEM 3.1 supported in your device? Is the Expression-MIB supported? Is the device running 12.4(20)T or higher? Is the RFC2982-MIB supported? Outcomes: Script #1, EEM policy based on CLI; Expression-MIB; Script #2, EEM policy based on the RFC2982-MIB; Script #3, EEM policy based on the Expression-MIB]
Reference: http://www.cisco.com/go/mibs (SNMP Object Navigator, Cisco IOS MIB Locator)
Flexible NetFlow
Advantages: cache and export content flexibility
- User selection of flow keys
- User definition of the records
[Figure: Metering Process with two example flow records]
Record 1, Key Fields: Source IP 3.3.3.3, Destination IP 2.2.2.2, Source Port 23, Destination Port 22078, Layer 3 Protocol TCP - 6, TOS Byte 0, Input Interface Ethernet 0; Non-Key Fields: Packets, Bytes, Timestamps, Next Hop Address
Record 2, Key Fields: Source IP 3.3.3.3, Dest IP 2.2.2.2, Input Interface Ethernet 0, SYN Flag 0; Non-Key Fields: Packets, Timestamps
4. Apply to an Interface
On which Interface do I want to monitor?
Router(config)# interface s3/0
Router(config-if)# ip flow monitor my-monitor input
[Table of Flexible NetFlow non-key fields (courtesy of Plixer): Packets, Packets Long, … plus any of the potential “key” fields, whose value will be the one from the first packet in the flow]
(*) IPV4_TOTAL_LEN_MIN, IPV4_TOTAL_LEN_MAX
(**) IP_LENGTH_TOTAL_MIN, IP_LENGTH_TOTAL_MAX
interface pos3/0
 ip flow monitor traffic-matrix-monitor
[Figure: TCP SYN attacks towards the servers' network 10.10.10.0/24]
The top 100 pairs of IP addresses with one or two packet(s) that are destined for my servers' network
Embedded Event Manager
[Figure: EEM architecture]
Event Detectors (EDs): Syslog, SNMP (Remote: Notification; Local: Notification, Get/Set), Timer (Cron, Count), none, Interface Counter, HW Watchdog (Fan, Temp, Env), CLI, OIR, ERM, EOT, RF, GOLD, NetFlow, IPSLA, Route, 802.1x, MAC, XML RPC, CDP, LLDP; also Process Scheduler, Interface Descriptor Blocks, Database
3. An EEM Policy is activated that initiates a pre-defined set of actions
Policy: EEM Applets, IOS.sh Policies, TCL Policies (multi-event-correlation)
Actions: email notification, SNMP set, SNMP Counter, SNMP get, SNMP notification, Reload or switch-over, Application specific, CLI, Syslog, IOS.sh Applets/Policies, TCL Policies

Comparison of policy types:
- EEM Applets: part of the Cisco IOS configuration; based on CLI commands; simple actions; programmatic extensions: Applet
- IOS.sh Policies: separate ASCII file (my-policy.sh); based on Cisco IOS CLI and shell commands; effective shell-like simple scripting; registered via the Cisco IOS config
- TCL Policies: separate ASCII file (my-policy.tcl); based on Cisco IOS CLI and Safe TCL commands; flexible and powerful scripting capabilities; registered via the Cisco IOS config
Solution I: use EEM Syslog Event Detector and a CLI Applet to trigger the
change
CLI Applet
event manager applet config_upon_ntp
event syslog pattern ".*%NTP-5-PEERSYNC.*"
action 100 syslog msg "Starting ..."
:
... Your Config Changes Here ...
:
action 999 syslog msg "... done"
Solution III: use EEM Syslog Event Detector and a TCL Policy to trigger the change …
if [catch {cli_exec $cli(fd) "enable\n conf term\n hostname $newname\n end"} result] {
    action_syslog msg "Failed to set hostname: $result : $errorInfo"
    error $result $errorInfo
} else {
    action_syslog msg "Set hostname from $oldname to $newname"
}
router#
*Dec 10 10:43:29.061: %HA_EM-6-LOG: config_upon_ntp.tcl: Starting ...
*Dec 10 10:43:29.197: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:config_upon_ntp.tcl)
*Dec 10 10:43:29.329: %HA_EM-6-LOG: config_upon_ntp.tcl: Set hostname from router to it-worked
*Dec 10 10:43:29.329: %HA_EM-6-LOG: config_upon_ntp.tcl: ... done
it-worked#
Solution: Track the Route using Enhanced Object Tracking (EOT) and Embedded Event Manager (EEM)
[Figure: EOT/EEM with email notification; labels 1.1.1.1/32 and 172.27.121.177]
The applet will trigger when the route 10.1.1.0/24 is learned via OSPF
The applet will try to ping host 10.1.1.1, and when it is successful, it will take down the backup tunnel interface
Question: how many ping attempts will be made?
[Figure: Cisco IOS CLI modes]
Privileged EXEC Mode (router#): show, ping, debug, ...
User EXEC Mode (router>): show (limited), ping, enable, ...
Also shown: conf t, scripts, Startup Configuration and running configuration (copy run start)
See: www.cisco.com/en/US/docs/ios/preface/usingios.html
Command Line Interface (CLI) – Basics 1/2
A Series of usability features are available in IOS:
Exec Commands from within Config Mode (from 12.0(21)S, 12.2(8)T)
Issue Exec commands without leaving Config Mode
router# conf t
router(config)# do copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
router(config)#
See: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_role_base_cli_ps6441_TSD_Products_Configuration_Guide_Chapter.html
Available from: IOS 12.3(7)T / 12.3(11)T
Deployment & Activation
Role-Based CLI Access (CLI Views) – 2/3
How to configure a view
Router(config)# aaa new-model
Router(config)# aaa authentication login default local
Router(config)# aaa authorization exec default local
(Always a good practice)
Router(config)# username marisol view first pass ww
Router(config)# username root view root pass ww
Router(config)# parser view first
Router(config-view)# pass 5 ww
Router(config-view)# commands exec include sho version
Router(config-view)# exit
Show command
Router# show parser view [all]
Current view is 'first'
Superview
parser view second
secret www
commands exec include-exclusive show ip interface
commands exec include show ip
commands exec include show
commands exec include logout
!
parser view mysuperview1 superview
secret wwww
view first
view second
What if I need a simple
script?
function CISCO_AP_AUTO_SMARTPORT () {
    if [[ $LINKUP -eq YES ]]; then
        conf t
            interface $INTERFACE
                macro description $TRIGGER
                switchport trunk encapsulation dot1q
                switchport trunk native vlan $NATIVE_VLAN
                switchport trunk allowed vlan ALL
                switchport mode trunk
                switchport nonegotiate
                auto qos voip trust
                mls qos trust cos
            exit
        end
    fi
    if [[ $LINKUP -eq NO ]]; then
Router#tclsh
Router(tcl)#puts "Hello There"
Hello There
Router(tcl)#ios_config "interface fa0/0" "description Main Uplink"
Router(tcl)#exit
Router#
(puts: TCL built-in command; ios_config: TCL Cisco IOS extended command; its arguments are Cisco IOS commands)
It will run in a limited mode for untrusted scripts or not run at all
See: http://www.cisco.com/en/US/docs/ios/12_4t/netmgmt/configuration/guide/sign_tcl.html
Available from: IOS 12.4(15)T, 12.4(11)XW
Platforms: 8xx, 18xx ISRs, 26xx, 36xx, 37xx, IAD, 72xx, 7301, UC520, …
Deployment & Activation
Signed TCL Scripts – Trusted Mode
By default: disabled
CLI to enable signature check
Router(config)# scripting tcl secure-mode
crypto pki trustpoint <name>
crypto pki authenticate <name>
Link TCL to the trustpoint
Router(config)# scripting tcl trustpoint name <name>
Note:
NTP must be configured or the router
clock must be authoritative
Kron and Tcl can run together since 12.4(4)T
Available from: EEM 2.1, integrated with XML PI from EEM 3.0
Example: Using EEM CLI Event Detector
Problem: VLAN 380 should not be accidentally removed from a trunk
Other Examples:
• no mpls ip
• no router isis
• debug all
Solution: use EEM CLI Event Detector:
Option a: Don't prevent anything, just issue a syslog notification:
event manager applet cli-async
 event cli pattern "switchport trunk allowed vlan remove.*380.*" sync no skip no
 action 1.0 syslog msg "Removing VLAN 380"
Option c: Ask for confirmation, then allow or prevent the entire command:
event manager applet cli-sync
 event cli pattern "switchport trunk allowed vlan remove.*380.*" sync yes
 action 1.0 puts "Confirm removing VLAN 380 [yes|no]:"
 action 2.0 gets response
 action 3.0 if $response eq yes goto 5.0
 action 4.0 puts "NOK - VLAN 380 will NOT be removed"
 action 4.1 exit 0
 action 5.0 puts "OK - VLAN 380 will be removed"
 action 5.1 exit 1
Caveats: the command may be (much) bigger than what you match! Ranges!
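Worked illustration of the caveat above, added here and not part of the original deck: the slide's pattern `switchport trunk allowed vlan remove.*380.*` is run against a few constructed command lines, next to a checker that expands the IOS VLAN list and tests whether VLAN 380 is actually in it. The checker expects the full keywords as typed; only the regex and the VLAN number come from the slide.

```python
import re
from typing import List, Set, Tuple

# The pattern used by the two applets on the slide.
DECK_PATTERN = re.compile(r"switchport trunk allowed vlan remove.*380.*")

# Constructed sample commands (not captured from a device).
SAMPLE_COMMANDS = [
    "switchport trunk allowed vlan remove 380",         # the case the slide targets
    "switchport trunk allowed vlan remove 1380",        # false positive: 1380 is not 380
    "switchport trunk allowed vlan remove 300-400",     # missed: a range that contains 380
    "switchport trunk allowed vlan remove 10,370-390",  # missed: a list with a range
    "switchport trunk allowed vlan add 380",            # not a removal at all
]


def deck_pattern_matches(command: str) -> bool:
    """True when the slide's regular expression would fire on this command line."""
    return DECK_PATTERN.search(command) is not None


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,370-390' into the set of VLAN IDs it names."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


# Anchored match of the full command with the VLAN list captured as one token.
REMOVE_CMD = re.compile(r"^\s*switchport\s+trunk\s+allowed\s+vlan\s+remove\s+(\S+)\s*$")


def removes_vlan(command: str, vlan: int) -> bool:
    """True only when the command really removes `vlan` from the allowed list,
    whether it is named directly or covered by a range."""
    m = REMOVE_CMD.match(command)
    if not m:
        return False
    try:
        return vlan in parse_vlan_list(m.group(1))
    except ValueError:
        return False  # not a numeric VLAN list we understand; do not guess


def compare(commands: List[str], vlan: int = 380) -> List[Tuple[str, bool, bool]]:
    """Side by side: (command, slide regex fires, command really removes the VLAN)."""
    return [(c, deck_pattern_matches(c), removes_vlan(c, vlan)) for c in commands]


if __name__ == "__main__":
    for cmd, regex_hit, real in compare(SAMPLE_COMMANDS):
        print(f"{cmd:48} regex={str(regex_hit):5} removes-380={real}")
```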
Editing Files on the CLI
Note: from IOS 12.3T onwards, refer to $h and $t variables within archive config path option
archive
path disk0:/config-archive
maximum 7
time-period 1440
Deployment & Activation
Example: Archiving Configuration – 4/6
Router(config)# archive
Router(config-archive)# path flash:disk0
Router(config-archive)# maximum 14
Register EEM TCL Script
Example: Synchronizing EEM Scripts 1/2
Problem: Synchronize EEM Policy .tcl files from a central Repository
Solution 1: Use event manager update commands
1. Configure the default Repository:
router(config)# event manager directory user repository tftp://172.16.64.1
*Dec 16 22:09:11.303: %HA_EM-6-FMPD_UPDATE_POLICY_COPY: Policy update has copied 647 bytes from
*Dec 12 22:09:11.329: %HA_EM-6-FMPD_UPDATE_POLICY_REGISTER: Policy update has successfully re-r
1bis. Can also sync entire groups, based on a regular expression match:
router# event manager update user policy group m.*
Example: Install Embedded Automations
Problem: Embedded Automations based on Tcl Scripting or Embedded
Event Manager may include multiple scripts, policies, configurations,
variables and pre-requisites. How can we install (and un-install) all of
these in a consistent manner?
Solution: Create a package and use the EASy Installer
Router# easy-installer tftp://10.1.1.1/my-package.tar flash:/easy
-----------------------------------------------------------------------
Configure and Install EASy Package 'my-package'
-----------------------------------------------------------------------
1. Display Package Description
2. Configure Package Parameters
3. Deploy Package Policies
4. Verify Installed Package
5. Exit
Enter option:
See: http://www.cisco.com/go/easy
How to pre-commission new
Cisco Devices ?
How to deal with new routers ...
How to deal with new routers – Auto Install
IOS AutoInstall Feature consists of:
Ethernet Interface up
DHCP Client + Option 150
See: http://www.cisco.com/en/US/docs/ios/12_1t/12_1t5/feature/guide/dt_dhcpa.html
Available from: IOS 12.1(5)T, IOS-XE 2.1.0
Platforms: ASR 1000, x8xx ISR, x9xx ISR, 37xx, ME3400, ME4900, Cat4k, Cat6k, 76xx, 10k, UC520
See also: Smart Install
Deployment & Activation
Example: Automated Pre-Commissioning
Problem: How to automatically pre-commission a new Cisco ISR without
manual intervention on the Console
Solution: Use the AutoInstall Feature combined with an external DHCP
and TFTP server
Deployment & Activation
Example: Automated Pre-Commissioning
[Figure: AutoInstall flow. Start: NE is connected to the Network. Decision points: Does a default config file exist on TFTP? Is reverse DNS successful? Does the IP map to a hostname in the network-config file? If yes, the NE attempts to get hostname-config or hostname.cfg from TFTP; otherwise the NE gets router-config or router.cfg from TFTP. Does the file exist on TFTP? Outcomes: AutoInstall Completes, or AutoInstall Fails followed by manual config completion]
Solution:
1. Order Router with no factory pre-config option
2. Run AutoInstall; ensure commissioning includes the SDM specific pre-config and downloaded SDM files:
logging buffered 51200 warnings
ip http server
ip http access-class 23
ip http secure-server
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
access-list 23 permit 10.10.10.0 0.0.0.7
username username privilege 15 secret 0 password
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
 transport input telnet ssh
3. Run SDM
How to automate entire
deployment / maintenance
scenarios ?
Deployment & Activation
Sometimes we need to automate ...
Typical Challenges:
• Large Scale
- more than just a few 12 image updates
- more than a few 100 config or file updates
• Robustness
- unreliable / un-managed access
- interruptions, outages
• Security
- authentication, privacy,
- trust and skills of on-site staff
- unknown hostnames / ip addresses
• Time
- de-coupling of deployment and activation
- many devices within small time window
• Cost
- manual, skilled labour cost vs. automated solution
Deployment & Activation
Example: Zero-Touch Deployment – 2/3
[Figure: Zero-Touch Deployment message flow between CPE, DHCP, TFTP and CCE (CNS Configuration Engine, CNS-CE) with LDAP and File System (FS). Customer Order linked to CPE ID; CPE is shipped to Customer Site / Customer Premise]
6. TFTP Response: bootstrap config
7. CPE sends HTTP request to CNS-CE (CNS Config Request, HTTPS)
8. CNS-CE verifies Object ID
9. CNS-CE verifies Device ID (LDAP)
10. CNS-CE reads template from File System
11. CNS-CE sends Config (= template + parameters from LDAP)
12. Successful event (Success/Fail Event)
13. Publish success event (Publish Success/Fail Event)
Deployment & Activation
Example: Zero-Touch Deployment – 3/3
There are:
- Data- / Information Flow via the NMS Systems (left Hemisphere)
- Physical Flow (CPE) to the Branch Office or Customer Premise (right Hemisphere)
ZTD Automation uses:
- Separation to allow for Efficiency and Flexibility
- CNS Device ID and CNS Config ID to link the two Flows

router(config)#cns id ?
  Async               Async interface
  Auto-Template       Auto-Template interface
  BVI                 Bridge-Group Virtual Interface
  CDMA-Ix             CDMA Ix interface
  CTunnel             CTunnel interface
  Dialer              Dialer interface
  FastEthernet        FastEthernet IEEE 802.3
  Group-Async         Async Group interface
  Lex                 Lex interface
  Loopback            Loopback interface
  MFR                 Multilink Frame Relay bundle interface
  Multilink           Multilink-group interface
  Port-channel        Ethernet Channel of interfaces
  Service-Engine      cisco service engine module
  Tunnel              Tunnel interface
  Vif                 PGM Multicast Host interface
  Virtual-Dot11Radio  Virtual dot11 interface
  Virtual-PPP         Virtual PPP interface
  Virtual-Template    Virtual Template interface
  Virtual-TokenRing   Virtual TokenRing
  hardware-serial     Use hardware serial number as unique ID
  hostname            Use hostname as unique ID
  string              Use an arbitrary string as the unique ID
  udi                 Use the UDI as unique ID
  vmi                 Virtual Multipoint Interface
What about Applications?
What are NETCONF and XML PI ? – 1/2
NETCONF is a Protocol designed to securely exchange configuration information with a network element
NETCONF aims to provide simplicity to allow easy adoption in the industry and across hardware vendors
NETCONF aims to provide extensibility to allow devices to express their unique capabilities
[Figure: NETCONF Client sends a Request to, and receives a Response from, the NETCONF Server]
See: http://www.ops.ietf.org/netconf/
Deployment & Activation
Example: Edit the running config
Request:
<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="3"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <edit-config>
    <target><running/></target>
    <config>
      <xml-config-data>
        <Device-Configuration>
          <ip>
            <host>
              <NameHost>valhalla</NameHost>
              <HostIPAddress>10.2.3.5</HostIPAddress>
            </host>
          </ip>
        </Device-Configuration>
      </xml-config-data>
    </config>
  </edit-config>
</rpc>]]>]]>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="3" xmlns="urn:ietf:params:netconf:base:1.0">
  <ok/>
</rpc-reply>
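An added example (not from the original deck or from Cisco) of the client side of the exchange above: it builds the same edit-config request with Python's standard library, frames it with the `]]>]]>` end-of-message delimiter, splits a received stream on that delimiter and classifies each rpc-reply, accepting both the RFC base namespace and the shorter one the IOS reply above carries. The sample stream is constructed, including the error reply.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"   # RFC 4741 base namespace
IOS_LEGACY_NS = "urn:ietf:params:netconf:base:1.0"   # namespace seen in the IOS reply above
EOM = "]]>]]>"                                       # NETCONF 1.0 end-of-message delimiter


def build_ip_host_edit(message_id: int, name: str, address: str) -> str:
    """Build the slide's edit-config RPC (adds 'ip host <name> <address>' to the
    running config) and append the end-of-message delimiter."""
    rpc = ET.Element("rpc", {"xmlns": NC_NS, "message-id": str(message_id)})
    edit = ET.SubElement(rpc, "edit-config")
    ET.SubElement(ET.SubElement(edit, "target"), "running")
    data = ET.SubElement(ET.SubElement(edit, "config"), "xml-config-data")
    device = ET.SubElement(data, "Device-Configuration")
    host = ET.SubElement(ET.SubElement(device, "ip"), "host")
    ET.SubElement(host, "NameHost").text = name
    ET.SubElement(host, "HostIPAddress").text = address
    return '<?xml version="1.0" encoding="UTF-8"?>' + ET.tostring(rpc, encoding="unicode") + EOM


def split_frames(stream: str) -> List[str]:
    """Split received text into complete messages. A trailing fragment that has
    no delimiter yet is still in flight and is not returned."""
    parts = stream.split(EOM)
    return [p.strip() for p in parts[:-1] if p.strip()]


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def _namespace(tag: str) -> str:
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def classify_reply(frame: str) -> Dict[str, Optional[str]]:
    """Return message-id and outcome ('ok', 'error' or 'unknown') of one rpc-reply."""
    root = ET.fromstring(frame)
    if _local(root.tag) != "rpc-reply":
        raise ValueError("not an rpc-reply: %s" % root.tag)
    if _namespace(root.tag) not in (NC_NS, IOS_LEGACY_NS):
        raise ValueError("unexpected namespace: %s" % _namespace(root.tag))
    result: Dict[str, Optional[str]] = {"message-id": root.get("message-id"),
                                        "outcome": "unknown", "error": None}
    for child in root:
        if _local(child.tag) == "ok":
            result["outcome"] = "ok"
        elif _local(child.tag) == "rpc-error":
            result["outcome"] = "error"
            msg = next((e for e in child if _local(e.tag) == "error-message"), None)
            result["error"] = (msg.text or "").strip() if msg is not None else None
    return result


# Constructed sample stream: the slide's <ok/> reply, a constructed error reply,
# and the beginning of a third reply that has not finished arriving.
SAMPLE_STREAM = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<rpc-reply message-id="3" xmlns="urn:ietf:params:netconf:base:1.0"><ok/></rpc-reply>' + EOM +
    '<rpc-reply message-id="4" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><rpc-error>'
    '<error-type>application</error-type><error-tag>operation-failed</error-tag>'
    '<error-message>constructed: edit rejected</error-message></rpc-error></rpc-reply>' + EOM +
    '<rpc-reply message-id="5"'
)

if __name__ == "__main__":
    print(build_ip_host_edit(3, "valhalla", "10.2.3.5"))
    for frame in split_frames(SAMPLE_STREAM):
        print(classify_reply(frame))
```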
Deployment & Activation
XML PI – Why do we care ?
Using NETCONF over SSH step-by-step
1. Configure SSH
router(config)# crypto key generate rsa
The name for the keys will be: router.yourdomain.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
4. Configure Your NETCONF Client Application (XML Files see links below)
See:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cns_netconf.html
http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srnetcon.html
http://www.cisco.com/en/US/docs/ios/12_2sr/12_2srb/feature/guide/srbnetbe.html
An Open API for Automation
Deployment & Activation
Web Services Management Agents (WSMA)
Problem: There are CNS Agents in IOS and Config Engine to automate some
typical zero-touch-deployment and maintenance scenarios. How can I automate
other scenarios directly from my own Applications ?
Phase I: XML/SOAP Request / Response and Notification
WSMA Engine + Agents:
- Config Agent
- Exec Agent
- File System Agent
- Notify Agent (Config Change Events)
See: http://tinyurl.com/wsma-in-150M
Available from: IOS 12.4(24)T
Platforms: x8xx ISRs, 72xx, 73xx, UC520
Deployment & Activation
WSMA – Architecture
[Figure: WSMA architecture. Transports (SSH, HTTP, HTTPS) carry XML / SOAP Messages through the WSMA Transport to the WSMA Engine (Listeners, Initiators; WSMA XML Schema), which dispatches to the WSMA Agents: Config Agent (running and startup config), Exec Agent (exec mode), File System Agent (file system), Notify Agent]
Deployment & Activation
WSMA Exec Request Example
Deployment & Activation
WSMA Exec Response Example
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP:Body>
    <response xmlns="urn:cisco:wsma-exec" correlator="14" success="1">
      <execLog>
        <dialogueLog>
          <sent> show arp</sent>
          <received>
            <ShowArp xmlns="ODM://disk2:/spec.odm//show_arp">
              <SpecVersion>1.0.0</SpecVersion>
              <ARPTable>
                <entry>
                  <Protocol>Internet</Protocol>
                  <Address>2.1.1.1</Address>
                  <Age>0</Age>
                  <MAC>0001.42df.59e2</MAC>
                  <Type>ARPA</Type>
                  <Interface>GigabitEthernet0/1</Interface>
                </entry>
              </ARPTable>
            </ShowArp>
          </received>
        </dialogueLog>
      </execLog>
    </response>
  </SOAP:Body>
</SOAP:Envelope>]]>]]>
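An added parser (not from the deck or from Cisco) for the exec response above, showing how a client would check the `success` attribute and read the ODM-structured ARP entries instead of scraping `show arp` text. The sample input is the slide's reply retyped with the closing `</ARPTable>` tag, which the slide omits.

```python
import xml.etree.ElementTree as ET
from typing import Any, Dict

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSMA_EXEC_NS = "urn:cisco:wsma-exec"
EOM = "]]>]]>"   # end-of-message delimiter that follows the SOAP envelope

# Constructed test input: the slide's reply with the </ARPTable> closing tag added.
SAMPLE_RESPONSE = (
    '<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"><SOAP:Body>'
    '<response xmlns="urn:cisco:wsma-exec" correlator="14" success="1"><execLog>'
    '<dialogueLog><sent> show arp</sent><received>'
    '<ShowArp xmlns="ODM://disk2:/spec.odm//show_arp"><SpecVersion>1.0.0</SpecVersion>'
    '<ARPTable><entry><Protocol>Internet</Protocol><Address>2.1.1.1</Address><Age>0</Age>'
    '<MAC>0001.42df.59e2</MAC><Type>ARPA</Type><Interface>GigabitEthernet0/1</Interface>'
    '</entry></ARPTable></ShowArp></received></dialogueLog></execLog></response>'
    '</SOAP:Body></SOAP:Envelope>]]>]]>'
)


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def _namespace(tag: str) -> str:
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def parse_exec_response(frame: str) -> Dict[str, Any]:
    """Parse one wsma-exec response: correlator, success flag, the command echoed
    back, the ODM spec that structured the output, and the ARP entries it carries."""
    env = ET.fromstring(frame.split(EOM, 1)[0])
    body = env.find("{%s}Body" % SOAP_NS)
    if body is None:
        raise ValueError("SOAP Body missing")
    resp = body.find("{%s}response" % WSMA_EXEC_NS)
    if resp is None:
        raise ValueError("wsma-exec response missing")
    result: Dict[str, Any] = {
        "correlator": resp.get("correlator"),
        "success": resp.get("success") == "1",
        "sent": None,
        "odm_spec": None,
        "arp": [],
    }
    sent = resp.find(".//{%s}sent" % WSMA_EXEC_NS)
    if sent is not None and sent.text:
        result["sent"] = sent.text.strip()
    received = resp.find(".//{%s}received" % WSMA_EXEC_NS)
    if received is None:
        return result
    for table in received:
        # ODM-formatted output sits in a namespace named after the spec file that produced it.
        if _local(table.tag) == "ShowArp":
            result["odm_spec"] = _namespace(table.tag)
            for entry in table.iter():
                if _local(entry.tag) == "entry":
                    result["arp"].append({_local(f.tag): (f.text or "").strip() for f in entry})
    return result


if __name__ == "__main__":
    print(parse_exec_response(SAMPLE_RESPONSE))
```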
Deployment & Activation
Using WSMA step-by-step
1. Configure Desired WSMA Transport – HTTP, HTTPS or SSH v2:
router(config)# crypto key generate rsa
The name for the keys will be: router.yourdomain.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
5. If XML Formatted Exec Output is desired, deploy and use *.ODM Spec Files
See: http://tinyurl.com/wsma-in-150M and
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cfg_wsma.html
Wrap-Up & Close
In Summary
Testing, Verification & Assurance
Two Types of Questions
Is it working ? Testing and Verification
Verify planning and design assumptions were valid
Ensure Deployment & Activation Phase was successful
Proactively eliminate well-known potential problems
Periodically verify design assumptions
Testing, Verification & Assurance
Two Types of Connectivity
Connectivity, Yes/No Testing and Verification
If the user can reach the IP endpoint the service is available
Can be calculated using basic availability equation
Testing, Verification & Assurance
Verify (bounded criteria) Connectivity
Proposal:
CLI
SNMP/MIBs:
– IF-MIB, CBQoS-MIB
– Expression-MIB & Event-MIB, RMON
NetFlow
NBAR Network Monitoring
FPM
IPSLAs
[Figure: IP SLAs operation. The Source (Cisco IOS Software with IP SLAs; MIB Data) sends Active Generated Traffic across the Core (RouterA to RouterB) to measure the network; the Destination runs the Cisco IOS Software IP SLAs Responder. Operations: Jitter, FTP, DNS, DHCP, DLSW, ICMP, UDP, TCP, HTTP, LDP, H.323, SIP, RTP, Radius, Video]
Testing, Verification & Assurance
IPSLA – Introduction 2/2
Cisco IOS feature available on most platforms; accessible via CLI and SNMP (CISCO-RTTMON-MIB)
Measure Delay, Jitter, Loss Probability
IPSLAs responder and ICMP echo probe were available within IP Base in 12.4(6)T and above
IPSLAs functionality is available in IPVoice and above packages
In 12.3T a customer can still obtain the old package types and use IPSLAs
As of 12.4T the old packages have been removed
[Timeline: since IOS 11.2; 12.2(15)T2, 12(3)3, 12.2(25)S]
[Figure: RouterA measures towards RouterC and RouterD]
RouterA(config)#
ip sla 1
 icmp-echo RouterC
 timeout 500
 frequency 10
ip sla monitor schedule 1 start-time now
ip sla 10
 udp-jitter RouterD 16384 num-packets 1000 interval 20
 request-data-size 172
 tos 20
 frequency 60
ip sla schedule 10 start-time now
Testing, Verification & Assurance
IPSLA – ICMP Echo Operation
Testing, Verification & Assurance
IPSLA – UDP Jitter Operation
Router#sh ip sla statistics 10
Round trip time (RTT) Index 10
        Latest RTT: 1 ms
Latest operation start time: *05:43:28.720 UTC Fri Jan 4 2008
Latest operation return code: OK
RTT Values
        Number Of RTT: 10
        RTT Min/Avg/Max: 1/1/1 ms
Latency one-way time milliseconds
        Number of one-way Samples: 0
        Source to Destination one way Min/Avg/Max: 0/0/0 ms
        Destination to source one way Min/Avg/Max: 0/0/0 ms
Jitter time milliseconds
        Number of Jitter Samples: 9
        Source to Destination Jitter Min/Avg/Max: 20/20/23 ms
        Destination to Source Jitter Min/Avg/Max: 22/21/24 ms
Packet Loss Values
        Loss Source to Destination: 0    Loss Destination to Source: 0
        Out Of Sequence: 0    Tail Drop: 0    Packet Late Arrival: 0
Number of successes: 1
Number of failures: 0
Operation time to live: 3567 sec
Design Decisions and Factors
Topology
- partial mesh based on traffic matrix
- full mesh
- hub and spoke
Scheduling
- minimize the number of concurrent operations
- minimize resource competition
Full Mesh
Nodes   Operations
2       1
3       3
4       6
5       10
6       15
7       21
8       28
…       …
100     4950
n       $\binom{n}{2} = \frac{n(n-1)}{2}$
• Number of operations is proportional to the square of the number of nodes
• Does not scale
Full Mesh CE-to-CE [Example]
[Figure: CE sites London, Amsterdam, San Jose, Raleigh, Paris and Brussels connected via PEs across the Core]
Full mesh is not always desirable
Select only critical paths, like branch offices to headquarters
Dramatically reduces the number of probes
Composite SLA for Delay [Example]
[Figure: CE - PE - Core - PE - CE path]
Composite SLA for Packet Drop [1/2]
First solution:
0.01 + 0.02 + 0.03 = 0.06 (6%)
Second solution:
1 - [(1 - 0.01) · (1 - 0.02) · (1 - 0.03)] = 0.058906 (5.8%)
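Added note (not on the original slide) on why the two solutions differ, with $p_1, p_2, p_3$ the per-segment drop probabilities and the segments assumed to drop packets independently:

$$1 - \prod_{i=1}^{3} (1 - p_i) \;=\; \sum_{i} p_i \;-\; \sum_{i<j} p_i p_j \;+\; p_1 p_2 p_3$$

For $p = (0.01, 0.02, 0.03)$: $\sum_i p_i = 0.06$, $\sum_{i<j} p_i p_j = 0.0002 + 0.0003 + 0.0006 = 0.0011$ and $p_1 p_2 p_3 = 0.000006$, so $0.06 - 0.0011 + 0.000006 = 0.058906$, which is the second solution. The first solution keeps only the first-order term, so it is always a slight over-estimate (an upper bound) of the end-to-end drop probability; the two agree to first order when every $p_i$ is small.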
Composite SLA for Jitter
[Figure: three path segments with jitter 2 ms, 4 ms and 3 ms]
Testing, Verification & Assurance
IPSLA – Recurring Scheduling
You can schedule a single IPSLAs operation to start automatically
at a specified time and for a specified duration every day:
The life value for a recurring IPSLAs operation should be less than
one day.
The ageout value for a recurring operation must be "never" (which is
specified with the value 0, this is the value by default), or the sum of
the life and ageout values must be more than one day.
Example:
*12.3(8)T
Testing, Verification & Assurance
IPSLA – Multiple Operations Scheduling
Operations of the same type and same frequency should be used with IPSLA multiple operations scheduling:
The notion of a group lets you start many operations at once
Reduced load on the network
If you do not specify a frequency, the default frequency will be the same as the schedule period
Example: start operations 1 to 3 within the next 20 seconds
This example starts operations 1 to 3 within the next 44 seconds, and each operation will have a random frequency varying between 10 and 15 seconds:
Router(config)#ip sla group schedule 1 1-3 schedule-period 44 frequency range 10-15 start-time now life forever
Testing, Verification & Assurance
IP SLAs – Reaction Configuration
RouterA(config)#
ip sla 10
icmp-echo 3.3.3.3
frequency 10
ip sla reaction-configuration 10 react timeout threshold-type consecutive 3 action-type trapAndTrigger
ip sla schedule 10 life forever start-time now
ip sla reaction-trigger 20 30
logging on
ip sla logging trap
snmp-server host nms_server version 2c public
snmp-server enable traps syslog
Service Testing, Verification and Assurance
Example: Track Server Reachability
IP SLA:
ip sla 10
 icmp-echo 3.3.3.3
 timeout 500
 frequency 3
ip sla schedule 10 life forever start-time now
Embedded Object Tracking (EOT):
track 10 rtr 10 reachability
 delay down 10 up 20
[Figure: IP SLA / EOT / EEM; server 3.3.3.3 becomes unreachable and an email is sent]
Environment Variables ($_* variables to be defined)
EEM Applet:
event manager applet email_server_unreachable
 event track 10 state down
 action 1.0 syslog msg "Ping has failed, server unreachable!"
 action 1.1 cli command "enable"
 action 1.2 cli command "del /force flash:server_unreachable"
 action 1.3 cli command "show clock | append server_unreachable"
 action 1.4 cli command "show ip route | append server_unreachable"
 action 1.5 cli command "more flash:server_unreachable"
 action 1.6 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "Server Unreachable: ICMP-Echos Failed" body "$_cli_result"
 action 1.7 syslog msg "Server unreachable alert has been sent to email server!"
EEM 3.0: IP SLA Event Detector
Router(config)# ip sla 10
Router(config-ip-sla)# icmp-echo 3.3.3.3
Testing, Verification & Assurance
How To Identify Applications?
Application/Protocol: How to Identify?
VoIP: UDP, TOS = 5
IPVC: TOS = 4
H.323: TCP Port = 1719, 1720 and TOS = 3
IPv6 Multicast: Format Prefix (FP) = 1111 1111
VOD: TCP Port 507
Server/Network: IP Address
Apply ACL to the Interface (in/out):
interface ethernet 0
 ip access-group 103 in
Testing, Verification & Assurance
How To Identify Applications – NetFlow
NetFlow v5 (“classic”)
Packet Sizes
Router# show ip cache flow
IP packet size distribution (85435 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .000 .125 .125 .250 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .500 .000 .000 .000 .000 .000 .000
Link Utilization
Citrix 5%
Telnet 5%
HTTP 90%
Testing, Verification & Assurance
Network Based Application Recognition
My Application Is Too Slow!
Protocol discovery analyzes multi-packet behavior and application signatures (Layers 4–7)
Enables application of QoS policies to traffic flows
[Figure: link utilization per traffic class – Best-Effort ≥ 25%, Real-Time ≤ 33%, P2P, Interactive-Video, Bulk Data, Streaming-Video, Routing, Net Mgmt, Call-Signaling, Transactional, Mission-Critical]
Testing, Verification & Assurance
NBAR Principles
Network-Based Application Recognition classifies traffic by protocol (Layers 4–7)
Protocol discovery analyzes application traffic patterns in real time and discovers which applications are running on the network
NBAR supports Cisco IOS QoS features to apply application-level QoS policies
Guaranteed bandwidth with Class-based Weighted Fair Queuing (CBWFQ)
Policing and limiting bandwidth
Marking (ToS or IP DSCP)
Drop policy with weighted random early detection (WRED)
…
14 napster   Mv: 3
15 fasttrack Mv: 2
16 gnutella  Mv: 3, Nv: 2; disk1:gnutella.pdlm
17 kazaa2    Mv: 7
(kazaa2 was added with a PDLM; the PDLM must first be loaded to the router)
Testing, Verification & Assurance
NBAR – Supported Protocols
Enterprise Applications: Citrix ICA, PCAnywhere, Novadigm, SAP
Routing Protocols: BGP, EGP, EIGRP, OSPF, RIP
Network Management: ICMP, SNMP, Syslog, RPC, NFS, SUN-RPC
Database: SQL*NET, MS SQL Server
Security and Tunneling: GRE, IPINIP, IPsec, L2TP, MS-PPTP, SFTP, SHTTP, SIMAP, SIRC, SLDAP, SNNTP, SPOP3, STELNET, SOCKS, SSH
Voice: H.323, RTCP, RTP, SIP, SCCP/Skinny, Skype
Network Mail Services: IMAP, POP3, Exchange, Notes, SMTP
Directory: DHCP/BOOTP, Finger, DNS, Kerberos, LDAP
Streaming Media: CU-SeeMe, Netshow, Real Audio, StreamWorks, VDOLive, RTSP, MGCP
Signaling: RSVP
Internet: FTP, Gopher, HTTP, IRC, Telnet, TFTP, NNTP, NetBIOS, NTP, Print, X-Windows
Peer-to-Peer: BitTorrent, Direct Connect, eDonkey/eMule, FastTrack, Gnutella, KaZa A, WinMX 2.0
Testing, Verification & Assurance
NBAR – Recent and Upcoming Protocols
Recent:
Enterprise Applications: Citrix ICA Priority Tagging, SAP (c-app, c-msg, app-app)
Peer-to-Peer: BitTorrent, Direct Connect, eDonkey/eMule, FastTrack, Gnutella (update), WinMX 2.0
Streaming Media: RTSP, MGCP
Voice: RTCP, SIP, SCCP/Skinny, Skype v1, v2, v3
Security and Tunneling: L2TP
User-Defined: HTTP header field 12.3(11)T; Multiple matches per port 12.4(2)T
Upcoming (on PISA in Summer, followed by IOS 2HCY08):
Enterprise Applications: DiCom, HL7, FIX, CIFS
Messaging: Yahoo, AOL, MSN, Sametime / Lotus, GoogleTalk
Voice: SKYPE 2.0, 3.0; Softphone
Network Mail Services: Exchange 2003
Peer to Peer
Cisco Software Download: NBAR Packet Description Language Modules
See: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=268437899
Testing, Verification & Assurance
NBAR Main Supported Platforms
Cisco IOS Release 12.4T: Cisco 800 (871 and above), 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, 7200, 7301
Cisco IOS Release 12.4 Mainline: Cisco 800 (831 and above), 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, 7200, 7301
Cisco 7500 with VIP2-50 or above (12.4 column not recoverable from the extraction)
Cisco IOS Release 12.2S: Cisco 7200, 7301, 7304-NPE
Cisco Catalyst® 6500:
SUP1/SUP1a/SUP2: software-based implementation
SUP720: SIP-200, FlexWAN and enhanced FlexWAN interfaces (software-based implementation)
SUP32 PISA. Also supports the enhanced FlexWAN, SIP-200, SIP-400
Also supported on the Multiprocessor WAN Application Module (MWAM) (6*7200 on a board)
Testing, Verification & Assurance
NBAR Two Modes Of Operation
Passive Mode (CISCO-NBAR-PROTOCOL-DISCOVERY-MIB)
Protocol discovery per interface
Discovers and provides real time statistics on applications
Per-interface, per-protocol, bi-directional statistics: bit rate (bps), packet counts and byte counts
Active Mode (CISCO-CLASS-BASED-QOS-MIB)
Router(config)#class-map [match-any|match-all] myProt
Router(config-cmap)#match protocol protocol
Testing, Verification & Assurance Passive Mode
Example: NBAR Protocol Discovery
router# show ip nbar protocol-discovery interface FastEthernet 6/0
FastEthernet6/0
Input Output
Protocol Packet Count Packet Count
Byte Count Byte Count
5 minute bit rate (bps) 5 minute bit rate (bps)
----------- ------------------------ ------------------------
http 316773 0
26340105 0
3000 0
pop3 4437 7367
2301891 339213
3000 0
snmp 279538 14644
319106191 673624
0 0
ftp 8979 7714
906550 694260
0 0
…
Total 17203819 151684936
19161397327 50967034611
4179000 6620000
Testing, Verification & Assurance Passive Mode
NBAR Protocol Discovery MIB
Traffic Classification and Real-Time Statistics
Automatically uses all PDLMs
Run protocol discovery instead of specifying individual protocols
Testing, Verification & Assurance
NBAR Custom Classification – 2 Options
1) Static port mapping
Used for static TCP/UDP port-based applications that are not supported in
NBAR PDLMs
Up to ten custom applications can be added
Each custom application can have max. 16 TCP and 16 UDP ports mapped
Statistics appear in the Protocol Discovery
Router(config)#ip nbar port-map custom-01 ?
tcp TCP ports
udp UDP ports
Input Output
Protocol Packet Count Packet Count
Byte Count Byte Count
5 minute bit rate (bps) 5 minute bit rate (bps)
---------- ------------------------ ------------------------
: : :
unknown 205 204
14976 10404
0 0
Total 41304 40944
2649809 2619839
3000 3000
Upon low % of traffic recognized by NBAR, maybe it’s time to check for new PDLMs …
NBAR recognized (%) = [(total − unknown) × 100] / [total]
See: This is available from CiscoBeyond (and soon as an EASy Package)
http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=2101
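Parsing `show ip nbar protocol-discovery` output and applying the formula above can be scripted off-box, for instance over a periodic CLI collection. The block below is an added example, not from the presentation and not Cisco code; the sample output is constructed in the three-line-per-protocol layout shown on these slides, and the 90 % threshold used by `needs_pdlm_check` is an assumed value.

```python
"""NBAR recognition ratio from 'show ip nbar protocol-discovery' output.

Added example, not Cisco code.  Parses the packet count / byte count /
5-minute bit rate rows (input and output columns) and applies
    NBAR recognized (%) = (total - unknown) * 100 / total
so a low ratio can flag that newer PDLMs may be needed."""
import re
from typing import Dict, Optional

# Constructed sample in the format of 'show ip nbar protocol-discovery'.
SAMPLE = """\
FastEthernet0/0

                          Input                    Output
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5 minute bit rate (bps)  5 minute bit rate (bps)
   ------------------------ ------------------------ ------------------------
   http                     30000                    25000
                            2100000                  1900000
                            3000                     2000
   snmp                     11099                    15736
                            534833                   709435
                            0                        1000
   unknown                  205                      204
                            14976                    10404
                            0                        0
   Total                    41304                    40944
                            2649809                  2619839
                            3000                     3000
"""

_NAME_ROW = re.compile(r"^\s*([A-Za-z][\w.\-]*)\s+(\d+)\s+(\d+)\s*$")
_NUM_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s*$")
_FIELDS = (("in_pkts", "out_pkts"), ("in_bytes", "out_bytes"), ("in_bps", "out_bps"))


def parse_protocol_discovery(text: str) -> Dict[str, Dict[str, int]]:
    """Return {protocol: {in_pkts, out_pkts, in_bytes, out_bytes, in_bps, out_bps}}."""
    stats: Dict[str, Dict[str, int]] = {}
    current, row = None, 0
    for line in text.splitlines():
        m = _NAME_ROW.match(line)
        if m:                         # first line of a block: name + packet counts
            current, row = m.group(1), 0
            stats[current] = {"in_pkts": int(m.group(2)), "out_pkts": int(m.group(3))}
            continue
        m = _NUM_ROW.match(line)
        if m and current and row < 2:   # then byte counts, then bit rates
            row += 1
            k_in, k_out = _FIELDS[row]
            stats[current][k_in], stats[current][k_out] = int(m.group(1)), int(m.group(2))
    return stats


def nbar_recognized_pct(stats: Dict[str, Dict[str, int]],
                        direction: str = "both") -> Optional[float]:
    """Share of packets NBAR classified, per the slide's formula; None if no traffic."""
    keys = {"in": ["in_pkts"], "out": ["out_pkts"], "both": ["in_pkts", "out_pkts"]}[direction]
    total = sum(stats["Total"][k] for k in keys)
    unknown = sum(stats.get("unknown", {}).get(k, 0) for k in keys)
    return None if total == 0 else (total - unknown) * 100.0 / total


def needs_pdlm_check(stats: Dict[str, Dict[str, int]], min_pct: float = 90.0) -> bool:
    """True when the recognized share drops below min_pct (an assumed threshold)."""
    pct = nbar_recognized_pct(stats)
    return pct is not None and pct < min_pct


if __name__ == "__main__":
    s = parse_protocol_discovery(SAMPLE)
    print("recognized: %.2f %%" % nbar_recognized_pct(s), "check PDLMs:", needs_pdlm_check(s))
```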
Testing, Verification & Assurance
Flexible Packet Matching (FPM)
Principles
Developed to identify virus signatures anywhere in the packet
No flow concept, stateless
match statements define signatures; every packet is inspected and dropped if any match occurs
Ability to match on arbitrary bits of a packet at arbitrary depth (offset) inside the packet
Layer 2–Layer 7 stateless classification and match capability
Possibility to identify attacks on legitimate ports—for example an attack on port 80
Accelerated in HW with Sup32-PISA at a speed of up to 2Gbps
0111111010101010000111000100111110010001000100100010001001
Match Pattern (Gnutella):
class-map type access-control match-all gnutella
 match start TCP payload-start offset 0 size 32 regex "^GNUTELLA CONNECT"
2. Define the protocol stack for packets subject to the FPM rule:
class-map type access-control match-all FPM-Filter
 match field <stack header fields>
 match start <pattern at specific offset>
Examples of protocol stacks include IP, IP/TCP, IP/UDP, IP/TCP/HTTP, IP/GRE/IP
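The two FPM building blocks on this slide, locating the payload by walking the protocol stack and then matching a pattern at a fixed offset and size, can be modelled off-box to understand what a class-map does and does not see. The Python below is an added example, not Cisco code and not FPM source; packets, addresses and ports are constructed, `match_field` covers only the few header fields the parser extracts (it can also express the port/ToS rules of the earlier "How To Identify Applications?" table), and `fpm_inspect` is the example's own name.

```python
"""FPM-style stateless classification, modelled in Python.

Added example, not Cisco code.  Mimics 'match start tcp payload-start
offset N size M regex P' and 'match field <header field> eq <value>'
inside a match-all / match-any class map, evaluated per packet with no
flow state.  All packet bytes below are constructed for the demo."""
import re
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class ParsedPacket:
    tos: int
    ttl: int
    sport: int
    dport: int
    payload: bytes   # bytes after the TCP header (what payload-start points at)


def parse_ipv4_tcp(raw: bytes) -> Optional[ParsedPacket]:
    """Locate the TCP payload honouring IHL and TCP data offset; None if not IPv4/TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or raw[9] != 6 or len(raw) < ihl + 20:
        return None
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_off = (raw[ihl + 12] >> 4) * 4
    if data_off < 20 or len(raw) < ihl + data_off:
        return None
    return ParsedPacket(raw[1], raw[8], sport, dport, raw[ihl + data_off:])


Matcher = Callable[[ParsedPacket], bool]


def match_start_tcp_payload(offset: int, size: int, pattern: bytes) -> Matcher:
    """Only `size` bytes starting `offset` into the payload are examined, so a
    signature that sits deeper in the packet is deliberately not seen."""
    rx = re.compile(pattern)
    return lambda p: rx.search(p.payload[offset:offset + size]) is not None


def match_field(name: str, value: int) -> Matcher:
    """Equality test on a parsed header field (tos, ttl, sport, dport)."""
    return lambda p: getattr(p, name) == value


@dataclass
class ClassMap:
    name: str
    matchers: List[Matcher]
    match_all: bool = True   # class-map ... match-all vs match-any

    def matches(self, p: ParsedPacket) -> bool:
        return (all if self.match_all else any)(m(p) for m in self.matchers)


def fpm_inspect(raw: bytes, class_maps: List[ClassMap]) -> Tuple[str, Optional[str]]:
    """Stateless per-packet decision: ('drop', class) on first match, else ('pass', None)."""
    pkt = parse_ipv4_tcp(raw)
    if pkt is not None:
        for cm in class_maps:
            if cm.matches(pkt):
                return ("drop", cm.name)
    return ("pass", None)


def build_ipv4_tcp(payload: bytes, dport: int = 6346, ip_options: bytes = b"") -> bytes:
    """Construct a minimal IPv4/TCP packet (checksums left at zero) for the demo."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


# The slide's class map: class-map type access-control match-all gnutella
GNUTELLA = ClassMap("gnutella", [match_start_tcp_payload(0, 32, rb"^GNUTELLA CONNECT")])

if __name__ == "__main__":
    for pl in (b"GNUTELLA CONNECT/0.6\r\n", b"GET / HTTP/1.1\r\n", b"X" * 40 + b"GNUTELLA CONNECT"):
        print(pl[:20], "->", fpm_inspect(build_ipv4_tcp(pl), [GNUTELLA]))
```

The third sample packet shows the limit that `offset 0 size 32` imposes: the handshake string placed 40 bytes into the payload is outside the examined window and passes, which is the trade-off between inspection cost and coverage that the offset/size parameters encode.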
What if I need Awareness of Application Traffic Flows?
Network Based Application Recognition
NetFlow and NBAR Differentiation
[Figure: packet layout – Link Layer Header (Interface), IP Header (ToS, Protocol, Source IP Address, Destination IP Address), TCP/UDP Header (Source Port, Destination Port), Data Packet (Payload)]
NetFlow
Monitors data in Layers 2 - 4
Determines applications by port
Utilizes a seven-tuple for flow
Flow information who, what, when, where
NBAR
Examines data from Layers 3 - 7
Utilizes Layers 3 and 4 plus packet inspection for classification
Deep Packet (Payload) Inspection
Stateful inspection of dynamic-port traffic
Packet and byte counts
NetFlow and NBAR Integration
Example: Application Flow Aware – 1/3
Problem: We want to be aware of application traffic flows (i.e. who, when, where, what)
Solution: Use Flexible Netflow and NBAR Integration
Example: Application Flow Aware – 2/3
2. Then either handle within IOS and/or …
Example: Application Flow Aware – 3/3
3. Export to your favorite Reporting System (Screenshot courtesy of Plixer)
Agenda
Be Prepared – Some Good Practices
Troubleshooting & Optimization
Good Practice: Reserve Memory for Console
Problem: Network or Device Problems may consume a lot of Memory and/or Memory may become extensively fragmented – potentially there won’t be enough Memory left for the Console …
Solution: Reserve Memory for the console ahead of time, on every device
Rule of Thumb: for the number of kilobytes use a value greater than 3 times the NVRAM size
Troubleshooting & Optimization
Good Practice: Check SNMP OID Statistics
Which OIDs are my NMS Apps (CiscoView) polling ?
Router#show snmp statistics oid
Troubleshooting & Optimization
Good Practice: IfIndex Persistence – 3/3
Router(config)# snmp-server ifindex persist
Router(config)# snmp mib persist event        (EVENT-MIB)
Router(config)# snmp mib persist expression   (EXPRESSION-MIB)
Router(config)# snmp mib persist circuit      (CIRCUIT-MIB)
Router(config)# snmp mib persist cbqos        (CISCO-CLASS-BASED-QOS-MIB)
You must perform a copy running-config startup-config to persist the newly assigned ifIndex values:
Router# copy running start
Router# dir nvram:ifIndex-table
Directory of nvram:/ifIndex-table
    2  -rw-         283                    <no date>  ifIndex-table
126968 bytes total (114116 bytes free)
What about Syslog messages indicating an ACL hit ?
Troubleshooting & Optimization
ACL Syslog Correlation
Problem: ACL hits can produce a Syslog message, but often in the NOC / SOC we want to know which specific line of an ACL (i.e. which ACE, Access Control Entry) was kicking in ...
Solution: Make use of IOS ACL Tags and Syslog Correlation
See: http://www.cisco.com/en/US/partner/docs/ios/security/configuration/guide/sec_acl_syslog.html
Available from: IOS 12.4(22)T
Platforms: 18xx, 28xx, 38xx, 72xx, 73xx, 76xx
Troubleshooting & Optimization
Example: ACL Syslog Correlation and EEM
Problem: Let’s assume we not only need a syslog message, but also want to take specific actions ...
Solution: Combine ACL Syslog Correlation with EEM
1. Define Tags for your ACEs:
access-list 100 deny tcp host 10.0.2.2 host 10.0.2.181 eq 9000 log ThisIsBlocked
access-list 100 permit ip any any
3. A matching packet will generate a syslog message, which will in turn trigger EEM:
*Apr 13 16:58:06.386: %SEC-6-IPACCESSLOGDP: list 100 denied tcp 10.0.2.2(56273) 10.0.2.181(9000), 1 packet [ThisIsBlocked]
*Apr 13 16:58:06.394 UTC: %HA_EM-0-LOG: catch-an-ace-tag: Start ...
*Apr 13 16:58:07.025 UTC: %HA_EM-0-LOG: catch-an-ace-tag: ... done
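Once ACEs carry tags, the syslog stream becomes machine-correlatable: the tag identifies the ACE, and the applet's own `%HA_EM` messages show that the automation ran. The Python below is an added example, not part of the presentation and not Cisco code; it uses the slide's log lines plus one constructed untagged hit, and the 2-second correlation window and the `ACE_BY_TAG` table are assumptions.

```python
"""Correlate tagged ACL-hit syslog messages with the EEM applet they trigger.

Added example, not Cisco code.  Parses %SEC-6-IPACCESSLOG* messages of the
shape shown above, recovers the ACE tag in square brackets, maps it back
to the ACE, and attaches the %HA_EM-*-LOG lines emitted shortly afterwards
so an operator can confirm the applet ran."""
import re
from typing import Dict, List, Optional, Tuple

# Tag -> ACE as defined in step 1 above (a NOC/SOC would keep this table).
ACE_BY_TAG = {
    "ThisIsBlocked":
        "access-list 100 deny tcp host 10.0.2.2 host 10.0.2.181 eq 9000 log ThisIsBlocked",
}

# Slide's log lines plus one constructed, untagged hit on another list.
SAMPLE_LOG = """\
*Apr 13 16:58:06.386: %SEC-6-IPACCESSLOGDP: list 100 denied tcp 10.0.2.2(56273) 10.0.2.181(9000), 1 packet [ThisIsBlocked]
*Apr 13 16:58:06.394 UTC: %HA_EM-0-LOG: catch-an-ace-tag: Start ...
*Apr 13 16:58:07.025 UTC: %HA_EM-0-LOG: catch-an-ace-tag: ... done
*Apr 13 17:02:41.118: %SEC-6-IPACCESSLOGDP: list 101 denied udp 10.0.2.9(514) -> 10.0.2.181(514), 2 packets
"""

_TS = re.compile(r"^\*?[A-Z][a-z]{2}\s+\d+\s+(\d{2}):(\d{2}):(\d{2}(?:\.\d+)?)(?:\s+[A-Z]+)?:\s*(.*)$")
_ACL = re.compile(
    r"^%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) (?:-> )?(?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?(?: \[(?P<tag>[^\]]+)\])?$")
_EEM = re.compile(r"^%HA_EM-\d-LOG: (?P<applet>[^:]+): (?P<msg>.*)$")


def _split(line: str) -> Optional[Tuple[float, str]]:
    """(seconds since midnight, message body), or None for unparsable lines."""
    m = _TS.match(line)
    if not m:
        return None
    h, mi, s, body = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s), body


def correlate_acl_hits(lines: List[str], window: float = 2.0) -> List[Dict]:
    """One record per ACL hit, with the ACE resolved from its tag and the EEM
    messages that followed within `window` seconds (assumed window)."""
    events = [e for e in (_split(ln) for ln in lines) if e]
    hits: List[Dict] = []
    for t, body in events:
        m = _ACL.match(body)
        if not m:
            continue
        rec = m.groupdict()
        for k in ("sport", "dport", "count"):
            rec[k] = int(rec[k])
        rec["time"] = t
        # An untagged hit cannot be traced to a specific ACE: that is the gap tags close.
        rec["ace"] = ACE_BY_TAG.get(rec["tag"]) if rec["tag"] else None
        rec["eem"] = [_EEM.match(b).groupdict() for t2, b in events
                      if 0 <= t2 - t <= window and _EEM.match(b)]
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in correlate_acl_hits(SAMPLE_LOG.splitlines()):
        print(h["acl"], h["action"], h["tag"], "->", h["ace"], "| applet msgs:", len(h["eem"]))
```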
Reliable Delivery and Filtering of Syslog
Troubleshooting & Optimization
Reliable Delivery and Filtering of Syslog
Troubleshooting & Optimization
Good Practice: Know about low-TTL
TTL is:
An IP Header field used to limit packet life time (upon routing loops)
Each routing hop along a packet’s path decrements this value
Upon TTL==0 the packet is dropped
2. Configure the Netflow Event Detector in EEM to notify upon a new flow record
event manager applet my-ttl-applet
 event nf monitor-name "my-ttl-monitor" event-type create event1 entry-value "5" field ipv4 ttl entry-op lt
 action 1.0 syslog msg "Low-TTL flow from $_nf_source_address"
3. Syslog message and/or use the show flow monitor <my-monitor> cache command
*Dec 2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 192.168.2.248
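The `field ipv4 ttl entry-op lt entry-value 5` condition and the syslog action above can be reproduced over exported flow records for off-box triage. The block below is an added example, not Cisco code and not part of the presentation; the flow records are constructed, and the per-source grouping is an analyst heuristic the slide does not mention.

```python
"""Low-TTL flow detection, modelled after the EEM NetFlow event detector above.

Added example, not Cisco code.  Evaluates new flow records against the
slide's condition 'field ipv4 ttl entry-op lt entry-value 5' and formats
the same syslog text the applet's action 1.0 emits."""
from typing import Dict, List

# Constructed flow records, as a NetFlow monitor would create them.
FLOWS = [
    {"src": "192.168.2.248", "dst": "10.1.1.1", "proto": 17, "ttl": 1},
    {"src": "192.168.2.248", "dst": "10.1.1.1", "proto": 17, "ttl": 2},
    {"src": "192.168.2.248", "dst": "10.1.1.1", "proto": 17, "ttl": 3},
    {"src": "192.168.2.10", "dst": "10.1.1.1", "proto": 6, "ttl": 64},
    {"src": "192.168.2.77", "dst": "10.1.1.2", "proto": 6, "ttl": 5},  # 'lt' is strict: not matched
    {"src": "172.16.4.9", "dst": "10.1.1.3", "proto": 1, "ttl": 4},
]


def low_ttl_flows(flows: List[Dict], threshold: int = 5) -> List[Dict]:
    """Flows whose ipv4 ttl is strictly less than threshold ('entry-op lt')."""
    return [f for f in flows if f["ttl"] < threshold]


def applet_messages(flows: List[Dict], applet: str = "my-ttl-applet") -> List[str]:
    """The syslog text 'action 1.0' produces, one line per matching flow."""
    return [f"{applet}: Low-TTL flow from {f['src']}" for f in low_ttl_flows(flows)]


def low_ttl_by_source(flows: List[Dict], threshold: int = 5) -> Dict[str, List[int]]:
    """Distinct low TTL values seen per source (analyst heuristic): a single
    source emitting many different small TTLs is what incrementing-TTL probes
    such as traceroute look like, whereas one value points at a fixed path."""
    seen: Dict[str, set] = {}
    for f in low_ttl_flows(flows, threshold):
        seen.setdefault(f["src"], set()).add(f["ttl"])
    return {src: sorted(vals) for src, vals in seen.items()}


if __name__ == "__main__":
    for line in applet_messages(FLOWS):
        print(line)
    print(low_ttl_by_source(FLOWS))
```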
What if I need a Packet Capture ?
Troubleshooting & Optimization
Embedded Packet Capture (EPC)
Problem: Sometimes a Packet Capture would be useful for
Troubleshooting, Security or Application Analysis, Baselining, etc.
BUT: deploying Packet Sniffers is slow, expensive and requires local skills
and equipment ...
Solution: Make use of IOS Embedded Packet Capture to capture PCAP
format data and/or analyze on the device
1. Defining a capture buffer on the device
Router# monitor capture buffer …
See: http://www.cisco.com/go/epc
Available from: IOS 12.4(20)T
Platforms: 8xx, 18xx, 28xx, 38xx ISRs, 72xx
Troubleshooting & Optimization
Example: process-switched traffic – 1/2
We want to capture process-switched traffic:
1-3. Define a capture buffer, capture point and associate the two
Router# monitor capture buffer my-buffer size 100 max-size 1000 circular
Router# monitor capture point ip process-switched my-capture in
Router# monitor capture point associate my-capture my-buffer
Troubleshooting & Optimization
EPC – Additional Considerations
Capture stop criteria:
– manual stop
– after a specified time interval
– after given number of packets
Capture point:
– IPv4 or IPv6
– CEF (drop, punt) or process switching
– interface specific or all interface
– Direction: in, out, both, from-us (process-switched specific)
– multicast: only ingress packets are captured, not the replicated egress packets
– MPLS: does not capture MPLS encapsulated frames today
Buffer can be defined as linear or circular
Buffer filter based on an access-list
Router# monitor capture buffer my-buffer filter access-list 10
What if I need to quickly share some information from a router?
Troubleshooting & Optimization
Sharing Information 1/2
Problem: Often we need to quickly share information from a router (or a
neighboring device) across organizational and technical borders. Sometimes
in ways which were not initially planned for …
Solution I: Initiate a Project to make use of SNMP, Syslog, Event
Management Software, Reporting, Trouble Ticketing and CRM Systems ...
Solution II: Use Cisco IOS DMI to gather the information and EEM/Tcl to
post it via http to a shared location
1. Import the http package into your EEM TCL Policy
namespace import ::http::*
See: http://twitter.com/EASyDMI
Note: it is NOT recommended to use a public site or feed other than for demo purpose
Troubleshooting & Optimization
Sharing Information 2/2
> 200 downloads from ciscobeyond in the 1st month
Custom Interactive Menus on the CLI
Interactive Menus on the CLI
Problem: How to make some CLI commands available in a guided way
(for example to 1st Line Support, Local IT, Field Force, etc)
Solution I: Configure a Menu using the old <menu> commands
Solution II: Define a custom Menu in Embedded Menu Manager (EMM)
Menu Config Command – 1/2
Simple Menu Defined in the Config
Custom ASCII Menus
Part of IOS Config
Simple CLI Actions
menu OldMenu title ^C
A simple example of the OLD menu command^C
menu OldMenu prompt ^C
Please select a menu item:^C
menu OldMenu text 1 Run a ping test
menu OldMenu command 1 ping 10.1.1.1
menu OldMenu options 1 pause
menu OldMenu text 9 Exit
menu OldMenu command 9 exit
menu OldMenu status-line
(OldMenu is the menu name; title and prompt set the menu title; text 1 is the menu item label and command 1 / options 1 its menu item action)
Caveats:
– Remember to provide an <exit> option
– Simple menus and actions only
– No user input other than menu items
– Part of the running- and startup-config
Available from: IOS 10.0, 12.2(33)S
Menu Config Command – 2/2
router# menu OldMenu
Server "router" Line 0 Terminal-type (unknown)
9 Exit
EMM Menu Definition File Example – 2/2
From simple menu choices to complete customized wizards
:
:
<Item ContinuePrompt="true" ItemJustification="LEFT">
<ItemTitle>
<Constant String="Change Hostname" />
</ItemTitle>
<HelpString>
<Constant String="This selection lets you type a new hostname" />
</HelpString>
<Wizard>
<QueryPrompt>
<Constant String="What hostname do you suggest?" />
</QueryPrompt>
<FreeForm />
</Wizard>
<IOSConfigCommand>
"hostname $r(1)"
</IOSConfigCommand>
:
:
POST (Power-On Self-Test) is a great thing ...
Troubleshooting & Optimization
Generic OnLine Diagnostics (GOLD)
CLI and scheduling for Functional Runtime Diagnostics
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Good Practice: schedule all non-disruptive tests periodically
Test Types include:
– Packet switching tests
• Are supervisor control plane & forwarding plane
functioning properly?
• Is the standby supervisor ready to take over?
• Are linecards forwarding packets properly?
• Are all ports working?
• Is the backplane connection working?
– Memory Tests
– Error Correlation Tests
Complementary to POST
Available from: CatOS 8.5(1), IOS 12.2(14)SX
Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS
Troubleshooting & Optimization
Example: The effect of wear and tear – 1/2
Problem: Repeated insertion and removal of Modules can lead to wear
and tear damage on connectors. This in turn can cause failures … how do
you find out during operation, without power-cycling the box ?
Solution: Use GOLD to verify functionality of a mis-behaving module
1) Let’s see which GOLD tests are available and scheduled for our Module:
Router# show diagnostic content module 3
Module 3:
See: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/diagtest.html
Troubleshooting & Optimization
Example: The effect of wear and tear – 2/2
2) Now let’s run TestL3VlanMet on-demand for Module 3:
Router# diagnostic start module 3 test 18
:
00:09:59: %DIAG-SP-3-MINOR: Module 3: Online Diagnostics detected a Minor Error. Please use 'show diagnostic result <target>' to see test results.
(for per-test detail: show diagnostic result module 3 detail)
3) Then check the test results:
Router# show diagnostic result module 3
Module 3: CEF720 48 port 1000mb SFP SerialNo : xxxxxxxx
Port 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
----------------------------------------------------------------------------
U U U U U U U U U U U U U U U U U U U U U U U U
:
:
18) TestL3VlanMet -------------------> F
Troubleshooting & Optimization
GOLD and Embedded Event Manager
Troubleshooting & Optimization
Enabling GOLD using CiscoWorks LMS
CiscoWork LMS 3.1 adds support for GOLD via RME
Good Practice: schedule all non-disruptive tests periodically
Smart Call Home
Troubleshooting & Optimization
Smart Call Home
[Figure: escalation chain Network Device → EMS/NMS Software → Network Operator → Network Engineer → Support Engineer]
From: Late Surprises; Multiple Manual Escalation Steps (SNMP, Syslog; UI, email; TTS, email, voice; CRM, email, voice); Iterative Problem Isolation
Smart Call Home Message: Early Warnings; Automated Flow
Troubleshooting & Optimization
Smart Call Home
[Figure: Customer device → Smart Call Home: Diagnostics, Rules, Installed Base]
Troubleshooting & Optimization
Smart Call Home – CCO Application
Personalized Reports
– Messages, diagnostics and recommendations
– Inventory and configuration for all Call Home devices
– Security alerts, Field notices, and End-of-Life notices
– Configuration Sanity Analysis
– PDF and XLS Export
Troubleshooting & Optimization
Smart Call Home – The Impact
Before (elapsed: 45 min, 3.75 hrs, 12 hrs, 25 hours, 29 hours):
1. Minor hardware failure, undetected. Customer’s Ops team discovers IP multicast configuration problem.
2. P3 Service Request opened. Cisco RP team checks IP Multicast configuration.
3. Problem narrowed to specific Cat 6500 ports. Re-queued to LAN SW team.
4. Look into various known issues and bugs on WS-X6548-GE-TX. Find nothing. Request logs from customer.
5. Logs received and analyzed. Identify online diagnostics failure for test TestL3VlanMet. RMA created.
6. Replacement part received (4-hour replacement coverage).
After (with Diagnostics, Rules and Installed Base; elapsed: 12 min, 42 min, 1.2 hrs, 5.5 hrs)
Troubleshooting & Optimization
Smart Call Home – Transport Gateway
[Figure: Customer / Partner – Transport Gateway with mailbox → Diagnostics, Rules]
Troubleshooting & Optimization
Smart Call Home – Transport Gateway
Registered Device → (1) SMTP → Mail Server → (2) POP / IMAP → Transport Gateway → (3) HTTPS → SmartCallHome on cisco.com
Platform Support
– Redhat Linux
– Solaris
– Microsoft Windows
Free Download and Install Guide
www.cisco.com/go/smartcall
Troubleshooting & Optimization
Smart Call Home – How to get started ...
Before Available
– Across segments
– Platform support
Agenda
Wrap-Up & Close
Questions during a Service Life Cycle
Is there room for yet another service?
• Embedded Event Manager (EEM)
• Embedded Resource Manager (ERM)
• Data Collection Manager (DCM)
• NetFlow MIB and Top Talkers
• ...
How to configure?
• CLI Config Diff and Archive
• CLI Config Locking
• TCL and Cron
• IOS Deployment Agents
• CLI Views
• Enhanced Device Interface (E-DI)
• ...
Is it working as specified?
• IF-MIB, CB-QoS-MIB
• EVENT-, EXPRESSION-MIB
• NBAR
• NetFlow
• Sup Engine 32 PISA
• Flexible Packet Matching
• IP SLA
• ...
(fourth column, heading not recovered from the extraction)
• SNMP, CLI
• Embedded Menu Manager (EMM)
• Embedded Packet Capture (EPC)
• Reliable Syslog
• TCL
• Embedded Event Manager (EEM)
• GOLD & Smart Call Home
• ...
(fifth column, heading not recovered from the extraction)
• SNMP Stat OID
• IF-MIB, CB-QoS-MIB
• NBAR
• NetFlow
• Embedded Event Manager (EEM)
• IP SLA and EOT
• ...
Q&A
References – Instrumentation
Device Manageability Instrumentation (DMI) www.cisco.com/go/instrumentation
Embedded Event Manager (EEM): www.cisco.com/go/eem
Cisco Beyond – EEM Community: www.cisco.com/go/ciscobeyond
Embedded Menu Manager (EMM): http://tinyurl.com/emm-in-124t
Embedded Packet Capture (EPC): www.cisco.com/go/epc
Flexible NetFlow: www.cisco.com/go/netflow and www.cisco.com/go/fnf
GOLD: http://www.cisco.com/en/US/products/ps7081/products_ios_protocol_group_home.html
IPSLA (formerly SAA, formerly RTR): www.cisco.com/go/ipsla
Network Analysis Module: http://www.cisco.com/go/nam
Network Based Application Recognition (NBAR): www.cisco.com/go/nbar
Security Device Manager (SDM): http://www.cisco.com/go/sdm
Smart Call Home: www.cisco.com/go/smartcall
Web Services Management Agents (WSMA): http://tinyurl.com/wsma-in-150M
Q&A
References – Embedded Automations
Embedded Automation Systems (EASy)
1. Browse and Download EASy Packages
www.cisco.com/go/easy
Session ID Title Day
TECNMS-1003 Designing Manageability and Embedded Automations Mon
BRKNMS-2000 13 Smart ways to Configure your Cisco IOS Device Tue
BRKNMS-2421 Network Configuration and Compliance Management Tue
BRKNMS-2004 Management at work in the small and medium customer Tue
BRKNMS-2005 Managing Cisco Security Wed
BRKNMS-2001 Data Centre - Management End to End Wed
BRKNMS-2007 Deploying DHCP and DNS : Basic to Advanced Wed
BRKNMS-2008 Understanding the benefits of Ethernet OAM (E-OAM) Wed
BRKNMS-2009 UC Network Management: How to Ensure Your UC Services Are Operating as Expected! Wed
BRKNMS-2011 The economical impact of NMS/OSS features on Managed Services Wed
BRKNMS-2012 Cisco IOS Strategy and Evolution Wed
BRKNMS-3132 Advanced NetFlow Wed
BRKNMS-3003 Advanced Using CiscoWorks LMS to its full potential Thu
BRKNMS-2006 Performance Measurement for Critical IP traffic with IP SLAs Thu
BRKNMS-2361 Accounting and Performance Management with Network Based Application Recognition Thu
LABNMS-2001 Advanced Network Automation and Solutions using Cisco IOS EEM Tue + Thu
LABNMS-2005 Implementing Manageability and Embedded Automation Tue + Wed
Panel Large Scale Network Management Tue
Panel Cisco Software Activation Thu
Questions ?
Wrap-Up & Close
In Summary
Embedded Management – SNMP Roadmap
Cisco IOS Software Platforms (release train): Cisco 10000 Series (12.2SB); Cisco 7600 Series (12.2SR/SX); Cisco 7500 Series (12.2SB); Cisco 7304 Router (12.2SB); Cisco 7301 and 7200 Routers (12.2SB/SR); Cisco Catalyst 6500 (12.2SX/SR); Cisco Catalyst 4500 Series (12.2SG); Cisco Catalyst 3750 & 2900 Series (12.2SE); Cisco ASR-1000 Series (12.2XNA); Cisco 800, 1800 & 2800 Series (M&T)
Periodic MIB Data Collection and Transfer Mechanism: 10000 12.2(33)SB; 7600 12.2(33)SRA; 7500 12.2(22)S; 7304 12.2(33)SB; 7301/7200 12.2(33)SRA; Cat 6500 12.2(33)SXH; Cat 4500 12.2(44)SG; Cat 3750/2900 12.2(35)SE1; ASR-1000 12.2(33)XNA; 800/1800/2800 12.3(2)T
VPN aware SNMP Infrastructure: 10000 12.2(33)SB; 7600 12.2(33)SRA; 7500 12.2(22)S; 7304 12.2(33)SB; 7301/7200 12.2(33)SRA; Cat 6500 12.2(33)SXH; Cat 4500 12.2(44)SG; Cat 3750/2900 12.2(7th)SE; ASR-1000 12.2(33)XNA; 800/1800/2800 12.3(2)T
SNMP over IPv6: 10000 12.2(33)SB; 7600 12.2(33)SRB; 7500 12.3(14)T; 7304 12.2(33)SB; 7301/7200 12.2(33)SRB; Cat 6500 12.2(33)SXI; Cat 4500 12.2(44)SG; Cat 3750/2900 12.2(44)SE; ASR-1000 12.2(33)XNA; 800/1800/2800 12.3(14)T
AES (RFC 3826) and 3DES Encryption for SNMP v3: 10000 12.2(33)SB; 7600 12.2(33)SRB; 7304 12.2(33)SB; 7301/7200 12.2(33)SRB; Cat 6500 12.2(33)SXI; Cat 4500 12.2(44)SG; Cat 3750/2900 12.2(7th)SE; ASR-1000 12.2(33)XNA; 800/1800/2800 12.4(2)T
ISSU - SNMP: 10000 12.2(33)SB; 7600 12.2(33)SRB1; 7304 12.2(33)SB1; 7301/7200 12.2(33)SRB; Cat 6500 12.2(33)SXI; Cat 4500 12.2(44)SG; ASR-1000 12.2(33)XNA
Interface MIB Enhancements: 10000 12.2(31)SB; 7600 12.2(33)SRA; 7500 12.2(31)SB; 7304 12.2(31)SB; 7301/7200 12.2(33)SRA; Cat 6500 12.2(33)SXH; Cat 4500 12.2(44)SG; ASR-1000 12.2(33)XNA
CEF-MIB: 10000 12.2(33)SB; 7600 12.2(33)SRC; 7500 12.2(31)SB; 7304 12.2(33)SB; 7301/7200 12.2(33)SRC; Cat 4500 12.2(44)SG; Cat 3750/2900 12.2(TBD)SE; ASR-1000 12.2(33)XNA; 800/1800/2800 12.4(20)T
URPF-MIB: 10000 12.2(31)SB; 7600 12.2(33)SRC; 7500 12.2(31)SB; 7304 12.2(31)SB; 7301/7200 12.2(33)SRC; Cat 4500 12.2(44)SG; Cat 3750/2900 12.2(TBD)SE; ASR-1000 12.2(33)XNA; 800/1800/2800 12.4(20)T
SNMP Infrastructure for MTR: 10000 12.2(33)SB; 7600 12.2(33)SRB; 7304 12.2(33)SB; 7301/7200 12.2(33)SRB
Legend: Shipping / Code Committed / EC’d
Embedded Management – SNMP Roadmap (continued)
Cisco IOS Software Platforms (release train): Cisco 10000 Series (12.2SB); Cisco 7600 Series (12.2SR/SX); Cisco 7500 Series (12.2SB); Cisco 7304 Router (12.2SB); Cisco 7301 and 7200 Routers (12.2SB/SR); Cisco Catalyst 6500 (12.2SX/SR); Cisco Catalyst 4500 Series (12.2SG); Cisco Catalyst 3750 & 2900 Series (12.2SE); Cisco ASR-1000 Series (12.2XNA); Cisco 800, 1800 & 2800 Series (M&T)
Alarm filtering support in Cisco-Entity-Alarm-MIB: 7600 12.2(33)SRB; 7301/7200 12.2(33)SRB; Cat 6500 12.2(33)SXI; Cat 4500 12.2(44)SG; ASR-1000 12.2(33)XNA; 800/1800/2800 12.4(4)T
SNMP Trap Simulation: 7600 12.2(33)SRE; 7301/7200 12.2(33)SRE; Cat 6500 12.2(33)SXI
Embedded Management – Fault/Diag Roadmap
Cisco IOS Software Platforms (release train): Cisco 10000 Series (12.2SB); Cisco 7600 Series (12.2SR/SX); Cisco 7500 Series (12.2SB); Cisco 7304 Router (12.2SB); Cisco 7301 and 7200 Routers (12.2SB/SR); Cisco Catalyst 6500 (12.2SX/SR); Cisco Catalyst 4500 Series (12.2SG); Cisco Catalyst 3750 & 2900 Series (12.2SE); Cisco ASR-1000 Series (12.2XNA); Cisco 800, 1800 & 2800 Series (M&T)
Embedded Syslog Manager: 10000 12.2(33)SB; 7600 12.2(33)SRC; 7500 NA; 7304 12.2(33)SB; 7301/7200 12.2(33)SRC; Cat 6500 12.2(33)SXI (12.2SY *i); Cat 4500 12.2(44)SG; Cat 3750/2900 12.2(7th)SE; ASR-1000 12.2(33)XNA; 800/1800/2800 12.3(2)T
Embedded Resource Manager: 10000 12.2(33)SB; 7600 12.2(33)SRB; 7304 12.2(33)SB; 7301/7200 12.2(33)SRC; 2H09 (platform column not recoverable from the extraction); 800/1800/2800 12.3(14)T
Embedded Management - Configuration
Cisco IOS Software Platforms (release train): Cisco 10000 Series (12.2SB); Cisco 7600 Series (12.2SR/SX); Cisco 7500 Series (12.2SB); Cisco 7304 Router (12.2SB); Cisco 7301 and 7200 Routers (12.2SB/SR); Cisco Catalyst 6500 (12.2SX/SR); Cisco Catalyst 4500 Series (12.2SG); Cisco Catalyst 3750 & 2900 Series (12.2SE); Cisco ASR-1000 Series (12.2XNA); Cisco 800, 1800 & 2800 Series (M&T)
Embedded Management – Infra - Transports

Cisco IOS Software platforms and release trains (columns, left to right): Cisco 10000 Series (12.2SB), Cisco 7600 Series (12.2SR/SX), Cisco 7500 Series (12.2SB), Cisco 7301 and 7200 Routers (12.2SB), Cisco 7304 Router (12.2SB/SR), Catalyst 6500 Series (12.2SX/SR), Catalyst 4500 Series (12.2SG), Cisco 3750 & 2900 Series (12.2SE), ASR-1000 Series (12.2XNA), Cisco 800, 1800 & 2800 Series (M&T)

| Feature | 10000 | 7600 | 7500 | 7301/7200 | 7304 | Cat 6500 | Cat 4500 | 3750/2900 | ASR-1000 | 800/1800/2800 |
|---|---|---|---|---|---|---|---|---|---|---|
| HTTPS - HTTP with SSL 3.0 | 12.2(33)SB | 12.2(33)SRA | NA | 12.2(33)SB | 12.2(33)SRA | 12.2(33)SXH | 12.2(44)SG | 12.2(25)SE | 12.2(33)XNA | 12.3(2)T |
| HTTP(S) USB Support for Content Delivery from USB Media; PAI enhancement; TACACS+ Accounting support | 12.2(33)SB | 12.2(33)SRC | NA | 12.2(33)SB | 12.2(33)SRC | 12.2(33)SXI | 12.2(44)SG | | | 12.4(15)T |
| HTTP IPv6 Support | 12.2(33)SB | 12.2(33)SRC | NA | 12.2(33)SB | 12.2(33)SRC | 12.2(1st)SY | 12.2(44)SG | 12.2(44)SE | 12.2(33)XNA | 12.4(20)T |
Embedded Management – Config/Parser

Cisco IOS Software platforms and release trains (columns, left to right): Cisco 10000 Series (12.2SB), Cisco 7600 Series (12.2SR/SX), Cisco 7500 Series (12.2SB), Cisco 7301 and 7200 Routers (12.2SB), Cisco 7304 Router (12.2SB/SR), Catalyst 6500 Series (12.2SX/SR), Catalyst 4500 Series (12.2SG), Cisco 3750 & 2900 Series (12.2SE), ASR-1000 Series (12.2XNA), Cisco 800, 1800 & 2800 Series (M&T)
EEM Version/Product Support Matrix
CISCO ACCESS ROUTERS - Current models

| EEM Version | Cisco 800 Series | Cisco 1800 Series | Cisco 2800 Series | Cisco 3800 Series | Cisco 1900 Series | Cisco 2900 Series | Cisco 3900 Series |
|---|---|---|---|---|---|---|---|
| 1.0 | | 12.3(11)T | 12.3(11)T | 12.3(11)T | | | |
| 2.0 | | | | | | | |
| 2.1 | | 12.3(14)T1 | 12.3(14)T1 | 12.3(14)T1 | | | |
| 2.1.5 | | | | | | | |
| 2.2 | 12.4(2)T | 12.4(2)T | 12.4(2)T | 12.4(2)T | | | |
| 2.3 | 12.4(11)T | 12.4(11)T | 12.4(11)T | 12.4(11)T | | | |
| 2.4 | 12.4(20)T | 12.4(20)T | 12.4(20)T | 12.4(20)T | | | |
| 3.0 | 12.4(22)T | 12.4(22)T | 12.4(22)T | 12.4(22)T | | | |
| 3.1 | 15.0(1)M | 15.0(1)M | 15.0(1)M | 15.0(1)M | 15.0(1)M | 15.0(1)M | 15.0(1)M |
| 3.2 | 15.1(3)T | 15.1(3)T | 15.1(3)T | 15.1(3)T | 15.1(3)T | 15.1(3)T | 15.1(3)T |
| 3.4 | Planning | Planning | Planning | Planning | Planning | Planning | Planning |
EEM Version/Product Support Matrix, cont.
CISCO SERVICE AGGREGATION/CORE ROUTERS

Platform columns (left to right): Cisco ASR1000 Series, Cisco 7200 Series, Cisco 7301, Cisco 7600 Series, Cisco 7304, Cisco UBR 10000, Cisco UBR 7200, Cisco 12000 Series, Cisco XR 12000, Cisco ASR 9000, Cisco CRS-1

Entries per EEM version, in column order as captured:
- 1.0: 12.0(26)S
- 2.0: 12.2(27)SBC, FM, FM, FM
- 2.1.5: FM, FM, FM
- 2.2: 12.4(2)T, 12.4(2)T1, FM, FM, FM
- 3.1: Planning, 15.0(1)M, Planning, Planning, Planning, Planning, Planning, Planning, Planning, Planning, Planning
- 3.2: Planning, 15.1(3)T, Planning, Planning, Planning, Planning, Planning, Planning, Planning, Planning, Planning
- 3.4: Planning (all platforms)

Shipping w/ Modularity (five switching platform columns; entries per EEM version, in column order as captured):
- 2.1.5: 12.2(18)SXF4 EC
- 2.2: Planning
- 2.3: 12.2(40)SE, 12.2(40)SE, 12.2(44)SG, 12.2(44)SG, 12.2(33)SXH
- 3.0: 12.2(52)SE, 12.2(52)SE, 12.2(1st)SY, 12.2(1st)SY (Zanzibar; Summer'10)
- 3.1: 12.2(52)SE, 12.2(52)SE, Planning, Planning (Zanzibar; Summer'10)
- 3.2: 12.2(52)SE, 12.2(52)SE, Planning, Planning (Zanzibar; Summer'10)
- 3.4: Planning, Planning, Planning, Planning, Planning
Embedded Management – IPSLAs
Release 12.2S and T Family Roadmap

Cisco IOS Software platforms and release trains (columns, left to right): Cisco 10000 Series (12.2SB), Cisco 7600 Series (12.2SR/SX), Cisco 7500 Series (12.2SB), Cisco 7301 and 7200 Routers (12.2SB), Cisco 7304 Router (12.2SB/SR), Catalyst 6500 Series (12.2SX/SR), Catalyst 4500 Series (12.2SG), Cisco 3750 & 2900 Series (12.2SE), Cisco 800, 1800 & 2800 Series (M&T)

| Feature | 10000 | 7600 | 7500 | 7301/7200 | 7304 | Cat 6500 | Cat 4500 | 3750/2900 | 800/1800/2800 |
|---|---|---|---|---|---|---|---|---|---|
| IP SLAs CLI Introduction | 12.2(31)SB | 12.2(33)SRB | 12.2(31)SB | 12.2(31)SB | 12.2(1st)SRC | 12.2(1st)SXH | 12.2(11th)SG | 12.2(40)SE | 12.3(14)T |
| IP SLA CLI Phase 2 | 12.2(31)SB | 12.2(33)SRB | 12.2(31)SB | 12.2(31)SB | 12.2(1st)SRC | 12.2(1st)SXH | 12.2(11th)SG | 12.2(40)SE | 12.4(2)T |
| IP SLA CLI Phase 3 | 12.2(1st)SB5 | 12.2(33)SRB | NA | 12.2(1st)SB5 | 12.2(1st)SRC | 12.2(1st)SXI | 12.2(11th)SG | 12.2(40)SE | 12.4(4)T |
| IP SLAs - LSP Health Monitor | 12.2(27)SBB | 12.2(33)SRA | 12.2(30)S | 12.2(27)SBB | 12.2(27)SBB | 12.2(1st)SXH | | | 12.4(6)T |
| IP SLAs Accuracy Improvements | 12.2(1st)SB5 | 12.2(33)SRB | NA | 12.2(1st)SB5 | 12.2(1st)SRC | 12.2(1st)SXI | 12.2(11th)SG | 12.2(40)SE | 12.3(14)T |
| IP SLAs Additional Threshold Traps (VoIP) | 12.2(1st)SB5 | 12.2(33)SRB | NA | 12.2(1st)SB5 | 12.2(1st)SRC | 12.2(1st)SXI | 12.2(11th)SG | 12.2(40)SE | 12.4(2)T |
| IP SLAs Random Scheduler | 12.2(1st)SB5 | 12.2(33)SRB | NA | 12.2(1st)SB5 | 12.2(1st)SRC | 12.2(1st)SXI | 12.2(11th)SG | 12.2(40)SE | 12.4(2)T |
| IP SLAs - LSP Health Monitor with LSP Discovery | 12.2(1st)SB5 | 12.2(33)SRB | NA | 12.2(1st)SB5 | 12.2(1st)SRC | | 12.2(11th)SG | 12.2(40)SE | 12.4(20)T |
| IP SLAs for Metro-Ethernet | 12.2(1st)SB5 | 12.2(33)SRB | NA | 12.2(1st)SB5 | 12.2(1st)SRC | 12.2(1st)SXI | | 12.2(40)SE | |
Cisco IOS IP SLAs
M & T Roadmap

Cisco IOS Software platforms (M&T train): Cisco 7301 Router, Cisco 7200 Series, Cisco 3800 & 2800 Series, Cisco 1800 & 800 Series
Cisco IOS IP SLAs
Release 12.0S/12.2S Family Roadmap

Cisco IOS Software platforms and release trains (columns, left to right): Cisco 7600 Series (12.2SR), Cisco 7301 Router (12.2SB), Cisco 7200 Series (12.2SB), Cisco 7304 Router (12.2SB), Catalyst 6500 Series (12.2SX), Catalyst 4500 Series (12.2SG), Cisco 3000 & 2000 Series (12.2SEE)

| Feature | 7600 | 7301 | 7200 | 7304 | Cat 6500 | Cat 4500 | 3000/2000 |
|---|---|---|---|---|---|---|---|
| IP SLAs Metro-Ethernet 3.0 | 12.2(33)SRE | | | | | | |
| IP SLAs Metro-Ethernet 2.0 | 12.2(33)SRD | | | | | | |
| IP SLAs PWE VCCV Ping | 12.2(33)SRC | | | | | | |
| IP SLAs for Metro-Ethernet (v1.0) | 12.2(33)SRB | | | | 12.2(33)SXI | | 12.2(40)SE |
Cisco IOS IP SLAs
Release 12.0S/12.2S Family Roadmap

Cisco IOS Software platforms: Cisco 12000 Series, Cisco 10000 Series, Cisco uBR1000 Series, Cisco ASR 1000 Series
NBAR
Release 15.0 Roadmap

NBAR Features by platform: Cisco 800, 1800, 1900, 2800, 2900, 3800, 3900 Series; Cisco 7200, 7300 Series
NBAR
Release 15.1 Roadmap

NBAR Features by platform: Cisco 800, 1800, 1900, 2800, 2900, 3800, 3900 Series; Cisco 7200, 7300 Series

IOS 15.1(2)T:
- NBAR HotIce
- Enhanced HTTP inspection
- Yahoo Messenger pdlm
- YouTube pdlm
- DiCom pdlm
- CIFS pdlm
- AIM pdlm
- MSN pdlm
- WinMx pdlm Enhancements
- Softphone + skinny pdlm Enhancements
- Updated Mapi pdlm
- Updated Bittorrent pdlm
- Wow pdlm
- Updated eMule pdlm
- TelePresence pdlm
- Updated Gnutella pdlm
NBAR
Release IOS XE – Protocol Library
NBAR Features Cisco ASR1000
Platform Feature Comparison
Flexible NetFlow

Access and aggregation routers:

| Feature | Cisco ISR | Cisco ISR-G2 | Cisco 72/73xx | ASR1000 |
|---|---|---|---|---|
| New Flexible NetFlow CLI | 12.4(9)T | 15.0(1)M | 12.4(9)T | Release 7 |
| Sampling: Full Flow support | 12.4(9)T | 15.0(1)M | 12.4(9)T | Release 7 |
| Activation: Ingress support | 12.4(9)T | 15.0(1)M | 12.4(9)T | Release 7 |
| Activation: Per Vlan | | | | |
| Exporter: NetFlow v5 Export Format | 12.4(22)T | 15.0(1)M | 12.4(22)T | Release 7 |
| IPv4 Flows | | | | |
| IPv6 Flows | | | | |

Switching platforms:

| Feature | C6500/EARL8 | C4500/K10 | Nexus 7000 | Nexus 1000V |
|---|---|---|---|---|
| New Flexible NetFlow CLI | | | | |
| Sampling: Full Flow support | 12.2(50)SYA | 12.2SG* | 4.0 | 4.0(4)SV1 |
| Activation: Ingress support | 12.2(50)SYA | 12.2SG* | 4.0 | 4.0(4)SV1 |
| Activation: Per Class-map | | | | |
| Exporter: NetFlow v5 Export Format | 12.2(50)SYA | 12.2SG* | 4.0 | 4.0(4)SV1 |
| IPv4 Flows | | | | |
| IPv6 Flows | | | | |

Core routers:

| Feature | CRS-1 | XR12000 | ASR9000 | C12000 |
|---|---|---|---|---|
| Sampling: Full Flow support | 3.2 | 3.3.0 | 3.9(1) | 12.0(33)S |
| Activation: Ingress support | 3.2 | 3.3.0 | 3.9(1) | 12.0(33)S |
| Activation: Per Vlan | | | | |
| Activation: Per Class-map | | | | |
| Exporter | | | | |
| IPv4 Flows | | | | |
| IPv6 Flows | | | | |