Post on 14-Jan-2016
Policy-Based Management with SNMP and Comparison with COPS-PR
Steve Waldbusser
waldbusser@nextbeacon.com
5/16/01
Policy Based Management
A policy binds an action (simple or complex) to a filter rule that determines which elements the action should be applied to.
That is: if (an element has certain characteristics) then (apply the operation to that element)
Equivalently: if (policyFilter) then (policyAction)
A Conceptual policy
[Figure: a set of managed elements, each labelled by role, media type and speed: Trunk Ethernet Gold 100Mb, Trunk ATM Gold 45Mb, Trunk Ethernet 100Mb, Access Ethernet Gold 10Mb, Access Ethernet Silver 10Mb, Access Ethernet 10Mb, Trunk Ethernet Silver 100Mb, Access Ethernet Gold 100Mb, Trunk Frame 45Mb, Access Frame Gold 512Kb, Access Frame Silver 512Kb, Access Frame 128Kb, Access Ethernet Bronze 10Mb. The filter "Trunk AND Ethernet AND 100Mb" selects three elements (Trunk Ethernet Gold 100Mb, Trunk Ethernet 100Mb, Trunk Ethernet Silver 100Mb) and the action "Autonegotiate Off" is applied to each of them.]
A Conceptual policy
[Figure: the same set of elements with a different filter. "Ethernet AND Access AND Gold" selects the four Access Ethernet Gold elements (one 100Mb, three 10Mb) and the action "DSCP = 5" is applied to each of them.]
The Policy-Based Management MIB
The Policy Management MIB (PM MIB) provides a way to describe and install policies for any domain:
– QOS
– Security
– Routing
– etc.
PM MIB Policies can manage any type of element:
– Interfaces
– Circuits
– Queues
– Processes
– Software
– others...
PM MIB Goals
Leverage existing infrastructure and tools
– Resulting simplicity will accelerate time to market
Leverage existing MIBs
– Don't start from scratch in our data models
Flexibility for real-world policy
– Simple or complex filters
– Simple or complex actions
Meet operational requirements
– Policy-based management is *very* different
– End-users will need new tools and practices
Policy Operation
[Figure: policies read their inputs from, and write their results to, the existing SNMP MIBs on the managed system. These are usually local operations, so SNMP packets on the network are unnecessary.]
PolicyFilter                                      PolicyAction
ifType == FastEthernet && roleString == trunk     fullDuplexMode = ON
ifType == Ethernet && roleString == GOLD          Set QOS parameters to provide EF PHB
Elements of the Policy MIB Architecture
PolicyScript Language
– Interpreted language that policy filters and actions are expressed in
Accessor Function Library
– Standard set of library functions available for PolicyScript code
PM MIB
– Objects and attributes that describe policies, schedules and supporting information
PolicyScript Language
Least common denominator of C, Perl, C++, TCL, Python, and Javascript
– No pointers, structures, typed variables, objects, classes, etc.
– Does contain expressions, variables, looping
Accessor Function Library
Library of 41 standard functions for policy processing
– Convenience SNMP Functions
  • getvar, exists, setvar, searchcolumn, setRowStatus, counterRate, ...
– General SNMP Functions
  • newPDU, readVar, writeVar, snmpsend
– Policy Functions
  • roleMatch, elementName, setScratchPad, getScratchPad, signalException, getParameters
– Utility Functions
  • regexp, regexp_replace, oidlen, oidncmp, insubtree, subid, substr, ...
– Library Functions
  • strncmp, strncasecmp, strlen, random, sprintf, sscanf
Extensible
– Vendors and others can add new accessor functions (e.g., setCLI())
policyFilter PseudoCode
Pseudocode:
(is an ethernet
 AND is operational
 AND gets gold or silver service)
Scripted As:
(getvar("ifType.$*") == ethernet-csmacd        // ifType ethernetCsmacd(6); "$*" is the index of the element being examined
 && getvar("ifOperStatus.$*") == up            // ifOperStatus up(1)
 && (roleMatch("gold") || roleMatch("silver")))
Execution Example
Filter:
(getvar("ifType.$*") == ethernet-csmacd
 && !(roleMatch("gold") || roleMatch("silver")))
Action:
setvar("ifAdminStatus.$*", down(2), Integer)
Before:
Index  Type      Roles   AdminStatus
1      Ethernet  Gold    Up
2      Frame     Gold    Up
3      Ethernet          Up
4      Ethernet  Silver  Up
5      Ethernet  Silver  Up
After (only interface 3, the Ethernet port with neither the gold nor the silver role, matches the filter, so only its ifAdminStatus is set):
Index  Type      Roles   AdminStatus
1      Ethernet  Gold    Up
2      Frame     Gold    Up
3      Ethernet          Down
4      Ethernet  Silver  Up
5      Ethernet  Silver  Up
Example Policy
Web Hosting Provider gives shell accounts but prohibits long-running programs
Filter:
// if it's an application and it's
// consumed more than 5 minutes of CPU time
(getvar("hrSWRunType.$*") == 4            // application(4), not OS or driver
 && getvar("hrSWRunPerfCPU.$*") > 30000)  // hrSWRunPerfCPU counts centiseconds: 300 seconds
Action:
// Kill it
setvar("hrSWRunStatus.$*", invalid(4), Integer);  // setting hrSWRunStatus to invalid(4) kills the process
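The two policies above (the "Execution Example" on interfaces and the web-hosting process policy) run through a toy evaluator. This is an added illustration, not the PM MIB agent or the PolicyScript interpreter: filters and actions are written as Python closures over the same accessor names the slides use (getvar, setvar, roleMatch), "$*" is replaced by the index of the element under examination, and the policy is evaluated once per element exactly as the slides describe. The interface table is copied from the slide; the process table is constructed for the example. The enumeration values (ethernetCsmacd(6), frameRelay(32), up(1)/down(2), application(4), invalid(4), hrSWRunPerfCPU in centiseconds) are the standard IF-MIB and HOST-RESOURCES-MIB values.

```python
"""Toy PM MIB style policy evaluator (added example, not the PM MIB's own code).

A policy is a filter plus an action.  The agent runs the filter once per
element and runs the action on every element the filter accepts.
"""

# Standard MIB enumerations used by the slides' examples
ETHERNET_CSMACD = 6   # ifType ethernetCsmacd(6)
FRAME_RELAY = 32      # ifType frameRelay(32)
UP, DOWN = 1, 2       # ifAdminStatus up(1), down(2)
HR_APPLICATION = 4    # hrSWRunType application(4); operatingSystem is 2
HR_RUNNING = 1        # hrSWRunStatus running(1)
HR_INVALID = 4        # hrSWRunStatus invalid(4): writing it kills the process


class Accessors:
    """getvar/setvar/roleMatch bound to one element of an agent's local MIB.

    mib   : {"ifType": {1: 6, 2: 32, ...}, "ifAdminStatus": {...}, ...}
    roles : {index: {"gold", "silver", ...}}  operator-assigned role strings
    """

    def __init__(self, mib, roles, index):
        self.mib, self.roles, self.index = mib, roles, index

    def _resolve(self, var):
        # "ifType.$*" -> ("ifType", <current index>); "ifType.3" -> ("ifType", 3)
        name, _, idx = var.partition(".")
        return name, (self.index if idx == "$*" else int(idx))

    def getvar(self, var):
        name, idx = self._resolve(var)
        return self.mib[name][idx]

    def setvar(self, var, value, vtype="Integer"):
        # vtype is accepted for fidelity with the slides' setvar(..., Integer)
        name, idx = self._resolve(var)
        if idx not in self.mib[name]:
            raise KeyError(f"{name}.{idx} does not exist")
        self.mib[name][idx] = value

    def roleMatch(self, role):
        return role in self.roles.get(self.index, set())


def run_policy(mib, roles, type_column, policy_filter, policy_action):
    """Evaluate one policy over every element that has a row in type_column.
    Returns the indexes the filter matched, in ascending order."""
    matched = []
    for index in sorted(mib[type_column]):
        a = Accessors(mib, roles, index)
        if policy_filter(a):
            policy_action(a)
            matched.append(index)
    return matched


def interface_example():
    """'Execution Example': shut down Ethernet ports that are neither gold nor silver."""
    mib = {  # table copied from the slide
        "ifType": {1: ETHERNET_CSMACD, 2: FRAME_RELAY, 3: ETHERNET_CSMACD,
                   4: ETHERNET_CSMACD, 5: ETHERNET_CSMACD},
        "ifAdminStatus": {i: UP for i in range(1, 6)},
    }
    roles = {1: {"gold"}, 2: {"gold"}, 4: {"silver"}, 5: {"silver"}}  # 3 has no role

    def filt(a):
        return (a.getvar("ifType.$*") == ETHERNET_CSMACD
                and not (a.roleMatch("gold") or a.roleMatch("silver")))

    def action(a):
        a.setvar("ifAdminStatus.$*", DOWN, "Integer")

    matched = run_policy(mib, roles, "ifType", filt, action)
    return matched, dict(mib["ifAdminStatus"])


def process_example():
    """'Example Policy': kill applications that used more than 5 minutes of CPU."""
    mib = {  # constructed rows: pid 101 is an OS process, pid 102 is a short-lived app
        "hrSWRunType":    {100: HR_APPLICATION, 101: 2, 102: HR_APPLICATION},
        "hrSWRunPerfCPU": {100: 45000, 101: 900000, 102: 1200},  # centiseconds
        "hrSWRunStatus":  {100: HR_RUNNING, 101: HR_RUNNING, 102: HR_RUNNING},
    }

    def filt(a):
        return (a.getvar("hrSWRunType.$*") == HR_APPLICATION
                and a.getvar("hrSWRunPerfCPU.$*") > 30000)  # 300 seconds

    def action(a):
        a.setvar("hrSWRunStatus.$*", HR_INVALID, "Integer")

    matched = run_policy(mib, {}, "hrSWRunType", filt, action)
    return matched, dict(mib["hrSWRunStatus"])


if __name__ == "__main__":
    print(interface_example())  # ([3], {1: 1, 2: 1, 3: 2, 4: 1, 5: 1})
    print(process_example())    # ([100], {100: 4, 101: 1, 102: 1})
```

Two things the run makes visible. First, an element with no role string (interface 3) is what the negated roleMatch() filter catches, so unlabelled ports are the ones that get shut down; a policy author has to decide whether "no role" should mean "unused" before deploying such a rule. Second, the action executes locally with the agent's own authority: whoever can create rows in the policy table can run PolicyScript (and, through vendor accessors like setCLI(), the device CLI) on that agent, so write access to the policy table deserves the same SNMPv3 authentication and view restrictions as the most privileged objects it can reach.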
MIB Objects
Policy Table: Contains filter, action, scheduling info, execution instructions, debugging info, etc.
– Policy installation consists of creating rows in this table
Index 1
  PolicyFilter: (ifType == ethernet && !roleMatch("connected"))
  PolicyAction: ifAdminStatus = off
  Description:  For security reasons, shut off all unused ports
Index 2
  PolicyFilter: (ifType == ethernet && capMatch("DSCP") && roleMatch("Gold"))
  PolicyAction: diffServ6tupleDSCP = 13; diffservclassifierNext = 2MbpsMeter; ...
  Description:  Give gold service to all ethernets that have been marked for gold service. Works for DSCP interfaces.
Index 3
  PolicyFilter: (sysOID == acmeRouter* && roleMatch("Access"))
  PolicyAction: AcmeMIBLoadImage = "RouterCode12.exe";
  Description:  Load stable image in all access routers made by Acme.
Other Tables in PM MIB for scheduling, roles and capabilities, operational tools, debugging, etc.
Protocol Interaction
[Three sequence diagrams between Manager and Managed System. In each case there is no polling and no traps.]
Initial Configuration:
  Manager -> Managed System: Config Req (Get/Getnext)
  Managed System -> Manager: Config Data
  Manager -> Managed System: Policy Installation (Set)
  Managed System -> Manager: Ack
Policy Change:
  Manager -> Managed System: Policy Install/Modify (Set)
  Managed System -> Manager: Ack
Config State Change:
  Managed System -> Manager: State Change (Inform)
  Manager -> Managed System: Ack
  Manager -> Managed System: Policy Install/Modify (Set)
  Managed System -> Manager: Ack
Features of Policy MIB
Scripting
– Very flexible and understandable way to express policy
– IT Personnel like the power of scripting
– Much more flexible than string matching
Policies based on operational status
– Capabilities, status of interface, utilization, etc.
– Allows much richer sets of policies than using human-input strings
Scheduling
– Business calendars: "M-F 9-5" or "Last Friday of every month"
– Videoconference from 12PM to 1PM
Conflict resolution
– Follows a precedence tree to find the best policy in case of conflict
– COPS punts conflict resolution to the manager
Error Recovery
– Scripting allows you to fall back to an alternate mechanism, an alternate policy, or to raise an alarm
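The three kinds of schedule named under Scheduling above, evaluated by an added example in Python. This is an illustration of the calendar logic only, not the PM MIB's schedule table, which has its own encoding; the schedule names, the 2001-05-16 videoconference date and the test instants are constructed.

```python
"""Calendar checks that decide whether a scheduled policy is active at time t
(added example; the PM MIB stores schedules in its own table)."""
import calendar
from datetime import datetime, time


def weekly(t, days, start, end):
    """Recurring window, e.g. Mon-Fri 09:00-17:00.  days: 0=Mon .. 6=Sun."""
    return t.weekday() in days and start <= t.time() < end


def last_weekday_of_month(t, weekday):
    """True if t falls on the last <weekday> of its month (e.g. last Friday).
    A day is the last of its weekday when no same weekday fits after it."""
    days_in_month = calendar.monthrange(t.year, t.month)[1]
    return t.weekday() == weekday and t.day + 7 > days_in_month


def one_shot(t, start, end):
    """Absolute window such as a single videoconference."""
    return start <= t < end


# Constructed schedules mirroring the slide: business hours, month-end, one meeting
SCHEDULES = {
    "office-hours":     lambda t: weekly(t, range(5), time(9), time(17)),
    "month-end-backup": lambda t: last_weekday_of_month(t, calendar.FRIDAY),
    "videoconf":        lambda t: one_shot(t, datetime(2001, 5, 16, 12),
                                           datetime(2001, 5, 16, 13)),
}


def active_schedules(t, schedules=SCHEDULES):
    """Names of the schedules whose window contains t; a policy bound to one
    of them would be eligible to run at t."""
    return sorted(name for name, pred in schedules.items() if pred(t))


if __name__ == "__main__":
    # 2001-05-16 is a Wednesday; the last Friday of May 2001 is the 25th
    print(active_schedules(datetime(2001, 5, 16, 12, 30)))  # ['office-hours', 'videoconf']
    print(active_schedules(datetime(2001, 5, 25, 18, 0)))   # ['month-end-backup']
```

The half-open windows (start inclusive, end exclusive) matter when two schedules abut: a policy scheduled "9-5" and another "5-9" must not both fire at 17:00.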
Operational Requirements
Tools for Policy Creation
– Need to allow an engineer to test a policy
– Answer the question: will this filter match the proper elements?
Tools for Ongoing Operations
– Notifications if a policy undergoes errors
– When debugging a problem, want to know: what policies are managing this element?
– May want to disable a policy on an element so the operator can take back control ("limp-home mode") until the policy is fixed
  • Must document this ad-hoc decision
Advantages of the PM MIB
Built with existing infrastructure and tools
Leverages existing MIBs
Flexibility
Complete Architecture
– Includes operational tools