Slide 105/05/23

Policy-Based Management With SNMP

SNMPCONF Working Group - Interim Meeting May 2000

Jon Saperia

Slide 205/05/23

Presentation Goals

Provide a common starting point for our discussions by:– Defining common terms - terms in common with Policy

Framework Working Group– Presenting an architectural overview of current work– Describing how the proposed process of policy-based

management works with SNMP

Identify areas that need further refinement

Slide 305/05/23

Presentation Outline

Definition of Terms– Policy and Levels of Abstraction– Examples

SNMP Architecture– The basic elements– The Policy MIB Module– Mechanism and Device Specific MIB Modules– Support for access in managed devices at multiple levels of

abstraction

Slide 405/05/23

Presentation Outline - Continued

Process of Configuration Management with a policy-enabled framework based on SNMP– User definition of policy– Initialization of policy components in managed devices– Configuration of the mechanism specific sub system– Manager interaction with managed devices to learn capabilities– Definition of roles– Policy transfer to managed devices– Device evaluation of policy – Mechanism/Device specific policy module interactions– Device feedback to policy management applications

Slide 505/05/23

Policy Definition

Policy means many things to different people - different levels of abstraction– The high-level -the business level - few

technical details• All authorized IP phone calls have to get enough bandwidth

for TDM equivalent telephone service

– Increasing technical detail down to the most ‘refined’ level - individual parameters for specific instances in specific devices.

Slide 605/05/23

Policy Abstraction - Domains

A general area of technology such as service quality or security.

Example domains– IPSec– Differentiated Services

More than 1 domain may be needed to fully represent business level goals.

Slide 705/05/23

Policy Abstraction - Mechanism dependence/independence

Mechanisms are technologies used within a particular domain such as:– RED– WFQ

Policies expressed at a higher levels of abstraction are mechanism independent.

Slide 805/05/23

Policy Abstraction Implementation dependence/independence

Possible to express policy in mechanism dependent and device independent way.

Expect that it will be common to combine mechanism and device dependent layers together.– This is analogous to standard MIB Modules and vendor

extensions. Even when the standard is sufficient, many vendors require additional parameters for monitoring and control.

– A policy that is defined using RED could have start and stop probabilities defined that have either different queue parameters for different vendors, or other objects that are vendor specific.

Slide 905/05/23

Policy Abstraction - Instance dependence/independence

A policy can be distributed to a managed device in an instance independent or dependent way.

The policy MIB Module is configured with the rules that the managed device use to identify which instances should have the device and mechanism specific policy applied.

Slide 1005/05/23

Policy Information at Different Levels of AbstractionLevel of Abstraction Level Specific Data

Domain, Device, Mechanism andInstance independent.

Authorized IP phone calls get enoughbandwidth for TDM equivalent telephoneservice.

Domain Specific (DIFFSERV), Device,Mechanism and Instance independent.

if sourceIPAddress == 172.3.128.0/15, &&if DSCP == 101110 THEN treat voicetraffic with Expedited Forwarding.

Domain, Mechanism, and DeviceSpecific, Instance Independent.

For DSCP value == 101110 then setWeighted Fair Queuing Parameters suchas bandwidth limits

Domain, Mechanism, Device andInstance Specific.

Instances for each of the values abovewould be visible and should beconfigurable. Interface 5 queue 3.

Slide 1105/05/23

SNMP Architecture - Basic Elements

ManagedElements

SNMP AgentThe MIB

i.e., MIB Modules

The SNMP Protocol

SNMP Managerswith one or more applications

Slide 1205/05/23

The Policy MIB Module - Overview

Filters to apply for selection of instances

Role information used in instance selection• Ethernet interface• Serves the executive offices

Pointers for schedule information

Pointers to mechanism/device dependent MIB Modules

Slide 1305/05/23

Policy MIB Module - Overview Continued

Policy state information

Optionally usage information

Device capabilities:– Domains such as quality of service or IPSec– Mechanism appropriate to specific technologies

• WFQ• WRED

Information about which instances are associated with specific roles.

Slide 1405/05/23

The Policy Module and other MIB Modules

SNMP AgentThe MIB

Other ‘traditional’Policy MIBModule

Policy Module communicateswith other modules as neededor with local instrumentation.

device and instance specificMIB Modules

Slide 1505/05/23

Mechanism, Implementation and Instance Specific MIB Modules

SNMP Agent

Policy MIB Module

Diff. Serv. Policy MIB Module - converts mechanism and implementation specific

information to instance specific level

Instance Specific MIB Module(s). Can contain vendor extensions

Dotted lines indicate that indicated level of policy information is available to management applications, e.g., all levels are available

Solid lines represent possible interactions between components containing different levels of information.

Slide 1605/05/23

Table and Information RelationshipsRole Definitions and filters for each policy Schedule Information Implementation and Mechanism

dependent information for each policy

Policy Management Application(s)

Calendar/Schedule Objects

Policy Table (an entry for every policy on the

managed element.

Role Table - roles are added to

instance specific objects (e.g., interfaces)

Capabilities Table

Mechanism and device specific

MIB Modules or tables

Slide 1705/05/23

The Entire System - Overview

Administratively defined policy

Device, Instance and Mechanism Independent ‘default’ information

Policy System allows users to create expressions of policy for each domain.

Management Application Distributes Policy Information

Configuration commands to device, mechanism, and instance specific MIB Module(s) or ‘raw’ device instrumentation

Device Dependent, Instance Independent,Mechanism Dependent information

Mechanism specific Modules expand, defaults to instances for policy from info from Policy Module

Policy MIB Module

Slide 1805/05/23

Sequence of Operations

Users provide information to management applications:– Filters/rules that managed elements used to determine which

instances to apply specific policies - to pmPolicyFilter.– Schedule information - Policy and Schedule Modules– Device and Mechanism specific information (when needed).– Assignment of roles to instances

Mechanism specific subsystem(s) register with Policy Module.

Managers learn devices capabilities from the Policy Module.

Slide 1905/05/23

Sequence of Operations - Continued

Management software sets roleStrings in each device

Management software sends policies to devices– Mechanism and device information sent to devices and

appropriate MIB Modules as necessary.

Managed devices evaluate policyFilter and policyAction objects to determine instance targets for policy.

Device/Mechanism dependent modules set necessary values - via communication with other MIB Modules.

Slide 2005/05/23

Operations - An Ongoing Activity

Monitor policy status

Monitor resource utilization

Monitor fault status