
Cisco Active Network Abstraction 3.7 Administrator Guide
February 1, 2010

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

Text Part Number: OL-20016-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. 
Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco Active Network Abstraction 3.7 Administrator Guide
© 1999-2010 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface
  Organization of This Guide
  Conventions
  Related Documentation
  Obtaining Documentation and Submitting a Service Request

Chapter 1: Using the Cisco ANA Manage GUI Client
  Logging In and Out of Cisco ANA Manage
  Parts of the Cisco ANA Manage Window
  Cisco ANA Manage Windows and Toolbars
    ANA Servers Window
      ANA Gateway and Unit Windows
      AVM Window
    Global Settings Windows
      DB Segments Window
      Event Management Settings Window
      Message of the Day Window
      Polling Groups Window
      Protection Groups Window
      Report Settings Window
      Security Settings Window
    Scopes Window
    Topology Window
    Users Window
    Workflow Engine Windows
      Templates Window
      Workflows Window
  Using Cisco ANA Manage Tables
    Using the Find Function in a Table
    Filtering Table Information
    Sorting a Table
    Exporting Table Data to a File

Chapter 2: Deploying Cisco ANA and Working with Licenses
  Steps for Deploying Cisco ANA
  Steps for Setting Up Users and Scopes
  Managing Licenses
    Checking the Status of the License Server
    Installing Licenses
    Viewing License Properties

Chapter 3: Managing the Cisco ANA Gateway and Units
  Managing the Cisco ANA Gateway
    Overview of the Cisco ANA Gateway
    Viewing Gateway Properties in Cisco ANA Manage
    Managing the Gateway Processes Using the anactl Command
    Obtaining Diagnostic Information About the Gateway
    Gateway Open Sessions Registry Settings
  Managing Cisco ANA Units
    Overview of Cisco ANA Units
    Managing the Unit Processes Using the anactl Command
    Obtaining Diagnostic Information About the Unit
    Disabling MAC-Based Topology Before Adding Units
    Adding New Cisco ANA Units
    Viewing and Editing Cisco ANA Unit Properties
    Restarting a Cisco ANA Unit
    Deleting a Cisco ANA Unit

Chapter 4: Managing AVMs
  Overview of AVMs
  Understanding AVM Status
  Creating AVMs
  Viewing and Editing AVM Properties
  Changing AVM Status (Start or Stop)
  Moving AVMs
  Deleting AVMs
  Finding an AVM or VNE

Chapter 5: Managing VNEs
  Overview of VNEs
    Cloud VNEs
    Ethernet Cloud VNEs
  Understanding VNE Status and VNE States
    VNE States and the VNE Lifecycle
    VNE Lifecycle: Discovery and Device Command Timeouts
    VNE Discovery and Investigation State Registry Settings
  Creating VNEs: Prerequisites
    Device Information Required Before Adding VNEs
    Device Configuration Required Before Adding VNEs
    Choosing a VNE Scheme
  Adding a VNE
  VNEs and Device Software Updates
  Viewing VNE Properties
    VNE General Settings
    VNE SNMP Settings
    VNE Telnet/SSH Settings
    VNE ICMP Settings
    VNE Polling Settings
    VNE Event Settings
  Populating a Cloud VNE with Technology and Topology Information
  Editing VNE Properties
  Changing VNE Status (Start, Stop, Maintenance)
  Moving VNEs to a Different AVM
  Deleting a VNE

Chapter 6: Managing Global Settings
  Viewing Database Segments
  Customizing How Long Events Are Saved (Event Management)
  Customizing a Message of the Day
  Managing Polling Groups and Adaptive Polling
    Polling Groups Overview
    Smooth Polling and Adaptive Polling
    Customizing a Polling Group
    Editing a Polling Group
    Deleting a Polling Group
  Managing Protection Groups
    Viewing and Editing Protection Group Properties
    Deleting a Protection Group
  Managing Report Settings
  Managing Global Security Settings
    Using an External LDAP Server for Password Authentication
      Configuring Cisco ANA to Communicate with the External LDAP Server
      Changing from External to Local Authentication
    Setting Global Password Rules
    Automatically Disabling Accounts for Inactive Users

Chapter 7: Managing Links
  Creating a Static Link
  Removing a Static Link

Chapter 8: Workflow Administration Tasks
  Workflows and the Workflow Engine Windows
  Viewing and Deleting Templates
  Viewing Output, Aborting, and Deleting Workflows
  Adding Workflow Users (Using runRegTool)

Chapter 9: Managing User Security: Roles and Scopes
  Overview of User Authentication and Authorization
    External Authentication
    User Access Roles and Default Permissions
    Scopes
  Steps for Setting Up Users and Scopes
  Creating and Managing Scopes
    Creating a Scope
    Editing and Viewing Scope Properties
    Deleting Scopes
  Managing User Accounts and Controlling User Access
    Creating User Accounts and Assigning Default Permissions
    Changing User Information and Disabling Accounts (General Tab)
    Controlling User Permissions and Access to Scopes (Security Tab)
    Controlling User Access to Maps (Maps Tab)
    Deleting a Cisco ANA User Account
    Changing a User's Cisco ANA Password

Chapter 10: Cisco ANA System Security
  Communication Security
    Device Communication Security: SSH and SNMPv3
  Registry Security
  User Authentication and Authorization

Chapter 11: System Health and Diagnostics
  Logging Into the Diagnostics Tool
  Overview of the Diagnostics Tool Window
  Viewing Diagnostic Information
  Use Cases for the Diagnostics Tool

Chapter 12: Managing the Event Listener
  Overview of the Event Listener
  Installing and Configuring the Event Listener
    Configuring a Single Event Listener
    Configuring Multiple Event Listeners Using runRegTool

Chapter 13: Purging Data and Maintaining System Stability
  Purging Old Data Using the Integrity Service
  Disabling Auto-Archiving of Raw Events Received from Devices

Appendix A: Backing Up and Restoring the Registry
  Backing Up the Cisco ANA Registry
    Overview of the Registry Backup Procedure
    Before You Begin Backing Up the Registry
    Performing a Manual Backup
    Changing the Periodic Backup Time
  Restoring the Cisco ANA Registry

Appendix B: System-Wide Commands and Utility Scripts
  Restarting a Cisco ANA Unit Using anactl
  Restarting the Cisco ANA Gateway Using anactl
  Adding Multiple VNEs in Bulk
  Changing Passwords: Cisco ANA Database
  Changing Passwords: bosenable, bosconfig, bosusermanager
  Changing Passwords: Diagnostics Tool
  Running a Command on All Cisco ANA Units

Appendix C: Working with the Registry
  Overview of the Cisco ANA Registry
  Changing Registry Settings Using runRegTool

Appendix D: Using High Availability
  Overview of High Availability
    Watchdog Protocol
    Unit N+m High Availability
  Estimating Down Time in Case of Failure
    Catastrophic Process Failure
    Timeout Process Failure
    Timeout Machine Failure
  Configuring Cisco ANA Units for High Availability
    Configuring Units for High Availability Using Protection Groups
    Configuring Standby Units
    Checking the Assignment of Units to Protection Groups
    Changing the Protection Group of a Unit
    Switching to a Standby Unit
  Managing the Watchdog Protocol
    Configuring AVMs for High Availability
    Viewing and Changing Watchdog Protocol Settings
  High Availability Registry Settings

Appendix E: VNE Persistency Mechanism
  Persistency Overview
  Alarm Persistency
  Topology Persistency
  Instrumentation Persistency

Appendix F: CPU Utilization and Cisco ANA
  Key Factors That Affect CPU Consumption
  Cisco ANA Solutions for CPU Consumption Problems
    CPU Monitoring for Cisco IOS XR Devices
    CPU Overutilized Alarm Support for Cisco IOS XR Devices
    VNE Adaptive Polling Settings for Cisco IOS XR Devices
    Optimizing the Type of Queries Issued by Cisco ANA VNEs
    Optimizing the Rate of Queries Issued by Cisco ANA VNEs

Index

Preface
This guide describes the structure and features of Cisco Active Network Abstraction (Cisco ANA). Cisco ANA Manage is the GUI client application designed to simplify and facilitate administration. It enables you to configure and control Cisco ANA. Cisco ANA Manage interacts with the Cisco ANA registry to query and modify configuration information. This guide is intended for use by trained administrators. This preface contains the following sections:

• Organization of This Guide, page ix
• Conventions, page xi
• Related Documentation, page xi
• Obtaining Documentation and Submitting a Service Request, page xii

Organization of This Guide

This guide includes the following chapters and appendixes:

Chapter 1, Using the Cisco ANA Manage GUI Client: Describes how to open and operate the Cisco ANA Manage application.

Chapter 2, Deploying Cisco ANA and Working with Licenses: Describes the steps needed to deploy Cisco ANA in your environment, and how to install and view licenses.

Chapter 3, Managing the Cisco ANA Gateway and Units: Describes how to manage the gateway, and how to define and manage units.

Chapter 4, Managing AVMs: Describes how to define and manage AVMs.

Chapter 5, Managing VNEs: Describes how to define and manage VNEs, including cloud VNEs.

Chapter 6, Managing Global Settings: Describes how to define and manage Cisco ANA Manage global settings, including Cisco ANA database segments, report settings, message banners, polling groups, protection groups, and security settings (user authentication).

Chapter 7, Managing Links: Describes how to add and remove a topological link between two ports of two network elements in the network.

Chapter 8, Workflow Administration Tasks: Describes how to manage workflow templates and add workflow users to Cisco ANA Manage.

Chapter 9, Managing User Security: Roles and Scopes: Describes how Cisco ANA implements a three-dimensional security engine combining a role-based security mechanism with scopes that are granted to users. In addition, it describes managing users using external authentication, and how to manage user accounts and passwords.

Chapter 10, Cisco ANA System Security: Describes the security features used by Cisco ANA to secure communication between Cisco ANA components and to protect data, including the configurable points.

Chapter 11, System Health and Diagnostics: Describes how to work with the system health and diagnostics tool, and the various aspects of the Cisco ANA system that can be monitored.

Chapter 12, Managing the Event Listener: Describes the Cisco ANA Event Listener and how to configure it.

Chapter 13, Purging Data and Maintaining System Stability: Describes how to maintain system stability and remove system clutter using the Cisco ANA integrity service.

Appendix A, Backing Up and Restoring the Registry: Describes the registry backup and restore procedures.

Appendix B, System-Wide Commands and Utility Scripts: Describes the utility scripts available for use with Cisco ANA, including scripts for bulk VNE additions, restarting the Cisco ANA gateway and components, changing database passwords, and so on.

Appendix C, Working with the Registry: Provides details of the Golden Source registry and how to edit it.

Appendix D, Using High Availability: Describes the high availability and protection options available for units and gateways.

Appendix E, VNE Persistency Mechanism: Describes the VNE persistency mechanism in Cisco ANA.

Appendix F, CPU Utilization and Cisco ANA: Explains the factors that can cause ongoing CPU consumption problems and offers possible solutions.

Conventions

This document uses the following conventions:

bold font: Commands and keywords and user-entered text appear in bold font.
italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ]: Elements in square brackets are optional.
{x | y | z}: Required alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
string: A nonquoted set of characters. Do not use quotation marks around the string, or the string will include the quotation marks.
courier font: Terminal sessions and information the system displays appear in courier font.
< >: Nonprinting characters such as passwords are in angle brackets.
[ ]: Default responses to system prompts are in square brackets.
!, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Note

Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

Tip

Means the following information will help you solve a problem.

Caution

Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.

Related Documentation

Note

We sometimes update the documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.

The following documentation is available for Cisco Active Network Abstraction 3.7:

• Cisco Active Network Abstraction 3.7 Theory of Operations
• Cisco Active Network Abstraction 3.7 User Guide
• Cisco Active Network Abstraction 3.7 Documentation Guide
• Cisco Active Network Abstraction 3.7 Installation Guide
• Cisco Active Network Abstraction 3.7 Release Notes
• Cisco Active Network Abstraction 3.7 Customization User Guide
• Cisco Active Network Abstraction 3.7 Reference Guide
• Cisco Active Network Abstraction Integration Developer Guide, available on the Cisco ANA Technology Center. This guide describes how to use Cisco ANA integration interfaces.

The Cisco ANA Technology Center is an online resource for additional downloadable Cisco ANA support content, including help for integration developers who use Cisco ANA application programming interfaces (APIs). The website provides information, guidance, and examples to help you integrate your applications with Cisco ANA. It also provides a platform for you to interact with subject matter experts. To view the information on the Cisco ANA Technology Center website, you must have a Cisco.com account with partner level access, or you must be a Cisco ANA licensee. You can access the Cisco ANA Technology Center at: http://developer.cisco.com/web/ana/home.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

Chapter 1

Using the Cisco ANA Manage GUI Client

Cisco ANA Manage is the GUI tool used for performing various system administration activities for simple system control. It provides an interface for performing the following tasks:

• Adding and removing Cisco ANA units.
• Adding and removing AVMs and VNEs for the different units, starting and stopping VNEs, and setting polling information per VNE.
• Configuring system-wide settings:
  - Viewing the storage allocated for all database segments.
  - Generating a message of the day (service disclaimer).
  - Configuring default password rules and user security settings, and configuring an external authentication server.
  - Customizing polling groups and protection groups.
  - Configuring event and report purge settings.
• Managing static and persistent topology links.
• Managing workflow templates and performing administration tasks on workflows (such as aborting running workflows).
• Grouping a collection of managed NEs (scopes) so that the user can view and manage the NEs based on user role.
• Defining and managing user accounts.

These topics describe the Cisco ANA Manage working environment and how to access Cisco ANA Manage tools and commands. They also provide instructions for launching and operating Cisco ANA Manage with its menu and toolbar options.

• Logging In and Out of Cisco ANA Manage, page 1-2
• Parts of the Cisco ANA Manage Window, page 1-3
• Cisco ANA Manage Windows and Toolbars, page 1-5
• Using Cisco ANA Manage Tables, page 1-29


Logging In and Out of Cisco ANA Manage


Cisco ANA Manage is password-protected to ensure security, and is available only to users with administrator privileges. Before you start working with Cisco ANA Manage, make sure you know the username, password, and Cisco ANA gateway IP address or hostname that you require.

Note

If a user does not log into the Cisco ANA Manage, Cisco ANA NetworkVision, or Cisco ANA EventVision applications during a specified period of time (the default is one month), the user's account is locked automatically. You can adjust this setting; see Changing User Information and Disabling Accounts (General Tab), page 9-10. To reenable a locked user account, see Changing User Information and Disabling Accounts (General Tab), page 9-10.

These topics describe how to log in and out of Cisco ANA Manage:

• Logging In, page 1-2
• Logging Out, page 1-3

Logging In

To start Cisco ANA Manage:

Step 1 From the Start menu, choose Programs > Cisco ANA > Cisco ANA Manage. The Cisco ANA Manage Login dialog box is displayed.

Step 2 Enter the username and password.

Note

We recommend that you change the login password after logging in for the first time.

The last four Cisco ANA gateways to which you logged in successfully are displayed in the Host drop-down list. The list is displayed in chronological order with the most recent gateway appearing at the top of the list. When launching Cisco ANA Manage, messages are displayed if the server and client have different versions of the application that launches the client. For more information about these messages, see the Cisco Active Network Abstraction 3.7 Installation Guide.

Step 3 In the Host field, specify the Cisco ANA gateway to log into in one of the following ways:

• Choose a Cisco ANA gateway from the drop-down list.

Note

The gateway IP address or hostname that was used when you last logged in automatically appears at the top of the Host drop-down list.

• Enter the Cisco ANA gateway information as an IP address or hostname.

Note

Make sure that you use the leading IP address (the IP address on which the Cisco ANA gateway was configured) when logging into the system.


Step 4 Click OK. The Cisco ANA Manage window is displayed, with the username and host information shown in the window title.

Note

The content area in the Cisco ANA Manage window might appear empty when the application is opened for the first time.

Logging Out

When you have finished working with Cisco ANA Manage, you can log out of the application. Any changes that were made are automatically saved when you log out. To log out of Cisco ANA Manage, do either of the following:

• Choose File > Exit.
• Click the close button in the top right corner of the Cisco ANA Manage window.

Parts of the Cisco ANA Manage Window

Figure 1-1 identifies the parts of the Cisco ANA Manage window.

Figure 1-1 Cisco ANA Manage Window

1 Menu bar, with main menu choices
2 Toolbar, with content that depends on your current selection
3 Navigation area, where you pick items from a navigation tree to perform actions on the items (see Navigation Pane, page 1-4)
4 Content area, with content that depends on your current selection (see Content Area and Tables, page 1-5)
5 Shortcut menu, with content that depends on your current selection
6 Status bar, which displays the memory usage of the application process, and connection status

Dragging the window borders adjusts the size of each area.

Navigation Pane

The navigation pane displays a tree-and-branch representation of the Cisco ANA Manage folders. The branches can be expanded and collapsed to display and hide information as needed. The following table lists the Cisco ANA Manage branches (each shown with its badge in the Cisco ANA Manage window) and identifies the tasks associated with each.

ANA Servers: Manages information relating to the Cisco ANA gateway and Cisco ANA units, including AVMs and VNEs. The ANA Servers windows include:
• ANA Gateway and Unit Windows, page 1-8
• AVM Window, page 1-10
For more information, see ANA Servers Window, page 1-6.

Global Settings: Manages the system-wide settings. The Global Settings windows include:
• DB Segments Window, page 1-13
• Event Management Settings Window, page 1-14
• Message of the Day Window, page 1-15
• Polling Groups Window, page 1-16
• Protection Groups Window, page 1-17
• Security Settings Window, page 1-19 (which includes authentication method, password, and user account settings)
For more information, see Global Settings Windows, page 1-13.

Scopes: Groups a collection of managed network elements so users can view and manage network elements based on their specified role. For more information, see Scopes Window, page 1-22.

Topology: Manages topology-related parameters, namely, the static links you can create between devices. For more information, see Topology Window, page 1-24.

Users: Defines and manages user accounts. For more information, see Users Window, page 1-25.

Workflow Engine: Manages workflow templates and performs administration tasks on workflows (such as aborting running workflows). The Workflow Engine windows include:
• Templates Window, page 1-26
• Workflows Window, page 1-27
For more information, see Workflow Engine Windows, page 1-26.

Click an item in the navigation tree to view information relating to the selection in the content area. Right-click an item in the navigation tree to open a shortcut menu to perform various functions.

Note

The menus and toolbar displayed in the Cisco ANA Manage window are context sensitive; the options vary depending on your selection in the navigation pane and content area.

Content Area and Tables


The content area displays Cisco ANA Manage information that is related to the item selected in the navigation pane. The content area is divided into the following two parts:

• Upper pane: Displays the properties of the element that is selected in the navigation pane.
• Lower pane: Displays the element's nested children in table format.

Note

Use the Ctrl key to select multiple rows in a table. The status bar displays the number of selected rows and the total number of rows in the table; for example, 6/6 Selected. It also displays the location of the currently selected row in the table, such as Line 2. For more details about how to filter and manipulate table data, see Using Cisco ANA Manage Tables, page 1-29 and Using Selection Filters, page 1-31.

Cisco ANA Manage Windows and Toolbars

All main menus in Cisco ANA Manage windows contain the following options. Additional options are also displayed, depending on the selection in the navigation tree.

Table 1-1 Common Menu Options

File > Exit: Exits Cisco ANA Manage. See Logging Out, page 1-3.
Tools > Change User Password: Changes the password used when logging into the client application suite. The change takes effect the next time you log into the application.
Reports > Report Manager: Manages saved reports and allows you to create new reports.
Reports > Run Reports: Quick menu for running event reports and inventory reports.
Help > Cisco ANA Manage Help: Displays online help for the application.
Help > About Cisco ANA Manage: Displays application information, such as the version number.

These topics provide detailed descriptions of the information displayed in the Cisco ANA Manage window for each of the following:

• ANA Servers Window, page 1-6
• Global Settings Windows, page 1-13
• Scopes Window, page 1-22
• Topology Window, page 1-24
• Users Window, page 1-25
• Workflow Engine Windows, page 1-26

ANA Servers Window

Cisco ANA Manage maintains a list of all servers defined in the system. The ANA Servers functions are used to add and remove unit servers and AVMs that reside on the gateway (or unit). The ANA Servers windows contain the following:

• ANA Gateway and Unit Windows, page 1-8
• AVM Window, page 1-10

You can expand this branch to view a list of the gateways, units, and AVMs. Each gateway, unit, and AVM has its own sub-window. These windows are used to manage information relating to the AVMs and VNEs contained in the units.

Note

AVMs and VNEs reside on a unit as a common configuration, but they can also reside on a gateway.


Figure 1-2 shows an example of the Cisco ANA Manage window with ANA Servers selected.
Figure 1-2 ANA Servers Window

The table lists all gateways and units, and their status. You can sort rows in ascending or descending order by clicking the column heading that you want to sort by. To change the sort order, click the column heading again.

Note

Any changes that are made to the ANA Servers windows are automatically saved and immediately registered in Cisco ANA.

Table 1-2 describes the columns displayed in the ANA Servers table.

Table 1-2 ANA Servers Table

IP Address: The IP address of the unit or gateway as defined in Cisco ANA Manage.
Status: The status of the unit:
• Up: The unit is up.
• Down: The unit is down.
• Unreachable: The unit cannot be reached.
Up Since: The date and time when the unit was last loaded.
Physical Memory: The physical memory of the unit.
Memory/Up AVMs: The total memory being used by the AVMs in the unit or gateway.
Memory/All AVMs: The total memory allocated to all of the AVMs in the unit or gateway (but not necessarily being used by the AVMs).
Protection Group: The protection group to which the unit is allocated.
AVM HA: Whether the unit is enabled or disabled for high availability:
• True: The unit is enabled for high availability. This is the default value.
• False: The unit is not enabled for high availability.

ANA Servers Toolbar

Table 1-3 shows the ANA Servers toolbar options.


Table 1-3 ANA Servers Tools

Icon   Description
(icon) Adds a new unit to the Cisco ANA server.
(icon) Searches for an AVM or VNE on the selected Cisco ANA server.

For more information about managing Cisco ANA servers, see Chapter 3, Managing the Cisco ANA Gateway and Units.

ANA Gateway and Unit Windows


The ANA Gateway and Unit windows list all gateways and units, enabling you to manage information relating to the AVMs and VNEs on a selected unit or gateway. This includes:

Adding, editing, and removing an AVM.
Switching manually to the standby unit.
Viewing AVM properties.
Moving AVMs.
Starting and stopping AVMs and VNEs.
Adding VNEs.

Figure 1-3 shows an example of the Cisco ANA Manage window with an ANA Gateway (selected) and an ANA Unit window.
Figure 1-3 ANA Gateway and Unit Windows

Each row in the table displays the status of an AVM. The AVMs can be sorted in ascending or descending order by clicking the column heading in the table.

Note

Any changes that are made to the ANA Gateway or Unit windows are automatically saved and immediately registered in Cisco ANA.

Table 1-4 describes the columns that are displayed in the AVMs table.

Table 1-4 AVMs Table

Column        Description
ID            The name of the AVM as defined in Cisco ANA. It is unique to the AVM; for example, AVM 18.
Status        The status of the AVM:
              Starting Up: The AVM is starting.
              Up: The AVM is up.
              Shutting Down: The AVM is stopping.
              Down: The AVM is down.
              Unreachable: The AVM cannot be reached.
Up Since      The date and time that the AVM was last started.
Max. Memory   The maximum allocated memory size as defined when the AVM was created in Cisco ANA Manage. The default value is 256 MB.
Key           The key of the AVM, which is unique to the system. By default, the key is displayed as AVM + ID + time stamp.

ANA Gateway and Unit Toolbar

Table 1-5 shows the toolbar options for the ANA Gateway and Unit windows.
Table 1-5 ANA Gateway and Unit Tools

Icon   Description
(icon) Creates a new AVM in the selected unit or gateway.
(icon) Displays the server properties and status.
(icon) Deletes the selected unit.
(icon) (AVMs only) Starts the selected AVM.
(icon) (AVMs only) Stops the selected AVM.
(icon) Searches for an AVM or VNE among the Cisco ANA units and gateway.

Note

The search tool searches only on the selected unit and its sub-windows. It does not search all units.

For more information managing the gateway and units, see Chapter 3, Managing the Cisco ANA Gateway and Units.

AVM Window
The AVM window enables you to manage information relating to the VNEs in a selected AVM, including:

Adding, editing, and removing a VNE.
Viewing VNE or AVM properties.
Deleting an AVM.
Moving VNEs or AVMs.
Starting and stopping VNEs or AVMs.
Moving VNEs to maintenance mode.

Figure 1-4 shows an example of the Cisco ANA Manage window with an AVM selected.
Figure 1-4 AVM Window

When you choose an AVM, the content area displays the properties of the AVM and a table with the list of VNEs.

Note

No VNEs are displayed when a reserved AVM is selected. Reserved AVMs are AVMs 1-100.

Table 1-6 describes the columns in the VNEs table.

Table 1-6 VNEs Table

Column                     Description
Key                        The unique key of the VNE.
IP Address                 The IP address of the device as defined in Cisco ANA Manage.
Status                     The status of the VNE:
                           Starting Up: The VNE is starting.
                           Up: The VNE is up.
                           Shutting Down: The VNE is stopping.
                           Down: The VNE is down.
                           Unreachable: The VNE cannot be reached.
Maintenance                Indicates whether or not the VNE is in maintenance mode:
                           True: The VNE is in maintenance mode.
                           False: The VNE is not in maintenance mode.
Up Since                   The date and time that the VNE was last started.
SNMP                       Indicates whether SNMP is enabled or disabled on the VNE:
                           True: SNMP is enabled.
                           False: SNMP is disabled.
Telnet                     Indicates whether Telnet is enabled or disabled on the VNE (Telnet carries the device login credentials across the network in cleartext):
                           True: Telnet is enabled.
                           False: Telnet is disabled.
Element Class              The VNE category, such as Auto Detect, Generic SNMP, Cloud, or ICMP.
Element Type               The device type (manufacturer name), such as Cisco 7204.
Polling Group              The name of the customized polling group. The entry in this column is blank if the polling group is an instance.
Adaptive Polling Settings  The adaptive polling settings of the VNE. Adaptive polling adjusts the VNE polling rate when CPU usage is very high or very low.

For more information, see Chapter 4, Managing AVMs, and Chapter 5, Managing VNEs.
AVM Toolbar

Table 1-7 shows the AVM toolbar options. Most of these tools apply to both AVMs and VNEs, depending on whether you have selected an AVM or a VNE.
Table 1-7 AVM (and VNE) Tools

Icon   Description
(icon) Creates a new VNE in the selected AVM.
(icon) Displays the properties of the selected AVM or VNE.
(icon) Deletes the selected AVM or VNE.
(icon) Starts the selected AVM or VNE.
(icon) Stops the selected AVM or VNE.
(icon) (VNEs only) Moves the selected VNE to maintenance mode.
(icon) Searches for an AVM or VNE among all servers.

Global Settings Windows


The Global Settings windows control system-wide settings, such as polling and protection groups. Any changes that are made to the settings affect the configuration throughout the system. The Global Settings windows include the following:

DB Segments Window, page 1-13
Event Management Settings Window, page 1-14
Message of the Day Window, page 1-15
Polling Groups Window, page 1-16
Protection Groups Window, page 1-17
Report Settings Window, page 1-18
Security Settings Window, page 1-19

DB Segments Window
The DB Segments window displays a table describing the storage allocated for all database segments. Figure 1-5 shows an example of the Cisco ANA Manage window with DB Segments selected.
Figure 1-5 DB Segments Window

Table 1-8 describes the columns that are displayed in the DB Segments table.

Table 1-8 DB Segments Table

Column             Description
Name               The name of the segment.
Type               The type of segment, such as INDEX PARTITION, TABLE PARTITION, TABLE, CLUSTER, INDEX, ROLLBACK, DEFERRED ROLLBACK, TEMPORARY, CACHE, LOBINDEX, LOB PARTITION, or LOBSEGMENT.
Tablespace Name    The name of the tablespace containing the segment.
Partition Count    The number of partitions.
Extent Count       The number of extents allocated to the segment.
Next Extent Size   The size, in bytes, of the next extent to be allocated to the segment.
Bytes              The size of the segment, in bytes.

For more information about DB segments, see Viewing Database Segments, page 6-1.

Event Management Settings Window


The Event Management Settings window enables you to specify when events are purged from the database. Figure 1-6 shows an example of the Cisco ANA Manage window with the Event Management Settings selected.
Figure 1-6 Event Management Settings Window

Table 1-9 describes the items in the Event Management Settings window content area.

Table 1-9 Event Management Settings Content Area

Item                                Description
Remove events after ____ days       Number of days after which events will be purged from each partition. The default is 14.
Database partition size (in days)   Number of days after which each partition will be split. The default is 2. (For database sizing guidelines and other capacity planning information, contact your Cisco account representative.)


For more information about the Event Management Settings, see Customizing How Long Events Are Saved (Event Management), page 6-2.

Message of the Day Window


The Message of the Day window enables you to define a message (service disclaimer) that is displayed when a user logs into client applications. Figure 1-7 shows an example of the Cisco ANA Manage window with the Message of the Day selected.
Figure 1-7 Message of the Day Window

Table 1-10 describes the items in the Message of the Day content area.

Table 1-10 Message of the Day Content Area

Item      Description
Title     The title for the message. By default, the title Terms of Use is displayed.
Message   A free-text message for the user. The message supports HTML format.
Save      Click Save to save the message so that it is displayed when users log into client applications.

Note

The Abort and Continue buttons are displayed in the message box by default, so the message must relate to these actions. The user must accept the service disclaimer (that is, click Continue) or the user cannot log in.

For more information about using the Message of the Day window, see Customizing a Message of the Day, page 6-2.


Polling Groups Window


The Polling Groups window enables you to manage polling groups by categorizing a group of devices to be polled according to preset intervals. Figure 1-8 shows an example of the Cisco ANA Manage window with Polling Groups selected.
Figure 1-8 Polling Groups Window

Table 1-11 describes the columns that are displayed in the Polling Groups table.

Table 1-11 Polling Groups Table

Column          Description
Polling Group   The polling group name defined by the user.
Description     A description of the polling group.

Note

Any changes that are made in the Polling Groups window are automatically saved and immediately registered in Cisco ANA.
Polling Groups Toolbar

Table 1-12 shows the Polling Groups toolbar options.


Table 1-12 Polling Groups Tools

Icon   Description
(icon) Creates a new polling group.
(icon) Displays the properties of the selected polling group.
(icon) Deletes the selected polling group.

Note

The default polling group must not be deleted.

For more information, see Managing Polling Groups and Adaptive Polling, page 6-3.

Protection Groups Window


By default, all units in the Cisco ANA fabric belong to one cluster or protection group. The Protection Groups window enables you to change the default setup of the units by customizing protection groups and then assigning units to these protection groups. For more information, see Appendix D, Using High Availability. Figure 1-9 shows an example of the Cisco ANA Manage window with Protection Groups selected.
Figure 1-9 Protection Groups Window

Table 1-13 describes the columns that are displayed in the Protection Groups table.

Table 1-13 Protection Groups Table

Column        Description
Name          The protection group name defined by the administrator.
Description   A description of the protection group.


Protection Groups Toolbar

Table 1-14 shows the Protection Groups toolbar options.


Table 1-14 Protection Groups Tools

Icon   Description
(icon) Creates a new protection group.
(icon) Displays the properties of the selected protection group.
(icon) Deletes the selected protection group.

Note

The default protection group must not be deleted.

For more information about protection groups, see:


Managing Protection Groups, page 6-9
Appendix D, Using High Availability

Report Settings Window


The Report Settings window enables you to specify how long Cisco ANA should save reports and whether users are allowed to create shared (public) reports. Figure 1-10 shows an example of the Cisco ANA Manage window with Report Settings selected.
Figure 1-10 Report Settings Window


Table 1-15 describes the items in the Report Settings content area.

Table 1-15 Report Settings Content Area

Item                Description
Purge Settings      Specifies how long to save reports and the maximum amount of disk space to allocate for reports.
Security Settings   Specifies whether users can create public reports (which allows others to see reports created by that user).

For more information about Report Settings, see Managing Report Settings, page 6-11.

Security Settings Window


The global Security Settings windows maintain system-wide security settings, such as the user authentication method, global password rules, and timeouts for disabling client accounts. Any changes that are made to the settings affect the configuration throughout the system. The global Security Settings windows include the following:

Authentication Method Window, page 1-19
Password Settings Window, page 1-21
User Account Settings Window, page 1-22

Authentication Method Window


The Authentication Method window enables control of the method used to validate passwords for Cisco ANA users. If you use Cisco ANA for authentication, all passwords are validated by Cisco ANA and stored in the Cisco ANA database. If you use LDAP for authentication, all passwords are validated by the LDAP server and stored on an external LDAP server.


Figure 1-11 shows an example of the Cisco ANA Manage window with Authentication Method selected.
Figure 1-11 Authentication Method Window

Table 1-16 describes the items in the Authentication Method content area.

Table 1-16 Authentication Method Content Area

Item                        Description
LDAP URLs                   LDAP server name and port number.
Distinguished Name Prefix   First part of the LDAP DN, which is used to uniquely identify users.
Distinguished Name Suffix   Second part of the LDAP distinguished name, which specifies the location in the directory.
ANA-LDAP Protocol           Protocol used for communication between the Cisco ANA gateway server and the LDAP server: simple (no transport encryption, so user passwords cross the network in cleartext) or SSL.

For more information about external authentication, see Using an External LDAP Server for Password Authentication, page 6-12.
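The following Python is an added illustration, not code from this guide or from Cisco ANA. It shows how the prefix, username, and suffix fields above combine into the DN that the gateway binds with, why the username must be escaped before it is spliced in (an unescaped username such as alice,ou=admins would add an RDN and change which directory entry is authenticated), and which URL and protocol combinations send passwords across the network unprotected. The composition prefix + username + suffix, the reading of simple as an unencrypted bind, and the expectation that SSL is used with an ldaps:// URL are assumptions made for the example; verify them against your own deployment.

```python
from urllib.parse import urlsplit

# Characters that RFC 4514 requires escaping inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a string so it is safe to embed as one attribute value of a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):      # leading or trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:              # leading hash
            out.append("\\#")
        elif ord(ch) < 0x20:                    # control characters as hex pairs
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(prefix: str, username: str, suffix: str) -> str:
    """Compose the bind DN as prefix + username + suffix (assumed layout)."""
    return f"{prefix}{escape_dn_value(username)}{suffix}"


def check_ldap_url(url: str, protocol: str) -> dict:
    """Parse an LDAP URL and list settings a reviewer should question.

    Assumption: 'simple' means a bind with no transport encryption and
    'SSL' means LDAP over TLS, which normally uses an ldaps:// URL.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    proto = protocol.lower()
    findings = []
    if scheme not in ("ldap", "ldaps"):
        findings.append(f"unsupported URL scheme {parts.scheme!r}")
        port = None
    else:
        port = parts.port or (636 if scheme == "ldaps" else 389)
    if scheme == "ldap" and proto == "simple":
        findings.append("simple bind over ldap:// sends user passwords in cleartext")
    if scheme == "ldap" and proto == "ssl":
        findings.append("protocol is SSL but the URL is ldap://; confirm the server and port expect TLS")
    if scheme == "ldaps" and proto == "simple":
        findings.append("URL is ldaps:// but protocol is simple; the two settings disagree")
    return {"host": parts.hostname, "port": port, "scheme": scheme, "findings": findings}


if __name__ == "__main__":
    # Constructed settings resembling the Authentication Method window.
    print(build_user_dn("uid=", "alice,ou=admins", ",ou=people,dc=example,dc=com"))
    print(check_ldap_url("ldap://ldap.example.com", "simple"))
```

Run it against the values entered in the window: any non-empty findings list for the URL and protocol pair means the gateway would be sending, or may be sending, directory passwords without transport protection.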


Password Settings Window


The Password Settings window enables you to set password rules that apply to all user accounts. Figure 1-12 shows an example of the Cisco ANA Manage window with Password Settings selected.
Figure 1-12 Password Settings Window

Table 1-17 describes the items in the Password Settings content area.

Table 1-17 Password Settings Content Area

Item                                Description
Password Validity Period            Number of days after which users must reset their password.
Number of Attempts Before Lockout   Number of failed login attempts before a user's account is disabled. (Administrators can reenable accounts as described in Changing User Information and Disabling Accounts (General Tab), page 9-10.)
Password Strength                   Password rules that are applied to all new passwords.

For more information about Password Settings, see Setting Global Password Rules, page 6-15.


User Account Settings Window


The User Account Settings window enables you to specify when Cisco ANA should disable user accounts due to account inactivity. The inactivity timer is measured in days. You can reenable the account as described in Changing User Information and Disabling Accounts (General Tab), page 9-10. Figure 1-13 shows an example of the Cisco ANA Manage window with User Account Settings selected.
Figure 1-13 User Account Settings Window

Table 1-18 describes the items in the User Account Settings content area.

Table 1-18 User Account Settings Content Area

Item                                        Description
Disable account if inactive for ____ days   Number of days of inactivity, after which the user account is disabled. (See Changing User Information and Disabling Accounts (General Tab), page 9-10.)

For more information about User Account Settings, see Automatically Disabling Accounts for Inactive Users, page 6-16.
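The Password Settings and User Account Settings windows above describe three counters that Cisco ANA evaluates per account: password age, failed login attempts, and days since the last login. The Python below is an added example, not Cisco ANA code, that applies such a policy to a constructed set of accounts, the kind of check you might run over an exported user list to confirm the configured values behave as intended. The threshold values, the strength rules (a minimum length plus three character classes), the use of the account creation date for users who have never logged in, and the exemption of externally authenticated users from the password-age check are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Policy:
    # Threshold values are illustrative; the guide gives no defaults for them.
    password_validity_days: int = 90   # Password Settings: Password Validity Period
    attempts_before_lockout: int = 5   # Password Settings: Number of Attempts Before Lockout
    inactive_days: int = 30            # User Account Settings: Disable account if inactive for N days
    min_length: int = 8                # assumed Password Strength rule


@dataclass
class Account:
    username: str
    created_on: date
    password_set_on: date
    last_login: Optional[date] = None
    failed_attempts: int = 0
    enabled: bool = True
    external: bool = False  # password verified by an external LDAP server


def password_strength_problems(password: str, policy: Policy) -> List[str]:
    """Assumed strength rules: minimum length plus at least three character classes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(
        1 for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        if re.search(pattern, password)
    )
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def evaluate_account(acct: Account, policy: Policy, today: date) -> List[str]:
    """Return the actions the policy implies for one account as of `today`."""
    if not acct.enabled:
        return ["already disabled"]
    actions = []
    if acct.failed_attempts >= policy.attempts_before_lockout:
        actions.append("lock: failed-attempt limit reached")
    # Accounts that never logged in are measured from creation (assumption).
    last_activity = acct.last_login or acct.created_on
    if (today - last_activity).days > policy.inactive_days:
        actions.append("disable: inactive")
    # Passwords of external users live on the LDAP server, so the validity
    # period is not applied to them here (assumption).
    if not acct.external and (today - acct.password_set_on).days > policy.password_validity_days:
        actions.append("force password reset: validity period expired")
    return actions


def audit(accounts: List[Account], policy: Policy, today: date) -> dict:
    """Map each username to its pending actions; an empty list means compliant."""
    return {a.username: evaluate_account(a, policy, today) for a in accounts}


# Constructed sample accounts (not real users) and an evaluation date.
SAMPLE_TODAY = date(2010, 2, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2009, 1, 1), date(2009, 12, 1), last_login=date(2010, 1, 20)),
    Account("bob", date(2009, 1, 1), date(2009, 10, 1), last_login=date(2009, 12, 1), failed_attempts=5),
    Account("carol", date(2010, 1, 25), date(2010, 1, 25), external=True),
    Account("dave", date(2009, 1, 1), date(2009, 1, 1), enabled=False),
]


def sample_audit() -> dict:
    return audit(SAMPLE_ACCOUNTS, Policy(), SAMPLE_TODAY)


if __name__ == "__main__":
    for user, actions in sample_audit().items():
        print(user, actions or "ok")
```

The order of checks matters in a real system only for reporting; each condition is independent, so an account can be locked, inactive, and overdue for a password change at the same time, as bob is in the sample.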

Scopes Window
The Scopes window enables you to group a collection of managed network elements so that users can view and manage the network elements based on the role granted to their user account for the scope. For more information on the Scopes window, see Chapter 9, Managing User Security: Roles and Scopes. Figure 1-14 shows an example of the Cisco ANA Manage window with Scopes selected.


Figure 1-14 Scopes Window

Each row in the table displays the name of a scope as defined in Cisco ANA Manage.
Scopes Toolbar

Table 1-19 shows the Scopes toolbar options.


Table 1-19 Scopes Tools

Icon   Description
(icon) Creates a new scope. See Creating and Managing Scopes, page 9-6.
(icon) Displays the properties of the selected scope.
(icon) Deletes the selected scope.

For more information about scopes, see Scopes, page 9-3.


Topology Window
The Topology window enables you to define static links between two network elements to supplement or override existing autodiscovered topology. Figure 1-15 shows an example of the Cisco ANA Manage window with Topology selected.
Figure 1-15 Topology Window

The Topology window displays all static links defined in the system, including the A side and Z side of the link.
Topology Toolbar

Table 1-20 shows the Topology toolbar options.


Table 1-20 Topology Tools

Icon   Description
(icon) Opens the New Link dialog box, enabling you to create a link between two devices. See Creating a Static Link, page 7-1.
(icon) Deletes the selected static link.

For more information about the Topology window and links, see Chapter 7, Managing Links.


Users Window
The Users window enables you to define and manage user accounts. For more information about the Users window, see Chapter 9, Managing User Security: Roles and Scopes. Figure 1-16 shows an example of the Cisco ANA Manage window with Users selected.
Figure 1-16 Users Window

Table 1-21 describes the columns that are displayed in the ANA Users table.

Table 1-21 ANA Users Table

Column               Description
User Name            The unique username defined for the current client station.
Description          A description of the user.
Default Permission   The default permission of the user, such as Viewer or Administrator. For example, a user with the default permission Viewer can view maps and the Device List.

Note

The default permission applies only at an application level; that is, it applies to all activities that are related to GUI functionality and not the activities related to devices. See Chapter 9, Managing User Security: Roles and Scopes.

Last Login           The date and time that the user last logged in.
External             Indicates whether an external authentication server is used for account and password verification. See External Authentication, page 9-2.
Emergency            Indicates whether the user is designated as an emergency user, who can still log in if the external authentication server goes down. See External Authentication, page 9-2.


Users Toolbar

Table 1-22 shows the Users toolbar options.


Table 1-22 Users Tools

Icon   Description
(icon) Opens the New User dialog box, enabling you to define a new user for the current client station.
(icon) Displays the properties of the selected user.
(icon) Deletes the selected username from the system.

Note

The user root cannot be deleted.

For information on managing users, see Chapter 9, Managing User Security: Roles and Scopes.

Workflow Engine Windows


The Workflow Engine windows enable you to view and delete workflow templates and perform administration tasks on workflows. The templates are used by the Workflow Editor (which is based on LiquidBPM by Autonomy, Inc.). The Workflow Engine windows include the following:

Templates: Displays a list of the deployed workflow templates and enables you to view the properties of the workflow template. For more information, see Templates Window, page 1-26.
Workflows: Displays a list of the running or completed workflows and enables you to view their output and alter their current status. See Workflows Window, page 1-27.

Templates Window
The Templates window enables you to:

View a list of the deployed workflow templates.
View the properties (attributes) of a workflow template.
Delete a workflow template.


Figure 1-17 shows an example of the Cisco ANA Manage window with Templates selected.
Figure 1-17 Templates Window

The table displays the names of the workflow templates, as defined using the Cisco Workflow Editor. For more information, see Templates Toolbar, page 1-27.
Templates Toolbar

Table 1-23 shows the Templates toolbar option.


Table 1-23 Templates Tools

Icon   Description
(icon) Deletes the selected workflow template.

For more information about workflows, see:


Chapter 8, Workflow Administration Tasks
Cisco Active Network Abstraction 3.7 Customization User Guide

Workflows Window
The Workflows window enables you to:

View the list of running or completed workflows and the status of each.
View the output of a workflow.
Abort a workflow that is being processed or that has been completed, and initiate rollback.
Delete a workflow.
View the properties of a workflow.

Figure 1-18 shows an example of the Cisco ANA Manage window with Workflows selected.
Figure 1-18 Workflows Window

Table 1-24 describes the columns that are displayed in the Workflows table.

Table 1-24 Workflows Table

Column           Description
ID               A unique sequential number given to the workflow.
Name             The name of the workflow, as defined using the Cisco Workflow Editor.
State            The current status of the workflow, such as Ready, Running, Done, or Aborted.
Blocking Locks   The locks that the selected workflow is waiting to be released.
Locks            The locks that the selected workflow currently holds.

Workflows Toolbar

Table 1-25 shows the Workflows toolbar option.

Table 1-25 Workflows Tools

Icon   Description
(icon) Deletes the workflow from the database.


For more information about workflows, see:


Chapter 8, Workflow Administration Tasks
Cisco Active Network Abstraction 3.7 Customization User Guide

Using Cisco ANA Manage Tables


Various tables are used throughout the application to display different types of information. These topics explain how you can manipulate or tailor data that is displayed in tables:

Using the Find Function in a Table, page 1-30
Filtering Table Information, page 1-30
Sorting a Table, page 1-32
Exporting Table Data to a File, page 1-33

You can also find specific Cisco ANA Manage information, such as VNEs that are in maintenance mode, or AVMs named with a certain key string, by using the Find feature and entering criteria into the Find dialog box. For more information, see Finding an AVM or VNE, page 4-7.
Table Toolbar

Table 1-26 lists the contents of the toolbar that appears above tables in the content area.

Table 1-26 Table Toolbar

Icon   Name                        Description
(icon) Export to CSV               Saves the rows currently displayed in the table (or only the selected rows) to a comma-separated values file. See Exporting Table Data to a File, page 1-33.
(icon) Sort Table Values           Sorts the information displayed in the table; for example, according to status or IP address.
(icon) Filter                      Defines a filter on the information displayed in the table, using the Filter dialog box. See Filtering Table Information, page 1-30.
(icon) Previous Selection Filter   Undoes the last applied selection filter.
(icon) Set Selection Filter        Applies a selection filter to the selected line or lines, so that only those lines remain displayed.
(icon) Rewind All                  Undoes all previously applied selection filters, and returns the originally displayed data to the content area table.

Note

When you choose one or more lines in a table, the Set Selection Filter button becomes available. The Previous Selection Filter button, and the Rewind All option under it, become available only after a selection filter has been applied.


Using the Find Function in a Table


Cisco ANA Manage enables you to search for information in the content area by entering search criteria, such as a partial username.
Step 1   In the table toolbar, enter the search criteria in the Find field.
Step 2   Press Enter. The row matching the search criteria is highlighted in the table.

Tip

Press F3 to continue searching the table.

Filtering Table Information


Cisco ANA provides two types of filters for viewing table information:

General filters, which allow you to define rules that control what is displayed. See Using a General Filter, page 1-30.
Selection filters, which allow you to manually select the lines you want to display. See Using Selection Filters, page 1-31.

Using a General Filter


General filters allow you to enter rules that control the data that will be displayed. For example, you can list all data that matches a certain value, or alternatively list all data that does not match a certain value.
Defining a General Filter

To define a filter:
Step 1   In the table toolbar, click Filter.
Step 2   Enter the information required to define a filter:

Field        Description
Field        In the drop-down list, choose the attribute that you want to search on. The drop-down list contains all columns displayed in the current table.
Operator     In the drop-down list, choose the criteria to apply to the attribute:
             Contains
             Equal to
             Greater than
             Less than
Not          Check this check box to negate the operator chosen in the Operator field. For example, if you choose Contains in the Operator field and check the Not check box, the filter operator is the equivalent of does not contain.
Search for   Enter the string to be matched.


Step 3   Click OK. The information is displayed in the content area using the defined filter.

Note

The Filter button toggles to indicate that a filter has been applied.

Clearing a General Filter

To clear the filter and display all data in the table again:
Step 1   In the toolbar, click Filter.
Step 2   Click Clear. The content area displays all the data again.

Note

The Clear filter option clears ALL filter settings. See Using Selection Filters, page 1-31.

Using Selection Filters


Selection filters allow you to sort through the lines in a table and pinpoint the ones you want to view. You can select discrete sets of lines and display only those lines in a table, and then continue to choose more lines. Once you have set several selection filters, you can:

Undo the last line selection (one step back), one at a time, by using Previous Selection Filter.
Undo (rewind) all line selections, by using Rewind All.

To select multiple lines and apply the set selection filter:


Step 1   Select the lines in a Cisco ANA Manage table. The Set Selection Filter button is activated.
Step 2   Click Set Selection Filter. Only the selected lines remain in the table.

To undo the previous filter selection:


Step 1   Select one or more lines and filter them by using the appropriate table toolbar buttons.
Step 2   To undo the last filtering selection, click Previous Selection Filter. The table refreshes with all lines that appeared before your last filter selection.


To undo all previously selected filter options:


Step 1   Select, filter, and sort lines as required in a table by using the appropriate table toolbar buttons.
Step 2   Click Previous Selection Filter.
Step 3   Click Rewind All. All lines in the table are displayed.

Tip

To clear all manually selected and defined filter options, click Clear in the Filter dialog box. See Filtering Table Information, page 1-30.

Sorting a Table
Tables in Cisco ANA Manage can be sorted by defining specific criteria. The sort can be performed continuously or on a one-time-only basis. To sort a table:
Step 1   In the toolbar, click Sort. The Sort dialog box is displayed (Figure 1-19).

Figure 1-19 Sort Dialog Box

Step 2   Enter the sort criteria:

Field            Description
Sort By          1. In the drop-down list, choose the column you want to sort by.
                 2. Choose the sort order, either ascending or descending.
Then By          1. In the drop-down lists, choose the next and then the last column you want to sort by.
                 2. Choose the sort order for your choices, either ascending or descending.
Sort Operation   Choose whether the information is to be sorted once or repeatedly:
                 Once Only: Sorts the information displayed in the table according to the specified criteria once only. When this option is selected, a triangle is displayed in the table heading for the selected column.
                 Continuously/Repeatedly: Sorts the information displayed in the table according to the specified criteria continuously. When this option is selected, the icon is displayed next to the selected column heading.

Step 3   Click OK. The table information is sorted according to the criteria defined.

Exporting Table Data to a File


Cisco ANA Manage enables you to export the data currently displayed in the content area to a comma-separated values (CSV) file. If rows are selected, only the selected rows are exported; when nothing is selected, the entire table is exported. The data can then be imported and viewed at a later time.

Note

This tool works the same way throughout the application.

To export the table to a file:

Step 1   In the table toolbar, click Export to CSV.
Step 2   Browse to the directory where you want to save the table.
Step 3   In the File name field, enter a name for the file.
Step 4   Click Save. The selection is saved in the specified directory.


Chapter 2

Deploying Cisco ANA and Working with Licenses


The following topics provide an overview of the steps you must perform to deploy Cisco ANA:

- Steps for Deploying Cisco ANA, page 2-1
- Steps for Setting Up Users and Scopes, page 2-4
- Managing Licenses, page 2-5

The first two topics include links to the procedures that will guide you through these steps. The deployment step includes installing Cisco ANA, creating AVMs and VNEs, setting up protection groups and polling groups, and so forth. The users and scopes overview details the procedures for creating users and controlling the functions and network elements they can access.

Steps for Deploying Cisco ANA


The workflow shown in Figure 2-1 and described in the text that follows explains how to deploy and set up a Cisco ANA system using Cisco ANA Manage.

Figure 2-1 Basic Steps to Set Up the Cisco ANA System

[Figure 2-1: flowchart showing Step 1: Prepare a deployment plan; Step 2: Set up and manage ANA servers (Step 2.a: Add Cisco ANA units; Step 2.b: Create and launch AVMs; Step 2.c: Create and assign VNEs); Step 3: Customize protection groups; Step 4: Customize polling groups; Step 5: Define static links (optional); Step 6: Manage and run workflows (optional)]

Note

For deployment information and recommendations, such as supported configurations and system sizing, contact your Cisco account representative.

1. Prepare a deployment plan. You must decide:

   - The number of Cisco ANA unit servers to be deployed and the number of AVMs for each server.
   - The number and types of VNEs to be managed by each AVM.
   - The number of protection groups there are going to be and how Cisco ANA units are going to be organized into protection groups (clusters), based on the following considerations:
     - Device type
     - Geographical location
     - Importance of device
     - Number of devices

   Note

   The planning of protection groups in the deployment plan is only applicable when high availability is enabled. For more information, see Appendix D, Using High Availability.

   - The number of standby Cisco ANA units that are going to be deployed.
   - How Cisco ANA units, standby Cisco ANA units, and protection groups are going to be deployed and allocated.
   - The number of network scopes that are required and the policies they will employ.
   - The number of users to be defined.

2. Set up and manage Cisco ANA servers:

   a. Add Cisco ANA units.

      Transport links are created automatically between the unit and its associated gateway in a star topology or between two units. See Adding New Cisco ANA Units, page 3-6. In addition, you can configure units for high availability and assign the units to protection groups. The standby units can also be configured and assigned to protection groups (optional). For more information, see Appendix D, Using High Availability.

   b. Create and launch AVMs.

      See Managing AVMs, page 4-1.

   c. Create and assign VNEs.

      See Creating VNEs: Prerequisites, page 5-9.

   Note

   Additional units, AVMs, VNEs, scopes, and users can be added or edited at any time.

3. Concurrently with the previous step, change the default setup of Cisco ANA units by customizing protection groups (clusters) and then assigning units to these groups. For more information, see Appendix D, Using High Availability.

   Note

   You must assign a Cisco ANA unit and redundant unit to a specific protection group.

4. Customize polling groups and rates. See Customizing a Polling Group, page 6-7.

   Note

   This step can be performed at any time after you have prepared the deployment plan.

5. (Optional) Define static links between two ports of two network elements in the network. See Creating a Static Link, page 7-1.

6. (Optional) Manage and run workflows in runtime using the Workflow Engine windows. See Chapter 8, Workflow Administration Tasks.


Steps for Setting Up Users and Scopes


The flow presented in Figure 2-2 and described in the text that follows identifies the steps required to set up users and to view them using Cisco ANA Manage.
Figure 2-2 Basic Steps to Set Up Cisco ANA and User Accounts

[Figure 2-2: flowchart showing Step 1: Install licenses; Step 2: Define scopes; Step 3: Define Cisco ANA user accounts; Step 4: Customize a message of the day (optional)]

1. Install your license. See Managing Licenses, page 2-5.
2. Define and manage scopes. See Creating and Managing Scopes, page 9-6.
3. Define and manage Cisco ANA user accounts. See Managing User Accounts and Controlling User Access, page 9-8.
4. Customize a message of the day to define a message (service disclaimer) that is displayed when a user logs into the client applications. See Customizing a Message of the Day, page 6-2.

For detailed information about implementing a role-based security mechanism with scopes that are granted to users and managing users in the Cisco ANA platform, see Chapter 9, Managing User Security: Roles and Scopes.

Managing Licenses
These topics describe how to manage licenses:

- Checking the Status of the License Server, page 2-5
- Installing Licenses, page 2-6
- Viewing License Properties, page 2-6

The Cisco ANA gateway server acts as a license client that works with license server software that is installed on the gateway. Licenses can control the features a Cisco ANA user is allowed to utilize. Cisco ANA acquires licenses from the license server and releases licenses back to the license server. The Cisco ANA installation process includes a step for installing the initial license. For information on how to obtain license files, see Cisco Active Network Abstraction 3.7 Installation Guide. Cisco ANA supports two license types:

- Floating: Used when the use of Cisco ANA features is counted. For example, some applications may be limited to a certain number of user sessions. These numbers are recorded using the license count feature (see Table 2-1 on page 2-6).
- Fixed: Used when the only requirement to use Cisco ANA is that the license file be installed.

Checking the Status of the License Server


Use the anactl command to check the status of the license server which runs on the gateway server:
# anactl status

You will see output similar to the following:


+ Checking for services integrity:
  - Checking if license server is up and running          [OK]

The license server status can be any of the following values:

Status        Description
OK            The license server is up and running.
LOADED        The license server is starting.
NO LICENSE    The license server is down because there is no license file.
ERROR         The license server encountered a problem starting the license file.

You can also check the license server status using the liccontrol command:
# liccontrol status

You will see output similar to the following:


Operation requested -> status
License server is up
ana37@aba890-1 [~]%

If the license server is not running, start it with the following command:
# liccontrol start


Installing Licenses
To install a license, you must manually copy the license to the following directory, where all licenses are stored:

$UTILS_DIR/FlexNet/licenses

To install a license:

Step 1

Log in to the gateway server and copy the license into the following directory:
$UTILS_DIR/FlexNet/licenses

Step 2

Load the license. If this is the first time you are installing a license file, load it using the following command:
# liccontrol status

If you are installing an additional or changed license file, load it using the following command:
# liccontrol reread

Viewing License Properties


You can view any licenses that are stored on the Cisco ANA gateway server. Licenses are located in the following directory:

$UTILS_DIR/FlexNet/licenses

The following is an example license file. All license files have a similar structure.

SERVER this_host ANY
USE_SERVER
VENDOR cisco
INCREMENT ANA-37-K9 cisco 1.0 22-jan-2011 uncounted \
    VENDOR_STRING=<LICENSE_TYPE>Purchase</LICENSE_TYPE> HOSTID=ANY \
    NOTICE="<LicFileID>internal03.lic</LicFileID><LicLineID>0</LicLineID> \
    <PAK>dummyPak</PAK>" SIGN="07C3 932E ABE0 3275 BD4B 08ED F4A6 \
    A1CE A334 C5D1 16F4 DAC6 0C59 F527 475F 14BA 4C70 F95A 3F3C \
    6BC0 F6A1 ACEF F3F0 69C9 CD3A 976D 51C8 99D0 CAB1 68EC"

Table 2-1 describes the fields in the license file.


Table 2-1 License Properties

Field                    Description
SERVER hostname hostid   Specifies the hostname and host ID of the machine on which the license server will run. this_machine means the current server, and ANY specifies that the host ID field will not be used.
USE_SERVER               Indicates that the license server should always be used.
VENDOR cisco             Specifies the location of the vendor daemon in the $UTILS_DIR/FlexNet/bin directory.
INCREMENT features...    Supported license features:
                         - Name: Feature name used by application code
                         - Vendor: Feature vendor
                         - Version: Feature version
                         - Expiration: License expiration date
                         - Count: Current license count, if applicable
                         - Vendor string: Purchaser information
                         - HOSTID: (Not used)
                         - NOTICE: PAK string information
                         - SIGN: License signature
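The license file layout above (SERVER, USE_SERVER, VENDOR and INCREMENT lines, backslash continuations, quoted NOTICE and SIGN values) is regular enough to check from a script before a copy is loaded with liccontrol. The following is an added example, not Cisco ANA code: it parses a file of this shape, splits the INCREMENT line into the Table 2-1 fields, distinguishes counted (floating) from uncounted (fixed) features, and reports each feature's expiry so an expiring or unsigned license is noticed before the license server reports NO LICENSE or ERROR. The sample input is constructed from the example file in this section; the treatment of "permanent", "0" and "1-jan-0" as no-expiry dates follows the FlexNet convention and is not stated in this guide.

```python
"""Parse a FlexNet-style Cisco ANA license file and report feature expiry.

Added example (not Cisco ANA code). Reads the line layout shown in this
section: SERVER, USE_SERVER, VENDOR and INCREMENT lines, with backslash
continuations and quoted NOTICE/SIGN values.
"""
import re
import shlex
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample, copied from the example license in this section.
SAMPLE_LICENSE = """\
SERVER this_host ANY
USE_SERVER
VENDOR cisco
INCREMENT ANA-37-K9 cisco 1.0 22-jan-2011 uncounted \\
    VENDOR_STRING=<LICENSE_TYPE>Purchase</LICENSE_TYPE> HOSTID=ANY \\
    NOTICE="<LicFileID>internal03.lic</LicFileID><LicLineID>0</LicLineID> \\
    <PAK>dummyPak</PAK>" SIGN="07C3 932E ABE0 3275 BD4B 08ED F4A6 \\
    A1CE A334 C5D1 16F4 DAC6 0C59 F527 475F 14BA 4C70 F95A 3F3C \\
    6BC0 F6A1 ACEF F3F0 69C9 CD3A 976D 51C8 99D0 CAB1 68EC"
"""


@dataclass
class Feature:
    name: str
    vendor: str
    version: str
    expires: Optional[date]          # None: no expiry date in the file
    count: Optional[int]             # None: "uncounted" (a fixed license)
    options: Dict[str, str] = field(default_factory=dict)


@dataclass
class LicenseFile:
    servers: List[Tuple[str, str]] = field(default_factory=list)  # (hostname, hostid)
    use_server: bool = False
    vendors: List[str] = field(default_factory=list)
    features: List[Feature] = field(default_factory=list)
    other: List[str] = field(default_factory=list)  # lines this parser does not model


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued physical lines; drop blank and # comment lines."""
    out: List[str] = []
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        out.append(" ".join(buf))
        buf = []
    if buf:
        out.append(" ".join(buf))
    return out


def parse_expiry(token: str) -> Optional[date]:
    """Dates are written dd-mon-yyyy. 'permanent', '0' and '1-jan-0' mean
    no expiry (FlexNet convention; assumption, not stated in the guide)."""
    if token.lower() in ("permanent", "0", "1-jan-0"):
        return None
    return datetime.strptime(token, "%d-%b-%Y").date()


def parse_license(text: str) -> LicenseFile:
    lic = LicenseFile()
    for line in logical_lines(text):
        tokens = shlex.split(line)  # shlex removes the quotes around NOTICE/SIGN
        keyword = tokens[0].upper()
        if keyword == "SERVER" and len(tokens) >= 3:
            lic.servers.append((tokens[1], tokens[2]))
        elif keyword == "USE_SERVER":
            lic.use_server = True
        elif keyword == "VENDOR" and len(tokens) >= 2:
            lic.vendors.append(tokens[1])
        elif keyword in ("INCREMENT", "FEATURE") and len(tokens) >= 6:
            name, vendor, version, exp, count = tokens[1:6]
            options = dict(t.split("=", 1) for t in tokens[6:] if "=" in t)
            lic.features.append(Feature(
                name, vendor, version, parse_expiry(exp),
                None if count.lower() == "uncounted" else int(count), options))
        else:
            lic.other.append(line)
    return lic


def license_type(feat: Feature) -> Optional[str]:
    """Purchaser information sits in VENDOR_STRING as <LICENSE_TYPE>...</LICENSE_TYPE>."""
    m = re.search(r"<LICENSE_TYPE>(.*?)</LICENSE_TYPE>", feat.options.get("VENDOR_STRING", ""))
    return m.group(1) if m else None


def is_floating(feat: Feature) -> bool:
    """Counted (floating) versus uncounted (fixed), as the guide distinguishes them."""
    return feat.count is not None


def check_features(lic: LicenseFile, today=None) -> List[Tuple[str, str]]:
    """One verdict per feature. `today` may be a date or an ISO string."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    verdicts = []
    for f in lic.features:
        if "SIGN" not in f.options:
            verdict = "NO SIGNATURE"  # the license server cannot validate an unsigned line
        elif f.expires is None:
            verdict = "PERMANENT"
        elif f.expires < today:
            verdict = "EXPIRED"
        else:
            verdict = "EXPIRES IN %d DAYS" % (f.expires - today).days
        verdicts.append((f.name, verdict))
    return verdicts


if __name__ == "__main__":
    lic = parse_license(SAMPLE_LICENSE)
    for feat in lic.features:
        print(feat.name, license_type(feat), "floating" if is_floating(feat) else "fixed")
    for name, verdict in check_features(lic):
        print(name, verdict)
```

To use it on a real file, read $UTILS_DIR/FlexNet/licenses/<file> into parse_license instead of SAMPLE_LICENSE; a cron job that runs check_features daily gives advance warning of an expiry that would otherwise first show up as a failed "license server" line in anactl status.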


Chapter 3

Managing the Cisco ANA Gateway and Units


These topics describe how to manage the Cisco ANA gateway and units:

- Managing the Cisco ANA Gateway, page 3-1
- Managing Cisco ANA Units, page 3-4

Managing the Cisco ANA Gateway


The following topics provide detailed information about Cisco ANA gateways and how to manage them:

- Overview of the Cisco ANA Gateway, page 3-1
- Viewing Gateway Properties in Cisco ANA Manage, page 3-2
- Managing the Gateway Processes Using the anactl Command, page 3-2
- Obtaining Diagnostic Information About the Gateway, page 3-3
- Gateway Open Sessions Registry Settings, page 3-4

Overview of the Cisco ANA Gateway


The Cisco ANA gateway enforces access control and security for all connections and manages client sessions. It maintains a repository of system settings, topological data, and snapshots of active alarms and events. The gateway also maps network resources to the business context, which enables Cisco ANA to contain information that is not directly contained in the network (such as information on VPNs and subscribers) and display it to northbound applications. To connect to a gateway, download and install the client software on your client machine. Installing the gateway and client software is described in Cisco Active Network Abstraction 3.7 Installation Guide, along with other basic setup information.


Viewing Gateway Properties in Cisco ANA Manage


When you right-click ANA Servers in the navigation tree and choose Properties, Cisco ANA displays the following information about all gateways on the system.

Note

If you do not have any separate units, and instead all of your AVMs are on the gateway, the gateway acts as both a gateway and a unit and may display additional information. See Viewing and Editing Cisco ANA Unit Properties, page 3-8.

Field              Description
IP Address         The IP address of the gateway.
Status             The administrative status of the gateway (Up or Down, similar to the status for units, AVMs, and VNEs). The gateway can be stopped and started using the anactl command (see Managing the Cisco ANA Gateway, page 3-1).
Physical Memory    The physical memory of the gateway.
Memory/Up AVMs     The maximum memory used by the gateway. Used memory is the total amount of memory used by all AVMs that are up.
Memory/All AVMs    The amount of memory allocated to the gateway. Allocated memory is the sum of all memory settings for all AVMs.

The table below the content area provides information about the units or AVMs installed on the gateway. These are described in Viewing and Editing Cisco ANA Unit Properties, page 3-8, and Viewing and Editing AVM Properties, page 4-5. To stop or restart the gateway, use the anactl command. The log for the gateway process is stored in ANAHOME/Main/logs/11.log.

Managing the Gateway Processes Using the anactl Command


You can use the anactl command to check the Cisco ANA version that is running on the gateway, start and stop the gateway and all component processes (including AVMs you created), or just perform a general check of the system status. The anactl command is located in ANAHOME/Main (ANAHOME is the installation directory, normally /export/home/ana37). It takes the following options:

anactl [-avm avm-id,avm-id,...] [ start | stop | status | restart ]

Options/Arguments         Description
-avm avm-id,avm-id,...    Performs the action on the AVM specified by avm-id.
start                     Starts the gateway process. With no options, this command starts the gateway and all component processes.
stop                      Stops the gateway process. With no options, this command stops the gateway and all component processes.
status                    Displays the status of the gateway processes.
restart                   Stops and starts the gateway processes. With no options, this command stops and restarts the gateway and all component processes.


If you do not specify any options, anactl performs the command on the entire gateway server or unit. When you run the anactl command, the first few lines will display the Cisco ANA version you are running, as in the following example:

-----------------------------------------------------------------------------------
.-= Welcome to sirius880, running Cisco ANA gateway (v3.7) =-.
-----------------------------------------------------------------------------------

You must be logged in as ana37 to use this command. In the following example, the user has created AVM 201 and AVM 301.

# cd /export/home/ana37/Main
# ./anactl status
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
please take a minute to do so by typing the command 'passwd'
***
-----------------------------------------------------------------------------------
.-= Welcome to sirius880, running Cisco ANA gateway (v3.7) =-.
-----------------------------------------------------------------------------------
+ Checking for services integrity:
  - Checking if host's time server is up and running                [OK]
  - Checking if webserver daemon is up and running                  [OK]
  - Checking if secured connectivity daemon is up and running       [OK]
  - Checking if license server is up and running                    [OK]
+ Detected AVM99 is up, checking AVMs
  - Checking for AVM0's status                                      [OK 0/144]
  - Checking for AVM100's status                                    [OK 0/2643]
  - Checking for AVM201's status                                    [OK 249/4960]
  - Checking for AVM25's status                                     [OK 0/235]
  - Checking for AVM11's status                                     [OK 0/205]
  - Checking for AVM301's status                                    [OK 466/15667]

anactl could display any of the following status indicators:

Status      Description
OK          Service or AVM is up and running.
DOWN        Service or AVM is down.
LOADED      Service is down, but the system is trying to start (load) it.
EVAL        License service is running with an evaluation license.
DISABLED    AVM has been stopped.

If you would like to configure gateway high availability, contact your Cisco account representative.
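Because anactl status is the check an operator runs by hand, its output is also the natural input for an automated health check that raises an alert when a service or AVM is not OK. The following is an added example, not Cisco ANA code: it parses output in the layout shown above (the welcome banner, then one "- Checking ..." line per service or AVM ending in a bracketed status), maps the status indicators from the two tables in this chapter (OK, DOWN, LOADED, EVAL, DISABLED for anactl, and NO LICENSE and ERROR for the license server check) to an operator-facing category, and lists what needs attention. The sample output is constructed: it keeps the guide's layout but includes an evaluation license, one AVM that is down and one that is disabled so that every category is exercised. The "a/b" pair shown after some AVM statuses is kept as-is because the guide does not define it.

```python
"""Parse `anactl status` output and flag anything that is not healthy.

Added example (not part of Cisco ANA). Reads the line layout shown in
this section: a banner naming the host, role and version, then one
"- Checking ..." line per service or AVM ending in a bracketed status.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample. Same layout as the guide's output, but with one
# evaluation license, one AVM down and one AVM disabled, so that every
# branch of the status table is exercised.
SAMPLE_STATUS = """\
-----------------------------------------------------------------------------------
.-= Welcome to sirius880, running Cisco ANA gateway (v3.7) =-.
-----------------------------------------------------------------------------------
+ Checking for services integrity:
  - Checking if host's time server is up and running                [OK]
  - Checking if webserver daemon is up and running                  [OK]
  - Checking if secured connectivity daemon is up and running       [OK]
  - Checking if license server is up and running                    [EVAL]
+ Detected AVM99 is up, checking AVMs
  - Checking for AVM0's status                                      [OK 0/144]
  - Checking for AVM100's status                                    [OK 0/2643]
  - Checking for AVM201's status                                    [DOWN]
  - Checking for AVM25's status                                     [OK 0/235]
  - Checking for AVM11's status                                     [OK 0/205]
  - Checking for AVM301's status                                    [DISABLED]
"""

BANNER = re.compile(r"Welcome to ([^,\s]+), running Cisco ANA (\w+) \(v([\d.]+)\)")
# The status token may contain a space ("NO LICENSE"); AVM lines may carry
# an "a/b" pair after it, which is kept as-is (the guide does not define it).
CHECK = re.compile(
    r"^\s*-\s+Checking (?:if|for) (.+?)(?:'s status| is up and running)?"
    r"\s+\[([A-Z][A-Z ]*?)(?:\s+(\d+)/(\d+))?\]\s*$")


@dataclass
class Check:
    subject: str                      # "license server", "AVM201", ...
    status: str                       # OK, DOWN, LOADED, EVAL, DISABLED, NO LICENSE, ERROR
    numbers: Optional[Tuple[int, int]] = None


@dataclass
class StatusReport:
    host: Optional[str]
    role: Optional[str]               # "gateway" or "unit" as printed in the banner
    version: Optional[str]
    checks: List[Check]


def parse_anactl_status(text: str) -> StatusReport:
    report = StatusReport(None, None, None, [])
    for line in text.splitlines():
        b = BANNER.search(line)
        if b:
            report.host, report.role, report.version = b.group(1), b.group(2), b.group(3)
            continue
        m = CHECK.match(line)
        if m:
            nums = (int(m.group(3)), int(m.group(4))) if m.group(3) else None
            report.checks.append(Check(m.group(1), m.group(2), nums))
    return report


def classify(check: Check) -> str:
    """Map the guide's status indicators to an operator-facing category."""
    if check.status == "OK":
        return "ok"
    if check.status == "EVAL":        # running, but on an evaluation license
        return "warning"
    if check.status == "LOADED":      # down, but the system is trying to start it
        return "starting"
    if check.status == "DISABLED":    # AVM has been stopped
        return "stopped"
    return "failed"                   # DOWN, NO LICENSE, ERROR


def summarize(text: str) -> Dict[str, int]:
    """Count of checks per category, e.g. {"ok": 7, "failed": 1}."""
    return dict(Counter(classify(c) for c in parse_anactl_status(text).checks))


def unhealthy(text: str) -> List[Tuple[str, str]]:
    """Subjects that need attention, in the order anactl printed them."""
    return [(c.subject, c.status) for c in parse_anactl_status(text).checks
            if classify(c) in ("failed", "warning")]


if __name__ == "__main__":
    rep = parse_anactl_status(SAMPLE_STATUS)
    print(rep.host, rep.role, rep.version, summarize(SAMPLE_STATUS))
    for subject, status in unhealthy(SAMPLE_STATUS):
        print("ATTENTION:", subject, status)
```

In practice the text passed to parse_anactl_status is the captured output of ANAHOME/Main/anactl status, run as ana37 on the gateway or unit being checked; a "failed" entry for the license server maps directly to the NO LICENSE and ERROR rows of the license server status table, and a DOWN AVM is the case the Watchdog Protocol is meant to restart.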

Obtaining Diagnostic Information About the Gateway


In addition to the basic information provided by the anactl command (described in Managing the Gateway Processes Using the anactl Command, page 3-2), Cisco ANA provides a diagnostics tool that provides information about the gateway's system health so you can be sure the gateway is functioning correctly. The information the diagnostics tool provides includes system resource utilization data (physical, allocated, and used), Java heap size, and dropped messages. The diagnostics tool is described in System Health and Diagnostics, page 11-1.


Gateway Open Sessions Registry Settings


The maximum number of gateway open sessions is controlled by a setting in the registry. The registry entry and default value are provided in Table 3-1.

Note

We recommend that you do not exceed the value of 150 maximum open sessions. All changes to the registry should only be carried out with the support of Cisco. For details, contact your Cisco account representative.
Table 3-1 Registry Setting for Gateway Open Sessions

Registry Entry     Description                                                                                       Default Value
maxOpenSessions    Maximum number of sessions that may be open with the gateway (includes both GUI client and BQL sessions)   150

Managing Cisco ANA Units


The following topics provide detailed information about Cisco ANA units and how to manage them:

- Overview of Cisco ANA Units, page 3-4
- Obtaining Diagnostic Information About the Unit, page 3-5
- Disabling MAC-Based Topology Before Adding Units, page 3-5
- Adding New Cisco ANA Units, page 3-6
- Viewing and Editing Cisco ANA Unit Properties, page 3-8
- Restarting a Cisco ANA Unit, page 3-8
- Deleting a Cisco ANA Unit, page 3-9

Overview of Cisco ANA Units


The interconnected fabric of units comprises the lowest level of the Cisco ANA architecture. Each unit manages a group of network elements. Units host the autonomous VNEs. This creates a fabric of interconnected VNEs which can intercommunicate with other VNEs (regardless of which unit they are running on). Cisco ANA also provides a high availability mechanism to protect the system in case a unit malfunctions. Unit availability is established in the gateway as the gateway runs a protection manager process which continuously monitors all units in the network. If the protection manager detects a unit that is malfunctioning, it automatically signals one of the standby servers in its cluster to load the configuration of the faulty unit (from the system registry), and to take over all of its managed network elements. The switchover to the redundant standby unit does not result in any loss of information in the system because all information is autodiscovered from the network, and no persistent storage synchronization is required. You can designate a unit to act as an active or standby unit when you configure it.


For more information on high availability, see Using High Availability, page D-1.

Note

The Cisco ANA system is usually configured with the high availability mechanism enabled.

Managing the Unit Processes Using the anactl Command


You can use the anactl command to check the status of all component processes (including AVMs you created). The anactl command is located in ANAHOME/Main (ANAHOME is the installation directory, normally /export/home/ana37). It takes the following options:

anactl [-avm avm-id,avm-id,...] [ start | stop | status | restart ]

Options/Arguments         Description
-avm avm-id,avm-id,...    Performs the action on the AVM specified by avm-id.
start                     Starts the gateway process. With no options, this command starts the gateway and all component processes.
stop                      Stops the gateway process. With no options, this command stops the gateway and all component processes.
status                    Displays the status of the gateway processes.
restart                   Stops and starts the gateway processes. With no options, this command stops and restarts the gateway and all component processes.

Obtaining Diagnostic Information About the Unit


In addition to the basic information provided by the anactl command (described in Managing the Unit Processes Using the anactl Command, page 3-5), Cisco ANA provides a diagnostics tool that provides information about a unit's system health so you can be sure the unit is functioning correctly. The information the diagnostics tool provides includes system resource utilization data (physical, allocated, and used), Java heap size, and dropped messages. The diagnostics tool is described in System Health and Diagnostics, page 11-1.

Disabling MAC-Based Topology Before Adding Units


Both Cisco Discovery Protocol (CDP) and MAC-based topology discovery are enabled by default. However, if the device is a Cisco 6500 or Cisco 7600 series device with at least one Layer 3 interface, one of the following can occur:

- No links appear.
- Link information is incorrect.

To ensure that links on Cisco 6500 and Cisco 7600 series devices with Layer 3 interfaces are discovered and displayed properly, disable MAC-based topology discovery.

Note

Dynamic links are discovered and appear in Cisco ANA after a minimum of 15 minutes.


To disable MAC-based topology discovery, perform the following procedure.


Step 1

Using an SSH session, log into the gateway as user ana37.

Step 2

Change to the Main directory by entering the following command:
# cd ANAHOME/Main

Step 3

To remove all existing incorrect links, delete the topology persistency files:
# rm -rf topology/persistency/*

Note

Because the persistency files were removed, Cisco ANA will require up to one hour to rediscover the topology.

Step 4

Enter the following runRegTool command, substituting the appropriate files for ciscorouter2/76xx. This command changes the settings for the ipcore and product schemes used by the VNEs.
# ./runRegTool.sh -gs 127.0.0.1 set 0.0.0.0 "site/ciscorouter2/76xx/ipcore/software versions/default version/amsi/topology/ethernet/MacTestEnable" false
# ./runRegTool.sh -gs 127.0.0.1 set 0.0.0.0 "site/ciscorouter2/76xx/product/software versions/default version/amsi/topology/ethernet/MacTestEnable" false

Step 5

Restart the A-side and B-side VNEs (see Changing VNE Status (Start, Stop, Maintenance), page 5-39).

When you add more units, they will access the Golden Source and retrieve the updated information. For more information about the Golden Source, see Appendix C, Working with the Registry. For more information about restarting gateways and units, see:

- Restarting the Cisco ANA Gateway Using anactl, page B-1
- Restarting a Cisco ANA Unit Using anactl, page B-2
- Running a Command on All Cisco ANA Units, page B-8

Adding New Cisco ANA Units


Cisco ANA Manage enables you to add a unit to the Cisco ANA fabric. Cisco ANA Manage automatically registers the unit in the registry and creates a transport uplink between the unit and the gateway. The units are linked to the gateway in a star topology. In addition, you can enable or disable high availability for a unit. These settings enable you to define to which protection group a unit is assigned, and whether it is enabled for high availability. For more information on high availability, see Appendix D, Using High Availability.

Note

By default, all units in the Cisco ANA fabric belong to one cluster identified as the default-pg protection group.


Before You Begin

Make sure you have performed the following prerequisites:


- Before adding a unit, you must install the Cisco ANA software on the unit as described in the Cisco Active Network Abstraction 3.7 Installation Guide.
- Make sure you have performed all prerequisite tasks for adding units, such as making sure the unit is connected to the database, as described in the Cisco Active Network Abstraction 3.7 Installation Guide.
- To manage Cisco 6500 and Cisco 7600 series devices with Layer 3 interfaces, perform the procedure described in Disabling MAC-Based Topology Before Adding Units, page 3-5.
- To configure unit high availability, verify that the unit's protection group has been configured. See Using High Availability, page D-1.

To add a new unit:


Step 1

Select ANA Servers in the Cisco ANA Manage navigation tree.

Step 2

Open the New ANA Unit dialog box by right-clicking ANA Servers, then choosing New ANA Unit.

Step 3

Enter the information for the new unit:

Field                    Description
IP Address               Enter the IP address of the unit. The IP address must be unique.
                         Note: An error message is displayed if a unit is already configured with the same IP address.
Enable Unit Protection   Check this check box to enable the unit for high availability. This option is enabled by default.
                         Note: We strongly recommend that you do not disable this option. When you define the unit as a new standby unit, this option is automatically disabled. For more information about configuring standby units, see Appendix D, Using High Availability.
Standby Unit             Check this check box to indicate that this unit is defined as a standby unit. Uncheck this check box to indicate that this unit is not a standby unit.
Protection Group         In the drop-down list, choose the protection group for this unit.
Gateway IP               Confirm that the IP address of the gateway appears.

Step 4

Click OK. The new unit is displayed in the Cisco ANA Manage navigation tree and content area.

Note

Because the system is asynchronous, changes may not appear in the GUI immediately. It may be a few minutes until the GUI client receives a notification from the server and is updated.

If the new unit is reachable, it starts automatically. The unit is registered with the gateway. Specifically, the command creates the configuration registry for the new unit in the Golden Source. For more information, see Appendix C, Working with the Registry.


In addition, Cisco ANA Manage automatically creates the transport uplinks between the unit and the gateway. Dynamic links are discovered and displayed in Cisco ANA after a minimum of 15 minutes.

Viewing and Editing Cisco ANA Unit Properties


Users can view the properties of a Cisco ANA server, such as physical and allocated memory. You can only edit the unit's protection group settings. To view or edit unit properties:

Step 1

Select ANA Servers in the Cisco ANA Manage window.

Step 2

Select the unit or gateway in the content area or expand the ANA Servers branch and select the required unit or gateway in the navigation tree.

Step 3

Open the Properties dialog box by right-clicking, then choose Properties.

Step 4

Review the unit properties. You can only edit the protection group properties:

Field                    Description
IP Address               The IP address of the unit or gateway.
Status                   The status of the unit or gateway, either Up or Down.
Up Since                 The date and time that the unit or gateway was started.
Physical Memory          The physical memory of the unit or gateway.
Memory/Up AVMs           The maximum memory used by the unit or gateway. Used memory is the total amount of memory used by all AVMs that are up.
Memory/All AVMs          The amount of memory allocated to the unit or gateway. Allocated memory is the sum of all memory settings for all AVMs.
Protection Group         The protection group to which the unit is assigned. To change this setting, select another group from the drop-down list.
Enable Unit Protection   If the check box is checked, high availability is enabled. You can check or uncheck the check box to change the setting.

Note

When you change (either disable or enable) the Enable Unit Protection option for high availability, changes become effective after approximately 15 minutes.

Step 5

Click OK. The ANA Unit Properties dialog box closes.

Restarting a Cisco ANA Unit


Restarting a unit stops all AVM processes on that unit and restarts them. Given that the system saves part of its information within the process memory, restarting a unit causes some of the information to disappear. Therefore, it takes as long as the longest full polling cycle for the system to recover all information that was stored in the process memory prior to the restart. Data that was saved in persistent storage before restarting is available immediately.


Restarting a machine can cause some of the VNEs running on the machine to be reported as unreachable. This is due to handshake protocols with the unit that fail due to the unavailability of the VNEs. Restarting a machine stops all active queries, flows, and transactions that are currently being run within the VNEs that run on the restarted Cisco ANA unit. If a unit is running, you cannot restart it by restarting the gateway. The anactl script restarts Cisco ANA only on the server (gateway or unit) on which you run anactl. For more information, see Restarting the Cisco ANA Gateway Using anactl, page B-1. To restart a unit:
Step 1

Open an SSH session to the Cisco ANA unit and log into the machine.

Step 2

Run the following script:
# ANAHOME/Main/anactl restart

Deleting a Cisco ANA Unit


Before You Begin

Delete all the VNEs and unreserved AVMs before deleting a unit; see Deleting AVMs, page 4-7. The reserved AVMs cannot be deleted. Use this procedure to remove a unit:
Step 1

In the Cisco ANA Manage window, select ANA Servers.

Step 2

Expand the ANA Servers branch, then select the unit you want to remove in the navigation tree or content area.

Step 3

Right-click the unit that you want to remove, then choose Delete. A warning message is displayed.

Step 4

Click Yes to proceed or No to cancel the operation. A confirmation message is displayed.

Step 5

Click OK. The unit is deleted and is no longer displayed in the navigation pane and content area.


Chapter 4

Managing AVMs
These topics explain how Cisco ANA uses AVMs to create a model of the network. These topics also explain how to manage AVMs:

- Overview of AVMs, page 4-1
- Understanding AVM Status, page 4-2
- Creating AVMs, page 4-3
- Viewing and Editing AVM Properties, page 4-5
- Changing AVM Status (Start or Stop), page 4-5
- Moving AVMs, page 4-6
- Deleting AVMs, page 4-7
- Finding an AVM or VNE, page 4-7

Overview of AVMs
AVMs are Java processes (independent JVMs) with their own dedicated memory. AVMs are mostly used to provide the necessary distribution support platform for executing and monitoring multiple VNEs. The following AVMs are always created on the gateway; some are also created on units. (A complete list of all Cisco ANA AVMs is provided in the Cisco Active Network Abstraction 3.7 Installation Guide.)
Reserved AVMs

The following Cisco ANA AVMs are reserved and cannot be edited or deleted. Only AVM 66 and AVM 100 are displayed by the GUI client.
Table 4-1 Reserved AVMs

AVM 0
Purpose: High Availability/Switch AVM. Enables communication between the unit and other units, as well as the gateway.
Is installed on: Gateway and units
Can be checked using: anactl status

AVM 11
Purpose: Gateway AVM. Manages the gateway server and other processes running on it.
Is installed on: Gateway
Can be checked using: anactl status

AVM 25
Purpose: Event persistence AVM. Processes event information (in each unit), including updates and new correlation information, and generates new tickets when required.
Is installed on: Gateway and units
Can be checked using: anactl status

AVM 44
Purpose: Mediator debugger AVM. Monitors the commands sent by the application to the gateway, the result (raw data), notifications, and current state of the result. (Used by programmers.)
Is installed on: Gateway
Can be checked using: anactl status

AVM 66
Purpose: Workflow engine AVM. Defines rules and dependencies to activate business and network processes.
Is installed on: Gateway
Can be checked using: GUI client and anactl status

AVM 80
Purpose: Reserved for use by the Cisco Video Assurance Management Solution (when installed).
Is installed on: Gateway
Can be checked using: anactl status

AVM 99
Purpose: Management AVM. Manages the unit and the other AVMs running on the unit (or gateway, if there are no separate units).
Is installed on: Gateway and units
Can be checked using: anactl status

AVM 100
Purpose: Trap management AVM. Receives trap and syslog notifications and forwards them to the corresponding VNEs.
Is installed on: Gateway and units
Can be checked using: GUI client and anactl status

Note

Only one AVM 100 should be running, and all traps and syslogs should be forwarded to the gateway or unit containing the running AVM (and the standby unit, if the unit is configured for high availability).

You can add AVMs to units or directly to a gateway. Each of these AVMs has its own log in ANAHOME/ana37/Main/logs. The Cisco ANA Watchdog Protocol monitors the AVM processes to make sure any AVMs that have stopped are restarted. For information on the Watchdog Protocol, see Managing the Watchdog Protocol, page D-12. To check the basic system health of AVMs, see System Health and Diagnostics, page 11-1.

Understanding AVM Status


AVM status describes the condition of the AVM process on the unit or gateway. AVM status is determined by a combination of the AVM's administrative and operational modes:

- AVM administrative mode indicates whether or not Cisco ANA should recognize or ignore administration instructions sent to the AVM. This mode is entirely user-directed. You can control this mode from the ANA Servers branch. See Changing AVM Status (Start or Stop), page 4-5.
- AVM operational mode describes the health and condition of the AVM process on the gateway (for example, whether the gateway can reach the AVM).


Note

The AVM Admin and Oper modes are not displayed in Cisco ANA Manage; they are implicit in the overall status. Only the overall AVM status is displayed in the GUI. Table 4-2 describes how the combination of AVM administrative and operational modes determines the overall AVM status.

Table 4-2 AVM Status

Starting Up (Admin Mode: Up; Oper Mode: Down)
When a Start (command) option is issued and, for example, the server cannot run it because it is busy or overloaded, the status of the AVM is Starting Up.

Up (Admin Mode: Up; Oper Mode: Up)
The AVM process is reachable, was loaded, and has started. This is the status when the AVM is created (and you selected Activate Upon Creation), and no problems are encountered.

Shutting Down (Admin Mode: Down; Oper Mode: Up)
When a Stop (command) option is issued and, while the command is being run, some processes are still running, the status of the AVM is Shutting Down.

Down (Admin Mode: Down; Oper Mode: Down)
The AVM process is reachable, but was stopped. This is the status when a Stop (command) is issued.

Unreachable (Admin Mode: Up; Oper Mode: Unreachable)
The AVM process did not load properly and is not operational.

When moving an AVM, its status has a bearing on whether the process is automatically reloaded. If its status is Up, it is reloaded; if its status is down, it is not reloaded. For more information about moving AVMs, see Moving AVMs, page 4-6.

Creating AVMs
Cisco ANA lets you define AVMs for Cisco ANA units. By default, every AVM in the Cisco ANA fabric is managed by the watchdog protocol. Cisco ANA enables the administrator to define AVMs for units, and allows the administrator to enable or disable the watchdog protocol on the AVM.
Before You Begin

- If you need deployment information and recommendations, such as AVM memory requirements, contact your Cisco account representative.
- Decide which unit you want to use to install the AVM. The unit must be installed and connected to the transport network.
- Confirm that AVM 0, AVM 99, and AVM 100 are running. For more information on the status of AVMs, see Understanding AVM Status, page 4-2.

Note

AVM numbers 0-100 are reserved, and cannot be used. In addition, there might be other reserved AVM numbers.


To create an AVM:

Step 1 Expand the ANA Servers branch and select the required entity.

Step 2 Open the New AVM dialog box by right-clicking the required unit (or gateway), then choose New AVM.

Step 3 Enter the following information. The ANA Unit field is prepopulated with the parent unit's IP address. The unit does not have to be up to create the AVM.

ID: The name of the AVM as defined in Cisco ANA. It must be a unique number. AVMs 0-100 are reserved and cannot be used.

Key: A string that uniquely identifies an AVM in the system, across all units, thus enabling a transparent failover scenario in the system. If you do not enter a key, the default key, ID+time_stamp, is used.

Allocated Memory: The maximum memory allocated to the AVM, in megabytes. The default is 256. If you need deployment information and recommendations, such as AVM memory requirements, contact your Cisco account representative.

Activate on Creation: Loads the AVM into the bootstrap of the unit. This changes the administrative status of the AVM to Up and ensures that the AVM is loaded on subsequent restarts of the unit. By default this option is unchecked, and the newly created AVM has an administrative status of Down.

Enable AVM Protection: By default this check box is checked, enabling the watchdog protocol on the AVM when high availability is enabled (you have a standby unit). For more information, see Managing the Watchdog Protocol, page D-12.

Note

It is highly recommended that you do not disable this option if high availability is enabled. If you change the option when the AVM is up, you must disable and re-enable the AVM for the change to take effect.

Step 4 Enter the information for the new AVM.

Step 5 Click OK. The new AVM is added to the selected unit, is displayed in the content area, and is activated.

Creating a new AVM results in Cisco ANA providing the registry information of the new AVM in the specified unit. The AVM can now host VNEs. For more information, see Creating VNEs: Prerequisites, page 5-9.


Viewing and Editing AVM Properties


Cisco ANA Manage enables you to view and edit certain properties of an AVM, such as the key or allocated memory. To view or edit AVM properties:

Step 1 Open the Properties dialog box by right-clicking the desired AVM, then choose Properties. The AVM Properties dialog box is displayed with the details of the selected AVM, including the IP address or key of the unit.

Step 2 View or edit the AVM properties as required:

Key: A string that uniquely identifies an AVM in the system, across all units, thus enabling a transparent failover scenario in the system. The default key, ID+time_stamp, is used.

Status: The condition of the AVM on the unit or gateway: Starting Up, Up, Shutting Down, or Down (see Understanding AVM Status, page 4-2).

Location: The IP address of the selected gateway or unit.

Max. Memory: The maximum amount of memory allocated to the AVM. The default value is 256 MB. If you need deployment information and recommendations, such as AVM memory requirements, contact your Cisco account representative.

Enable AVM Protection: If checked, the watchdog protocol is enabled on the AVM. For more information, see Appendix D, Using High Availability.

Note

We strongly recommend that you do not disable this option if high availability is enabled. If you check or uncheck this option when the AVM is up, you need to restart the AVM for the change to take effect.

Step 3 Click OK. The new properties for the AVM are displayed in the content area.

Changing AVM Status (Start or Stop)


Cisco ANA Manage enables you to start or stop an AVM.
Note

Stopping an AVM stops all the VNEs in the AVM. You should be aware that any change in status of the AVMs may take some time to be applied. For example, when running the Stop command, it may take several minutes before the status changes from Shutting Down to Down.


To start or stop an AVM:

Step 1 Expand the ANA Servers branch, then select the required AVM.

Step 2 Start or stop the AVM in one of the following ways:

- Right-click the AVM, then choose Actions > Start or Actions > Stop.
- In the toolbar, click Start or Stop.

The AVM is started or stopped, and the appropriate status is displayed in the content area as follows:

- Starting Up: The AVM is starting.
- Up: The AVM has started.
- Shutting Down: The AVM is stopping.
- Down: The AVM has stopped.

Note

When the AVM status is displayed as Down, the status remains Down and no reload occurs.

Moving AVMs
You can move an entire AVM between units. You can also move groups of AVMs to the same unit in one operation. AVMs 0-100 are reserved and cannot be moved. If the AVM is up, it is stopped, and then it is moved to the target unit. After the move is completed, the AVM is reloaded, maintaining the status it was in before the move.

Note

Alarm persistency information is saved when you move an AVM to another unit. For more information, see Persistency Overview, page E-1.

To move an AVM:

Step 1 Right-click the selected AVM, then choose Move AVM. The Move To dialog box appears, displaying a tree-and-branch representation of the selected Cisco ANA server and its units, excluding the unit in which the AVM is currently located. The highest level of the navigation tree displays the Cisco ANA server. The branches can be expanded and collapsed to display and hide information.

Step 2 Browse to and select the unit (branch) where you want to move the AVMs.

Step 3 Click OK. The AVM is moved and now appears beneath the selected unit.

Note

Because the system is asynchronous, changes may not appear in the GUI immediately. It may be a few minutes until the GUI client receives a notification from the server and is updated.

For information about moving VNEs, see Moving VNEs to a Different AVM, page 5-40.


Deleting AVMs
If an AVM that you want to delete is running, it is stopped before being removed. This procedure deletes the registry information of the AVM in the specified unit. If there are VNEs running in the AVM, then an error message is displayed, and you cannot delete the AVM. For more information, see Deleting a VNE, page 5-41.

Note

AVMs 0-100 are reserved and cannot be deleted.


Before You Begin

Remove all VNEs from the AVM, or the deletion will fail. See Deleting a VNE, page 5-41.

To delete an AVM:

Step 1 Select the required AVM in the navigation tree. You may select multiple rows.

Step 2 Right-click to display the menu, then choose Delete. A warning message is displayed.

Step 3 Click Yes. A confirmation message is displayed.

Step 4 Click OK. The selected AVM is deleted from the selected unit.

Note

Because the system is asynchronous, changes may not appear in the GUI immediately. It may be a few minutes until the GUI client receives a notification from the server and is updated.

Finding an AVM or VNE


A single search in Cisco ANA Manage can locate AVMs and VNEs among all Cisco ANA servers according to specifically defined search criteria. To find an AVM or VNE:

Step 1 In the Cisco ANA Manage window, select a gateway, a unit, or an AVM.

Step 2 Click Find.


Step 3 Enter the criteria for the item to find:

Find: Enter the specific search criteria to find the required AVM or VNE. For example, you can search for an AVM using the ID number, or search for a VNE using an IP address.

Types: In the drop-down list, choose the type of item you are looking for:
- Any: Searches for an AVM or VNE that matches the search criteria.
- AVM: Searches for an AVM that matches the search criteria.
- VNE: Searches for a VNE that matches the search criteria.

Property: Choose the property containing the search criteria or choose Any to search all properties for the search criteria. The properties that appear depend on your choice in the Types field:
- If you choose Any in the Types field, the Property field is disabled.
- If you choose AVM in the Types field, you can search by ID, Status, Key, or Loaded Patches.
- If you choose VNE in the Types field, you can search by Key, IP Address, Status, Maintenance, Element Group, or Polling Group.

Direction: Choose the direction of the search, either Down or Up. The direction is relative to the item currently selected in the Cisco ANA navigation tree.

Step 4 Click Find. The AVM or VNE matching the search criteria is highlighted in Cisco ANA Manage.

Note

Press F3 to view the next AVM or VNE matching the search criteria.


Chapter 5

Managing VNEs

These topics explain how Cisco ANA uses VNEs to create a model of the network. These topics also explain how to manage VNEs:

- Overview of VNEs, page 5-1
- Cloud VNEs, page 5-2
- Understanding VNE Status and VNE States, page 5-4
- Creating VNEs: Prerequisites, page 5-9
- Adding a VNE, page 5-17
- VNEs and Device Software Updates, page 5-19
- Viewing VNE Properties, page 5-20
- Populating a Cloud VNE with Technology and Topology Information, page 5-35
- Editing VNE Properties, page 5-39
- Changing VNE Status (Start, Stop, Maintenance), page 5-39
- Moving VNEs to a Different AVM, page 5-40
- Deleting a VNE, page 5-41

Overview of VNEs
Virtual Network Elements (VNEs) are simulations of managed devices. Each VNE is assigned to manage a single network element instance. To maintain a live model of each network element and of the entire network, VNEs are dependent on device reachability. When a VNE is created and started, Cisco ANA begins investigating the network element and automatically builds a live model of it, including its physical and logical inventory, its configuration, and its status. Cisco ANA also creates the registry information of the new VNE in the unit. The newly created VNE uses the default community strings and polling rates. The VNE inherits these properties from the configuration record that corresponds to the network element type.

Note

Cisco ANA will properly model the network element only if you have performed the necessary prerequisites before adding the VNE. See Creating VNEs: Prerequisites, page 5-9, for more information.


A VNE is designated by its leading IP address and corresponds to a single NE. Typically, an NE has only one IP address that is used for management (the device management IP address). For such devices, the leading IP address is the single IP address configured for this device. If an NE has multiple IP addresses, you must choose one of them to be used as the leading IP address. The leading IP address serves as an identifier of the VNE that corresponds to the NE and is displayed wherever the IP address of the NE is required. Two VNEs cannot monitor the same NE. Each VNE should be added to the system only once. The information collected by a VNE depends on the VNE type and scheme. The VNE uses whatever southbound management interfaces the network element implements (for example, SNMP or Telnet).

Note

By default, when a VNE opens a Telnet session with a network element in order to model and monitor the element, the Telnet session remains open for 5 minutes, even if the VNE is idle (did not query the device during the session). After 5 minutes, the VNE closes the session and reopens it when it needs to query the device. If you would like to change this configuration, contact your Cisco account representative.

A VNE must be loaded into the bootstrap of the unit before it starts monitoring its underlying network element. This changes the administrative status of the VNE to Up, and ensures that the VNE is loaded on subsequent restarts of the unit. Loading the VNE also starts it immediately. For more information about the status of VNEs, see Understanding VNE Status and VNE States, page 5-4.

Cloud VNEs
Cloud VNEs represent unmanaged network segments that are connected to two or more managed segments. This prevents interruptions to alarm correlations and affected subscribers for the managed segments. Three types of technology simulations are supported for Cloud VNEs: Frame Relay, ATM, and Ethernet. If you want to work with Ethernet Cloud VNEs, see Ethernet Cloud VNEs, page 5-3. Administrators can create Cloud VNEs that represent:

- A single device to which two or more managed segments of the network can be connected. In this case, the Cloud VNE builds a model with port type and technology that is identical to its adjacent VNEs and virtual forwarding components. Each physical port in a VNE can connect to only one Cloud VNE.
- Multiple unmanaged segments and multiple technologies, as long as each technology is in a different network segment.
- Multiple Cloud VNEs, each one representing a portion of an unmanaged network. (For more information, see Modeling Multiple Access Networks with Cloud VNEs, page 4-3.)

All VNEs can be configured to connect to a Cloud VNE. When loading, the VNE gathers whatever data is relevant to the Cloud VNE, and sends the data to it. Upon receiving this information, the Cloud VNE builds the corresponding model to allow the topology to connect the two VNEs. For a longer discussion of the concept of Cloud VNEs, see the TOO.


To create a Cloud VNE, you must do the following:

1. Create the VNE using Cisco ANA Manage. You only have to provide a name and IP address for the VNE. Because the Cloud VNE does not access any device in the network, the IP address is not used for communication but as the ANA internal address of the VNE, and no additional protocols need to be configured for the Cloud VNE. See Adding a VNE, page 5-17.

2. Populate the Cloud VNE with technology and topology information. See Populating a Cloud VNE with Technology and Topology Information, page 5-35.

Note

Unmanaged segments must be pure switches; no routing can be involved with the segment.

Ethernet Cloud VNEs


When using an Ethernet LAN cloud to represent unmanaged network segments, be aware of the following:

- For Ethernet interfaces with duplicate IPs, see Configuring Duplicate IP Addresses on Ethernet Interfaces, page 5-4.
- Devices on both sides of the cloud must communicate so that a Cloud VNE can build the forwarding information properly; otherwise, their MAC addresses do not appear in each other's ARP or bridging tables.
- The logic that builds the bridging table assumes that each port in the network has a unique MAC address, and no multiple VLANs with the same IDs exist in the network. If multiple VLANs with the same ID, or multiple ports with the same MAC address, do exist in the network, the Cloud VNE will not function properly.
- A router with an interface that is an ingress point of a Martini tunnel (with no IP address configuration) cannot be connected to a cloud. A Layer 2 tunnel represents a point-to-point pseudowire in the network, also known as AToM.
- The size of the Ethernet Cloud VNE depends on the number of devices, their configurations, and the number of VLANs that are connected to it.
- The Layer 2 devices in the unmanaged cloud segment cannot contain VLAN rewrite configurations that are not supported by the Cloud VNE.
- The Cloud VNE does not support the Q-in-Q technology. If VLAN stacking is configured on an unmanaged segment, or if ports with Q-in-Q configuration are connected to the cloud, the cloud might not be able to simulate the workings of the unmanaged segment.
- Cisco ANA does not support multiple VLANs with the same IDs when both are connected to the same cloud.
- The Cloud VNE does not have Spanning Tree Protocol (STP) awareness, so any link from a device to the unmanaged network is assumed to be in a nonblocking state. This might cause the forwarding information calculated by the Cloud VNE to be inaccurate.
- By default, Cisco ANA does not display VLANs that are present on the device and that cannot be deleted, such as restricted Fiber Distributed Data Interface (FDDI), Token Ring, and other non-Ethernet VLANs.


Configuring Duplicate IP Addresses on Ethernet Interfaces


Figure 5-1 provides an example of a configuration of duplicate IP addresses on Ethernet interfaces that are connected to the same Cloud VNE.
Figure 5-1 Duplicate IP Addresses on Ethernet Interfaces

[Figure: a Cloud VNE carrying VLAN 3 and VLAN 5. CE Router A (MAC2 on Port2, Interface1 10.0.0.2) and CE Router B (MAC3 on Port3, Interface1 10.0.0.2) attach on one side; the PE Router (MAC1 on Port1) attaches on the other with Interface 1 (VRF A, 10.0.0.1, VLAN ID 3) and Interface 2 (VRF B, 10.0.0.1, VLAN ID 5).]

In Figure 5-1, a PE router and two CEs are connected to an unmanaged Ethernet access network, represented by a Cloud VNE. The PE router is connected to the Cloud VNE through Port1. Two interfaces configured on Port1 are connected to different VRFs (VRF A and VRF B). Both VRF interfaces are configured with the same IP address (10.0.0.1). Each interface is configured with a different VLAN encapsulation (VLAN-ID 3 and VLAN-ID 5), and is connected to a different VLAN in the unmanaged network (VLAN 3 and VLAN 5). The two CEs are connected to different VLANs in the unmanaged network: CE A is connected to VLAN 3 through Port2, and CE B is connected to VLAN 5 through Port3. Both Port2 and Port3 are access ports (that is, untagged ports with no VLAN encapsulation) and are configured with identical IP addresses (10.0.0.2). The Cloud VNE creates a similar port for each port connected to it, and two bridges, one per VLAN (that is, a bridge for VLAN 3 and a bridge for VLAN 5). Each bridge contains a forwarding table with the MAC addresses of the ports connected to that VLAN. In this example, the bridge representing VLAN 3 contains MAC1 and MAC2, and the bridge representing VLAN 5 contains MAC1 and MAC3.
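The bridge-building logic described for Figure 5-1, as an added Python model that is not Cisco ANA code: the ports, MACs, VLANs and IP addresses are constructed from the figure's labels, and the functions build one forwarding table per VLAN, resolve the duplicated IP addresses within the scope of a single bridge, and flag the duplicate-MAC condition under which the page says the Cloud VNE will not function properly.

```python
"""Toy model of how an Ethernet Cloud VNE derives per-VLAN bridge
forwarding tables from the ports connected to it (after Figure 5-1).
Added example, not Cisco ANA code; the device, port, MAC and IP labels
below are constructed from the figure."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Interface:
    vlan: int          # VLAN the interface sends on (802.1Q tag or access VLAN)
    ip: str
    vrf: str = ""      # empty for CE access interfaces that have no VRF


@dataclass(frozen=True)
class CloudPort:
    device: str
    port: str
    mac: str
    interfaces: Tuple[Interface, ...]

    @property
    def vlans(self) -> Set[int]:
        return {i.vlan for i in self.interfaces}


# Constructed from the labels in Figure 5-1.
FIGURE_5_1_PORTS = (
    CloudPort("PE Router", "Port1", "MAC1", (
        Interface(3, "10.0.0.1", "VRF A"),   # Interface 1, VLAN ID 3
        Interface(5, "10.0.0.1", "VRF B"),   # Interface 2, VLAN ID 5
    )),
    CloudPort("CE Router A", "Port2", "MAC2", (Interface(3, "10.0.0.2"),)),
    CloudPort("CE Router B", "Port3", "MAC3", (Interface(5, "10.0.0.2"),)),
)


def duplicate_macs(ports) -> Set[str]:
    """MACs that appear on more than one port. The page states the Cloud
    VNE assumes every port has a unique MAC, so a non-empty result means
    the cloud model cannot be trusted."""
    seen: Dict[str, int] = {}
    for p in ports:
        seen[p.mac] = seen.get(p.mac, 0) + 1
    return {mac for mac, n in seen.items() if n > 1}


def build_bridges(ports) -> Dict[int, Set[str]]:
    """One bridge per VLAN; each bridge's forwarding table holds the MACs
    of every port that carries that VLAN (MAC1 appears in both bridges)."""
    dups = duplicate_macs(ports)
    if dups:
        raise ValueError("duplicate MAC addresses: %s" % sorted(dups))
    bridges: Dict[int, Set[str]] = {}
    for p in ports:
        for vlan in p.vlans:
            bridges.setdefault(vlan, set()).add(p.mac)
    return bridges


def hosts_with_ip(ports, ip: str) -> List[Tuple[str, str, int, str]]:
    """Every (device, port, vlan, vrf) using the IP, across all VLANs.
    10.0.0.1 and 10.0.0.2 each come back twice in the figure."""
    return [(p.device, p.port, i.vlan, i.vrf)
            for p in ports for i in p.interfaces if i.ip == ip]


def resolve_ip(ports, vlan: int, ip: str) -> Optional[Tuple[str, str, str]]:
    """Resolve an IP inside one bridge (VLAN). Duplicate IPs on other
    VLANs do not collide because the lookup is scoped to the bridge."""
    matches = [(p.device, p.port, i.vrf)
               for p in ports for i in p.interfaces
               if i.vlan == vlan and i.ip == ip]
    if len(matches) > 1:
        raise ValueError("IP %s is ambiguous inside VLAN %d" % (ip, vlan))
    return matches[0] if matches else None


def reachable_macs(ports, device: str, port: str) -> Set[str]:
    """MACs a port can reach through the cloud: the union of the
    forwarding tables of every bridge the port belongs to, minus itself."""
    bridges = build_bridges(ports)
    me = next(p for p in ports if p.device == device and p.port == port)
    out: Set[str] = set()
    for vlan in me.vlans:
        out |= bridges[vlan]
    out.discard(me.mac)
    return out


if __name__ == "__main__":
    for vlan, macs in sorted(build_bridges(FIGURE_5_1_PORTS).items()):
        print("bridge for VLAN %d: %s" % (vlan, sorted(macs)))
    print("hosts using 10.0.0.1:", hosts_with_ip(FIGURE_5_1_PORTS, "10.0.0.1"))
    print("10.0.0.1 in VLAN 3 ->", resolve_ip(FIGURE_5_1_PORTS, 3, "10.0.0.1"))
```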

Understanding VNE Status and VNE States


VNE status is displayed in the Servers drawer when you select an AVM. Normally this status indicates the administrative condition of the VNE (whether the VNE process is running or not). If the gateway server cannot communicate with the VNE, the status will be Unreachable. Starting and stopping VNEs is entirely user-directed, as explained in Changing VNE Status (Start, Stop, Maintenance), page 5-39. VNE states, which describe to what degree the VNE has discovered and modeled a device, are displayed in Cisco ANA NetworkVision when you click the VNE button from the device properties page (see Cisco Active Network Abstraction 3.7 User Guide).


Table 5-1 lists the possible VNE Status values that you may see in a table of VNEs.

Table 5-1 VNE Status

Starting Up
When a Start (command) option is issued and, for example, when the server cannot run it because it is busy or overloaded, the status of the VNE is Starting Up.

Up
The VNE process is reachable, was loaded, and has started. This is the status when a Start command is issued (or when you create a VNE and choose Start as its initial status), and no problems are encountered (such as an overloaded server).

Shutting Down
When a Stop (command) option is issued and, while the command is being run, some processes are still running, the status of the VNE is Shutting Down.

Down
The VNE process is reachable, but was stopped. This is the status when a Stop command is issued.

Unreachable
The VNE cannot be reached by the gateway, so the VNE cannot be managed. (See VNE States and the VNE Lifecycle, page 5-5.)

VNE States and the VNE Lifecycle


VNE states describe to what degree the VNE has discovered and modeled a device. While most GUI information represents the device (such as the device IP address and type), VNE states describe the status of the VNE, which models the device. There are two types of VNE states:

- VNE communication state conveys the status of two connections, both of which are needed for Cisco ANA to successfully manage a device:
  - The VNE can connect with the device it is monitoring, and
  - The gateway server can connect with the VNE.
- VNE investigation state represents the different degrees to which the VNE has successfully discovered and modeled a network element. In other words, it gives you an idea of the quality of the inventory.

Both the communication and investigation states are displayed in Cisco ANA NetworkVision when you click the VNE button from the device properties page (see Cisco Active Network Abstraction 3.7 User Guide). Table 5-2 describes the possible states you may see in the GUI client. You can restart the VNE discovery process by restarting the VNE (see Changing VNE Status (Start, Stop, Maintenance), page 5-39).


Table 5-2 VNE Investigation and Communication States

Investigation States

Defined Not Started (GUI decorator: no badge)
This is the initial state of the VNE, as soon as it is created. The VNE was created but not started, or an existing VNE was stopped. A VNE remains in this state until it is started by a user. In this state, the VNE is managed but does not yet have any device information because the VNE has not yet connected to the device.

Initializing
The VNE was started and is looking for its driver type.

Unsupported
The device is not supported by Cisco ANA, specifically because no VNE driver was found for the device. A VNE remains in this state until a driver is found (for example, an upgrade or new driver delivery). To find out how to get information on why a VNE is in this state, see VNE Discovery and Investigation State Registry Settings, page 5-8.

Discovering
The VNE is building the model of the device. A VNE remains in this state until all device commands are successfully executed.

Operational (GUI decorator: no badge)
The VNE is fully modeled and is fully monitoring the device. All device commands have been successfully completed. A VNE remains in this state unless it is stopped or moved to the maintenance state, or there are device errors. To find out how to get information about which device commands were run and how long it took to load the VNE, see VNE Discovery and Investigation State Registry Settings, page 5-8.

Currently Unsynchronized
The VNE model is inconsistent with the device because of one of the following:
- A device command failed (but the VNE may recover from the failure on subsequent polling cycles).
- The device did not respond in a timely fashion.
- The VNE was in the maintenance state but was restarted (and is resynchronizing with the network element).
- The VNE was in the Device Unreachable state and is now resynchronizing with the network element.
If a VNE is in this state due to a device command failure, it will remain in this state and keep retrying the command (unless it is moved to the maintenance state). To find out how to get information on why a VNE is in this state, see VNE Discovery and Investigation State Registry Settings, page 5-8.

Maintenance
The VNE is no longer polling the device; therefore, the VNE does not know the device's status. This can occur when a user moves the VNE to maintenance state, or the VNE is using adaptive polling and CPU usage is too high (see Smooth Polling and Adaptive Polling, page 6-5).

Note

For information on factors that can affect device CPU usage, see Appendix F, CPU Utilization and Cisco ANA.

A VNE in the maintenance state has the following characteristics:
- It handles syslogs and traps.
- It handles events for correlation flow issues, but does not poll the device.
- It maintains the status of any existing links.
- It does not fail on VNE reachability requests.
- It does not initiate new service alarms, but does receive events from adjacent VNEs, such as in the case of a Link Down alarm.

There are two ways a VNE can be moved to the maintenance state:
- You can manually move a VNE to the maintenance state if you need to perform an activity such as changing a module, so that Cisco ANA will ignore alarms during the activity.
- Cisco ANA will automatically move a VNE to the maintenance state if you have enabled adaptive polling and the device's CPU usage exceeds its configured upper threshold. This prevents the VNE from using too much of the network element's CPU resources. See Appendix F, CPU Utilization and Cisco ANA.
When the network element is ready to be changed back to its previous state, Cisco ANA reinitiates the discovery process.

Partially Discovered
The VNE model is inconsistent with the device because a device command failed and is not recovering. A common cause of this state is that the device contains an unsupported module. To find out how to get information on why a VNE is in this state, see VNE Discovery and Investigation State Registry Settings, page 5-8.

Shutting Down
The VNE has been stopped or deleted by the user, and the VNE is terminating its connection to the device.

Stopped (GUI decorator: no badge)
The VNE process has terminated (it will immediately move to Defined Not Started).

Communication States

Device Unreachable
The VNE cannot communicate with the device. This can happen if the device is shut down, network connectivity is lost, or the VNE has credential problems.

Note

The Device Unreachable communication state means that the device is not responding to commands from Cisco ANA. This can be for many reasons; perhaps the device is busy or is responding to other commands. This communication state does not mean the device is not processing network traffic.

VNE/Agent Unreachable
The VNE is not responding to the gateway server. This can happen if the unit or AVM is overutilized, or the connection between the gateway and unit or AVM was lost.


VNE Lifecycle: Discovery and Device Command Timeouts


Cisco ANA discovers and models a network element using device commands (sometimes called registrations). Because some commands may take longer than others, each command has its own device command timeout. The timeout and the retries determine how many times Cisco ANA should retry the command before considering it to have failed. How Cisco ANA responds to device command failures depends on the type of device command:

Repetitive commands poll the device for status and configuration changes. If a repetitive command fails, Cisco ANA moves the VNE investigation state to Currently Unsynchronized or Partially Modeled. Repetitive commands are usually (but not always) recoverable. If the failed command is classified as recoverable, Cisco ANA retries the command at the next polling interval.

One-time commands need to run only once to gather static information, such as the device type. If a one-time command fails, Cisco ANA moves the VNE investigation state to Partially Discovered and retries the command when the VNE is restarted. One-time commands are always classified as unrecoverable. These commands will only impact the investigation state if the command is also considered to be required. By default, no commands are classified as required for model evaluation.

Cisco ANA also has a discovery process timeout for the VNE (which is different from device command timeouts). This ensures that the discovery process does not run endlessly, which can happen in the case of a very slow device or network. By default, VNE discovery timeouts are defined according to device type and only occur when the VNE has completed a full pass of all commands (both repetitive and one-time). However, even if the VNE discovery process times out, the VNE is completely usable and is moved to the Operational state. This allows applications to make use of whatever VNE information has been discovered to that point.

VNE Discovery and Investigation State Registry Settings


When a VNE's investigation state changes, Cisco ANA can generate a System event that you can view in Cisco ANA EventVision. The event's Long Description field can provide details about the investigation state change. However, these settings are disabled by default because they can affect performance and can cause unnecessary concern to operators. They should be used for troubleshooting purposes only. The registry entries and default values are provided in Table 5-3.

Note

All changes to the registry should only be carried out with the support of Cisco. For details, contact your Cisco account representative.

Table 5-3 Registry Settings for VNE Discovery and Investigation

Registry Entry: investigation-state-update-event
Description: Generate a System event (in Cisco ANA EventVision) when the investigation state changes
Default Value: false

Registry Entry: investigation-state-summary-event
Description: Include an elaborated report about the state change in the Long Description field of the System event
Default Value: false

Registry Entry: max-delay-before-managed-state-in-milliseconds
Description: VNE discovery timeout (in milliseconds)
Default Value: 1800000 (30 minutes)

Registry Entry: error update tolerance
Description: Allowable number of device command failures, after which an error is generated
Default Value: 3

Registry Entry: required
Description: Designate the device command as required for evaluating an investigation state (insert this after the device command key name)
Default Value: false

Creating VNEs: Prerequisites


When you add and define a new VNE, it corresponds to an NE and should only be added to the system once. As the VNE loads, Cisco ANA starts investigating the NE and automatically builds a live model of it, including its physical and logical inventory, its configuration, and its status. When adding a new VNE, Cisco ANA creates the registry information of the new VNE in the unit. By default, the newly created VNE has an administrative status of Down and uses the default community strings and polling rates. The VNE inherits these properties from the configuration record that corresponds to the device type. A VNE must be loaded into the bootstrap of the unit before it starts monitoring its underlying NE. This changes the administrative status of the VNE to Up, and ensures that the VNE is loaded on subsequent restarts of the unit. Loading the VNE also starts the VNE immediately. For more information about the status of VNEs, see Understanding VNE Status and VNE States, page 5-4.
Table 5-4 Steps to Add VNEs to AVMs

Step 1: Gather all prerequisite information (such as IP addresses, credentials, and protocol details) about the network elements you want to add.
See: Device Information Required Before Adding VNEs, page 5-10

Step 2: Perform all mandatory configurations on the network element so Cisco ANA can properly manage the element.
See: Device Configuration Required Before Adding VNEs, page 5-11
  Cisco IOS, Cisco IOS XE, and CatOS devices: Cisco IOS, Cisco IOS XE, and CatOS Devices - Required Settings, page 5-11
  Cisco IOS XR devices: Cisco IOS XR Devices - Required and Recommended Settings, page 5-11
  Devices you will add using SSH: All Cisco Devices Added Using SSH - Required, Recommended, and Rollback Device Settings, page 5-12
  SNMP traps setup: SNMP Traps - Required Device Settings, page 5-12
  Syslogs setup: Syslogs - Required Device Settings, page 5-13
  For configurations where the traps and syslogs source IP address is different from the VNE IP address: IP Address Configuration for Traps, Syslogs, and VNEs, page 5-14

Step 3: Decide which scheme to specify when you add the VNE. The scheme determines what information is collected by a VNE and populated in its model. It depends on the device type and the device technologies you want to manage.
See: Choosing a VNE Scheme, page 5-14

Step 4: (Optional) Get deployment information and recommendations, such as best practices for assigning VNEs to AVMs.
See: Contact your Cisco account representative.

Device Information Required Before Adding VNEs


Table 5-5 identifies the device information that you need to add a VNE to Cisco ANA.

Table 5-5 Required Information for New VNEs

Information Required: IP address
Verify the following: The device management IP address.

Information Required: Name
Verify the following: The device name.

Protocols and Credentials

SNMP
SNMP is running on the device. Supported version (v1, v2, or v3). For SNMPv1 or v2: The SNMP read and write community strings. For SNMPv3: The username and, optionally, the authentication or privacy configuration.

Telnet
Telnet is supported on the device. Port number. Telnet login sequence: Username, password, and prompt.

Note

The Telnet login sequence is required for Cisco IOS, Cisco IOS XE, and Cisco IOS XR devices.

SSH
SSH is supported on the device. Supported version (v1 or v2). SSH username and password and any other configuration information (cipher, authentication, key exchange [v2], MAC [v2]).

Note

Cisco recommends that you first use any SSH client application (such as UNIX SSH or OpenSSH) to determine the device SSH login sequence. Also be sure to perform the required device configuration described in All Cisco Devices Added Using SSH - Required, Recommended, and Rollback Device Settings, page 5-12.

Device Configuration Required Before Adding VNEs


Perform the required configuration on the devices so that Cisco ANA can model the devices accurately and perform management tasks, such as processing syslogs, traps, logging, and so forth. See the following topics for more information:

Cisco IOS, Cisco IOS XE, and CatOS Devices - Required Settings, page 5-11
Cisco IOS XR Devices - Required and Recommended Settings, page 5-11
All Cisco Devices Added Using SSH - Required, Recommended, and Rollback Device Settings, page 5-12
SNMP Traps - Required Device Settings, page 5-12
Syslogs - Required Device Settings, page 5-13

Cisco IOS, Cisco IOS XE, and CatOS Devices - Required Settings

The following settings are required for Cisco IOS, Cisco IOS XE, and CatOS network elements:

snmp-server community public RO
snmp-server community private RW

Cisco IOS XR Devices - Required and Recommended Settings

The following settings are required for Cisco IOS XR network elements:

Note

If applicable, be sure to commit snmp-server community before snmp-server host.

domain ipv4 host gateway_name gateway_IP
telnet ipv4 server max-servers no-limit
snmp-server community community_name SystemOwner
snmp-server community community_name RO
snmp-server community public RO
snmp-server community private RW
vty-pool default 0 99
xml agent tty

In addition to the required settings, you must follow these guidelines:

Install the Cisco IOS XR Manageability Package on top of the Cisco IOS XR version. You can get information on this package from the release notes for your Cisco IOS XR version.
Cisco ANA should use the device login user that is a member of group root-system and cisco-support.
To correctly model logical routers, the Cisco ANA user should use the unique login user@admin (and also be a member of groups root-system and cisco-support).
Cisco IOS XR VNEs should be added to the SystemOwner community.

The following settings are recommended for Cisco IOS XR network elements:

hostname gateway_name
snmp-server location location
snmp-server contact contact
line default
 exec-timeout 0 0

All Cisco Devices Added Using SSH - Required, Recommended, and Rollback Device Settings

This SSH information applies to all device types and operating systems. (For information on how to set up a device to run SSH, see your device documentation.) The following is an example of how to enable SSH on Cisco devices when they need to be added to Cisco ANA using SSH:

(config) ip domain-name DOMAIN
(config) crypto key generate rsa

Note

When you are requested to enter the modulus length, leave the default value. Although a longer modulus length may be more secure, it takes longer to be generated and used.

Configure vty to accept local password checking:

line vty 0 4
 login local

The following are recommended SSH configuration settings:

(config) ip ssh time-out 120
(config) ip ssh authentication-retries 2
(config) ip ssh version {1 | 2}

To roll back to the original device configuration, use the following settings:

no ip ssh {time-out | authentication-retries}
crypto key zeroize rsa

SNMP Traps - Required Device Settings

The following table lists the settings you must configure in order to properly receive SNMP traps.

SNMP Type: All
Required Setting:
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps chassis
snmp-server enable traps module
snmp-server enable traps bgp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps config
snmp-server enable traps ipmulticast
snmp-server enable traps entity
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps rtr
snmp-server enable traps mpls ldp
snmp-server trap-source interface_name¹

Note

interface_name is the active management IP address.

SNMP Type: SNMPv1
Required Setting:
snmp-server host gateway_IP traps version 1 community

SNMP Type: SNMPv2
Required Setting:
snmp-server host gateway_IP traps version 2c community

SNMP Type: SNMPv3 With Authentication
Required Setting:

Note

MyUsr, MyGrp, MyPswd, and MyView must match the information you enter when you create the VNEs in Cisco ANA.

For all devices:
snmp-server view MyView internet included
snmp-server group MyGrp v3 auth [notify MyView]

For Cisco IOS, Cisco IOS XE, and CatOS devices:
snmp-server user MyUsr MyGrp v3 auth {md5|sha} MyPswd

For Cisco IOS XR devices:
snmp-server user MyUsr MyGrp v3 auth {md5|sha} {WORD,CLEAR,encrypted} MyPswd SystemOwner

For all devices, after configuring SNMPv3 on the device, configure the following setting:
snmp-server host gateway_IP traps version 3 auth MyUsr

SNMP Type: SNMPv3 No Authentication
Required Setting:

Note

MyNoAuthUsr and MyNoAuthGrp must match the information you enter when you create the VNEs in Cisco ANA.

For Cisco IOS, Cisco IOS XE, and CatOS devices:
snmp-server group MyNoAuthGrp v3 noauth
snmp-server user MyNoAuthUsr MyNoAuthGrp v3

For Cisco IOS XR devices:
snmp-server user MyNoAuthUsr MyNoAuthGrp v3 SystemOwner

For all devices, after configuring SNMPv3 on the device, configure the following setting:
snmp-server host gateway_IP traps version 3 noauth MyNoAuthUsr

1. Required if the device has a management IP address.

Syslogs - Required Device Settings

The following table lists the settings you must configure for syslogs.

All:
logging source-interface interface_name¹

Cisco CatOS, Cisco IOS, and Cisco IOS XE:
logging on
logging buffered 64000 informational
logging trap informational
logging gateway_IP
logging event link-status default

Cisco IOS XR:
logging on
logging events level informational
logging buffered 10000
logging trap informational
logging events link-status software-interfaces

1. Required if the device has a management IP address. interface_name is the active management IP address.


IP Address Configuration for Traps, Syslogs, and VNEs

Traps and syslogs may be dropped if any of the VNEs managed by Cisco ANA are configured in such a way that the following addresses are different:

The traps and syslogs source IP address
The VNE IP address (entered when the VNE was created and displayed in the VNE properties)

To avoid missing any traps or syslogs, do one of the following:

Change the device configuration so that traps and syslogs are sent using the VNE's IP address. In addition, make sure that the source IP address matches the startup-config.
Configure the VNE to receive traps and syslogs using a different IP address by changing the VNE Event Settings, page 5-34.
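The trap, syslog, and SSH settings in the tables above, the source-address rule in this section, and the note later in this chapter about unique SNMP Engine IDs can all be checked against a device's configuration before the VNE is added. The following Python script is an added example for readers of this guide; it is not part of Cisco ANA and not Cisco's code. It parses constructed Cisco IOS running-config fragments for two hypothetical devices (the device names, interface addresses, and the gateway address 192.0.2.100 are assumptions) and reports required settings that are missing, a trap or syslog source interface whose address differs from the VNE IP, an SNMPv3 user on the trap host line that does not match the user entered for the VNE, and an Engine ID that two devices share. The trap families it checks are a subset of the full list in the table.

```python
import re
from collections import defaultdict

GATEWAY_IP = "192.0.2.100"  # assumed Cisco ANA gateway address (constructed)
# Subset of the trap families the chapter lists as required on all devices
REQUIRED_TRAPS = ["snmp authentication linkdown linkup coldstart warmstart", "bgp", "entity"]
# Syslog settings (required) and SSH settings (recommended) from the sections above
CHECKED_LINES = [("logging trap informational", "missing"), (f"logging {GATEWAY_IP}", "missing"),
                 ("ip ssh time-out", "recommended"), ("ip ssh authentication-retries", "recommended")]

# Constructed running-config fragments for two hypothetical devices, with the VNE
# properties an operator would enter for each (VNE IP, SNMP version, SNMPv3 user)
DEVICES = {
    "pe1": {"vne_ip": "192.0.2.11", "snmp_version": "v3", "snmp_user": "MyUsr", "config": """
snmp-server user MyUsr MyGrp v3 auth sha MyPswd
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps bgp
snmp-server enable traps entity
snmp-server trap-source Loopback0
snmp-server host 192.0.2.100 traps version 3 auth MyUsr
snmp-server engineID local 800000090300AABBCCDDEEFF
logging source-interface Loopback0
logging trap informational
logging 192.0.2.100
ip ssh time-out 120
ip ssh authentication-retries 2
interface Loopback0
 ip address 192.0.2.11 255.255.255.255
"""},
    "ce7": {"vne_ip": "192.0.2.7", "snmp_version": "v2", "snmp_user": None, "config": """
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps bgp
snmp-server trap-source GigabitEthernet0/0
snmp-server host 192.0.2.100 traps version 2c public
snmp-server engineID local 800000090300AABBCCDDEEFF
logging source-interface Loopback0
logging 192.0.2.100
interface Loopback0
 ip address 192.0.2.7 255.255.255.255
interface GigabitEthernet0/0
 ip address 198.51.100.7 255.255.255.0
"""},
}


def interface_addresses(config):
    """Map interface name -> IPv4 address from 'interface' / ' ip address' blocks."""
    addrs, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif current and line.strip().startswith("ip address "):
            addrs[current] = line.split()[2]
    return addrs


def audit_device(name, dev, engine_ids):
    """Return findings for one device and record its SNMP Engine ID in engine_ids."""
    lines = [l.strip() for l in dev["config"].splitlines() if l.strip()]
    ifaces = interface_addresses(dev["config"])
    findings = []
    has = lambda prefix: any(l.startswith(prefix) for l in lines)
    for trap in REQUIRED_TRAPS:
        if not has(f"snmp-server enable traps {trap}"):
            findings.append(f"missing: snmp-server enable traps {trap}")
    # Trap destination must be the gateway, sent with the SNMP version the VNE uses;
    # for SNMPv3 the user on the host line must match the user entered for the VNE
    ver = {"v1": "1", "v2": "2c", "v3": "3"}[dev["snmp_version"]]
    host_re = re.compile(rf"^snmp-server host {re.escape(GATEWAY_IP)} traps version {ver}\b(.*)$")
    host = next((m for m in map(host_re.match, lines) if m), None)
    if host is None:
        findings.append(f"missing: snmp-server host {GATEWAY_IP} traps version {ver}")
    elif ver == "3" and host.group(1).split()[-1] != dev["snmp_user"]:
        findings.append(f"snmpv3 user mismatch: host line uses "
                        f"{host.group(1).split()[-1]}, VNE uses {dev['snmp_user']}")
    # Trap and syslog source interfaces must carry the VNE IP, or events are dropped
    for cmd in ("snmp-server trap-source", "logging source-interface"):
        line = next((l for l in lines if l.startswith(cmd + " ")), None)
        if line is None:
            findings.append(f"missing: {cmd}")
            continue
        iface = line.split()[-1]
        if ifaces.get(iface) != dev["vne_ip"]:
            findings.append(f"{cmd} {iface} is {ifaces.get(iface)}, VNE IP is {dev['vne_ip']}")
    for setting, severity in CHECKED_LINES:
        if not has(setting):
            findings.append(f"{severity}: {setting}")
    eid = next((l.split()[-1] for l in lines if l.startswith("snmp-server engineID local ")), None)
    if eid:
        engine_ids[eid].append(name)
    return findings


def audit_all(devices):
    """Audit every device, then flag any Engine ID that more than one device shares."""
    engine_ids = defaultdict(list)
    report = {n: audit_device(n, d, engine_ids) for n, d in devices.items()}
    for eid, names in engine_ids.items():
        for n in (names if len(names) > 1 else []):
            report[n].append(f"duplicate SNMP engineID {eid} shared with {sorted(set(names) - {n})}")
    return report
```

Running audit_all(DEVICES) reports only the shared Engine ID for pe1, while ce7 is flagged for the missing entity trap, a trap-source interface whose address is not the VNE IP, the missing syslog severity setting, the two recommended SSH settings, and the shared Engine ID. A device whose Engine ID line is absent is left out of the uniqueness check, since the device then derives the ID automatically.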


Choosing a VNE Scheme


The VNE scheme determines the network element information that is collected by a VNE and populated in its model; that is, it defines the VNE modeling components investigated during the discovery process. When creating a VNE, choose a scheme that is based on the device family and on the technologies you want Cisco ANA to manage. This enables you to define different behavior for different devices. For example, some devices poll only with SNMP, while other devices poll with Telnet. Soft properties and activation scripts are also attached to a specific scheme.

Note

When you create a VNE, Cisco ANA provides a drop-down list of available schemes. The list includes a default choice. If you choose default, Cisco ANA sets the scheme to Product.

Cisco ANA uses the following schemes:

Product: This scheme is used for all device types in this release, except for Cisco CRS-1 and Cisco 3750ME devices.
ipcore: This scheme is used only for routers serving as Provider (P) or Provider Edge (PE) devices.

The difference between the two schemes is that ipcore assumes that the device is used as part of an MPLS VPN network containing P and PE devices. Cisco ANA therefore models these VNEs slightly differently. Use Product for all other instances, including customer edge (CE) devices. The Product scheme assumes that no MPLS or VRF configuration exists and thus does not retrieve it. These schemes provide users with the flexibility to specify the registrations (device commands, or methods the VNE uses to query the device for information) that the VNEs modeling their routers are to use. You can designate a VNE as a core router by setting it to work with the ipcore scheme, or as an edge router by setting it to work with the Product scheme. Table 5-6 identifies the technologies supported by each scheme.
Table 5-6 Technology Support Based on Schemes

Technology: Product Scheme / Ipcore Scheme
ATM: Yes / Yes
ATM PW: No / Yes
BGP: Yes / Yes

Remaining technologies, in table order:
CEM Group, CFM, DSx, EFP, Ethernet, Ethernet Channel, Ethernet IEEE 802.3 Dot1Q/VLAN, Ethernet OAM CFM, Frame Relay, GRE, HDLC, Hierarchical VPLS, IMA, IP Routing, IP and ARP, IPoDWDM, IPv6, L3 VPN and VRF, LAG (IEEE 802.3ad), MLPPP, MP-BGP, MPLS, MPLS TE-Tunnel, OSPF, POS, PPP, PTP 1588, PWE3, L2 VPN (Martini), Q-in-Q (IEEE 802.1ad), SBC, SONET/SDH, STP/MSTP/PVST, SVI, SynCE, TDM
Product Scheme column for these rows, in table order:
No, No, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, No, Yes, Yes, Yes, No, Yes, No, Yes, Yes, No, No, No, Yes, Yes, Yes, Yes, No, Yes, No, Yes, Yes, No, Yes, Yes
Ipcore Scheme column for these rows: Yes for every row

TDM PW: No / Yes
VLAN Bridging: Yes / Yes
VPLS: No / Yes
VTP (VLAN Trunk and Tunneling): Yes / Yes

Table 5-7 identifies the schemes used, by device type.

Table 5-7 Schemes Used by Device Type

Columns: Device Types, Product Scheme, ipcore Scheme

Supported Alcatel-Lucent Devices
Alcatel-Lucent 7450 Ethernet Service Switch
Alcatel-Lucent Intelligent Services Access Manager
Alcatel-Lucent Riverstone
Alcatel-Lucent CBX, GX, B-STDX Switches

Supported Cisco Security Appliances
Cisco Adaptive Security Appliance 5550 Series

Supported Cisco Gateways
Cisco AS5300 Series Universal Gateways

Supported Cisco Routers
Cisco 800 Series Routers
Cisco 1000 Series Routers
Cisco 1600 Series Routers
Cisco 1700 Series Modular Access Routers
Cisco 1800 Series Integrated Services Routers
Cisco 2500 Series Routers
Cisco 2600 Series Multiservice Platform Routers
Cisco 2800 Series Integrated Services Routers
Cisco 3600 Series Multiservice Platform Routers
Cisco 3700 Series Multiservice Access Routers
Cisco 3800 Series Integrated Services Routers
Cisco 7200 Series Routers
Cisco 7400 Series Routers
Cisco 7600 Series Routers
Cisco 10000 Series Routers
Cisco 12000 Series Routers

Product Scheme column for the rows above: X X X X X X X X X X X X X X X X X X X X X X
ipcore Scheme column for the rows above: X X X X X X X X

Supported Cisco Routers (continued)
Cisco XR 12000 Series Routers
Cisco CRS-1 Carrier Routing System
Cisco ASR 1000 Series Routers
Cisco ASR 9000 Series Aggregation Services Routers
Cisco MWR 2900 Series Mobile Wireless Routers

Supported Cisco Switches
Cisco Catalyst 2900 Series Switches
Cisco ME 3400 Series Ethernet Access Switches
Cisco Catalyst 3500 XL Series Switches
Cisco Catalyst 3550 Series Switches
Cisco Catalyst 3560 Series Switches
Cisco Catalyst 3750 Series Switches
Cisco Catalyst 3750 Metro Series Switches
Cisco Catalyst 4000 Series Switches
Cisco Catalyst 4500 Series Switches
Cisco Catalyst 4900 Series Switches
Cisco ME 4900 Series Ethernet Switch
Cisco Catalyst 6500 Series (CatOS) Switches
Cisco Catalyst 6500 Series (Cisco IOS) Switches
Cisco ME 6500 Series Ethernet Switches (6524)

Product Scheme column for the rows above: X X X X X X X X X X X X X X
ipcore Scheme column for the rows above: X X X X X X X

Supported Generic Devices
Generic devices

Adding a VNE
After verifying the information in Required Information for New VNEs, determine the unit and AVM the new VNE is to be added to.

Note

For deployment information and recommendations, such as best practices for assigning VNEs to AVMs, contact your Cisco account representative.

To add VNEs in bulk, see Adding Multiple VNEs in Bulk, page B-2. You can define and manage SNMP, Telnet, SSH, ICMP, and polling information for the appropriate VNEs in the New VNE dialog box. For information on defining VNE properties in the respective VNE tabs, see:

VNE General Settings, page 5-20
VNE SNMP Settings, page 5-22
VNE Telnet/SSH Settings, page 5-23
VNE ICMP Settings, page 5-32
VNE Polling Settings, page 5-32
VNE Event Settings, page 5-34

You can create VNEs that perform reachability testing only through ICMP. This can be done by creating a VNE, selecting the type ICMP, and then defining the details in the ICMP tab. See VNE ICMP Settings, page 5-32.

Note

By default, when a VNE opens a Telnet session with a network element in order to model and monitor the element, the Telnet session remains open for 5 minutes, even if the VNE is idle (did not query the device during the session). After 5 minutes, the VNE closes the session and reopens it when it needs to query the device. If you would like to change this configuration, contact your Cisco account representative.
Before You Begin

Make sure you have gathered the required information as described in Creating VNEs: Prerequisites, page 5-9.

Step 1 Select the required gateway or unit and AVM in the navigation tree.

Step 2 Right-click the AVM, then choose New VNE. The New VNE dialog box is displayed, opened to the General tab.

Step 3 Enter the VNE general information; the fields are described in Table 5-9 on page 5-20. At a minimum, you must enter the VNE name and IP address.

Note

If you are creating a Cloud VNE, only the VNE name and IP address are mandatory. Because the Cloud VNE does not access any device in the network, the IP address is not used for communication but as the ANA internal address of the VNE, and no additional protocols need to be configured for the Cloud VNE. Click OK, and the Cloud VNE is created. To populate the cloud VNE with technology and topology information, see the procedure in Populating a Cloud VNE with Technology and Topology Information, page 5-35.

Step 4 Click the SNMP tab and enter the polling and network element access settings. The fields are described in Table 5-10 on page 5-22. The fields displayed in the dialog box depend on the protocol you select.

Step 5 Click the Telnet/SSH tab and enter the VNE Telnet/SSH information to define the Telnet sequence and to enable SSH for network element access (reachability) and modeling. The fields are described in Table 5-11 on page 5-23. The fields displayed in the dialog box depend on the protocol you select. If you enter the wrong credential information when adding the VNE, the VNE will not be successfully added and managed. In this case, you will have to correct the credentials and restart the VNE (see Changing VNE Status (Start, Stop, Maintenance), page 5-39). However, Telnet credentials can be changed in runtime, without having to restart the VNE.


Note

If a device does not have a unique SNMP Engine ID, Cisco ANA generates Device unreachable events with corresponding SNMP timeout messages in the AVM log file. These IDs are normally derived from the unique MAC address for the device and assigned automatically, but they can be specified by the user. We recommend that you avoid custom SNMP Engine IDs. If you do use them, make sure they are unique.

Step 6 Click the ICMP tab and enter the ICMP polling rate you want Cisco ANA to use to verify reachability. The fields are described in Table 5-8. You can define the polling rate in seconds for the VNE.

Table 5-8 New VNE ICMP Tab

Field: Enable
Description: Check this check box to instruct Cisco ANA to use the ICMP communication protocol to verify that the network element is reachable. You can enable or disable ICMP polling at any time.

Field: Polling Rate
Description: Enter the polling rate in seconds. If ICMP is enabled, this is a required field.

Step 7 Click the Polling tab and enter the VNE Polling Information to associate a VNE with a previously created polling group, or customize different polling settings according to the type of VNE information you want (status, configuration, and so forth). The fields are described in Table 5-13 on page 5-33. For information on the settings in the default and slow polling groups, see Table 6-2 on page 6-4.

Step 8 If you want to configure the VNE to listen to additional IP addresses, click the Events tab. (This is useful when devices have components using IP addresses that are different from the management IP address, especially if the device driver cannot automatically detect these additional addresses.) The fields are described in Table 5-14 on page 5-34.

Step 9 Click OK to create the VNE.

The VNE is loaded into the bootstrap of its unit, and Cisco ANA starts investigating the network element. Cisco ANA builds a live model of the network element, including its physical and logical inventory, its configuration, and its status. Cisco ANA also creates the registry information of the new VNE in the unit. After a few minutes, verify that the VNE status is Up.

VNEs and Device Software Updates


You do not need to manually restart a VNE after upgrading the software on a device. When the VNE polls for configuration information, it will detect these kinds of changes and will restart itself. When the VNE reloads, it will update any required registry information, such as the VNE registry path. For information on configuration polling cycles, see VNE Polling Settings, page 5-32.


Viewing VNE Properties


Cisco ANA Manage enables you to view and edit the properties of a VNE in a unit, such as the status or Telnet settings. To view the properties of a VNE:
Step 1 Expand the ANA Servers branch, then select the required AVM in the navigation tree.

Step 2 Open the VNE Properties dialog box by right-clicking the required VNE in the VNE Properties table, then choose Properties.

Step 3 Edit or view the properties as required. Information that is dimmed cannot be edited. Details about the fields in the VNE properties tabs are described in these topics:

VNE General Settings, page 5-20: Contains general information such as VNE name, IP address, and scheme.
VNE SNMP Settings, page 5-22: Specifies SNMP settings to support polling and network element access.
VNE Telnet/SSH Settings, page 5-23: Defines the Telnet sequence and enables SSH for network element access (reachability) and investigation.
VNE ICMP Settings, page 5-32: Specifies the ICMP polling rate you want Cisco ANA to use to verify reachability.
VNE Polling Settings, page 5-32: Associates a VNE with a previously created polling group or allows you to customize different polling settings according to the type of VNE information you want (status, configuration, and so forth); and lets you specify VNE adaptive polling.
VNE Event Settings, page 5-34: Specifies other IP addresses on which the VNE should listen for syslogs and traps.

To edit VNE properties, see Editing VNE Properties, page 5-39.

VNE General Settings


The following table describes the fields displayed in the VNE General tab. For information on Generic SNMP VNEs, see Notes on Generic SNMP VNEs, page 5-22.

Table 5-9 Fields in the VNE General Tab

Identification Area

Field: Name
Description: The name of the VNE, which will be used as a unique key in Cisco ANA. It is also used for commands that manipulate the VNE.

Field: IP Address
Description: The device management IP address of the network element.

Field: Type
Description: Defines the protocol Cisco ANA will use to model the element, and the extent to which you want the element to be modeled. In the drop-down list, choose the VNE device type:

Auto Detect: Use this type if SNMP is enabled on the element. Cisco ANA will use SNMP to gather all available inventory information.
Generic SNMP: Use this type if SNMP is enabled on the element, and either Cisco ANA does not support the element, or Cisco ANA does support the element but you only want basic information to be modeled. Cisco ANA will use SNMP to gather the most basic inventory information that is normally provided by all network elements. See Notes on Generic SNMP VNEs, page 5-22.
Cloud: Use this type for an unmanaged network segment. Specific cloud configuration is provided on a per-project basis. All other tabs will be disabled.
ICMP: Use this type if ICMP is enabled on the element, and either Cisco ANA does not support the element, or Cisco ANA does support the element but you only want basic information to be modeled. Cisco ANA will use ICMP to gather the most basic inventory information that is normally provided by all network elements, and will perform reachability testing only. The Polling tab (which controls polling group settings) will be disabled.

Field: Scheme
Description: Defines the VNE modeling components investigated during the discovery process and then populated in the VNE model. This enables the administrator to define different behavior for some network elements; for example, some network elements poll only with SNMP, and other network elements poll with Telnet. Soft properties and activation scripts are also attached to a specific scheme. By default, the VNE inherits the VNE scheme from the default scheme. Where more than one scheme exists in the network, the VNE loads the selected scheme.

Default: Sets the scheme to Product.
Product: This scheme is used for all device types in this release except Cisco CRS-1, Cisco XR 12000 series, Cisco 3750ME, and Juniper M-Series devices.
ipcore: This scheme is used only for routers serving as Provider (P) or Provider Edge (PE) devices.

For more information, see Choosing a VNE Scheme, page 5-14.

Initial State Area

Field: State
Description: Sets the initial disposition of the VNE. Normally you should set it to Stop, especially if you want to verify the VNE configuration, or if you know the VNE is very complex and might need extra processing to complete the loading procedure.

Stop: The VNE is not loaded. This is the default state.
Start: The VNE is loaded and starts collecting data.

To move an existing VNE to the maintenance state, see Changing VNE Status (Start, Stop, Maintenance), page 5-39.

Location Area

Field: ANA Unit
Description: Displays the IP address of the unit that hosts the AVM for the VNE.

Field: AVM
Description: Displays the AVM ID associated with this VNE.


Notes on Generic SNMP VNEs

The generic SNMP VNE is a VNE that is not related to any vendor, can represent any vendor (with certain limitations), and provides lightweight management support for network devices. A generic SNMP VNE does the following:

Provides basic management capabilities for a device with the following technologies:
IP (restricted to basic IP only; does not include modeling of IPsec, MPLS, or routing protocols)
Ethernet switching
802.1Q

Supports these inventory items:
Physical inventory (specific port types only)
Routing table
ARP table
Default bridge
IP interfaces

If a VNE is identified as unsupported (because its type was not recognized), Cisco ANA gives the VNE a status of Unsupported. You can either leave the VNE as Unsupported or load it as a Generic SNMP VNE. Every VNE in agentdefaults/da has the entry load generic agent for unsupported device type, where you can set the value as true or false (the default). If the value is true, it sets 1.3.999.3 as the property. It looks for this property in agentdefaults/da/deviceTypes and finds sheer/genericda. It then skips the investigation of the device software versions and builds the VNE (generic SNMP) from the default version.

VNE SNMP Settings


The following table describes the fields displayed in the VNE SNMP tab.
Table 5-10 Fields in the VNE SNMP Tab

Enable SNMP
  If checked, enables SNMP so that the VNE can poll the device with it. SNMP can be enabled or disabled on a VNE at any time; however, when the Auto Detect check box is checked (in the General tab), it cannot be disabled.

SNMP Version Area

SNMP V1/V2 Settings (activated if using SNMP V1 or SNMP V2)

SNMP V1 and V2 fields are available only when SNMP is enabled.

Read
  SNMP read community string, as defined by the user. The default is public.
Write
  SNMP write community string, as defined by the user. The default is private.

Note
SNMPv1 and SNMPv2c send the community string in clear text with every request, and it is the only credential the device checks. Replace the well-known defaults public and private with device-specific strings, restrict on the device which source addresses may use them, and do not configure a write community unless it is actually needed. Prefer SNMPv3 with authentication and encryption where the device supports it.


SNMP V3 Settings (activated if using SNMP V3)

SNMP V3 fields are available only when SNMP V3 is chosen. Make sure you have performed the required SNMPv3 device configuration tasks listed in SNMP Traps: Required Device Settings, page 5-12.

Authentication
  Type of authentication to be used:
    No: Authentication is not required (default).
    md5: Uses Message Digest 5 (MD5) for the authentication mechanism.
    sha: Uses Secure Hash Algorithm (SHA) for the authentication mechanism.
User
  Authentication username. This field is enabled if you choose any method other than No authentication.
Password
  Authentication password. This field is enabled if you choose any method other than No authentication.
Encryption
  Type of encryption (privacy) method to be used:
    No: Encryption is not required (default).
    des: Uses Data Encryption Standard (DES) for encryption.
    aes128: Uses 128-bit Advanced Encryption Standard (AES) for encryption.
    aes192: Uses 192-bit AES for encryption.
    aes256: Uses 256-bit AES for encryption.
Password
  Encryption password. This field is enabled if you choose any method other than No encryption.

Note
With No authentication, SNMPv3 provides no more protection than a community string (noAuthNoPriv); with authentication but No encryption, the polled data is still readable on the wire (authNoPriv). Choose sha together with one of the AES options where the device supports them; md5 and des are legacy algorithms kept for compatibility with older devices.

VNE Telnet/SSH Settings


The following table describes the fields in the VNE SSH/Telnet tab. For examples of how to enter Telnet or SSH prompt information, see Telnet and SSH Login Sequences: Notes and Examples, page 5-26. For more information on SSHv2 host key algorithms, also see Notes on SSHv2 Public Key and Private Key File Formats, page 5-31.
Table 5-11 Fields in the SSH/Telnet Tab

Enable
  Enables the communication protocol so Cisco ANA will investigate the network element. Checking this check box activates the Login Sequence area. You can enable or disable the communication protocol at any time.
Protocol
  Type of protocol to be used: Telnet (default), SSHv1, or SSHv2. Telnet carries the login credentials and every command in clear text, and SSHv1 has known protocol weaknesses; use SSHv2 wherever the device supports it.

Note
By default, when a VNE opens a Telnet session with a network element in order to model and monitor the element, the Telnet session remains open for 5 minutes, even if the VNE is idle (did not query the device during the session). After 5 minutes, the VNE closes the session and reopens it when it needs to query the device. If you would like to change this configuration, contact your Cisco account representative.


Port
  Port the protocol will use. This field is prepopulated depending on your protocol choice. If you are not using the default port, enter the appropriate port number.
    23: Default port for Telnet.
    22: Default port for SSHv1 or SSHv2.

Login Sequence Area

Prompt and Run
  The network element's expected prompt, and the string Cisco ANA should send to the network element when the expected prompt is detected. The table shows the current settings; you can change the settings using the controls below the table. Entering a string in the Prompt field activates the Run field. After making your entries in the Prompt and Run fields, click Mask if you do not want the password entered as clear text. Finally, click Add to add them to the login sequence. Click Remove to remove any lines. Use the up and down controls to the right of the table to change the order.

  Note
  After an SSH session is established between the VNE and the device, the VNE starts the login sequence. This sequence is usually shorter than the corresponding Telnet login sequence, as the username or password might have been sent as a step in establishing the SSH session (see the example in Telnet and SSH Login Sequences: Notes and Examples, page 5-26).

If you selected Telnet:
  Telnet prompt information. The sequence (the order of the commands) must end with a line that includes only the prompt field. Cisco ANA VNEs can handle partial device prompts as well. For examples, see Telnet and SSH Login Sequences: Notes and Examples, page 5-26. The Prompt field should contain the prompt expected from the device; the Run field should contain the response to the expected prompt. When entering the Run information, you must confirm the entry in the Confirm field. The values in Run and Confirm are displayed as clear text if you have not checked the Hide the Run value while typing check box.

If you selected SSH V1 or V2:
  SSH prompt information. This sequence is usually shorter than the corresponding Telnet login sequence, because the username or password may already be s
ent during the process of establishing the SSH session. Cisco recommends that you first use any SSH client application (such as UNIX SSH or OpenSSH) to determine the device SSH login sequence, and then enter that information.

Mask
  Masks the password so it is not displayed as clear text (after completing the Prompt and Run fields). You will be prompted to enter and reenter your password. When you click OK, the information is added.
Add and Remove
  Add the prompt and run strings to the login sequence, or remove the selected line; the up and down controls change the order.

SSHv1 Area (activated if using SSHv1)

Username
  Username used to log in to the device.
Password
  Device password.
Cipher
  Encryption algorithm to be used. By default, all methods are used.
    DES: Use the Data Encryption Standard algorithm. Single DES has only a 56-bit key; deselect it where the device accepts a stronger cipher.
    3DES: Use the Triple Data Encryption Standard algorithm.
    Blowfish: Use the Blowfish algorithm.
Authentication
  Authentication method; currently password is the only supported method.


SSHv2 Area (activated if using SSHv2)

Username
  SSHv2 username.
Client Authentication
  Client-driven authentication method to be used.
    Password: Use a password to authenticate the client. Enter the password in the Password field.
    Public Key: Optionally, use public key authentication, which uses a key pair: the client application (the VNE) is configured with the secret private key, and the device is configured with the corresponding public, nonsecret key.
      Private Key: The private key. Click Import to import the private key, or click Generate to generate the key.
      Public Key: The public key. Click Import to import the public key. The application will verify that the public and private keys are part of a pair.
Server Authentication
  Server authentication method to be used; this is how the VNE decides whether the host key presented by the device is genuine.
    none: No server authentication. This method does not authenticate the device at all and is not recommended, because it exposes the session to man-in-the-middle attacks.
    save-first-auth: Uses the public key that was presented during the first connection attempt with the server. This method assumes the first connection was legitimate (a security risk exists if that connection was compromised). After the first connection, the server authentication method is changed to preconfigured, and the public key data is inserted as the preconfigured data.
    preconfigured: Uses the server public key or fingerprint that was configured in the application before the first connection was attempted. This is the default and is the recommended method. Selecting this method activates the Finger Print or Public Key field. Select one of the following (and be sure to read the description, provided later in this table, of the Host Key Algorithm field):
      Finger Print: Uses a short hash of the server public key (it identifies the same key, but is much shorter to record and compare).
      Public Key: Uses the public key in one of the permitted formats (see Notes on SSHv2 Public Key and Private Key File Formats, page 5-31). Enter the public key or click Generate to generate the matching public key using the private key information.
Key Exchange (1)
  Key exchange algorithm to be used. The default is none.
    DH-group1-sha1: Uses Diffie-Hellman group 1 with SHA-1 (diffie-hellman-group1-sha1).
    DH-group1-exchange-sha1: Uses Diffie-Hellman group exchange with SHA-1 (diffie-hellman-group-exchange-sha1).
MAC (1)
  Message authentication code (integrity) algorithm to be used for the session data. The default is none.
    SHA1: Uses HMAC-SHA-1 for message authentication.
    MD5: Uses HMAC-MD5 for message authentication.
    SHA1-96: Uses HMAC-SHA1-96 (the tag truncated to 96 bits) for message authentication.
    MD5-96: Uses HMAC-MD5-96 (the tag truncated to 96 bits) for message authentication.



Cipher (1)
  Cipher to be used.
    3DES: Uses the 3DES block algorithm (3DES-CBC).
    AES-128: Uses the 128-bit AES algorithm (AES128-CBC).
    AES-192: Uses the 192-bit AES algorithm (AES192-CBC).
    AES-256: Uses the 256-bit AES algorithm (AES256-CBC).
Host Key Algorithm (1, 2)
  Host key algorithm (up to 2048-bit keys are officially supported). See Notes on SSHv2 Public Key and Private Key File Formats, page 5-31 for valid file formats.
    DSA: Uses the Digital Signature Algorithm (DSA) public-key algorithm.
    RSA: Uses the Rivest-Shamir-Adleman (RSA) public-key algorithm.

(1) You can select multiple algorithms by pressing Ctrl while choosing a method. If more than one is selected, the application will try the selected algorithms until one is accepted by the server; there is no priority in the order in which they are tried. Because of this you cannot rely on the strongest option being chosen, so select only the algorithms you are willing to accept (for example, leave 3DES and MD5 unselected on devices that support AES and SHA-1). Also, encryption algorithms may have multiple known variants (for example, 3DES has 3des-cbc, 3des-ecb, 3des-cfb, 3des-ofb, and 3des-ctr).
(2) There are several file formats for public and private RSA and DSA keys. Cisco ANA officially supports the OpenSSH format (see http://www.openssh.com/manual.html).
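The three Server Authentication modes above differ only in where the trusted host key comes from. The following Python is added here as an example; it is not Cisco ANA code and does not describe how the VNE is implemented. It encodes an OpenSSH-format public key, derives the MD5 and SHA-256 fingerprints that OpenSSH prints, and applies each policy to the genuine device key and to an impostor's key. The two moduli are placeholders constructed for the example, not real RSA keys.

```python
"""Server (host key) authentication for the VNE's SSHv2 session.

Added example; it is not Cisco ANA code. It models the three Server
Authentication choices of the SSH/Telnet tab (none, save-first-auth,
preconfigured) over an OpenSSH-format public key and shows why only
'preconfigured' protects the first connection from a man-in-the-middle.
The two moduli at the bottom are constructed placeholders, not real RSA keys.
"""
import base64
import hashlib
import struct
from typing import Optional


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude with a leading 0x00 when the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key (RFC 4253, section 6.6)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def openssh_line(blob: bytes, comment: str = "") -> str:
    """OpenSSH public key line: '<type> <base64 blob> [comment]'."""
    (type_len,) = struct.unpack(">I", blob[:4])
    line = f"{blob[4:4 + type_len].decode()} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def blob_from_openssh_line(line: str) -> bytes:
    """Parse an OpenSSH public key line back into its blob, checking the type field."""
    fields = line.split()
    blob = base64.b64decode(fields[1])
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode() != fields[0]:
        raise ValueError("key type in the line does not match the encoded blob")
    return blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the blob as colon-separated hex."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


class HostKeyPolicy:
    """Decides whether the host key offered by the device is trusted.

    none            accept anything: no server authentication at all
    save-first-auth trust whatever key is seen first, then pin it (trust on first use)
    preconfigured   accept only a fingerprint or public key recorded before the first connection
    """

    MODES = ("none", "save-first-auth", "preconfigured")

    def __init__(self, mode: str, pinned: Optional[str] = None):
        if mode not in self.MODES:
            raise ValueError(f"unknown server authentication mode {mode!r}")
        if mode == "preconfigured" and not pinned:
            raise ValueError("preconfigured mode needs a fingerprint or a public key line")
        self.mode, self.pinned = mode, pinned

    def _matches(self, blob: bytes) -> bool:
        if self.pinned.startswith("SHA256:"):
            return fingerprint_sha256(blob) == self.pinned
        if self.pinned.startswith("MD5:"):
            return fingerprint_md5(blob) == self.pinned
        return blob_from_openssh_line(self.pinned) == blob   # pinned as a full public key line

    def accept(self, offered_blob: bytes) -> bool:
        if self.mode == "none":
            return True
        if self.mode == "save-first-auth":
            # First connection: pin whatever was offered and switch to preconfigured, as ANA does.
            # If an attacker answered this connection, the attacker's key is what gets pinned.
            self.pinned = fingerprint_sha256(offered_blob)
            self.mode = "preconfigured"
            return True
        return self._matches(offered_blob)


# Constructed sample keys (placeholders, not real RSA moduli): the real device and an impostor.
DEVICE_KEY = rsa_public_blob(65537, (1 << 1023) | int("c15c0a7a" * 30, 16) | 1)
IMPOSTOR_KEY = rsa_public_blob(65537, (1 << 1023) | int("bad0bad1" * 30, 16) | 1)
```

With save-first-auth the outcome depends entirely on who answered the first connection: the policy pins what it saw, so a poisoned first connection is locked in rather than detected. preconfigured with a fingerprint taken from the device console (or from a key retrieved over a path you already trust) is the only mode that rejects the impostor on every connection, which is why the manual makes it the default.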

Telnet and SSH Login Sequences: Notes and Examples


When you add a VNE, Cisco ANA uses the specified communication protocol to connect to the network element and gather modeling and status information. You must provide the information Cisco ANA will need: the characters and order of the network element's expected prompts, and the string Cisco ANA should send to the network element in response to each (so that it can reach enable mode on Cisco IOS and Cisco IOS XE devices, and XML mode on Cisco IOS XR devices).

Note

VNEs can understand partial and complete device prompts. After an SSH session is established between the VNE and the device, the VNE starts the SSH login sequence. This sequence is usually shorter than the corresponding Telnet login sequence, as shown in Figure 5-2.


Figure 5-2 SSH Login Sequence: Example

This topic provides two examples (with complete procedures) that show how to enter Telnet sequences:

  Telnet Login Sequence for a Cisco IOS Device: Example, page 5-28
  Telnet Sequence for a Cisco IOS XR Device: Example, page 5-30

A Telnet sequence (the order of the commands) must end with a line that includes only the enable prompt (for Cisco IOS and Cisco IOS XE devices) or the router CLI prompt (for Cisco IOS XR devices). Not all device families will have the same Telnet sequence; this is especially true for Cisco IOS devices. For RAD ACE-2300 devices, because SNMP is used for device modeling, we recommend disabling Telnet to avoid unnecessary queries.


Telnet Login Sequence for a Cisco IOS Device: Example

Figure 5-3 provides an example of a Telnet sequence for a Cisco IOS device (the example also applies to Cisco IOS XE devices). The procedure that follows the figure explains how this sequence is entered when you create the VNE for the device.
Figure 5-3 Example: Cisco IOS Telnet Sequence


The following procedure describes how to enter the sample Telnet sequence for a Cisco IOS device as shown in Figure 5-3.

Step 1  Check the Enable check box to activate the Telnet prompt fields.

Step 2  Enter the expected device prompt and response:

  Note
  To verify a device's Telnet sequence, open a Telnet session to the device and copy the information. The following is an example.

  a. Enter Password: in the Prompt field.
  b. Enter Rivers39* in the Run and Confirm fields.

     Note
     If you do not want the password displayed in clear text, click Mask.

  c. Click Add.

Step 3  Enter the device prompt and the command required to place the device in enable mode:

  a. Enter R3745> in the Prompt field.
  b. Enter enable in the Run and Confirm fields.
  c. Click Add.

Step 4  Enter the enable mode password information:

  a. Enter Password: in the Prompt field.
  b. Enter !Tribal41_ in the Run and Confirm fields.

     Note
     If you do not want the password displayed in clear text, click Mask.

  c. Click Add.

Step 5  Enter the enable prompt information:

  a. Enter R3745# in the Prompt field.

     Note
     VNEs can also understand partial prompts. For example, if you enter the string # instead of R3745#, the VNE will still be able to recognize the expected prompt.

  b. Verify that the Run field is blank.
  c. Click Add.


Telnet Sequence for a Cisco IOS XR Device: Example

Figure 5-4 provides an example of a Telnet sequence for a Cisco IOS XR device. The procedure that follows the figure explains how this sequence is entered when you create the VNE for the device.
Figure 5-4 Example: Cisco IOS XR Telnet Login Sequence


The following procedure describes how to enter the sample Telnet sequence for a Cisco IOS XR device as shown in Figure 5-4.

Step 1  Check the Enable check box to activate the Telnet prompt fields.

Step 2  Enter the expected device prompt and response:

  Note
  To verify a device's Telnet sequence, open a Telnet session to the device and copy the information. The following is an example.

  a. Enter Username: in the Prompt field.
  b. Enter crs1-oak in the Run and Confirm fields.
  c. Click Add.

Step 3  Enter the device password information:

  a. Enter Password: in the Prompt field.
  b. Enter sunFlower108! in the Run and Confirm fields.

     Note
     If you do not want the password displayed in clear text, click Mask.

  c. Click Add.

Step 4  Enter the device prompt:

  a. Enter EC-A# in the Prompt field.

     Note
     For devices with multiple processors (such as the Cisco CRS-1), the prompt comprises the active CPU plus the device name (for example, RP/0/RSP0/CPU0:EC-A#). A CPU failover could change the prompt and report a different CPU. In these cases, you should enter a prompt that specifies only the device name (for example, EC-A#).

  b. Verify that the Run field is blank.
  c. Click Add.
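The two procedures above describe a table-driven login. The following Python is an added example, not Cisco ANA code: it runs such a Prompt/Run table against a small simulated CLI to show the rules in action, namely that a partial prompt matches as a suffix of the device output, that a masked Run value stays out of the transcript, that a sequence which does not end with a prompt-only row is rejected, and that a prompt limited to the device name (EC-A#) survives a route-processor failover which the full RP/0/RSP0/CPU0:EC-A# prompt does not. The simulated CLI, its hostnames and its passwords are constructed here from the values in Figures 5-3 and 5-4 and are simpler than a real device.

```python
"""Drive a Prompt/Run login sequence against a simulated Cisco CLI.

Added example, not Cisco ANA code. The simulated CLI and the credentials are
constructed from the manual's figures; a real device prints more text, but the
matching rules exercised here (suffix match, masked values, final prompt-only
row) are the ones the login sequence table relies on.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Row:
    prompt: str          # text expected from the device; a suffix of its output is enough
    run: str = ""        # text sent once the prompt is seen; empty on the final row
    mask: bool = False   # the Mask button: keep the Run value out of transcripts


class SimulatedCLI:
    """Just enough of an IOS / IOS XR login to exercise a sequence; not a real device."""

    def __init__(self, hostname, login_password, enable_password=None, username=None, prompt_prefix=""):
        self.hostname, self.prefix = hostname, prompt_prefix   # prefix such as 'RP/0/RSP0/CPU0:'
        self.username, self.login_password, self.enable_password = username, login_password, enable_password
        self.state = "username" if username else "password"
        self.outbuf = "Username: " if username else "Password: "
        self.user_ok = True

    def _prompt(self, char):
        return f"\n{self.prefix}{self.hostname}{char}"

    def read(self):
        out, self.outbuf = self.outbuf, ""
        return out

    def write(self, line):
        if self.state == "username":            # the username is only checked once the password arrives
            self.user_ok, self.state, self.outbuf = line == self.username, "password", "\nPassword: "
        elif self.state == "password":
            if line == self.login_password and self.user_ok:
                # A login without a separate enable password (IOS XR style) lands on the '#' prompt.
                self.state = "privileged" if self.enable_password is None else "user"
                self.outbuf = self._prompt("#" if self.state == "privileged" else ">")
            else:
                self.outbuf = "\n% Login invalid\n\nPassword: "
        elif self.state == "user":
            if line == "enable":
                self.state, self.outbuf = "enable-password", "\nPassword: "
            else:
                self.outbuf = self._prompt(">")
        elif self.state == "enable-password":
            if line == self.enable_password:
                self.state, self.outbuf = "privileged", self._prompt("#")
            else:
                self.state, self.outbuf = "user", "\n% Bad secrets" + self._prompt(">")
        else:
            self.outbuf = self._prompt("#")


class LoginError(Exception):
    pass


def run_login_sequence(device, rows: List[Row]) -> str:
    """Apply the rows top to bottom; returns the transcript (masked values shown as ****)."""
    if not rows or rows[-1].run != "":
        raise LoginError("the sequence must end with a row that contains only the prompt")
    transcript = ""
    for row in rows:
        buf = ""
        while True:
            chunk = device.read()
            buf += chunk
            if buf.rstrip().endswith(row.prompt.rstrip()):   # partial prompts match as a suffix
                break
            if chunk == "":                                   # device went quiet without the prompt
                raise LoginError(f"expected {row.prompt!r}, device sent {buf.strip()!r}")
        transcript += buf
        if row.run:
            device.write(row.run)
            transcript += ("****" if row.mask else row.run) + "\n"
    return transcript


def login_succeeds(device, rows: List[Row]) -> bool:
    """True when the sequence completes and leaves the device at its privileged prompt."""
    try:
        run_login_sequence(device, rows)
    except LoginError:
        return False
    return device.state == "privileged"


# The sequences from the two procedures above (Figure 5-3 and Figure 5-4).
IOS_SEQUENCE = [Row("Password:", "Rivers39*", mask=True), Row("R3745>", "enable"),
                Row("Password:", "!Tribal41_", mask=True), Row("R3745#")]
IOS_XR_SEQUENCE = [Row("Username:", "crs1-oak"), Row("Password:", "sunFlower108!", mask=True), Row("EC-A#")]


def ios_device():
    return SimulatedCLI("R3745", login_password="Rivers39*", enable_password="!Tribal41_")


def xr_device(active_rp="RP/0/RSP0/CPU0:"):
    return SimulatedCLI("EC-A", login_password="sunFlower108!", username="crs1-oak", prompt_prefix=active_rp)
```

The suffix match is what makes both the short # prompt and the device-name-only EC-A# prompt work; it is also why a prompt string should be specific enough not to appear inside banner text or error messages that the device prints before the real prompt.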

Notes on SSHv2 Public Key and Private Key File Formats


There are several file formats for public and private RSA and DSA keys. The same key can be written differently according to the format that is used. This application officially supports the OpenSSH format. For more details, see http://www.openssh.com/manual.html. Make sure that the keys you provide as input parameters are in this format. If they are not, you need to convert them to the OpenSSH format before applying them.


Use Case Example: When working with Cisco IOS, the public key is retrieved using the show crypto key mypubkey rsa command. This format (a hex dump of the DER-encoded key) is not compatible with the OpenSSH format, and is not supported. There are several ways to convert the format. The easiest solution is to use ssh-keyscan from the (free) OpenSSH distribution to retrieve the device public key directly in the supported format; for more details, see http://www.openssh.com/manual.html. Because ssh-keyscan fetches the key over the network without authenticating the device, compare its output with the key shown on the device console before entering it as preconfigured data. Another option is to convert the files to the required format either manually or by using a script. The following are examples of valid file formats (the key bodies are abbreviated).

RSA private key
  -----BEGIN RSA PRIVATE KEY-----
  MIICWwIBAAKBgQDvdpW8ItfbSp/hTbWZJqCPmjRyh9S+EpTJ0Aq3fnGpFPTR+ ..
  TiOfhiuX5+M1cTaE/if8sScj6jE9A0MpShBrnDU/0A==
  -----END RSA PRIVATE KEY-----

DSA private key
  -----BEGIN DSA PRIVATE KEY-----
  MIIBuwIBAAKBgQDNGO+l2XW+W+YtVnWSYbKXr6qkrH9nOl+ ..
  7wO4+FR9afoRjDusrQrL
  -----END DSA PRIVATE KEY-----

DSA public key
  ssh-dss AAAAB3 .. HfuNYu+ DdGY7njEYrN++iWs= aslehr@aslehr-wxp01

RSA public key
  ssh-rsa AAAAB3 .. (lot more) .. qc8Hc= aslehr@aslehr-wxp01
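A script that performs the conversion described above, added here as an example and not part of Cisco ANA: it parses the hex dump that show crypto key mypubkey rsa prints under Key Data, which is a DER SubjectPublicKeyInfo, and emits the ssh-rsa line OpenSSH expects. The DER reader handles only this one structure. The sample dump is built from a placeholder modulus by a function in the same block so the round trip can be checked offline; the ssh_string and ssh_mpint helpers are the same RFC 4251 encoders used in the host key example earlier.

```python
"""Convert the 'Key Data' hex printed by show crypto key mypubkey rsa to an OpenSSH line.

Added example, not part of Cisco ANA. IOS prints the key as a hex dump of a
DER SubjectPublicKeyInfo (RFC 5280) wrapping an RSAPublicKey (RFC 8017);
OpenSSH wants 'ssh-rsa <base64 of the RFC 4253 ssh-rsa blob>'. The DER
reader below handles only this structure. The sample dump is constructed
from a placeholder 1024-bit modulus so the conversion can be checked offline.
"""
import base64
import struct

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1, rsaEncryption


def der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits count the length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Split the contents of a constructed element into (tag, value) children."""
    pos, children = 0, []
    while pos < len(value):
        tag, child, pos = der_read(value, pos)
        children.append((tag, child))
    return children


def rsa_from_spki(der: bytes):
    """Return (n, e) from a DER SubjectPublicKeyInfo carrying an rsaEncryption key."""
    tag, spki, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    (alg_tag, alg), (bits_tag, bits) = der_children(spki)
    if alg_tag != 0x30 or bits_tag != 0x03 or der_children(alg)[0] != (0x06, RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    if bits[0] != 0:
        raise ValueError("unexpected unused bits in the BIT STRING")
    key_tag, rsa_key, _ = der_read(bits, 1)              # skip the unused-bits octet
    (n_tag, n_bytes), (e_tag, e_bytes) = der_children(rsa_key)
    if key_tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey must be SEQUENCE { INTEGER n, INTEGER e }")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def ssh_string(b: bytes) -> bytes:                      # RFC 4251 'string'
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:                         # RFC 4251 'mpint', positive values only
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return ssh_string(b"\x00" + raw if raw and raw[0] & 0x80 else raw)


def ios_hex_to_openssh(key_data: str, comment: str = "ios-router") -> str:
    """key_data is the text under 'Key Data:'; whitespace and line breaks are ignored."""
    n, e = rsa_from_spki(bytes.fromhex("".join(key_data.split())))
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def openssh_to_rsa(line: str):
    """Inverse of ios_hex_to_openssh, used to verify a conversion: (n, e) from an ssh-rsa line."""
    blob, pos, fields = base64.b64decode(line.split()[1]), 0, []
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


# Constructed sample: DER-encode a placeholder key the way IOS prints it (test data only).
def der_tlv(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + value


def der_integer(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    return der_tlv(0x02, b"\x00" + raw if raw[0] & 0x80 else raw)   # keep the INTEGER positive


def ios_key_data(n: int, e: int) -> str:
    """The 'Key Data:' hex that show crypto key mypubkey rsa would print for modulus n, exponent e."""
    rsa_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    hexdump = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_key)).hex().upper()
    groups = [hexdump[i:i + 8] for i in range(0, len(hexdump), 8)]
    return "\n".join("  " + " ".join(groups[i:i + 8]) for i in range(0, len(groups), 8))


SAMPLE_N = (1 << 1023) | int("b5c09f3a7e1c4d62" * 15, 16) | 1    # placeholder, not a real RSA modulus
SAMPLE_E = 65537
```

Feed the real hex lines, copied from the router console or from a session you already trust, to ios_hex_to_openssh. Converting the key this way, instead of fetching it over the network with ssh-keyscan, means the value you enter as preconfigured data never depended on an unauthenticated connection.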

VNE ICMP Settings


The following table describes the fields in the VNE ICMP tab.
Table 5-12 Fields in the VNE ICMP Tab

Enable
  Instructs Cisco ANA to use ICMP to verify that the network element is reachable. You can enable or disable ICMP polling at any time by checking or unchecking the check box (except for ICMP type VNEs, which require this setting to be enabled).
Polling Rate
  Polling rate in seconds. If ICMP is enabled, this is a required field.

VNE Polling Settings


The following table describes the fields in the VNE Polling tab. This tab is disabled if you chose ICMP as the VNE type (in the General tab). These polling settings control:

  The intervals at which a network element is polled.
  A VNE's behavior if the CPU usage exceeds a certain threshold, by configuring adaptive polling settings.

For information on factors that can affect CPU usage, refer to Appendix F, CPU Utilization and Cisco ANA.


Note

For deployment information and recommendations, such as supported configurations and system sizing, contact your Cisco account representative.

Table 5-13

Fields in the VNE Polling Tab

Polling Group Area

Group
  Use polling rates from one of the polling groups listed in the drop-down list. If you do not select a group in the list, Cisco ANA will use the default polling group. See Managing Polling Groups and Adaptive Polling, page 6-3.
Instance
  Uses a user-specified polling rate created by changing the polling rates of any one of the built-in polling intervals displayed in the dialog box. When you select Instance, the Polling Intervals and Topology areas are activated.

  Note
  A polling rate that is not changed inherits its settings from the group specified in the drop-down list.

Polling Intervals Area (activated if using Instance)

Note
We recommend that you use the default values for polling intervals. Setting the fields below the default values can result in an overload of the Cisco ANA unit or polled device.

Status
  Polling rate for status-related information, such as network element status (up or down), port status, administrative status, and so on. This is typically the most frequently polled information, reflecting the current operational and administrative state of the element and its components. The default setting is 180 seconds.
Configuration
  Polling rate for configuration-related information, such as VC tables, scrambling, and so on. These reflect more dynamic element configuration such as forwarding, routing, and switching tables. The default setting is 900 seconds.
System
  Polling rate for system-related information, such as network element name, network element location, and so on. These reflect element configurations that are less dynamic in nature. The default setting is 86400 seconds.

Topology Area (activated if using Instance)

Layer 1
  Polling rate of the topology process as an interval for the Layer 1 counter. This is an ongoing process. The default setting is 30 seconds.
Layer 2
  Polling rate of the topology process as an interval for the Layer 2 counter. This process is available on demand. The default setting is 30 seconds.


Adaptive Polling Area

ANA Settings
  Uses the default settings for controlling VNE adaptive polling (see Smooth Polling and Adaptive Polling, page 6-5).
Device Type Settings (Default)
  Uses the VNE adaptive polling settings specified for this device type (as delivered with Cisco ANA). If no setting exists for the device type, the ANA Settings are used.
Local Settings
  Overrides the default settings and uses the values specified in the Upper and Lower Threshold fields. Any values you specify here are used only for this VNE instance.

  To enter your own adaptive polling settings, click Local Settings and enter the thresholds. The changes are not applied until you check the Enable check box. To turn off adaptive polling for the VNE, click Local Settings and uncheck the Enable check box.

  You must click Apply and restart the VNE for your changes to take effect.

Upper Threshold
  When CPU usage exceeds this value, the VNE switches to maintenance mode.
Lower Threshold
  When CPU usage drops below this value, the VNE moves to slow polling.

VNE Event Settings


The following table describes the fields in the VNE Events tab. These settings allow you to configure the VNE to listen to additional IP addresses. This is useful when devices have components using IP addresses that are different from the management IP address, especially if the device driver cannot automatically detect these additional addresses. For example, traps and syslogs may be dropped if any of the VNEs managed by Cisco ANA are configured in such a way that the following addresses are different:

  The source IP address of the traps and syslogs
  The VNE IP address (entered when the VNE was created and displayed in the VNE properties)

To avoid missing any traps or syslogs, configure the VNE to receive traps and syslogs from the additional IP address as well.

Table 5-14 Fields in the VNE Events Tab

Enter IP Address
  Field in which you enter a new IP address, so the VNE will listen to this address for syslogs and traps.
Event-Generating IP Addresses
  IP addresses the VNE listens to for syslog and trap information.


Populating a Cloud VNE with Technology and Topology Information


Each Cloud VNE must have a unique IP address (to be used as the Cloud VNE's internal address) that cannot be used to access any network element. To connect a regular VNE to a Cloud VNE, the VNE must be configured with the physical port that should be connected, and the IP address of the Cloud VNE. When configuring a Cloud VNE for dynamic operation, the cloud model and the topology (that is, the link between the Cloud VNE and the adjacent VNE) are discovered and managed automatically by Cisco ANA. To configure the Cloud VNE to operate dynamically, after creating a new VNE with a unique IP address, you must:

1. Identify the physical layer OID of the port that will connect to the Cloud VNE.
2. Connect the ports on the adjacent VNEs to the Cloud VNE.
3. For Ethernet Cloud VNEs, configure the Ethernet Cloud VNE's permissible subnets.

Before You Begin If you are creating an Ethernet Cloud VNE, read Ethernet Cloud VNEs, page 5-3.
Step 1  Identify the physical layer OID of the ports that will connect to the Cloud VNE.

  a. Perform a GET on the PhysicalRoot to retrieve all the physical models of the VNE down to the physical layer. The GET command can be optimized to retrieve only the necessary information by using a specific retrieval specification. The following is an example of an optimized GET command for VNE PE_South:

     <command name="Get">
       <param name="oid">
         <value>{[ManagedElement(Key=PE_South)][PhysicalRoot]}</value>
       </param>
       <param name="rs">
         <value>
           <key name="imo-view-controller">
             <entry name="depth">10</entry>
             <entry name="register">true</entry>
             <entry name="cachedResultAcceptable">false</entry>
             <key name="requiredProperties">
               <key name="com.sheer.imo.IPhysicalRoot">
                 <entry name="EquipmentHolders"/>
               </key>
               <key name="com.sheer.imo.IEquipmentHolder">
                 <entry name="ContainedEquipmentHolder"/>
                 <entry name="ContainedEquipment"/>
               </key>
               <key name="com.sheer.imo.IEquipment">
                 <entry name="SupportedPTPs"/>
               </key>
               <key name="com.sheer.imo.IPhysicalTerminationPoint">
                 <entry name="ContainedCurrentCTPs"/>
               </key>
             </key>
             <key name="requiredAspects">
             </key>
           </key>
         </value>
       </param>
     </command>

  b. Identify the physical layer (port) OID according to the port name or location. For example, from the result of the previous step's GET command, the following is the physical layer OID of port FastEthernet1/0 in PE_South:

     <?xml version="1.0" encoding="UTF-8"?>
     <IPhysicalRoot>
       <ID type="Oid">{[ManagedElement(Key=PE_South)][PhysicalRoot]}</ID>
       <EquipmentHolders type="IMObjects_Array">
         <IChassis>
           <ID type="Oid">{[ManagedElement(Key=PE_South)][PhysicalRoot][Chassis]}</ID>
           <ContainedEquipmentHolder type="IMObjects_Array">
             ....
             <IEquipmentHolder>
               <ID type="Oid">{[ManagedElement(Key=PE_South)][PhysicalRoot][Chassis][Slot(SlotNum=1)]}</ID>
               <ContainedEquipment type="IModule">
                 <ID type="Oid">{[ManagedElement(Key=PE_South)][PhysicalRoot][Chassis][Slot(SlotNum=1)][Module]}</ID>
                 <SupportedPTPs type="IMObjects_Array">
                   <IPortConnector>
                     <ID type="Oid">{[ManagedElement(Key=PE_South)][PhysicalRoot][Chassis][Slot(SlotNum=1)][Module][Port(PortNumber=FastEthernet1/1)]}</ID>
                     <ContainedCurrentCTPs type="IMObjects_Array">
                       <IPhysicalLayer>
                         <ID type="Oid">{[ManagedElement(Key=PE_South)][PhysicalRoot][Chassis][Slot(SlotNum=1)][Module][Port(PortNumber=FastEthernet1/1)][PhysicalLayer]}</ID>
                       </IPhysicalLayer>
                     </ContainedCurrentCTPs>
                   </IPortConnector>
                   <IPortConnector>
                     <ID type="Oid">{[ManagedElement(Key=PE_South)][PhysicalRoot][Chassis][Slot(SlotNum=1)][Module][Port(PortNumber=FastEthernet1/0)]}</ID>
                     <ContainedCurrentCTPs type="IMObjects_Array">
                       <IPhysicalLayer>
                         <ID type="Oid">{[ManagedElement(Key=PE_South)][PhysicalRoot][Chassis][Slot(SlotNum=1)][Module][Port(PortNumber=FastEthernet1/0)][PhysicalLayer]}</ID>
                       </IPhysicalLayer>
                     </ContainedCurrentCTPs>
                   </IPortConnector>
                 </SupportedPTPs>
               </ContainedEquipment>
             </IEquipmentHolder>
             ....
           </ContainedEquipmentHolder>
         </IChassis>
       </EquipmentHolders>
     </IPhysicalRoot>


     The OID is {[ManagedElement(Key=PE_South)][PhysicalRoot][Chassis][Slot(SlotNum=1)][Module][Port(PortNumber=FastEthernet1/0)][PhysicalLayer]}

  c. Replace / (the slash) in the port name with \!slash\! when specifying the OID in the CLI command. For example, the OID from the preceding step should be changed to:

     {[ManagedElement(Key=PE_South)][PhysicalRoot][Chassis][Slot(SlotNum=1)][Module][Port(PortNumber=FastEthernet1\!slash\!0)][PhysicalLayer]}

Step 2  Connect the ports to the Cloud VNE. For each VNE that represents a device that is connected to the unmanaged network represented by the Cloud VNE, do the following:

  a. Log into the gateway as user ana37.
  b. Change to the Main directory (where NMSROOT is the Cisco ANA installation directory):

     # cd NMSROOT/Main/

  c. From the gateway, run the following CLI commands:

     # ./runRegTool.sh -gs 127.0.0.1 add server-ip "avm<avm-id>/agents/da/vne-name/dcs/instance/physical-layer-oid/cloud topology"
     # ./runRegTool.sh -gs 127.0.0.1 set server-ip "avm<avm-id>/agents/da/vne-name/dcs/instance/physical-layer-oid/cloud topology/address" cloud-address

     The following lists the parameters you must define:

     server-ip: The IP address of the Solaris machine on which the parent AVM resides (for the VNE that will connect to the Cloud VNE).
     avm-id: The ID of the parent AVM (for the VNE that will connect to the Cloud VNE); it follows the literal avm directly, for example avm900.
     vne-name: The name of the VNE which will connect to the Cloud VNE.
     physical-layer-oid: The OID of the VNE port which will connect to the Cloud VNE. This is the OID you identified (and escaped) in Step 1 of this procedure.
     cloud-address: The IP address of the Cloud VNE (the Cloud VNE you created in Step 3 of Adding a VNE, page 5-17).

     Example:

     ./runRegTool.sh -gs 127.0.0.1 add 192.168.100.1 "avm900/agents/da/PE_South/dcs/instance/{[ManagedElement(Key=PE_South)][PhysicalRoot][Chassis][Slot(SlotNum=1)][Module][Port(PortNumber=FastEthernet1\!slash\!0)][PhysicalLayer]}/cloud topology"
     ./runRegTool.sh -gs 127.0.0.1 set 192.168.100.1 "avm900/agents/da/PE_South/dcs/instance/{[ManagedElement(Key=PE_South)][PhysicalRoot][Chassis][Slot(SlotNum=1)][Module][Port(PortNumber=FastEthernet1\!slash\!0)][PhysicalLayer]}/cloud topology/address" 1.2.3.4

     The previous example connects a VNE named PE_South (which resides in avm900 on unit 192.168.100.1) with a Cloud VNE that has the IP address 1.2.3.4. The connection is made through the physical layer of PE_South that has the OID {[ManagedElement(Key=PE_South)][PhysicalRoot][Chassis][Slot(SlotNum=1)][Module][Port(PortNumber=FastEthernet1/0)][PhysicalLayer]}.


d. Step 3

Restart the VNEs.

If the cloud represents an Ethernet access network, configure the permissible subnets on the Cloud VNE. This will permit IP interfaces to connect to other entities only if the interfaces are on the specified subnets. This minimizes the number of connections the Cloud VNE handles.

Note

This configuration applies to the Cloud VNE, not to the adjacent VNEs. The most common use case is to configure permissible subnets to allow the connection through all subnets that are connected to the cloud (by configuring 0.0.0.0/0).

For each Cloud VNE, do the following:


a. b.

Log into the gateway as user ana37. Change to the Main directory (where NMSROOT is the Cisco ANA installation directory):
# cd NMSROOT/Main/

c.

From the gateway, run the following CLI commands:


# ./runRegTool.sh -gs 127.0.0.1 add server-ip "avmavm-id/agents/da/cloud-vne-name/amsi/topology/dynamic/permissible-subnet" # ./runRegTool.sh -gs 127.0.0.1 set server-ip "avmavm-id/agents/da/cloud-vne-name/amsi/topology/dynamic/permissible-subnet/subnet" permissible-subnet

The following lists the parameters you must define:

Parameter           Meaning
server-ip           The IP address of the Solaris machine on which the parent AVM resides (for the VNE that will connect to the Cloud VNE).
avm-id              The ID of the parent AVM (for the VNE that will connect to the Cloud VNE).
cloud-vne-name      The name of the Cloud VNE (not the adjacent VNE).
permissible-subnet  The permissible subnet in address/mask format (such as 192.168.1.0/24).

Note

You can add multiple subnets by running the second CLI command multiple times. Each entry has a different name (e.g., subnet-2, subnet-3, and so on).

Example:
# ./runRegTool.sh -gs 127.0.0.1 add 192.168.100.1 avm900/agents/da/EthernetCloud/amsi/topology/dynamic/permissible-subnet
# ./runRegTool.sh -gs 127.0.0.1 set 192.168.100.1 avm900/agents/da/EthernetCloud/amsi/topology/dynamic/permissible-subnet/subnet 0.0.0.0/0

The previous example configures the permissible subnet 0.0.0.0/0 (meaning all subnet connections are allowed), on a Cloud VNE named EthernetCloud (which resides in avm900 on unit 192.168.100.1).
d. Restart the VNEs.
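The following Python example, added here and not part of the Cisco ANA product or this guide, models the permissible-subnet rule described in Step 3: a Cloud VNE connects an IP interface only when the interface address lies in one of the configured subnets, and 0.0.0.0/0 admits every interface. It also builds the registry keys and runRegTool.sh command lines the procedure writes, so the effect of adding a second or third subnet (subnet-2, subnet-3, and so on) is visible. The AVM ID, Cloud VNE name, server IP and interface addresses used are constructed sample values.

```python
"""Permissible-subnet filtering for a Cloud VNE (added example, not Cisco ANA code)."""
import ipaddress
from typing import Dict, List

# Constructed: the prefix of every command in the procedure above.
REG_TOOL = "./runRegTool.sh -gs 127.0.0.1"


def permissible_subnet_keys(avm_id: int, cloud_vne_name: str,
                            subnets: List[str]) -> Dict[str, str]:
    """Return the registry key -> value pairs that the 'set' commands write.

    The first subnet is stored under .../permissible-subnet/subnet; each
    additional one gets its own leaf name (subnet-2, subnet-3, ...).
    """
    if not subnets:
        raise ValueError("at least one permissible subnet is required")
    base = (f"avm{avm_id}/agents/da/{cloud_vne_name}"
            "/amsi/topology/dynamic/permissible-subnet")
    keys: Dict[str, str] = {}
    for n, subnet in enumerate(subnets, start=1):
        # Reject anything that is not address/mask form before it reaches the
        # registry: a bad entry would silently block every interface on the
        # cloud once the VNEs are restarted.
        ipaddress.ip_network(subnet, strict=False)
        leaf = "subnet" if n == 1 else f"subnet-{n}"
        keys[f"{base}/{leaf}"] = subnet
    return keys


def registry_commands(server_ip: str, avm_id: int, cloud_vne_name: str,
                      subnets: List[str]) -> List[str]:
    """Return the 'add' command followed by one 'set' command per subnet."""
    keys = permissible_subnet_keys(avm_id, cloud_vne_name, subnets)
    base = next(iter(keys)).rsplit("/", 1)[0]
    cmds = [f"{REG_TOOL} add {server_ip} {base}"]
    cmds += [f"{REG_TOOL} set {server_ip} {key} {value}"
             for key, value in keys.items()]
    return cmds


def allowed_interfaces(subnets: List[str], interfaces: List[str]) -> List[str]:
    """Return the interface addresses the Cloud VNE would connect to."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    return [ip for ip in interfaces
            if any(ipaddress.ip_address(ip) in net for net in nets)]


if __name__ == "__main__":
    # Constructed sample: two subnets on a Cloud VNE in avm900 on unit 192.168.100.1.
    for cmd in registry_commands("192.168.100.1", 900, "EthernetCloud",
                                 ["192.168.1.0/24", "10.0.0.0/8"]):
        print(cmd)
    print(allowed_interfaces(["192.168.1.0/24", "10.0.0.0/8"],
                             ["192.168.1.10", "10.20.30.40", "172.16.0.1"]))
```

Validating each subnet before writing it is the practical point: the registry tool does not check the value, and the VNE only reads it after a restart, so a malformed entry shows up as a cloud with no connections rather than as an error at the command line.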


Editing VNE Properties


You can edit all VNE settings except for the scheme. When you change the settings, you must restart the VNE for your changes to take effect.

Note

For deployment information and recommendations, such as best practices for assigning VNEs to AVMs, contact your Cisco account representative.

To edit a VNE:

Step 1 Expand the ANA Servers branch, then select the required AVM in the navigation tree.
Step 2 Open the VNE Properties dialog box by right-clicking the required VNE in the VNE Properties table, then choose Properties.
Step 3 Edit or view the properties as required. Information that is dimmed cannot be edited. The settings that are available for editing depend on the VNE type. (For example, for Cloud type VNEs, you can only edit General settings; for ICMP type VNEs, you cannot edit Polling settings.) Details about the fields in the VNE properties tabs are described in these topics:

• VNE General Settings, page 5-20
• VNE SNMP Settings, page 5-22
• VNE Telnet/SSH Settings, page 5-23
• VNE ICMP Settings, page 5-32
• VNE Polling Settings, page 5-32
• VNE Event Settings, page 5-34

Step 4 After making your required changes, click Apply and OK. The VNE properties are updated with your entries.
Step 5 Stop and restart the VNE as described in Changing VNE Status (Start, Stop, Maintenance), page 5-39.

Changing VNE Status (Start, Stop, Maintenance)


Cisco ANA Manage enables you to start or stop a VNE, or move a VNE to maintenance mode. Whenever you restart a VNE, Cisco ANA triggers a new discovery process for the VNE. You do not have to manually restart a VNE when you upgrade the device software. The VNE will automatically restart itself and update any required information. For more details, see VNEs and Device Software Updates, page 5-19.

Note

When you change the status of a VNE, the VNE persistency information is retained. Persistency information is data that is stored for later use. For information on the VNE persistency mechanism, see Persistency Overview, page E-1.


During normal operation, NEs often undergo maintenance operations and planned outages such as software upgrades, hardware modifications, or cold reboots. The Cisco ANA platform supports such maintenance operations without affecting the overall functionality of the active network. Neighboring VNEs do not generate alarms that are related to links to or from the maintained VNE. For information on what a VNE in the maintenance state does or does not do, see Table 5-2 on page 5-6. Table 5-15 shows the badge used to indicate that a VNE is in maintenance mode.
Table 5-15 VNE Maintenance GUI Badge

Icon                  Description
(maintenance badge)   Indicates that a VNE is in maintenance mode in Cisco ANA NetworkVision.

To change the state of a VNE or move it to maintenance mode:


Step 1 Expand the ANA Servers branch, and select the required AVM in the navigation tree.
Step 2 Select the required VNE in the VNEs Properties table.
Step 3 Perform one of the following actions:

• To start the VNE, right-click Actions > Start, or click Start in the toolbar. A confirmation message is displayed. Click OK. An Up status is eventually displayed in the VNEs Properties table. You might see a Starting Up status if the gateway is overloaded or if the VNE is still being loaded. If the AVM hosting the VNE is in a Down status, the VNE status remains Starting Up until the AVM is brought up.
• To stop the VNE, right-click Actions > Stop, or click Stop in the toolbar. A confirmation message is displayed. Click OK. A Down status is eventually displayed in the VNEs Properties table. You might see a Shutting Down status while processes are shutting down.
• To place the VNE in maintenance mode, right-click Actions > Maintenance, or click Maintenance in the toolbar. A confirmation message is displayed. Click OK. A Maintenance status is displayed in the VNEs Properties table.

Moving VNEs to a Different AVM


Cisco ANA Manage enables you to move single and multiple VNEs between AVMs. The VNEs that are moved are unloaded. The status of the VNEs is maintained after they are reloaded.

Note

When you move a VNE to another AVM, the VNE alarm persistency information is saved. Persistency information is data that is stored for later use. For information on the VNE persistency mechanism, see Persistency Overview, page E-1.


To move one or more VNEs:


Step 1 Expand the ANA Servers branch, and select the required AVM in the navigation tree. The VNEs are displayed in the content area.
Step 2 Select one or more VNEs using the mouse or keyboard, then right-click one of the selected VNEs.
Step 3 Choose Move VNEs from the shortcut menu. The Move To dialog box is displayed. The Move To dialog box displays a tree-and-branch representation of the selected Cisco ANA server, its units, and AVMs, excluding the AVM in which the VNE is currently located. The highest level of the navigation tree displays the Cisco ANA server. The branches can be expanded and collapsed to display and hide information.
Step 4 In the Move To dialog box, browse to and select the AVM where you want to move the VNEs.
Step 5 Click OK. The VNE is moved to its new location, and now appears beneath the selected AVM in the VNEs Properties table.

Note

You can verify that the VNE has been moved by selecting the appropriate AVM in the navigation tree and viewing the moved VNE in the VNEs Properties table.

Note

The VNE that is moved is automatically unloaded and reloaded if its status was Up before the move (because its status is maintained).

Deleting a VNE
Cisco ANA Manage enables you to delete a VNE from a unit and AVM. This process stops the VNE if it is running and deletes all VNE references from the system and Golden Source. This includes the registry information of the VNE in the specified unit. A VNE that has been removed no longer appears in any future system reports. When you delete a VNE, you also delete all Layer 3 VPN site and virtual router business element data associated with the VNE. You can delete business elements separately by using Cisco ANA NetworkVision. For more information about deleting business elements using Cisco ANA NetworkVision, see the Cisco Active Network Abstraction 3.7 User Guide. Since all VNE information is deleted, adding the VNE again requires you to reenter all VNE information.

Note

A VNE that has static links configured cannot be deleted without first removing all static links configured for the VNE. Dynamic links are automatically removed.

To delete a VNE:

Step 1 Expand the ANA Servers branch, then select the required AVM.
Step 2 Right-click the required VNE in the VNEs Properties table, then choose Delete. A confirmation prompt is displayed.


Step 3 Click Yes to delete the VNE or No to retain the VNE.
Step 4 If you click Yes, a dialog box appears, asking if you want to delete all Layer 3 VPN business element data for the VNE from Cisco ANA. Do one of the following:

• Click Yes to remove all Layer 3 VPN site and virtual router business element data from Cisco ANA. This option removes all VPN business elements associated with the selected VNE from Cisco ANA. Cisco ANA updates the VPN topology views in Cisco ANA NetworkVision accordingly by removing the deleted business elements.
• Click No to retain the Layer 3 VPN site and virtual router business element data in Cisco ANA. This option retains the VPN business elements associated with the selected VNE in Cisco ANA. Cisco ANA updates the VPN topology views in Cisco ANA NetworkVision; the orphaned business elements are identified by a white X on a red background. To remove these orphaned business elements, delete them manually in Cisco ANA NetworkVision.
• Click Cancel to exit the procedure without deleting the VNE and its Layer 3 VPN site and virtual router business element data.

For more information about Layer 3 VPNs and Cisco ANA NetworkVision, see the Cisco Active Network Abstraction 3.7 Theory of Operations.


CHAPTER 6

Managing Global Settings


These topics describe how to define and manage the Cisco ANA Manage global settings, including polling groups and protection groups, and how to customize a message of the day.

• Viewing Database Segments, page 6-1
• Customizing How Long Events Are Saved (Event Management), page 6-2
• Customizing a Message of the Day, page 6-2
• Managing Polling Groups and Adaptive Polling, page 6-3
• Managing Protection Groups, page 6-9
• Managing Report Settings, page 6-11
• Managing Global Security Settings, page 6-12

For more information about the Global Settings window elements, see Global Settings Windows, page 1-13.

Viewing Database Segments


Cisco ANA Manage enables you to view and monitor:

• Database segment storage allocation information
• Database disk usage
• Database growth

The information is automatically checked by the system. To view database segments, choose Global Settings > DB Segments. The database segments are displayed in the content area. For more information about the columns displayed in the DB Segments table, see DB Segments Window, page 1-13.


Customizing How Long Events Are Saved (Event Management)


The Event Management Settings page lets you specify how long Cisco ANA should save events, alarms, and tickets that it displays in any of the GUI clients. This feature is enabled by default and removes events when they are 14 days old. To change how long these items are saved in the database:
Step 1 Choose Global Settings > Event Management Settings. The Title and Message fields appear in the content area.
Step 2 Adjust the settings as needed:

Field                    Description
Remove events after      Number of days after which events will be purged from each partition. The default is 14.
Database partition size  Number of days after which each partition will be split. The default is 2. (For database sizing guidelines and other capacity planning information, contact your Cisco account representative.)

Step 3 Click Apply. You can revert to the default settings by clicking Restore.

For information about the main menu that is displayed in the Cisco ANA window, see Event Management Settings Window, page 1-14.

Customizing a Message of the Day


Cisco ANA Manage enables you to define a Message of the Day, or banner, that is displayed when a user logs into any client application. The user must accept the message before logging in. If the user does not accept the message, the user cannot log in. The message supports HTML format. The message can be changed as required. However, only one message is applied at a time.
Adding or Changing a Message

To add or change a message of the day:


Step 1 Choose Global Settings > Message of the Day. The Title and Message fields appear in the content area.
Step 2 In the Title field, enter a title for the message.
Step 3 In the Message field, enter the text that is to appear when users log in.

Note

Abort and Continue buttons are displayed in the message dialog box by default, so the message must be related to these actions. For example, Do you accept the terms of use in the Product License Agreement? Click Continue to proceed or click Abort to cancel.


Step 4 Click Save. A confirmation message is displayed.
Step 5 Click OK. The message is displayed when a user logs into any client application.

Removing a Message

To remove a message of the day:


Step 1 Choose Global Settings > Message of the Day.
Step 2 Delete the text in the Message field.
Step 3 Click Save. A confirmation message is displayed.
Step 4 Click OK. The message no longer appears when a user logs into a client application.

For information about the main menu that is displayed in the Cisco ANA window, see Message of the Day Window, page 1-15.

Managing Polling Groups and Adaptive Polling


These topics describe how to manage polling groups and also explain how adaptive polling works in Cisco ANA:

• Polling Groups Overview, page 6-3
• Smooth Polling and Adaptive Polling, page 6-5
• Customizing a Polling Group, page 6-7
• Editing a Polling Group, page 6-8
• Deleting a Polling Group, page 6-9

Polling Groups Overview


Unit servers poll NEs to discover and display accurate and up-to-date information of the network. The system periodically triggers polling at set intervals. Polling rates can be customized or optimized by the administrator. Cisco ANA provides the ability to fine-tune the frequency at which information is retrieved from the managed elements, thereby enabling a high degree of control and flexibility over the amount of network traffic used by the various VNEs. Table 6-1 describes the different polling intervals that you can set.


Table 6-1 Types of Polling Intervals

Type                       Description
Status                     The polling rate for status-related information, such as device status (up or down), port status, or admin status. The information is related to the operational and administrative status of the NE.
Configuration              The polling rate for configuration-related information, such as VC tables or scrambling.
System                     The polling rate for system-related information, such as device name or device location.
Topology Layer 1 Counters  The polling rate of the topology process as an interval for the Layer 1 counter. This is an ongoing process.
Topology Layer 2 Counters  The polling rate of the topology process as an interval for the Layer 2 counter. This process is available on demand.

Note

All polling rates are expressed in seconds.

In addition to the defined polling intervals, VNEs implement adaptive polling to ensure that the element is not overloaded. Checking the device CPU might defer specific polls to avoid an additional load on the managed element. See Smooth Polling and Adaptive Polling, page 6-5.

Users can define polling profiles by setting customized polling intervals that can be applied to managed elements. The VNE then polls the network element according to the preset values. This ensures polling of devices for different information consistently and in accordance with technical and business requirements. Core devices can be assigned to a polling group (all devices use the same polling profile) that specifies a higher frequency for status but a lower frequency for configuration-related information, while edge or access devices can be polled more frequently for system and configuration-related information. For example, managed network service operators can use polling groups to reflect their agreement with customers so that premium customer devices are polled more frequently than normal devices.

For your convenience, Cisco ANA includes the preconfigured polling groups default and slow. These polling groups cannot be deleted. Table 6-2 identifies the settings for the default and slow polling groups.
Table 6-2 Polling Rates for default and slow Polling Groups

Attribute                   default Polling Group Setting   slow Polling Group Setting
Status polling rate         180 seconds (3 minutes)         360 seconds (6 minutes)
Configuration polling rate  900 seconds (15 minutes)        1800 seconds (30 minutes)
System polling rate         86400 seconds (24 hours)        172800 seconds (48 hours)
Layer 1 polling rate        30 seconds                      30 seconds
Layer 2 polling rate        30 seconds                      30 seconds


Smooth Polling and Adaptive Polling


In addition to defined polling intervals, VNEs implement other types of polling to ensure that the element is not overloaded: smooth polling and adaptive polling.

Smooth Polling
Smooth polling is a mechanism that takes commands in the same polling cycle, and spreads out their execution over the polling cycle. Rather than using a timer-based approach (where a large number of commands will be potentially scheduled for execution at the same time), the smooth polling method generates a random number (within the polling interval) for the next execution. This ensures that the commands get executed at least once within the required period, while also reducing the probability that two or more commands will run at the same time. Note that smooth polling augments regular polling only after the completion of the first poll. Smooth polling is enabled in Cisco ANA by default.

Adaptive Polling
Adaptive polling is a polling mechanism that ensures that a network element does not become overloaded. If device CPU usage becomes a problem, the mechanism defers some polling to avoid an additional load on the managed element. When a VNE exceeds the maximum CPU usage threshold value, an alarm is sent, the VNE is polled less regularly, and a delay is added between sending the commands to the NE:

• In SNMP, the delay is between SNMP packets sent to the device.
• In Telnet or SSH, the delay is between CLI commands sent to the device.

When the CPU usage for the VNE falls below the minimum (clear) CPU usage threshold value, an alarm is sent and the VNE returns to normal polling. You can set the maximum and minimum threshold values for a VNE's CPU usage from the GUI client. To change these tolerance settings, choose the Polling tab from the VNE properties dialog box. You can choose from three types of adaptive polling:

• ANA Settings: Uses the tolerance settings specified for Cisco ANA (upper threshold of 90% CPU usage and lower threshold of 60% CPU usage).
• Device Type Settings: Uses the tolerance specified for the device type. Only Cisco IOS XR devices use these settings in Cisco ANA 3.7. These settings are described in VNE Adaptive Polling Settings for Cisco IOS XR Devices, page F-4.
• Local Settings: Uses the tolerance specified in the VNE Properties dialog box. You can also use this setting to turn off adaptive polling for a VNE.

For more information on the Polling tab, see VNE Polling Settings, page 5-32. When a VNE is using normal polling and CPU usage exceeds the maximum threshold for five consecutive polls, the VNE moves to slow polling, as shown in Figure 6-1.


Figure 6-1 How Adaptive Polling Works

[Figure: state diagram with three states, Normal polling, Slow polling, and Maintenance. Normal polling moves to Slow polling after 5 polls above the maximum threshold level; Slow polling moves to Maintenance after 5 more polls above the maximum threshold level; Slow polling returns to Normal polling after 2 polls below the minimum threshold level.]

When a VNE is using slow polling, two scenarios can occur:

• If CPU usage continues to exceed the upper threshold for five more consecutive polls, the VNE moves to maintenance mode. Once the VNE is in maintenance mode, you must manually return the VNE to normal polling. When the VNE is in maintenance mode, the NE is not polled.
• If CPU usage falls below the minimum threshold for two more consecutive polls, the VNE moves back to normal polling.

Figure 6-2 illustrates a VNE that is moved from normal polling to slow polling, then to maintenance mode.
1. CPU usage is polled five times and is running above the maximum threshold value.
2. The VNE moves to slow polling.
3. The CPU usage is polled an additional five times.
4. CPU usage remains above the maximum value, so the VNE moves to maintenance mode. It will stay in maintenance mode until it is manually restarted.
Figure 6-2 Adaptive Polling Example 1

[Figure: CPU usage plotted over time against the maximum threshold value and minimum threshold value, starting in normal polling. Labels: 1. CPU usage is polled 5 times (and above the max. value); 2. VNE moves to slow polling; 3. CPU usage is polled a further 5 times (and above the max. value); 4. VNE moves to maintenance.]


Figure 6-3 illustrates a VNE that is moved from normal polling to slow polling, then back to normal polling:
1. CPU usage is polled five times and is running above the maximum threshold value.
2. The VNE moves to slow polling.
3. CPU usage drops to a regular level and then below the minimum threshold value. The CPU usage is polled an additional two times.
4. CPU usage remains below the maximum value, so the VNE returns to normal polling.
Figure 6-3 Adaptive Polling Example 2

[Figure: CPU usage plotted over time against the maximum threshold value and minimum threshold value, starting in normal polling. Labels: 1. CPU usage is polled 5 times (and above the max. value); 2. VNE moves to slow polling; 3. CPU usage is polled twice (and below the max. value); 4. VNE returns to normal polling.]

If a parent AVM is stopped during this process, the AVM retains its previous polling data. When the AVM is restarted, it continues from the point at which its polling was interrupted. To customize adaptive polling, see VNE Polling Settings, page 5-32. If your network is experiencing excessive high CPU usage problems, refer to Appendix F, CPU Utilization and Cisco ANA.
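The following Python example, added here and not Cisco ANA code, implements the adaptive polling transitions described in this section and in Figures 6-1 to 6-3, together with the smooth-polling jitter described under Smooth Polling: five consecutive CPU samples above the maximum threshold move a VNE from normal to slow polling; five more move it from slow polling to maintenance, where the NE is no longer polled until an operator returns it to normal; two consecutive samples below the minimum (clear) threshold while in slow polling return it to normal; each transition raises an alarm. Default thresholds are the ANA Settings values (90% and 60%). Two details are this example's own assumptions, not statements from the guide: a sample that lies between the two thresholds resets both counters, and slow polling doubles the normal status interval (slow_factor).

```python
"""Adaptive polling state machine with smooth-polling jitter (added example, not Cisco ANA code)."""
import random
from enum import Enum
from typing import Iterable, List, Optional


class Mode(Enum):
    NORMAL = "normal polling"
    SLOW = "slow polling"
    MAINTENANCE = "maintenance"


class AdaptivePoller:
    ABOVE_MAX_LIMIT = 5   # consecutive polls above max before slowing down / entering maintenance
    BELOW_MIN_LIMIT = 2   # consecutive polls below min before returning to normal

    def __init__(self, max_cpu: float = 90, min_cpu: float = 60,
                 status_interval: int = 180, slow_factor: int = 2) -> None:
        self.max_cpu, self.min_cpu = max_cpu, min_cpu
        self.status_interval = status_interval
        self.slow_factor = slow_factor          # assumption: slow polling = 2x the interval
        self.mode = Mode.NORMAL
        self.above = self.below = 0
        self.alarms: List[str] = []

    def sample(self, cpu_percent: float) -> Mode:
        """Feed one CPU-usage poll result and return the resulting polling mode."""
        if self.mode is Mode.MAINTENANCE:
            return self.mode                    # NE is not polled; operator must reset
        if cpu_percent > self.max_cpu:
            self.above, self.below = self.above + 1, 0
        elif cpu_percent < self.min_cpu:
            self.above, self.below = 0, self.below + 1
        else:
            self.above = self.below = 0         # assumption: in-band sample resets counters
        if self.above >= self.ABOVE_MAX_LIMIT:
            self.above = 0
            if self.mode is Mode.NORMAL:
                self.mode = Mode.SLOW
                self.alarms.append("CPU above maximum threshold: slow polling")
            else:
                self.mode = Mode.MAINTENANCE
                self.alarms.append("CPU above maximum threshold: maintenance")
        elif self.mode is Mode.SLOW and self.below >= self.BELOW_MIN_LIMIT:
            self.below = 0
            self.mode = Mode.NORMAL
            self.alarms.append("CPU below minimum threshold: normal polling")
        return self.mode

    def run(self, samples: Iterable[float]) -> List[Mode]:
        """Return the mode after each sample, e.g. the sequences of Figures 6-2 and 6-3."""
        return [self.sample(s) for s in samples]

    def operator_reset(self) -> None:
        """The manual action needed to leave maintenance mode."""
        self.mode = Mode.NORMAL
        self.above = self.below = 0

    def current_interval(self) -> Optional[int]:
        """Status polling interval in seconds for the current mode, None in maintenance."""
        if self.mode is Mode.NORMAL:
            return self.status_interval
        if self.mode is Mode.SLOW:
            return self.status_interval * self.slow_factor
        return None

    def next_poll_offset(self, rng: random.Random = random) -> Optional[float]:
        """Smooth polling: pick a random execution time within the current
        polling cycle instead of firing every command at the cycle boundary,
        so each command still runs once per cycle but rarely alongside others."""
        interval = self.current_interval()
        return None if interval is None else rng.uniform(0, interval)


if __name__ == "__main__":
    # Constructed sample sequences matching Figure 6-2 and Figure 6-3.
    example1 = AdaptivePoller()
    print([m.value for m in example1.run([95] * 10)])
    example2 = AdaptivePoller()
    print([m.value for m in example2.run([95] * 5 + [75, 50, 50])])
    print(example2.alarms, example2.next_poll_offset())
```

Running the two constructed sequences reproduces the figures: ten samples above 90% end in maintenance, while five high samples followed by one regular and two low samples end back in normal polling with one high-CPU and one clear alarm.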

Customizing a Polling Group


Cisco ANA Manage enables you to create and customize new polling groups. These new polling groups can then be used when defining a VNE. For more information, see Creating VNEs: Prerequisites, page 5-9.

Caution

Changing the polling rates can result in excess traffic and network element crashes. For deployment information and recommendations, contact your Cisco account representative.


To create and customize a polling group:


Step 1 Choose Global Settings > Polling Groups.
Step 2 Open the New Polling Group dialog box by right-clicking Polling Groups, then choose New Polling Group.
Step 3 Enter the required information for the new polling group:

Field          Description
Name           Enter a name for the polling group.
Description    Enter a description for the polling group.
Status         Enter the number of seconds for the polling interval for status-related information.
Configuration  Enter the number of seconds for the polling interval for configuration-related information.
System         Enter the number of seconds for the polling interval for system-related information.
Layer 1        Enter the number of seconds for the polling interval for the topology process for the Layer 1 counter. This is an ongoing process.
Layer 2        Enter the number of seconds for the polling interval for the topology process for the Layer 2 counter. This process is available on demand.

Step 4 Click OK. The new polling group is displayed in the content area.

The new polling group can be used when defining a new VNE. See Creating VNEs: Prerequisites, page 5-9. For information about all of the elements displayed in the Cisco ANA window, see Polling Groups Window, page 1-16.

Editing a Polling Group


Cisco ANA Manage enables you to edit or view polling group properties.

Note

When you edit a polling group that is currently being used by other VNEs, Cisco ANA will not apply the polling group changes until the VNEs are restarted.

To view and optionally edit polling group properties:

Step 1 Choose Global Settings > Polling Groups.
Step 2 Open the polling group Properties dialog box by right-clicking the polling group you want to view or edit, then choose Properties. For more information on the fields displayed in the Update Polling Group dialog box, see Customizing a Polling Group, page 6-7.


Step 3 Edit the properties of the polling group as required.
Step 4 Click Apply and OK. The polling group settings are modified accordingly.

Deleting a Polling Group


Cisco ANA Manage enables you to delete polling groups.

Note

You cannot delete a polling group being used by a VNE.

To delete a polling group:


Step 1 Choose Global Settings > Polling Groups.
Step 2 In the content area, right-click the polling group you want to delete, then choose Delete. A warning message is displayed.
Step 3 Click Yes. A confirmation message is displayed.
Step 4 Click OK. The polling group is deleted from the Polling Group table.

Managing Protection Groups


By default, all units in the Cisco ANA fabric belong to one group (or cluster), the default-pg protection group. You can change the default setup of the units by customizing protection groups and then assigning units to these groups. The procedures for setting up and managing unit high availability are described in Appendix D, Using High Availability.

Cisco ANA Manage enables you to create new protection groups. These new protection groups can be used when defining a unit. For more information, see Adding New Cisco ANA Units, page 3-6.

To create a protection group:

Step 1 Choose Global Settings > Protection Groups.
Step 2 Open the New Protection Group dialog box by right-clicking Protection Groups, then choose New Protection Group.


Step 3 Enter the required information for the new protection group:

Field        Description
Name         Enter a unique name for the protection group.
Description  Enter a description of the protection group.

Step 4 Click OK. The content area displays details of the new protection group and all currently defined protection groups in the Protection Groups table.

Note

The default-pg protection group displayed in the content area is the default protection group. All units in the Cisco ANA fabric belong to this protection group by default.

Viewing and Editing Protection Group Properties


You can view and optionally edit the properties of a protection group, such as its description. To view or edit the properties of a protection group:
Step 1 Choose Global Settings > Protection Groups.
Step 2 Open the Properties dialog box for the protection group by right-clicking the protection group, then choose Properties.
Step 3 View the properties of the protection group and edit the description as required.
Step 4 Click OK.

Deleting a Protection Group


Cisco ANA Manage enables you to delete protection groups.

Note

Confirm that no units are using the protection group you plan to delete.

To delete a protection group:

Step 1 Choose Global Settings > Protection Groups.
Step 2 In the content area, select the protection group you want to delete.
Step 3 Delete the protection group by right-clicking it, then choose Delete. The protection group is deleted.


Managing Report Settings


You can run different types of reports from the Cisco ANA window using the Reports main menu. This feature is described in the Cisco Active Network Abstraction 3.7 User Guide. The Report Settings page in the Global Settings drawer controls when reports should be purged and whether users can share reports. Reports are saved in a gateway file system (in an intermediate format that is rendered to HTML or PDF when viewed). This page also shows you how much space reports are currently consuming. This feature is enabled by default and removes reports when they are 90 days old. Only users with the administrator role can configure report settings. To set up or change global report settings:
Step 1 Choose Global Settings > Report Settings.
Step 2 Configure the settings that control when reports will be purged from Cisco ANA, using dates, size, or both.

Note

We recommend that you use these default settings in order to reduce system clutter. Allowing report data to accumulate could affect system performance.

• Purge Report After: Specifies how long to save a report. The time is measured from when the report is created. If you do not check this box, Cisco ANA defaults to 90 days. The Cisco ANA integrity service runs a job every 12 hours to purge all reports that exceed this age.
• Maximum Allowed Space: Specifies the maximum disk size, in MB, at which reports should be purged. If you do not check this box, Cisco ANA defaults to 50 MB. When this space setting is exceeded, Cisco ANA deletes the oldest reports (first in, first out). Cisco ANA runs a purge by size check every time a new report is created or a user changes the settings on this page.

If these settings are changed to lower values, after the changes are applied, Cisco ANA immediately deletes all reports that exceed the thresholds.

Step 3 Check or uncheck the Enable Shared Reports check box to specify whether users can create public reports:

• If not selected, no users will be able to create public reports. Users will only be able to view their own reports.
• If selected, users have the option to create public reports and share them with other users.

Note

If a report is marked as public, other users will be able to view the contents of the entire report. The contents of public reports are not filtered according to scopes or security privileges.

Changes to this setting are applied to all new reports.


Step 4 Click Apply to immediately apply your settings.

After you click Apply, the report settings are applied to all existing and new reports. You can restore the Cisco ANA default settings at any time by clicking Restore and Apply. For information about the main menu that is displayed in the Cisco ANA window, see Report Settings Window, page 1-18.
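The following Python example, added here and not Cisco ANA code, applies the two purge controls from Step 2 to a set of report records: reports older than the Purge Report After value are removed, and when the remaining reports exceed Maximum Allowed Space the oldest are removed first in, first out until the total fits. The defaults are the page's defaults (90 days, 50 MB). The Report record type, the reference date and the sample reports are constructed for this example.

```python
"""Report purge rules from the Report Settings page (added example, not Cisco ANA code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Report:
    name: str
    created: datetime
    size_mb: float


# Constructed reference date for the sample data below.
SAMPLE_NOW = datetime(2010, 2, 1)


def sample_reports(now: datetime = SAMPLE_NOW) -> List[Report]:
    """Constructed sample reports of different ages and sizes."""
    return [
        Report("quarterly-capacity", now - timedelta(days=100), 10),
        Report("monthly-inventory", now - timedelta(days=30), 30),
        Report("weekly-alarms", now - timedelta(days=5), 25),
        Report("daily-tickets", now - timedelta(days=1), 10),
    ]


def purge_by_age(reports: List[Report], now: datetime,
                 purge_after_days: int = 90) -> Tuple[List[Report], List[Report]]:
    """Split reports into (kept, purged); age is measured from creation time."""
    cutoff = now - timedelta(days=purge_after_days)
    kept = [r for r in reports if r.created >= cutoff]
    purged = [r for r in reports if r.created < cutoff]
    return kept, purged


def purge_by_size(reports: List[Report],
                  max_space_mb: float = 50) -> Tuple[List[Report], List[Report]]:
    """Drop the oldest reports (first in, first out) until the total fits."""
    kept = sorted(reports, key=lambda r: r.created)   # oldest first
    purged: List[Report] = []
    total = sum(r.size_mb for r in kept)
    while total > max_space_mb and kept:
        oldest = kept.pop(0)
        total -= oldest.size_mb
        purged.append(oldest)
    return kept, purged


def apply_report_settings(reports: List[Report], now: datetime,
                          purge_after_days: int = 90,
                          max_space_mb: float = 50) -> Tuple[List[Report], List[Report]]:
    """Run the age job and then the size check; return (kept, purged)."""
    kept, by_age = purge_by_age(reports, now, purge_after_days)
    kept, by_size = purge_by_size(kept, max_space_mb)
    return kept, by_age + by_size


def total_size_mb(reports: List[Report]) -> float:
    return sum(r.size_mb for r in reports)


if __name__ == "__main__":
    kept, purged = apply_report_settings(sample_reports(), SAMPLE_NOW)
    print("kept:", [r.name for r in kept], f"{total_size_mb(kept)} MB")
    print("purged:", [r.name for r in purged])
```

With the sample data and default settings the 100-day-old report goes first by age; the remaining 65 MB still exceed 50 MB, so the next-oldest report is removed by size and the two newest (35 MB) survive. Lowering either threshold and rerunning the function shows the immediate deletion the page describes.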


Managing Global Security Settings


The Security Settings page controls the following global security settings:

• Using an External LDAP Server for Password Authentication, page 6-12
• Setting Global Password Rules, page 6-15
• Automatically Disabling Accounts for Inactive Users, page 6-16

Using an External LDAP Server for Password Authentication


User authentication can be managed locally by Cisco ANA or externally by a Lightweight Directory Access Protocol (LDAP) application. If you use an external authentication, user information is checked against what is stored in the external LDAP server (instead of the Cisco ANA database). The external authentication server only stores login and password information; information pertaining to user roles and scopes is stored in the Cisco ANA database. As illustrated in Figure 6-4, when a user logs in to the GUI client, the gateway server contacts the LDAP server to authenticate the user. If the user is successfully authenticated, the LDAP server sends a confirmation to the gateway server, and the gateway server allows the user to log in to Cisco ANA. From that point on, the user can perform functions and access network elements as specified by their roles and scopes (see Overview of User Authentication and Authorization, page 9-1).
Figure 6-4 User Authentication Process with External LDAP Server

(Figure: Cisco ANA GUI Client, Cisco ANA Gateway Server, and LDAP Authentication Server, with the following numbered exchange.)

1 - User attempts to log in to Cisco ANA GUI client.
2 - Cisco ANA gateway verifies that user account exists and is enabled, and connects to LDAP server. (If the user account does not exist or is disabled, Cisco ANA denies the login.)
3 - LDAP server validates the user and sends confirmation to Cisco ANA gateway server.
4 - Cisco ANA gateway server allows user to log in to GUI client.

The root user is the LDAP emergency user. The LDAP emergency user is validated only by Cisco ANA. Consequently, if the LDAP server goes down, root can log back into Cisco ANA. These topics explain how to work with an external authentication server:

- Configuring Cisco ANA to Communicate with the External LDAP Server, page 6-13
- Changing from External to Local Authentication, page 6-15


Configuring Cisco ANA to Communicate with the External LDAP Server


Use this procedure to configure the Cisco ANA gateway server to communicate with the LDAP server. You can configure a primary and secondary LDAP server. This procedure uses LDAP terminology, such as distinguished name (DN), common name (CN), and domain component (DC). An LDAP distinguished name uniquely identifies a user in the LDAP database, similar to a full filename but in reverse order. CNs and DCs are attributes of the domain name.
Before You Begin

Make sure you have performed the required prerequisites that are described in Cisco Active Network Abstraction 3.7 Installation Guide:

- The LDAP server is correctly configured.
- You know the port number needed for the SSL or simple encryption protocol. These are normally 636 for SSL and 389 for simple.
- If you select SSL for the ANA-LDAP Protocol, the SSL certificate must be installed on the Cisco ANA gateway.

To configure the Cisco ANA gateway server to communicate with the LDAP server:
Step 1  Choose Global Settings > Security > Authentication Method.
Step 2  Click LDAP Authentication to activate the LDAP Settings area.
Step 3  Complete the LDAP settings (Table 6-3). The settings include specifying LDAP schema attributes, such as CN (common name) and DC (domain component).

Table 6-3  LDAP Authentication Method Settings

Field: LDAP URL
Description: LDAP server name and port number, in the following format:
  ldap://host.company.com:port
where:
  host.company.com: Fully qualified domain name or IP address of the LDAP server, followed by the final two fields of the Distinguished Name Suffix (company.com, described below).
  port: Network port of the LDAP server. The LDAP server port number is normally 389 for simple encryption and 636 for SSL encryption.
To specify a primary and secondary LDAP server, use the following format:
  ldap://host1.company.com:port1 ldap://host2.company.com:port2
For example:
  ldap://ldapsj.acme.com:636 ldap://ldapsfo.acme.com:636

Field: Distinguished Name Prefix
Description: First part of the LDAP DN, which is used to uniquely identify users. Enter the information exactly as shown:
  CN
(The actual format is CN=Value, which specifies the common name for specific users. =Value will be automatically populated with Cisco ANA usernames.)

Field: Distinguished Name Suffix
Description: Second part of the LDAP distinguished name, which specifies the location in the directory:
  ,CN=Users,DC=LDAP_server,DC=company,DC=com
where:
  ,CN=Users: Common name for the type of user; enter Users. For example: ,CN=Users
  ,DC=LDAP_server: Domain component that specifies the fully qualified domain name or IP address of the Cisco ANA server. For example: ,DC=ldapsj
  ,DC=company: Beginning of the domain name. For example: ,DC=acme
  ,DC=com: End of the domain name; enter com. For example: ,DC=com
The form should:
  - Begin with a comma.
  - End without any ending symbols or punctuation.
For example: ,CN=Users,DC=ldapsj,DC=cisco,DC=com

Field: ANA-LDAP Protocol
Description: Encryption protocol used for communication between the Cisco ANA gateway server and the LDAP server.

Note: The encryption protocol used must be configured on both the Cisco ANA gateway server and the LDAP server.

The supported protocols are:
  - SIMPLE: Encrypt using LDAP. Uses port 389 by default.
  - SSL: Encrypt using SSL. Uses port 636 by default. The SSL certificate must be installed on the Cisco ANA gateway (see Cisco Active Network Abstraction 3.7 Installation Guide).

Step 4  Click Apply.
Step 5  Restart the gateway for your changes to take effect. See Restarting the Cisco ANA Gateway Using anactl, page B-1.

You can now manage user passwords using the external LDAP server.
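As an added illustration (not Cisco ANA code), the following Python builds the per-user DN from the Distinguished Name Prefix and Suffix in Table 6-3 and checks the LDAP URL, suffix form and protocol/port pairing before they are applied. The RFC 4514 escaping of the username is an assumption, since the page does not describe how the gateway handles special characters in usernames.

```python
"""Worked example (added; not Cisco ANA code): the LDAP URL, DN Prefix, DN Suffix
and ANA-LDAP Protocol fields of Table 6-3, with the sanity checks the table
describes and the per-user DN that would be built from them.  How the real
gateway escapes usernames is not documented here; RFC 4514 escaping is assumed."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Default ports named in Table 6-3 for each ANA-LDAP Protocol value.
DEFAULT_PORT = {"SIMPLE": 389, "SSL": 636}

_URL_RE = re.compile(r"^ldap://(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")
# The suffix must be a chain of ",ATTR=value" components with nothing trailing.
_SUFFIX_RE = re.compile(r"(,[A-Za-z]+=[^,=]+)+")


@dataclass(frozen=True)
class LdapSettings:
    url: str        # one URL, or primary and secondary URLs separated by a space
    dn_prefix: str  # must be entered exactly as "CN"
    dn_suffix: str  # e.g. ",CN=Users,DC=ldapsj,DC=acme,DC=com"
    protocol: str   # "SIMPLE" or "SSL"


def parse_servers(url_field: str) -> List[Tuple[str, int]]:
    """Split the LDAP URL field into (host, port) pairs: one server, or a
    primary and a secondary.  Raises ValueError for anything but ldap://host:port."""
    servers = []
    for token in url_field.split():
        m = _URL_RE.match(token)
        if not m:
            raise ValueError(f"malformed LDAP URL: {token!r}")
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {token!r}")
        servers.append((m.group("host"), port))
    if len(servers) not in (1, 2):
        raise ValueError("LDAP URL must name one server, or a primary and a secondary")
    return servers


def validate_settings(s: LdapSettings) -> List[str]:
    """Return the problems an administrator should fix before clicking Apply
    (an empty list means the settings agree with Table 6-3)."""
    problems = []
    if s.dn_prefix != "CN":
        problems.append("Distinguished Name Prefix must be entered exactly as CN")
    if not s.dn_suffix.startswith(","):
        problems.append("Distinguished Name Suffix must begin with a comma")
    if s.dn_suffix and s.dn_suffix[-1] in ",;.: ":
        problems.append("Distinguished Name Suffix must not end with punctuation")
    if not _SUFFIX_RE.fullmatch(s.dn_suffix):
        problems.append("Distinguished Name Suffix must be of the form ,CN=Users,DC=...,DC=...")
    if s.protocol not in DEFAULT_PORT:
        problems.append("ANA-LDAP Protocol must be SIMPLE or SSL")
        return problems
    try:
        for host, port in parse_servers(s.url):
            if port != DEFAULT_PORT[s.protocol]:
                problems.append(f"{host}:{port} is not the usual port for {s.protocol} "
                                f"({DEFAULT_PORT[s.protocol]}); confirm the server listens there")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def escape_rdn_value(value: str) -> str:
    """Escape an RDN attribute value per RFC 4514 (assumed here) so that a
    username containing , + " \\ < > ; or a leading '#' or leading/trailing
    space cannot change the structure of the DN it is inserted into."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(s: LdapSettings, username: str) -> str:
    """DN for one Cisco ANA username: prefix '=' username, then the suffix
    (the '=Value' part that Table 6-3 says is filled in from the username)."""
    return f"{s.dn_prefix}={escape_rdn_value(username)}{s.dn_suffix}"
```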


Changing from External to Local Authentication


If Cisco ANA is using external authentication and cannot communicate with the LDAP server, the only user permitted to log back into Cisco ANA is root. This is because root is the LDAP emergency user, and is validated only by Cisco ANA. The root user can then log in to Cisco ANA, change the authentication method to local, and edit user accounts so that those users can subsequently log in. For information on editing user accounts, see Changing User Information and Disabling Accounts (General Tab), page 9-10. To change from external to local authentication, follow this procedure:
Step 1  Choose Global Settings > Security > Authentication Method.
Step 2  Click ANA Authentication to activate local authentication.
Step 3  Click Apply.
Step 4  Restart the gateway for your changes to take effect. See Restarting the Cisco ANA Gateway Using anactl, page B-1.
Step 5  Reconfigure user accounts accordingly (see Changing User Information and Disabling Accounts (General Tab), page 9-10).

Setting Global Password Rules


You can set password rules that will apply to all new user accounts and to existing accounts when users change their passwords. To set up or change global password rules:
Step 1  Choose Global Settings > Security > Password Settings. The Title and Message fields appear in the content area.
Step 2  Configure the general settings in the General area:

- Password Validity Period: Number of days after which users must change their password.
- Number of Attempts Before Lockout: Choose a value from 3 to 7, or Unlimited. If a user is locked out, they cannot log back in until an administrator reenables their account (see Changing User Information and Disabling Accounts (General Tab), page 9-10).

Step 3  Check the checkboxes for the password strength settings you want to apply to all users by default:

- Number of previous passwords that cannot be repeated (1 to 15)
- Number of character types required in password (0 or 3)
- Whether repeated characters can be used consecutively
- Whether usernames can appear in passwords
- Words that cannot appear in any passwords (comma-separated list)

Step 4  Click Apply to immediately apply your settings.


After you click Apply, the password settings are applied to all new user accounts. You can restore the Cisco ANA default settings at any time by clicking Restore and Apply. For information about the main menu that is displayed in the Cisco ANA window, see Password Settings Window, page 1-21.
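The following Python is an added example (not Cisco ANA code) that models the password settings above as a policy, checks a candidate password against every rule, and applies the lockout counter and validity period. The PBKDF2 hashing used for the password history is an assumption; the page does not describe how Cisco ANA stores passwords.

```python
"""Worked example (added; not Cisco ANA code): the Password Settings of this
section as a policy object, a check that a new password satisfies it, the
lockout counter, and the validity period.  Password hashing is illustrative
(PBKDF2); how Cisco ANA stores passwords is not described on this page."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple

Stored = Tuple[bytes, bytes]  # (salt, digest) of a previous password


@dataclass(frozen=True)
class PasswordPolicy:
    validity_days: int                      # Password Validity Period
    attempts_before_lockout: Optional[int]  # 3 to 7, or None for Unlimited
    history_size: int                       # previous passwords that cannot be repeated (1 to 15)
    char_types_required: int                # 0 or 3
    allow_consecutive_repeats: bool
    allow_username: bool
    forbidden_words: Sequence[str]          # the comma-separated list from the GUI

    def __post_init__(self):
        if self.attempts_before_lockout is not None and not 3 <= self.attempts_before_lockout <= 7:
            raise ValueError("Number of Attempts Before Lockout must be 3 to 7 or Unlimited")
        if not 1 <= self.history_size <= 15:
            raise ValueError("password history must be 1 to 15")
        if self.char_types_required not in (0, 3):
            raise ValueError("character types required must be 0 or 3")


def hash_password(password: str, salt: Optional[bytes] = None) -> Stored:
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _matches(password: str, stored: Stored) -> bool:
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_new_password(policy: PasswordPolicy, username: str, candidate: str,
                       history: Sequence[Stored]) -> List[str]:
    """Return every rule the candidate breaks (an empty list means acceptable)."""
    problems = []
    lowered = candidate.lower()
    if not policy.allow_username and username.lower() in lowered:
        problems.append("username appears in password")
    for word in (w.strip() for w in policy.forbidden_words):
        if word and word.lower() in lowered:
            problems.append(f"forbidden word in password: {word}")
    if not policy.allow_consecutive_repeats and any(a == b for a, b in zip(candidate, candidate[1:])):
        problems.append("repeated characters used consecutively")
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    present = sum(1 for cls in classes if any(cls(c) for c in candidate))
    if present < policy.char_types_required:
        problems.append(f"{present} character types present, {policy.char_types_required} required")
    # Only the most recent history_size passwords are compared.
    if any(_matches(candidate, old) for old in history[-policy.history_size:]):
        problems.append("password repeats one of the previous passwords")
    return problems


@dataclass
class AccountState:
    password_changed_on: date
    failed_attempts: int = 0
    locked: bool = False  # cleared only by an administrator re-enabling the account


def record_login_attempt(state: AccountState, policy: PasswordPolicy, success: bool) -> bool:
    """Apply one login attempt to the account; returns whether the login is allowed."""
    if state.locked:
        return False
    if success:
        state.failed_attempts = 0
        return True
    state.failed_attempts += 1
    if policy.attempts_before_lockout is not None and state.failed_attempts >= policy.attempts_before_lockout:
        state.locked = True
    return False


def password_expired(state: AccountState, policy: PasswordPolicy, today: date) -> bool:
    """True once more than validity_days have passed since the last change."""
    return (today - state.password_changed_on).days > policy.validity_days
```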

Automatically Disabling Accounts for Inactive Users


You can configure Cisco ANA to disable a user account when a user has not logged in for a specified period of days. By default, this period is 30 days. To change this setting:
Step 1  Choose Global Settings > Security > User Account Settings.
Step 2  Enter the number of days after which the accounts will be disabled.
Step 3  Click Apply to immediately apply your settings.

After you click Apply, the password settings are applied to all new user accounts. You can restore the Cisco ANA default settings at any time by clicking Restore and Apply. You can reenable a user account as described in Changing User Information and Disabling Accounts (General Tab), page 9-10. For information about the main menu that is displayed in the Cisco ANA window, see User Account Settings Window, page 1-22.


Chapter 7

Managing Links
These topics describe how to add and remove static links between two ports of two NEs in the network. Static links override any existing autodiscovered topology in the system. A static link is identical in all respects to a link that is autodiscovered. Static links can be viewed using the Topology window and in the device topology static key in the relevant Golden Source AVM .xml file. See these topics for more information:

- Creating a Static Link, page 7-1
- Removing a Static Link, page 7-3

Creating a Static Link


You can create a static link between devices by selecting the two end ports from the device physical inventory in Cisco ANA Manage. To create a static topological link, you need to supply the exact location of the two end ports (at both ends of the link). The physical hierarchy in which the port is located defines the location of a port, as follows: Device > [shelf] > module > [submodule] > port
Note

The link is bidirectional, and needs to be added only once. The new link is validated after the two ports are selected, but before the link is added. Validation checks:

- The similarity of the connector port types (for example, RJ45 on both sides).
- Layer 2 technology type (for example, ATM OC-3 on both sides).
- The physical layer.
- The operation status of both ports.
- Whether one of the ports is part of another link.

If validation reveals that one of the ends is part of a static link, you are asked to delete the previous link manually. If validation reveals that one of the ends is part of a dynamic link, the previous link is overridden.


To create a new static link:


Step 1

Select Topology in the Cisco ANA Manage window.

Note

Any changes made in the Topology window are saved automatically and are registered immediately in Cisco ANA.

Step 2

Open the New Static Link dialog box in one of the following ways:

- Right-click Topology, then choose New Static Link.
- Choose File > New Static Link.
- Click New Static Link in the toolbar.

The A Side and Z Side lists enable you to choose the devices and the ports for the static link. When you select a device from the list, the physical inventory of the device is displayed in the related area of the dialog box.
Step 3  From the A Side and Z Side lists choose a device. The physical inventory of each device is displayed in the related area of the dialog box.
Step 4  Expand the navigation tree and choose the A Side and Z Side port of each device. For more information about the icons and severity displayed in this dialog box, see the Cisco Active Network Abstraction 3.7 User Guide.

Step 5

Click Create. The link is validated and a confirmation message is displayed.

Note

The Create button is enabled only when A Side and Z Side ports are selected.

Note

A warning message is displayed if:
- One of the validation checks fails.
- The operation status of one port is up and the other port is down.
- The ports selected are not of the same type.
- The Layer 2 technology type is not the same.
- One of the ports is part of another link.
Click No to cancel the connection.

Step 6

Click Close. The New Static Link dialog box closes, and the newly created link between the two devices appears in the content area.

Note

The new link is created with the rule A Side < Z Side lexicographically. For example, if you select A Side = PE-West and Z Side = PE-East, the link that is created and displayed in the table is A Side = PE-East and Z Side = PE-West.
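As an added example (not Cisco ANA code), the following Python models the validation that the New Static Link dialog performs, the static-versus-dynamic conflict rule from the start of this section, and the A Side < Z Side ordering note above. The Port fields, the comparison by device name and the sample topology are constructed for the example.

```python
"""Worked example (added; not Cisco ANA code): validation of an A Side / Z Side
port pair, the static-versus-dynamic conflict rule, and the lexicographic
A Side < Z Side ordering.  Port fields and the sample topology are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Port:
    device: str
    location: str        # Device > [shelf] > module > [submodule] > port, as a path
    connector: str       # connector port type, e.g. RJ45
    layer2: str          # Layer 2 technology type, e.g. ATM OC-3
    physical_layer: str
    oper_status: str     # "up" or "down"


@dataclass(frozen=True)
class Link:
    a: Port
    z: Port
    static: bool         # True if entered manually, False if autodiscovered


class StaticLinkConflict(Exception):
    """One end already belongs to a static link; it must be deleted manually first."""


def validate(a: Port, z: Port, topology: List[Link]) -> Tuple[List[str], List[Link]]:
    """Return (warnings, dynamic links the new link would override).
    Raises StaticLinkConflict when either end is part of an existing static link."""
    if a == z:
        raise ValueError("A Side and Z Side must be different ports")
    warnings = []
    if a.connector != z.connector:
        warnings.append(f"connector types differ: {a.connector} vs {z.connector}")
    if a.layer2 != z.layer2:
        warnings.append(f"Layer 2 technology differs: {a.layer2} vs {z.layer2}")
    if a.physical_layer != z.physical_layer:
        warnings.append(f"physical layer differs: {a.physical_layer} vs {z.physical_layer}")
    if a.oper_status != z.oper_status:
        warnings.append("operation status of one port is up and the other is down")
    overlapping = [link for link in topology if {link.a, link.z} & {a, z}]
    if any(link.static for link in overlapping):
        raise StaticLinkConflict("one end is already part of a static link; delete it manually")
    if overlapping:
        warnings.append("one of the ports is part of another link (dynamic; it will be overridden)")
    return warnings, overlapping


def order_ends(a: Port, z: Port) -> Tuple[Port, Port]:
    """Apply the rule A Side < Z Side lexicographically.  Comparing by device
    name (assumed) reproduces the page's example: PE-West / PE-East is stored
    as A Side = PE-East, Z Side = PE-West."""
    return (a, z) if (a.device, a.location) < (z.device, z.location) else (z, a)


def create_static_link(a: Port, z: Port, topology: List[Link],
                       accept_warnings: bool = True) -> Tuple[List[Link], List[str]]:
    """Validate, drop overridden dynamic links, and add the new static link.
    Returns the new topology and the warnings shown.  accept_warnings=False
    models the user clicking No: the topology is returned unchanged."""
    warnings, overridden = validate(a, z, topology)
    if warnings and not accept_warnings:
        return list(topology), warnings
    remaining = [link for link in topology if link not in overridden]
    first, second = order_ends(a, z)
    return remaining + [Link(first, second, static=True)], warnings
```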


Removing a Static Link


A static link between the devices can be deleted. A static link is one that is manually entered by the user. To remove a link:
Step 1  Select Topology in the Cisco ANA Manage window.
Step 2  In the content area, select one or more links to delete.
Step 3  Delete the link in one of the following ways:

- Right-click the link, then choose Delete.
- Click Delete in the toolbar.

The selected link is deleted and is no longer displayed in the content area.


Chapter 8

Workflow Administration Tasks


These topics briefly describe workflows and how to administer the workflows and templates that are stored in the Workflow Engine branch in Cisco ANA Manage:

- Workflows and the Workflow Engine Windows, page 8-1
- Viewing and Deleting Templates, page 8-2
- Viewing Output, Aborting, and Deleting Workflows, page 8-4
- Adding Workflow Users (Using runRegTool), page 8-6

For more information about the Workflow Engine window elements, see Workflow Engine Windows, page 1-26.

Workflows and the Workflow Engine Windows


Workflows are logical flows of atomic tasks (activation commands), including complex rollback scenarios. The logic enables you to define relationships between tasks, the sequence of tasks, when to branch to other tasks, and what to do if a task fails. You can create workflows using the Cisco ANA Workflow Editor, which is launchable from Cisco ANA NetworkVision. (For information on the Cisco ANA Workflow Editor, see Cisco Active Network Abstraction 3.7 Customization User Guide.) Once they are created, all workflows are stored on the Cisco ANA gateway and are displayed in the Workflow Engine windows in Cisco ANA Manage. The Workflow Editor engine resides on the Cisco ANA gateway using AVM 66. By default, workflows are saved for seven days and are then purged from Cisco ANA by the integrity service. The Workflow Engine windows include the following:

- Templates: Displays a list of the deployed workflow templates and enables you to view the properties of a workflow template.
- Workflows: Displays a list of the running or completed workflows and enables you to view and alter their current status.

Figure 8-1 presents the process required when working with and managing workflows. The tasks are described in the order in which they must be performed.


Figure 8-1

Flow For Creating, Testing, Deploying, Running, and Viewing a Workflow

Step 1: Create a command using Command Builder and preview it

Step 2: Define tasks and workflows using the Workflow Editor

Step 3a: Copy the command descriptor scripts Step 3b: Edit the command descriptor scripts Step 3c: Add workflow and task attributes

Step 4: Test the workflow locally

Step 5: Deploy the workflow on the gateway

Step 6: Run the workflow

Step 7: View the workflow in ANA Manage

Step 8: View the workflow results in EventVision

Viewing and Deleting Templates


You can perform the following template management tasks from Cisco ANA Manage:

- Viewing Available Templates and Their Properties, page 8-2
- Deleting a Workflow Template, page 8-3

Viewing Available Templates and Their Properties

To view the list of templates and template properties:


Step 1  Choose Workflow Engine > Templates. The list of workflow templates is displayed in the table.
Step 2  Choose the required workflow template in the table.


Step 3

Right-click the template, then choose Properties. The Workflow Template Properties dialog box is displayed with the properties and attributes of the selected workflow template (Figure 8-2).
Figure 8-2 Workflow Template Properties Dialog Box

The name of the template is displayed in the header and at the top of the dialog box. The following properties are displayed in the table of the Workflow Template Properties dialog box:

- Name: The attribute names defined for the tasks included in the workflow, as defined in the Task Properties dialog box using the Workflow Editor.
- Value: The values defined for the tasks included in the workflow, as defined in the Task Properties dialog box using the Workflow Editor.

Step 4  Click in the top right-hand corner to close the Template Properties dialog box.

Deleting a Workflow Template

To delete a workflow template:


Step 1  Choose Workflow Engine > Templates. The list of workflow templates is displayed in the table.
Step 2  Choose the workflow template that you want to delete in the table.
Step 3  Delete the template in one of the following ways:

- Right-click the workflow template, then choose Delete.
- Click Delete in the toolbar.

A warning message is displayed.


Step 4

Click Yes. The selected workflow template is deleted and no longer appears in the table.


Viewing Output, Aborting, and Deleting Workflows


You can perform the following workflow management tasks from Cisco ANA Manage:

- Viewing the Output of a Workflow, page 8-4
- Aborting a Workflow, page 8-5
- Deleting a Workflow, page 8-5

Viewing the Output of a Workflow

You can view the output of a workflow whether it is running, done, or aborted. To view the output of a workflow:
Step 1  Choose Workflow Engine > Workflows. The list of workflows is displayed in the table.
Step 2  Choose the required workflow in the table.
Step 3  Right-click the workflow, then choose Show Output. The Output window is displayed (Figure 8-3).
Figure 8-3 Output Window

The Output window displays the output and details of the workflow.
Step 4

Click Close.


Aborting a Workflow

You can manually abort a complete workflow using the procedure in this topic. (A workflow is also aborted automatically if any of its tasks are aborted.) When a workflow aborts, a workflow rollback occurs. All activation scripts that have already been run (by Execute BQL tasks) are rolled back. A workflow rollback has the following characteristics:

- The commands that are executed are those that are defined in the rollback section of the script (defined in Command Builder).
- Scripts are rolled back in the reverse order of their execution.

Note

Gateway commands do not support rollback. Rollback can be disabled for specific BQL tasks by setting the RollbackEnabled value task attribute to false in the respective BQL task. This is useful for a BQL task executing a script that does not have an appropriate rollback, or a BQL task executing a gateway command.

To abort a running workflow:

Step 1  Choose Workflow Engine > Workflows. The list of workflows is displayed in the table.
Step 2  Right-click the workflow, then choose Abort. A warning message is displayed.
Step 3  Click Yes. The workflow is stopped, and the state of the workflow changes to Aborted in the Workflows table.
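The abort-and-rollback behaviour described above, as an added example that is not Cisco ANA code: the first failing task aborts the workflow, completed scripts are rolled back in reverse order, and gateway commands and tasks with RollbackEnabled set to false are skipped. The task and command names are constructed, and the executor callback stands in for the real workflow engine.

```python
"""Worked example (added; not Cisco ANA code): abort and rollback of a workflow
of Execute BQL tasks.  Task and command names are constructed; the executor
callback stands in for the workflow engine on AVM 66."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class BqlTask:
    name: str
    command: str
    rollback_command: Optional[str] = None   # rollback section of the script, if any
    rollback_enabled: bool = True            # the RollbackEnabled task attribute
    gateway_command: bool = False            # gateway commands do not support rollback


def rollback(completed: List[BqlTask], execute: Callable[[str], bool]) -> List[str]:
    """Roll back already-run scripts in reverse order of execution.  Returns the
    names of the tasks whose rollback commands were issued."""
    rolled_back = []
    for task in reversed(completed):
        if task.gateway_command or not task.rollback_enabled or task.rollback_command is None:
            continue  # nothing to undo, or rollback deliberately disabled for this task
        execute(task.rollback_command)
        rolled_back.append(task.name)
    return rolled_back


def run_workflow(tasks: List[BqlTask], execute: Callable[[str], bool]) -> Tuple[str, List[str]]:
    """Run tasks in order.  The first failing task aborts the workflow and
    triggers rollback of everything that completed before it.
    Returns (final state, names of tasks rolled back)."""
    completed: List[BqlTask] = []
    for task in tasks:
        if not execute(task.command):
            return "Aborted", rollback(completed, execute)
        completed.append(task)
    return "Done", []


def make_executor(failing: Tuple[str, ...], log: List[str]) -> Callable[[str], bool]:
    """Constructed stand-in for the engine: records every command in log and
    reports failure for the commands listed in failing."""
    def execute(command: str) -> bool:
        log.append(command)
        return command not in failing
    return execute
```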

Deleting a Workflow

You can delete a workflow from the Workflows window in the Cisco ANA Manage window. The workflow is deleted from the database. To delete a workflow:
Step 1  Choose Workflow Engine > Workflows. The list of workflows is displayed in the table.
Step 2  Delete the workflow in one of the following ways:

- Right-click the workflow, then choose Delete.
- Click Delete in the toolbar.

A warning message is displayed.


Step 3

Click Yes. The selected workflow is deleted and is no longer displayed in the table.


Adding Workflow Users (Using runRegTool)


Enabling new users to run workflows involves making changes to the registry. The following procedure explains how to add a user and specify how many workflows they can run at one time. By default, workflows are saved for 7 days.

Note

Changes to the registry should only be carried out with the support of Cisco. For details, contact your Cisco account representative. For information on the format of the runRegTool command, see Changing Registry Settings Using runRegTool, page C-3.

Step 1

To add a user to the list of authorized users, use the following command:
./runRegTool.sh -gs gw-IP add unit-IP "site/avm66/services/workflow/users/username"

This example allows the user jsmith to create workflows:


# ./runRegTool.sh -gs 127.0.0.1 add 0.0.0.0 "site/avm66/services/workflow/users/jsmith"

Step 2

To specify the maximum number of workflow connections allowed for the user, use this command format:
./runRegTool.sh -gs gw-IP set unit-IP "site/avm66/services/workflow/users/username/maxConnections value"

This example allows the user jsmith to run a maximum of 20 workflows at one time:
# ./runRegTool.sh -gs 127.0.0.1 set 0.0.0.0 "site/avm66/services/workflow/users/jsmith/maxConnections 20"

Step 3

Restart AVM 66 (the workflow engine AVM):


# ANAHOME/Main/anactl -avm66 restart


Chapter 9

Managing User Security: Roles and Scopes


These topics describe how Cisco ANA implements a two-dimensional security engine combining a role-based security mechanism with scopes (groups of NEs) that are granted to users. In addition, it describes managing users in the Cisco ANA platform, including defining users and passwords.

- Overview of User Authentication and Authorization, page 9-1
- Steps for Setting Up Users and Scopes, page 9-5
- Creating and Managing Scopes, page 9-6
- Managing User Accounts and Controlling User Access, page 9-8
- Deleting a Cisco ANA User Account, page 9-13
- Changing a User's Cisco ANA Password, page 9-13

Overview of User Authentication and Authorization


Cisco ANA uses a combination of methods to manage user authentication and authorization:

- User authentication can be managed locally by Cisco ANA or externally by an LDAP application. Either method can be used to validate user accounts and passwords, thus controlling who can log in to Cisco ANA. If you use Cisco ANA, user information and passwords are stored in the Cisco ANA database. If you use an external LDAP application, passwords are stored on the external LDAP server. See External Authentication, page 9-2.
- User authorization is managed through a combination of user access roles and scopes:
  - User access roles control the actions a user can perform in the Cisco ANA GUI clients. When a user's account is created, the user is assigned an access role that determines the user's default permissions. For more information, see User Access Roles and Default Permissions, page 9-2.
  - Scopes are groups of network elements that are created by administrators. Once a scope is created, you can assign it to users. A user's default permissions determine the actions the user can perform on the NEs in the scope. These actions are referred to as the user's security level on that scope. If desired, you can assign the user a more strict user access role for a scope. For more information, see Scopes, page 9-3.

For example, a user named johnsmith has a user access role (or default permission) that allows him to update the software images on all network elements. You could create a scope called SanFrancisco that contains a group of switches, and then give johnsmith a stricter security access role on that scope. Thus the user johnsmith could update the software images on all network elements, except for the switches in the scope named SanFrancisco.


User authorization information (roles and scopes) is always stored in the Cisco ANA database. The external LDAP server, if used, only stores passwords.

External Authentication
External authentication means that user authentication and passwords are validated by an external application, rather than by Cisco ANA. When Cisco ANA performs the authentication, Cisco ANA validates users by checking information that is saved in the Cisco ANA database. If you use an LDAP application, the information is validated by the external LDAP server. If Cisco ANA is using external authentication and cannot communicate with the LDAP server, the only user permitted to log back into Cisco ANA is root. This is because root is the LDAP emergency user, and is validated only by Cisco ANA. The root user can then log in to Cisco ANA, change the authentication method to local, and edit user accounts so that those users can subsequently log in. Cisco ANA uses LDAP version 3. If you want to use external authentication, you must do the following:

- Perform the necessary installation prerequisites. See the Cisco Active Network Abstraction 3.7 Installation Guide.
- Configure Cisco ANA so that it can communicate with the LDAP server. See Using an External LDAP Server for Password Authentication, page 6-12.

If you are switching from external authentication to Cisco ANA authentication, you can import the user information from the LDAP server into Cisco ANA. That procedure is described in the Cisco Active Network Abstraction 3.7 Installation Guide.

User Access Roles and Default Permissions


User access roles control the actions a user is authorized to perform in Cisco ANA. When you create a user account, you assign one security access role to the account. This role determines the user's default permissions, which in turn determine the general GUI functions the user can perform, such as:

- Logging in to Cisco ANA.
- Managing alarms in Cisco ANA NetworkVision.
- Creating, deleting, and opening maps.
- Arranging maps, adding NEs, managing aggregations, adding NEs to a map, and setting the map's background.
- Managing business tags.

Note that the previous examples do not perform any type of configuration or provisioning on NEs. When you decide which scopes a user can access, you add a scope (a list of NEs) to the user's account, and you assign a security access role for the scope. This becomes the user's scope security level and controls the actions the user can perform on the NEs in the scope. For more information on scopes, see Scopes, page 9-3.


Cisco ANA provides five predefined security access roles that you can grant to users to enable system functions (see Table 9-1). (More examples are provided in Table 9-2 on page 9-4.)
Table 9-1  User Access Roles

Role: Viewer
Description: Views the network, links, events, and inventory. Has read-only access to the network and to nonprivileged system functions.

Role: Operator
Description: Performs most day-to-day business operations such as managing alarms, manipulating maps, viewing network-related information, and managing business attachments.

Role: OperatorPlus
Description: Manages the alarm lifecycle.

Role: Configurator
Description: Performs tasks and tests related to configuration and activation of services, through Command Builder, Configuration Archive, NEIM, and activation commands.

Role: Administrator
Description: Manages the Cisco ANA system and its security. Performs all administrative actions, including creating units, AVMs, and VNEs; and managing polling and protection groups, users, scopes, and maps.

When a new user is defined as an Administrator, this user can perform all administrative actions, including opening all maps, working with all scopes, and managing the system using Cisco ANA Manage. These activities are performed with the highest privileges. Cisco ANA Manage supports multiple administrators. Access rights do not need to be defined for an administrative user.

Scopes
Scopes are groups of managed NEs. Users can only access NEs that are in their assigned scopes. Furthermore, you designate a user access role within each scope that determines which NEs a user can access and the actions they can perform on those NEs. Cisco ANA provides a predefined scope called All Managed Elements, which cannot be edited. For more information on user access roles, see User Access Roles and Default Permissions, page 9-2. After you allocate a scope and a role to a user, the user can perform various activities on the NEs included in the scope, as follows:

- Activate services.
- View NE, inventory, and link properties.
- Manage advanced options such as show counters, show utilization, and refresh.
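As an added example (not Cisco ANA code), the following Python combines a user's default access role with the role granted on a scope, as in the johnsmith / SanFrancisco example in the overview above, and resolves the role a user holds on a given NE. Role ordering follows Table 9-1; how overlapping scopes combine is not stated on this page, so this example assumes the stricter role wins.

```python
"""Worked example (added; not Cisco ANA code): default role plus scope role,
resolved per NE.  Role ordering follows Table 9-1.  Overlapping scopes are
not specified on this page; the stricter role is taken (assumption)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Table 9-1 roles, least to most privileged.
ROLES = ("Viewer", "Operator", "OperatorPlus", "Configurator", "Administrator")
RANK = {role: i for i, role in enumerate(ROLES)}


@dataclass(frozen=True)
class Scope:
    name: str
    elements: FrozenSet[str]  # managed NE names


@dataclass
class User:
    name: str
    default_role: str
    enabled: bool = True
    scope_roles: Dict[str, str] = field(default_factory=dict)  # scope name -> role on that scope


def stricter(r1: str, r2: str) -> str:
    return r1 if RANK[r1] <= RANK[r2] else r2


def grant_scope(user: User, scope: Scope, role: Optional[str] = None) -> None:
    """Assign a scope to a user.  The scope role defaults to the user's default
    permissions and may only be made stricter, never more permissive."""
    role = role or user.default_role
    if role not in RANK:
        raise ValueError(f"unknown role {role!r}")
    if RANK[role] > RANK[user.default_role]:
        raise ValueError("scope role cannot exceed the user's default role")
    user.scope_roles[scope.name] = role


def effective_role(user: User, ne: str, scopes: Dict[str, Scope]) -> Optional[str]:
    """Role the user holds on one NE, or None when no access is permitted.
    Administrators work with all scopes; other users reach only NEs that are
    in one of their assigned scopes."""
    if not user.enabled:
        return None
    if user.default_role == "Administrator":
        return "Administrator"
    result = None
    for scope_name, role in user.scope_roles.items():
        if ne in scopes[scope_name].elements:
            granted = stricter(user.default_role, role)
            result = granted if result is None else stricter(result, granted)
    return result


def may_update_software_image(user: User, ne: str, scopes: Dict[str, Scope]) -> bool:
    """Software image updates are configuration/activation work: Configurator or above
    on that NE (mapping assumed from Table 9-1)."""
    role = effective_role(user, ne, scopes)
    return role is not None and RANK[role] >= RANK["Configurator"]
```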


Table 9-2 describes the actions a user can perform in the GUI clients or in a scope, based on each user access role.

Table 9-2  Scope and GUI Functions Permitted According to User Access Roles

User Access Role: Administrator
Permitted Actions in the GUI Client:
  Platform management:
  - Manage Cisco ANA servers, AVMs, transport, and VNEs.
  - Manage global settings: Polling groups, protection groups, service disclaimers, report settings, and security settings (including user authentication method and password rules).
  - View DB segments.
  - Create and delete scopes.
  - Manage user accounts.
  - Manage static topology links.
  - Manage VNEs from Cisco ANA Manage or Cisco ANA NetworkVision.
  Map management:
  - Open, edit, and delete all user maps.
Permitted Actions in a Scope:
  All

User Access Role: Configurator
Permitted Actions in the GUI Client:
  Map management:
  - Create maps.
  Advanced tools:
  - Ping and Telnet an NE directly from the client.
  - Enable and disable port alarms.
  - Cisco ANA Command Builder.
Permitted Actions in a Scope:
  Activation services:
  - Add and publish activation commands on managed NE (regardless of whether the NE is inside or outside the Configurator's scope).

User Access Role: OperatorPlus
Permitted Actions in the GUI Client:
  Map management:
  - Create new maps and add NEs.
  - Edit, delete, and rename maps.
  - Save maps.
  Map manipulation:
  - Create and break aggregations.
  - Change map layout.
  - Set background image.
  - Create business links.
Permitted Actions in a Scope:
  Alarm management:
  - Acknowledge, remove, and clear alarms that belong to the NEs within a user's scope that has the OperatorPlus role.
  Map manipulation:
  - Create business tags for NEs.
  Display network information:
  - Include path tool traffic, rates, drops, or any dynamic data.

User Access Role: Operator
Permitted Actions in the GUI Client:
  Map manipulation:
  - Create and delete business tags.
  Application:
  - Open Cisco ANA EventVision.
Permitted Actions in a Scope:
  Display network information:
  - Refresh port information from NE.

User Access Role: Viewer
Permitted Actions in the GUI Client:
  Application:
  - Log into Cisco ANA NetworkVision and Cisco ANA EventVision.
  - Change user password.
  - View the device list.
  - View map.
  - View link properties.
  - Use table filter.
  - Export from any table.
Permitted Actions in a Scope:
  Display network and business tag information:
  - View alarm list and alarm properties, and find alarms.
  - Find and view attachments.
  - View NE properties and inventory.
  - Calculate and view affected parties.
  - Open port utilization graph.

Steps for Setting Up Users and Scopes

Figure 9-1 and the subsequent text describe the steps required to customize security using Cisco ANA Manage, and the order in which the steps must be performed.

Figure 9-1 Customizing Security Flow

    Step 1: Install licenses
    Step 2: Define scopes
    Step 3: Define Cisco ANA user accounts
    Step 4: Grant scopes and roles to users

1. Install licenses. This allows you to control and monitor the number of client and BQL connections over a limited or unlimited period of time, based on the client licenses installed. For more information, see Managing Licenses, page 2-5.
2. Configure external authentication if you want to use an external LDAP server to store passwords and authenticate users. For more information, see Using an External LDAP Server for Password Authentication, page 6-12.
3. Define scopes. This enables you to group specific managed NEs so that users can view and manage those NEs based on their individual user role. For more information, see Creating and Managing Scopes, page 9-6.
4. Define Cisco ANA user accounts. This enables you to define and manage user accounts, including the maps the user can access. For more information, see Managing User Accounts and Controlling User Access, page 9-8.
5. Grant scopes and roles to users. This enables you to manage general user account information, the list of scopes assigned to each user, and security access roles per scope. For more information, see Changing User Information and Disabling Accounts (General Tab), page 9-10.

Creating and Managing Scopes

Cisco ANA Manage enables you to group specific managed NEs so that users can view and manage those NEs based on their user role or permission. After a scope is created, it can be assigned to a user. Multiple scopes can be assigned to a single user, and a single scope can be assigned to multiple users. When a scope is assigned to a user, you must also give the user a security access role that defines the user's role within that scope. See Changing User Information and Disabling Accounts (General Tab), page 9-10. These topics explain how to manage scopes:

    Creating a Scope, page 9-6
    Editing and Viewing Scope Properties, page 9-7
    Deleting Scopes, page 9-7

Creating a Scope

To create a scope:

Step 1  Select Scopes in the Cisco ANA Manage window.
Step 2  Open the New Scope dialog box in one of the following ways:
        Right-click Scopes, then choose New Scope.
        Choose File > New Scope.
        Click New Scope in the toolbar.
Step 3  In the Scope field, enter a name for the scope.


Step 4  Specify the devices to include in the scope:
        To add devices to the scope, select the required devices from the Available Devices list and then click Add All or Add Selected to move the devices to the Active Devices list.
        To remove devices from the scope, select the devices in the Active Devices list and then click Remove Selected or Remove All to move the devices to the Available Devices list.

        Note  You can select multiple devices by using the Ctrl key.

Step 5  When the Active Devices list includes the required devices for the scope, click OK. The scope is saved and is displayed in the content area.

Editing and Viewing Scope Properties

Cisco ANA Manage enables you to edit or view the details of a scope. To edit or view scope properties:

Step 1  Select Scopes in the navigation pane.
Step 2  Select the scope that you want to edit or view in the content area.
Step 3  Open the Properties dialog box for the scope in one of the following ways:
        Right-click the scope, then choose Properties.
        Choose File > Properties.
        Click Properties in the toolbar.
        For more information about the Properties dialog box, see Creating and Managing Scopes, page 9-6.
Step 4  Edit and view the properties as required.
Step 5  Click OK.

Deleting Scopes

When a scope is deleted, it is removed from every user to whom it was assigned; those users lose access to the NEs in that scope unless another of their scopes contains them. To delete a scope:

Step 1  Select Scopes in the navigation pane.
Step 2  Select the scope that you want to delete in the content area.

        Note  You can select multiple scopes by using the Ctrl key.

Step 3  Right-click the scope, then choose Delete. The scope is deleted and is removed from the content area.


Managing User Accounts and Controlling User Access

The Users window enables you to define and manage user accounts. This includes managing general user information as well as security access rights and forced login changes, as required. You can also monitor a user's last login time. Configuring a new user account in Cisco ANA involves these steps:

1. Create the user account and assign the default permissions that will control the user's access to GUI functions. See Creating User Accounts and Assigning Default Permissions, page 9-8.
2. (Optional) Specify the maximum number of client connections and when the user must change their password. See Changing User Information and Disabling Accounts (General Tab), page 9-10.
3. Apply scopes and scope permissions that will control the user's access to network elements. See Controlling User Permissions and Access to Scopes (Security Tab), page 9-11.
4. (Optional) Control which existing maps a user can access. This feature is disabled by default, and users can only access the maps they create after their user account is enabled. To enable this feature and configure user access to existing maps, see Controlling User Access to Maps (Maps Tab), page 9-12.

Creating User Accounts and Assigning Default Permissions

A new user is created with the following predefined system defaults:

    No scopes are assigned to the user.
    The number of connections is unlimited.
    The password must be changed every 30 days.
    The maximum number of login attempts is 5.

To define a user account:

Step 1  Select Users in the Cisco ANA Manage window.
Step 2  Open the New User dialog box in one of the following ways:
        Right-click Users, then choose New User.
        Choose File > New User.
        Click New User in the toolbar.


Step 3  Enter the information required to define a new user:

User Name
    Enter the new user's name to be used for logging in.
    Note  The username must be unique and can contain a maximum of 20 characters. Special characters cannot be used.

Full Name
    (Optional) Enter the full name of the user.

Description
    (Optional) Enter a free text description of the user.

External user only
    If checked, Cisco ANA lets the user log in only if the user's password can be validated by an external LDAP server. The password fields are disabled. (If external authentication is being used, the box is checked by default. See Using an External LDAP Server for Password Authentication, page 6-12.)

Password
    Enter the new Cisco ANA password, which is then stored in the Cisco ANA database. (This field is disabled if the External user only check box is checked.) Passwords must adhere to the global password rules set by the administrator (see Setting Global Password Rules, page 6-15).

Confirm password
    Reenter the new Cisco ANA password.

Role
    In the drop-down list, choose the security access role that will be the user's default permissions.
    Note  This permission applies only to activities or actions that are not related to an NE. For more information on the functionality that a user can perform, see User Access Roles and Default Permissions, page 9-2.

Force password change at next login
    This check box is checked by default and forces the user to change their password when they next log in. (This field is disabled if the External user only check box is checked.)

Step 4  Click Create. The new username and default security access role are displayed in the content area.

The basic user account is created. To verify your settings, see Changing User Information and Disabling Accounts (General Tab), page 9-10. The user will not be able to see any network elements until you assign a scope to the user. See Controlling User Permissions and Access to Scopes (Security Tab), page 9-11.


Changing User Information and Disabling Accounts (General Tab)

After you create a user account, when you view the user properties and select the General tab, you see the information you entered when the account was created. You can further refine the account by limiting the number of GUI client connections for the user, or by forcing the user to change their password after a certain time. You can also disable or reenable a user account using the following procedure. To view or edit general user information:

Step 1  Select Users in the Cisco ANA window.
Step 2  Right-click the required user, then choose Properties. The Properties dialog box is displayed with the General tab selected by default.
Step 3  Edit the general properties as required:

User Name
    The current username. The username cannot be modified.

Last Login
    The date and time that the user last logged in.

Full Name
    The user's full name.

Description
    A description of the user.

Enable account
    Check this check box to enable the user account, or uncheck it to disable the user account. The user account is automatically locked when the user exceeds the permitted number of login attempts (see Setting Global Password Rules, page 6-15). It is also locked if the user account is not active for a certain number of days, as configured in the Global Settings branch (see Automatically Disabling Accounts for Inactive Users, page 6-16); by default, this period is 30 days. You can manually lock or unlock a user's account at any time. A user whose account is locked cannot log into the system.

External user only
    If checked, Cisco ANA lets the user log in only if their password can be validated by an external LDAP server. The Password field in this dialog box is disabled, and the user cannot log in even if Cisco ANA switches back to local authentication. (If external authentication is being used, the box is checked by default. See Using an External LDAP Server for Password Authentication, page 6-12.) If you uncheck this check box, Cisco ANA prompts you for a new password that will be used for local authentication. The password is stored in the Cisco ANA database, and the Force Password fields become active.

Limit connections to
    The number of instances of Cisco ANA client applications that the user can have open at any one time, counted across all client applications. For example, if the number of connections is limited to 10, the user can have five instances of Cisco ANA Manage and five instances of Cisco ANA NetworkVision open at the same time. If the user then tries to open an instance of Cisco ANA EventVision, the attempt is refused.

Force password change after ___ days
    If checked, forces the user to change their password after the specified number of days. Uncheck this check box to allow the user to retain their current password indefinitely. If you check the check box, enter the number of days after which the user is forced to change their password. (This field is disabled if the External user only check box is checked.)

Force password change at next login
    Check this check box to force the user to change their password when they next log in. You can set this option at any time. (This field is disabled if the External user only check box is checked.)

Step 4  Click Apply to accept your entries.
Step 5  Click OK to close the Properties dialog box, or click the Security tab to assign scopes to the user. (See Controlling User Permissions and Access to Scopes (Security Tab), page 9-11 for more information.)
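The General tab settings above, together with the defaults listed under Creating User Accounts and Assigning Default Permissions (5 login attempts, a 30-day password age, a 30-day inactivity period, and the Limit connections to count), combine into a single per-login decision. The following Python model is an added illustration written for this page; it is not Cisco ANA code. The order of the checks, the reset of the failed-attempt counter on a successful login, the NOW clock, and the account and client names are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Defaults stated in the guide: unlimited connections, password change every
# 30 days, 5 login attempts, inactive accounts disabled after 30 days.
MAX_LOGIN_ATTEMPTS = 5
PASSWORD_MAX_AGE_DAYS = 30
INACTIVITY_DISABLE_DAYS = 30

# Constructed clock so the example is reproducible (assumption of the example).
NOW = datetime(2010, 2, 1, 12, 0)


def days_ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


@dataclass
class Account:
    name: str
    enabled: bool = True
    external_only: bool = False             # "External user only": LDAP checks the password
    force_change_next_login: bool = True    # checked by default for a new account
    connection_limit: Optional[int] = None  # None means unlimited (the default)
    password_set: Optional[datetime] = None
    last_login: Optional[datetime] = None
    failed_attempts: int = 0
    open_clients: List[str] = field(default_factory=list)


def evaluate_login(acct: Account, password_ok: bool, client_app: str,
                   now: datetime) -> Tuple[str, str]:
    """Decide one login attempt. Returns (decision, reason), where decision is
    'allow', 'deny' or 'change-password'. Mutates the account the way a
    server would (lock-out, inactivity disable, connection bookkeeping).
    The check order is an assumption of this example."""
    if not acct.enabled:
        return "deny", "account disabled"
    # Inactivity: the account was not used for longer than the configured period.
    if acct.last_login is not None and \
            now - acct.last_login > timedelta(days=INACTIVITY_DISABLE_DAYS):
        acct.enabled = False
        return "deny", "disabled for inactivity"
    if not password_ok:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_LOGIN_ATTEMPTS:
            acct.enabled = False  # locked; an administrator must re-enable it
            return "deny", "locked after too many failed attempts"
        return "deny", "bad password"
    # "Limit connections to": every open client instance counts, whatever the app.
    if acct.connection_limit is not None and \
            len(acct.open_clients) >= acct.connection_limit:
        return "deny", "connection limit reached"
    acct.failed_attempts = 0
    acct.last_login = now
    acct.open_clients.append(client_app)
    # Password-age rules apply only to locally authenticated (non-LDAP) users.
    if not acct.external_only:
        if acct.force_change_next_login:
            return "change-password", "forced at next login"
        if acct.password_set is not None and \
                now - acct.password_set > timedelta(days=PASSWORD_MAX_AGE_DAYS):
            return "change-password", "password expired"
    return "allow", "ok"


def logout(acct: Account, client_app: str) -> None:
    """Release one client instance so the connection limit is counted correctly."""
    acct.open_clients.remove(client_app)
```

The connection limit is deliberately counted across applications, which reproduces the guide's example of five Cisco ANA Manage plus five Cisco ANA NetworkVision instances refusing an eleventh Cisco ANA EventVision instance.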

Controlling User Permissions and Access to Scopes (Security Tab)

The Security tab enables you to manage the user's capability to view and manage applications and NEs by applying user scopes and security access roles. Users cannot view any network elements until a scope is assigned to them. The scopes, and the level of access to the network elements in them, are controlled by the settings you specify in the following procedure.

Note  A user can have different security access roles for different scopes.

To assign a scope and security level to a user:

Step 1  Select the Users branch in Cisco ANA.
Step 2  Right-click the required user, then choose Properties.
Step 3  In the User Properties dialog box, click the Security tab.
Step 4  In the Default drop-down list, choose the default security level for the user. By default, a new user is assigned the Viewer security access role. The level that you select here is the value displayed in the ANA Users table.
Step 5  Click Add to add a scope to the active rights of the user.
Step 6  In the Security Level dialog box, choose the required scope and the appropriate security level within this scope for the user:

Available Scopes
    Lists all predefined and unassigned scopes.

Security Level
    Displays the security access roles for the defined scopes. For more information, see Scopes, page 9-3.

Step 7  Click OK. The scope is added to the list of Active Rights in the Security tab.
Step 8  Click Apply, then OK.

Controlling User Access to Maps (Maps Tab)

You can use the Maps tab to control user access to existing maps.

Note  This feature is disabled by default. When logging in to Cisco ANA NetworkVision, new users do not have permission to view any existing maps; they can only access maps they create going forward. However, administrators can assign existing maps to new users by enabling this feature and manually assigning the maps.

To enable this feature:

Step 1  Log in to the gateway server as user sheer.
Step 2  Change to the ANAHOME/Main directory.
Step 3  Run the following command (which is one line):

        # ./runRegTool.sh -gs 127.0.0.1 set 0.0.0.0 site/mmvm/services/securitymanager/map-security-enabled true

Step 4  When the gateway server returns a success message, restart the gateway.

To assign maps to a user (after enabling the feature):

Step 1  Select Users in the Cisco ANA window.
Step 2  Right-click the required user, then choose Properties. The User Properties dialog box is displayed.
Step 3  Click the Maps tab. The Maps tab is divided into two parts:
        The left side displays a list of all available maps in the database that have not been assigned to the user.
        The right side displays all maps that have been assigned to the user and that the user can open and manage in Cisco ANA NetworkVision.

        Four buttons are displayed between the Available Maps and Assigned Maps lists: one moves the selected map to the Assigned Maps list; one moves the entire Available Maps list to the Assigned Maps list; one moves the selected map from the Assigned Maps list back to the Available Maps list; and one moves the entire Assigned Maps list back to the Available Maps list.

Step 4  Choose a map from the list of Available Maps, then click the required button to add the map to the list of Assigned Maps for the user.

        Note  You can select multiple rows by using the Ctrl key.

Step 5  Choose and move maps between the two lists, as required, using the appropriate buttons.
Step 6  Click OK to confirm the user's assigned maps.

Deleting a Cisco ANA User Account

To delete a user account:

Step 1  Select Users in the Cisco ANA window.
Step 2  In the content area, select the user account that you want to delete.

        Note  You can select multiple rows by using the Ctrl key.

Step 3  Right-click the user, then choose Delete. The selected user is deleted and is no longer displayed in the content area.

Changing a User's Cisco ANA Password

You can use Cisco ANA Manage to change a user's Cisco ANA password at any time. Passwords must adhere to the global password rules set by the administrator (see Setting Global Password Rules, page 6-15). The following procedures apply only if you are using Cisco ANA to validate users. If you are using an external LDAP application to manage passwords, you must change the passwords in the LDAP server. There are different procedures for administrators and for users, as described in the following.

Changing Passwords: Procedure for Administrator

To change a user's password as an administrator:

Step 1  Select Users in the Cisco ANA window.
Step 2  In the content area, select the user whose password you want to change.
Step 3  Right-click the required user, then choose Change Password.
Step 4  Enter the new password in the Password and Confirm Password fields.
Step 5  Click OK. A confirmation message is displayed.
Step 6  Click OK.

Changing Passwords: Procedure for Users

Cisco ANA Manage also enables the current user to initiate a change of password. To change your password as a user:

Step 1  Choose Tools > Change User Password.
Step 2  Enter the old password in the Old Password field.
Step 3  Enter the new password in the New Password and Confirm Password fields.
Step 4  Click OK. A confirmation message is displayed.
Step 5  Click OK.

Chapter 10 Cisco ANA System Security

These topics describe the major security features of Cisco ANA and their configurable points:

    Communication Security, page 10-1
    Device Communication Security: SSH and SNMPv3, page 10-3
    Registry Security, page 10-4
    User Authentication and Authorization, page 10-4

Communication Security
Figure 10-1 illustrates the different forms of secure communication that are implemented between the Cisco ANA gateway server, units, clients, and database.

Figure 10-1 Communication Security in Cisco ANA

Figure 10-1 shows the gateway server (with its AVMs and internal administration scripts), the unit servers (with their AVMs), the GUI client, the BQL client, and the Oracle database, connected by the following labeled links: Point to Point Communication (SSL), XML-RPC Communication (SSL), ANA Transport Communication (SSL), SSH, and Database Communication (JDBC).

A socket factory service that runs on the gateway server implements SSL sockets between:

    The gateway and all units
    The gateway and all clients

With SSL version 3.0, keys are created when you install Cisco ANA on the gateway server. All secured connections use the same private key and certificate for SSL authentication. After installation, these keys are distributed by the gateway to the clients and other units. SSL keys can be recreated (as described in the Cisco Active Network Abstraction Integration Developer Guide). Because the same key material is distributed to every unit and client, compromise of any one of them exposes all secured connections; recreate the keys if that happens. Note also that SSL 3.0 has since been deprecated as insecure (RFC 7568), which is worth weighing where this version is still deployed. Whenever a socket cannot be opened, a System event is generated and is displayed in Cisco ANA EventVision. If you upgrade your version of Cisco ANA, be sure to upgrade all components (gateway server, units, and clients) to avoid problems with connections.

Gateway Server and Unit Communication Security


Communication between the gateway server and units is called transport communication. Transport connections are encrypted when the unit and gateway are on different machines, but are not encrypted when both are local to the same machine. Similarly, AVMs use transport communication, and communication between AVMs is encrypted when the AVMs are on different machines. There is no option to change this behavior in the GUI clients.

Cisco ANA uses the SSH protocol for internal administrative messages (such as scp) between the gateway and units. A random, privately signed certificate is generated on the gateway at installation time. When Cisco ANA is installed on a unit, the keys are copied from the gateway to the unit, and they are copied again whenever the unit is restarted.

Gateway Server and Client (Including BQL) Communication Security

For gateway and client communication, Cisco ANA uses a proprietary protocol called PTP (Point to Point communication), which is encrypted using SSL. The SSL keys are downloaded to Cisco ANA clients using the JNLP (WebStart) protocol. For BQL clients, the gateway server accepts both secured and unsecured connections from local BQL clients (on port 9002), but only secured connections from other machines. By default, port 9002 accepts only unsecured connections; how to change this behavior is described in the BQL documentation in the Cisco Active Network Abstraction Integration Developer Guide. For a client to communicate with the Cisco ANA gateway using Perl, a certificate in .pem format is required. This can be generated from the .cer format using the two-stage process described in the Cisco Active Network Abstraction Integration Developer Guide. If a client trusts all servers, the server's public key is imported automatically as part of the SSL handshake, which means the client does not authenticate the gateway at all. For a client to validate the server's public key, the .truststore file must be manually copied from the server; copy it over a channel you already trust (for example, scp to the gateway), not through the connection it is meant to authenticate. For more information on SSL sockets and BQL, such as the architecture and negotiation process, see the Cisco Active Network Abstraction Integration Developer Guide.

Database Connections

Cisco ANA connects to the database using an Oracle encryption feature. Connections between the client and database are always encrypted; connections between the server and database are not encrypted by default, although you can change this (and choose an encryption type) at installation time. After installation, this can be changed by editing the registry.

Device Communication Security: SSH and SNMPv3

In Cisco ANA, protocol collectors are the components responsible for actively polling devices and transporting information between devices and the Cisco ANA gateway. Protocol collectors are part of the instrumentation layer of Cisco ANA VNEs. A device has a collector for each protocol it supports, such as one collector for SSH and another collector for SNMP. Each collector contains the necessary logic for its specific protocol. The security of device communication is maintained by specifying SSH and SNMPv3 authentication and encryption methods when you create the VNE. Table 10-1 summarizes the security methods that are supported by each protocol.


Table 10-1 Device Communication Security Features in SSHv1, SSHv2, and SNMPv3

Protocol / Supported Security Feature for Device Communication

SSHv1
    Encryption ciphers: DES, 3DES, Blowfish
    Client authentication: password, public keys (fingerprint or public)
    Server authentication: save-first-auth, preconfigured (fingerprint or public keys)

SSHv2
    Key exchange: DH-group1-sha1, DH-group1-exchange-sha1
    MAC algorithm: SHA1, MD5, SHA1-96, MD5-96
    Ciphers: 3DES, AES-128, AES-192, AES-256
    Host key algorithm: DSA, RSA

SNMPv3
    Security levels: authNoPriv (authentication without encryption), authPriv (authentication and encryption)
    Privacy (encryption) ciphers: DES, AES128, AES192, AES256
    Authentication algorithms: MD5, SHA

Of the options listed, SSHv1 and single DES are obsolete and the MD5 MACs are weak; where the device supports it, choose SSHv2 with an AES cipher and a SHA1 MAC, and SNMPv3 authPriv with SHA authentication and an AES cipher. With save-first-auth, the first connection to a device is accepted without verifying the device's identity, so preconfigured fingerprints or keys are the stronger server authentication choice.
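The two server authentication modes in Table 10-1, save-first-auth and preconfigured, differ in who is trusted on the first connection. The following Python example is added here and is not part of Cisco ANA: it implements both modes over an OpenSSH-style SHA-256 fingerprint, the device names and host-key byte strings are constructed, and the store's in-memory layout is an assumption. The same distinction applies to the GUI and BQL clients described earlier in this chapter: a client that trusts all servers performs no server authentication at all, while a copied .truststore corresponds to the preconfigured mode.

```python
import base64
import hashlib
from typing import Dict, Optional


class HostKeyError(Exception):
    """Raised when a device presents a host key the policy does not accept."""


def fingerprint(host_key: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(host_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class HostKeyStore:
    """Per-device server authentication in the two modes Table 10-1 lists.

    preconfigured  : only a fingerprint loaded in advance is accepted.
    save-first-auth: the first key seen is remembered and enforced afterwards
                     (trust on first use; that first connection is unauthenticated).
    """

    def __init__(self, preconfigured: Optional[Dict[str, str]] = None) -> None:
        self.pinned: Dict[str, str] = dict(preconfigured or {})  # device -> fingerprint
        self.learned: Dict[str, str] = {}                        # filled by save-first-auth

    def verify(self, device: str, host_key: bytes, mode: str) -> str:
        """Return the accepted fingerprint or raise HostKeyError."""
        fp = fingerprint(host_key)
        if mode == "preconfigured":
            expected = self.pinned.get(device)
            if expected is None:
                raise HostKeyError(f"{device}: no preconfigured host key")
            if expected != fp:
                raise HostKeyError(f"{device}: host key mismatch, possible interception")
            return fp
        if mode == "save-first-auth":
            # A preconfigured key, if any, still wins over a learned one.
            known = self.pinned.get(device) or self.learned.get(device)
            if known is None:
                self.learned[device] = fp  # trusted without verification
                return fp
            if known != fp:
                raise HostKeyError(f"{device}: host key changed since first use")
            return fp
        raise ValueError(f"unknown server authentication mode {mode!r}")

    def accepts(self, device: str, host_key: bytes, mode: str) -> bool:
        """True if verify() passes, so callers can branch without exceptions."""
        try:
            self.verify(device, host_key, mode)
        except HostKeyError:
            return False
        return True
```

A rejected key in save-first-auth mode after the first connection is the signal that matters operationally: either the device was legitimately rekeyed, or the collector is talking to something else. Treat it as an alarm, not as a prompt to overwrite the stored fingerprint.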

Registry Security

The Golden Source registry is the master registry responsible for maintaining, distributing, and updating registry configuration files to all Cisco ANA units and the Cisco ANA gateway. The master copy of the Golden Source files is centrally located on the gateway server at ANAHOME/Main/registry/ConfigurationFiles. Credential data is encrypted. This includes the SNMP, Telnet, and SSH credentials for VNEs, and the database password. Sections that are encrypted are marked with an ENCRYPTED_ENTRY_AES prefix. Because these files are distributed to every unit, protect their file permissions and backups as carefully as the gateway's own key material.
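Because the marker is a fixed prefix, an administrator can audit the Golden Source for credential entries that were written without it, for example after a manual edit. The following Python check is added here and is not part of Cisco ANA. It assumes a hypothetical flat key=value dump of the registry (adapt parse_entries() to the actual file format), the key leaf names it treats as credentials are assumptions, and the sample input is constructed.

```python
from typing import Dict, List, Tuple

ENCRYPTED_PREFIX = "ENCRYPTED_ENTRY_AES"

# Registry key leaves assumed to hold credentials (assumption of this example;
# match them against your own Golden Source files).
CREDENTIAL_LEAVES = {"password", "community", "passphrase", "secret",
                     "auth-password", "priv-password"}

# Constructed sample in a hypothetical flat key=value layout. The key paths
# and values are made up for the example.
SAMPLE_DUMP = """\
# golden source dump (constructed)
site/avm101/agents/10.1.1.1/snmp/community=ENCRYPTED_ENTRY_AES:9f3c1a7b
site/avm101/agents/10.1.1.1/telnet/password=ENCRYPTED_ENTRY_AES:4d2e8c01
site/avm101/agents/10.1.1.1/telnet/username=anaops
site/avm101/agents/10.1.1.2/ssh/password=cisco123
site/avm101/agents/10.1.1.2/snmpv3/auth-password=ENCRYPTED_ENTRY_AES:77aa3b10
site/persistency/db/password=ENCRYPTED_ENTRY_AES:0c5f9e22
"""


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs; blank lines and # comments are skipped.
    Values are split on the first '=' only, so '=' inside a value survives."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((key.strip(), value.strip()))
    return entries


def is_credential_key(key: str) -> bool:
    """A key is a credential if its last path segment is in CREDENTIAL_LEAVES."""
    return key.rsplit("/", 1)[-1].lower() in CREDENTIAL_LEAVES


def plaintext_credentials(text: str) -> List[str]:
    """Keys that hold a credential but whose value lacks the encryption marker."""
    return [key for key, value in parse_entries(text)
            if is_credential_key(key) and not value.startswith(ENCRYPTED_PREFIX)]


def summarize(text: str) -> Dict[str, object]:
    """Counts for a report: total entries, credential entries, unencrypted ones."""
    entries = parse_entries(text)
    credentials = [key for key, _ in entries if is_credential_key(key)]
    return {"entries": len(entries),
            "credentials": len(credentials),
            "plaintext": plaintext_credentials(text)}
```

Run it against a dump of each unit as well as the gateway: the guide says the Golden Source is distributed, so a plaintext entry introduced on the gateway will be present everywhere.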

User Authentication and Authorization

Cisco ANA uses a combination of methods to manage user authentication and authorization:

    User authentication can be managed locally by Cisco ANA or externally by an LDAP application. Either method can be used to validate user accounts and passwords, thus controlling who can log in to Cisco ANA. If you use Cisco ANA, user information and passwords are stored in the Cisco ANA database. If you use an external LDAP application, passwords are stored on the external LDAP server. See Overview of User Authentication and Authorization, page 9-1.

    User authorization is managed through a combination of user access roles and scopes:
        User access roles control the actions a user can perform in the Cisco ANA GUI clients. When a user's account is created, the user is assigned an access role that determines the user's default permissions. For more information, see User Access Roles and Default Permissions, page 9-2.
        Scopes are groups of network elements that are created by administrators. Once a scope is created, you can assign it to users. A user's default permissions determine the actions the user can perform on the NEs in the scope. These actions are referred to as the user's security level on that scope. If desired, you can assign the user a more strict user access role for a scope. For more information, see Scopes, page 9-3.
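The role and scope model just described can be written down as an access check. The following Python example is added here for illustration and is not Cisco ANA code. The role ordering (Viewer below Operator below OperatorPlus below Configurator below Administrator, each role including the permissions of the roles below it), the rule that the most privileged role applies when an NE falls in several of a user's scopes, and the action names are assumptions of the example; the actions themselves are taken from Table 9-2, and publishing activation commands is treated as independent of scope because the table says so.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Roles from least to most privileged (ordering is an assumption of the example).
ROLE_RANK = {"Viewer": 0, "Operator": 1, "OperatorPlus": 2,
             "Configurator": 3, "Administrator": 4}

# Minimum role for actions performed on an NE; these are governed by the role
# the user holds on the scope containing that NE (examples from Table 9-2).
NE_ACTIONS = {
    "view-inventory": "Viewer",
    "refresh-port-info": "Operator",
    "acknowledge-alarm": "OperatorPlus",
}

# Minimum role for actions not tied to an NE, governed by the user's default
# role. Publishing activation commands sits here because Table 9-2 permits it
# regardless of whether the NE is inside the Configurator's scope.
GUI_ACTIONS = {
    "open-eventvision": "Operator",
    "create-map": "OperatorPlus",
    "command-builder": "Configurator",
    "publish-activation-command": "Configurator",
    "manage-users": "Administrator",
}


@dataclass(frozen=True)
class Scope:
    name: str
    devices: FrozenSet[str]


@dataclass
class User:
    name: str
    default_role: str = "Viewer"                               # default for a new user
    scope_roles: Dict[str, str] = field(default_factory=dict)  # scope name -> role


def role_for_ne(user: User, scopes: Dict[str, Scope], ne: str) -> Optional[str]:
    """Role the user holds on an NE, or None if the NE is in none of the user's
    scopes (the guide: a user sees no NEs until a scope is assigned)."""
    roles = [role for scope_name, role in user.scope_roles.items()
             if ne in scopes[scope_name].devices]
    if not roles:
        return None
    # Assumption: when an NE is in several of the user's scopes with different
    # roles, the most privileged one applies. The guide does not state this.
    return max(roles, key=lambda r: ROLE_RANK[r])


def can_on_ne(user: User, scopes: Dict[str, Scope], action: str, ne: str) -> bool:
    """Scope-governed check: the NE must be visible and the scope role sufficient."""
    role = role_for_ne(user, scopes, ne)
    if role is None:
        return False
    return ROLE_RANK[role] >= ROLE_RANK[NE_ACTIONS[action]]


def can_in_gui(user: User, action: str) -> bool:
    """Default-role check for actions that are not related to an NE."""
    return ROLE_RANK[user.default_role] >= ROLE_RANK[GUI_ACTIONS[action]]
```

The split between can_on_ne() and can_in_gui() is the point: a Configurator who holds only Viewer on a scope can still run Command Builder, but cannot acknowledge an alarm on that scope's devices, and sees nothing at all on devices outside every assigned scope.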


When creating a user account, the password has to meet stringent rules. These rules can be set globally and are documented in Setting Global Password Rules, page 6-15. That topic also describes how administrators can specify how many login attempts are allowed, after which a user account is disabled. Administrators can also configure a period after which inactive accounts are disabled; see Automatically Disabling Accounts for Inactive Users, page 6-16. Administrators can set up a daily message that is displayed when a user logs in. The message must be acknowledged to get to the login screen. For information, see Customizing a Message of the Day, page 6-2.

Chapter 11 System Health and Diagnostics

The system health and diagnostics tool provides the user with system resource utilization information for the gateway and units (physical, allocated, and used). This web-based tool monitors various aspects of the Cisco ANA system (for example, the size of the Java heap and AVM CPU usage) and enables the user to ensure that the gateway, units, and AVMs are functioning correctly. These topics describe how to work with the system health and diagnostics tool, and the various aspects of the Cisco ANA system that can be monitored:

    Logging Into the Diagnostics Tool, page 11-1
    Overview of the Diagnostics Tool Window, page 11-2
    Viewing Diagnostic Information, page 11-3
    Use Cases for the Diagnostics Tool, page 11-6

Logging Into the Diagnostics Tool

This topic provides instructions for accessing the diagnostics tool. The tool is password-protected. Before you start working with the tool, make sure you have your username, your password, and the IP address or hostname of the Cisco ANA gateway server. (To change the username and password, see Changing Passwords: Diagnostics Tool, page B-8.)

Note  The connection to the tool uses HTTPS, and the tool requires authentication.

To access the tool:

Step 1  Enter https://gateway_ip:1311/graphs in your browser, where gateway_ip is the gateway IP address. A security alert is displayed regarding the site certificate, because the browser does not trust its issuer.
Step 2  Confirm that the certificate presented is the gateway's own (for example, by comparing its fingerprint with one obtained directly on the gateway) before you click Yes, then enter the username and password.

Note  The username and password were defined during the system installation as User name and Password for the web monitoring tool. For information on how to change the username and password, see Changing Passwords: Diagnostics Tool, page B-8.

The MC Loads page (Units monitoring page) is displayed. It shows a combined graph of the loads for the gateway and units.

Overview of the Diagnostics Tool Window

Figure 11-1 shows the MC Loads page (Units monitoring page).

Figure 11-1 MC Loads Page

1  Details of the IP address of the gateway or unit and the current date and time.
2  Toolbar.
3  Web page options. We recommend you do not use Transport Counters or Status.
4  IP address hyperlink for the gateway or unit. Clicking it displays the AVMs for the selection.
5  Units row.
6  Gateway row.
7  Graph types in columns. Each horizontal row represents a gateway or a unit, and each column represents a different graph type.


Toolbar

The toolbar enables you to adjust the graph period and the columns that are displayed (see Figure 11-2).

Figure 11-2 Toolbar

The following drop-down lists appear in the toolbar:

Period
    Sets the period of time for the graphs on the page.

Add column
    Adds graph types to the page.

Remove column
    Removes graph types from the page.

Step 1  Choose an option from the Period drop-down list.
Step 2  Choose an option from the Add column or Remove column drop-down list.
Step 3  Click Submit. The changes are implemented.

Viewing Diagnostic Information


A table of graphs is displayed on the web pages, where each row represents a gateway or a unit and each column matches one of the graph types described in Interpreting the Diagnostic Graphs, page 11-4. Clicking a graph for a gateway, unit, or AVM opens the individual graph of the selected item in a separate page. Each graph displays the IP address and the name of the graph. For more information about graph types, see Interpreting the Diagnostic Graphs, page 11-4. In addition, a key is displayed at the bottom of the graph. There are two colored vertical lines (indicators) that can be displayed in the graphs (see Figure 11-3):

An out-of-memory indicator (a red vertical line) is displayed on the Java heap graph when an AVM runs out of memory. This is displayed in the combined and individual AVM graphs. A restart indicator (a green vertical line) is displayed in the AVM graph of the specific individual AVM that was restarted, as well as in the combined graph, when a Cisco ANA unit is restarted.


Figure 11-3

Out of Memory and Restart Indicators

The horizontal lines displayed in the graphs show the maximum and minimum values for a period of time. The graph history is maintained for a period of 28 days. The data history is maintained as follows:

- Data of every 15 seconds is saved for a period of 3 hours.
- All data from 3 hours to 24 hours is diluted to a sampling rate of 300 seconds.
- All data from 24 hours to 7 days is diluted to a sampling rate of 15 minutes.
- All data from 7 days to 28 days is diluted to a sampling rate of 2 hours.

Interpreting the Diagnostic Graphs


Table 11-1 identifies the available graph types.
Table 11-1 Graph Types

Graph Type         Description
Java Heap          The sizes of the Java heaps in the AVM processes.
Process Size       AVM memory process sizes.
CPU %              AVM CPU usage.
GC Time            AVM Java Garbage Collector (GC) activity.
Dropped Messages   The number of messages dropped in the Cisco ANA transport messaging mechanism. This can happen when the system is under a heavy load.
Logged Lines       The number of lines written to AVM logs.
CPU Total          The system CPU metrics for Cisco ANA unit operation.


Web Page Options


You can view the following web pages:

- MC Loads Page, page 11-5: Displays a combined graph of the loads for the gateways and units.
- MC server-ip Load Page, page 11-5: Displays combined and individual AVM graphs.

The web page options that are available depend on the web page being viewed.
MC Loads Page

Each row in the table corresponds to a Cisco ANA unit or gateway, and each column matches one of the graph types described in Interpreting the Diagnostic Graphs, page 11-4. The MC Loads page displays the combined unit and gateway graphs, where each graph stacks the readings from all AVMs in the unit graphs. Clicking the hyperlink of a unit or gateway opens the MC [server ip] Load page. For more information, see MC server-ip Load Page, page 11-5.
MC server-ip Load Page

The first row in the table of the MC server-ip Load page displays the combined AVM graph, and every row thereafter represents the graphs for an individual AVM. Each graph stacks the readings for the AVM. See Figure 11-4.
Figure 11-4 MC [server ip] Load Page


Invoking Additional Parameters


When a single graph page is opened, additional parameters can be invoked on the graph through the browser URL field, in an HTTP GET format. Table 11-2 describes the parameters that can be used and provides examples of their use.
Table 11-2 Available Graph Parameters

Parameter   Description

period      The period of the graph, in hours, minutes, days, or weeks, using the letters h, m, d, and w to indicate hours, minutes, days, and weeks respectively. For example, to generate a graph that covers a period of three hours:
            https://10.56.56.26:1311/graphs/graph.cgi?type=heap&mcip=127.0.0.1&period=3h

end         The starting time of the graph, using the same time format as in period. For example, to generate a graph from two days ago for a period of four hours:
            https://10.56.56.26:1311/graphs/graph.cgi?type=heap&mcip=127.0.0.1&period=4h&end=-2d

refresh     Refreshes the graph page periodically. The period is defined in seconds. We recommend that you set the minimum period to 20 seconds, because Cisco ANA graph data is collected every 20 seconds. In the following example, the page is refreshed every 20 seconds:
            https://10.56.56.94:1311/graphs/graph.cgi?type=heap&mcip=127.0.0.1&refresh=20

width       The width of the graph in pixels.
height      The height of the graph in pixels. In the following example, the graph is drawn with a width of 800 pixels and height of 600 pixels:
            https://10.56.56.94:1311/graphs/graph.cgi?type=heap&mcip=127.0.0.1&width=800&height=600

Use Cases for the Diagnostics Tool


The following are two use case examples for the system health and diagnostics tool.
Use Case 1

If a unit CPU graph shows high consumption and the GC Time graph is high as well, one of the AVMs might not have sufficient memory; for example, the CPU is loaded with Java Garbage Collector tasks. If this is the case, reducing the Java Garbage Collector activity can help return CPU consumption to normal.
Use Case 2

For memory consumption, we recommend that 30% of the AVM memory remain free (in a steady state). The graphs provide you with a visual way to check this rate. Check the Java Heap graph for the unit. The upper horizontal line displays the configured memory size for the AVM. The graph shows the real memory usage of the selected AVM.


For example, in the Java Heap graph shown in Figure 11-5, there is only 20% free memory:

Configured memory: 250 Mb
Used memory: 200 Mb
Free memory: 50 Mb (250-200)


Figure 11-5 Use Case 2


Chapter 12 Managing the Event Listener


These topics describe the Cisco ANA Event Listener and how to configure it to run on both a gateway and a unit:

- Overview of the Event Listener, page 12-1
- Installing and Configuring the Event Listener, page 12-1

Overview of the Event Listener


Cisco ANA event listener is a Cisco ANA internal service which runs inside the AVM 100. The event listener listens to the SNMP traps and syslogs sent by the network elements and forwards the traps and syslogs to their corresponding VNEs. VNEs must register with an event listener to receive these SNMP traps and syslogs. Each event listener has a Cisco ANA internal address, which is used by the VNEs for registration. When a VNE is initialized, the VNE reads the address of the event listener from the registry and registers with the event listener with its own IP address. After registration is performed, any trap or syslog arriving at the event listener that has the VNE-registered IP address as its source IP address is sent to that VNE. After the VNE receives an SNMP trap or syslog from the event listener, it uses a framework to identify the event and operate upon it.

Installing and Configuring the Event Listener


During installation, an AVM 100 containing the event listener service is created on the gateway and all units. By default, it is disabled. You can configure Cisco ANA to run with a single AVM 100 or multiple AVM 100s. The event listener has the internal address 1.2.3.4. By default, any VNE registered with the event listener uses this internal address. When one event listener is deployed in the system, its AVM 100 should be enabled and the AVM 100s on all other gateways or units should be disabled. No configuration changes are required; that is, the default event listener internal address and VNE configuration can be used. When multiple event listeners are deployed, each event listener must be configured with a unique internal address, as described in Configuring Multiple Event Listeners Using runRegTool, page 12-2.


Configuring a Single Event Listener


During installation, an AVM 100 containing the event listener service is created on the gateway and units. By default, it is disabled. The following procedure describes how to enable the event listener.
Before You Begin

Network elements must be configured to send SNMP traps and syslogs to the gateway or unit IP address on which the event listener is running. If the event listener will run on a unit that has a hot standby server, configure the network elements to send SNMP traps and syslogs to both the primary unit and to the hot standby server.

To configure a single event listener:


Step 1

Perform the mandatory prerequisites, if required:


- If AVM 100 is running, stop it by selecting the AVM and choosing Actions > Stop.
- If AVM 100 was running at any time since the last boot, stop and restart the gateway server:
  # cd /export/home/ana37/Main
  # ./anactl restart

Step 2  In the Servers tree, go to the gateway or unit on which you want AVM 100 to run.
Step 3  Right-click the AVM 100 and choose Actions > Start.

After installation, any event listener configured on a gateway or unit has the internal address 1.2.3.4. By default, any VNE registered with the event listener uses this internal address.

Configuring Multiple Event Listeners Using runRegTool


These topics describe how to configure multiple event listeners in Cisco ANA using the runRegTool command:

- Configuring Multiple Event Listeners, page 12-2
- Configuring an Event Listener for New VNEs, page 12-3
- Using runRegTool to Configure an Event Listener: Examples, page 12-4

Configuring Multiple Event Listeners


Complete the following procedure for each additional event listener that needs to be configured.
Before You Begin

Network elements must be configured to send SNMP traps and syslogs to the gateway or unit IP address on which the event listener is running. If the event listener will run on a unit that has a hot standby server, configure the network elements to send SNMP traps and syslogs to both the primary unit and to the hot standby server.


To configure multiple event listeners:


Step 1

Perform the mandatory prerequisites, if required:


- If AVM 100 is running, stop it by selecting the AVM and choosing Actions > Stop.
- If AVM 100 was running at any time since the last boot, stop and restart the gateway server:
  # cd /export/home/ana37/Main
  # ./anactl restart

Step 2  Choose a unique address for the event listener.
Step 3  From the gateway, issue the following runRegTool command to add an additional event listener to Cisco ANA:
        # ./runRegTool.sh -gs 127.0.0.1 set unit-ip avm100/agents/trap/xidip event-listener-address

This command updates the Golden Source. The update is automatically propagated from the gateway to the relevant units.
Step 4

Start AVM 100 on the unit with Cisco ANA Manage by right-clicking the AVM and choosing Actions > Start.

For an example of how to configure an event listener on two units, see Example: Configuring Event Listeners on Two Units, page 12-4.

Configuring an Event Listener for New VNEs

Note

Before performing the following procedure, verify that all VNEs are configured in the relevant units. Complete the following procedure for each new VNE configured in any AVM on a unit:

Step 1  Choose the event listener that is to receive the traps and syslogs for the VNE.
Step 2  Locate the AVM on which the VNE resides.
Step 3  Log into the gateway as user ana37, and change to the Main directory by entering the following command:
        # cd ANAHOME/Main

Step 4

Issue the following runRegTool command:


# ./runRegTool.sh -gs 127.0.0.1 set unit-ip vne-avm/agents/da/vne-name/trap/ip event-listener-address

This command updates the Golden Source. The update is automatically propagated to the relevant units. For details on the command syntax, see Using runRegTool to Configure an Event Listener: Examples, page 12-4.
Step 5

Reload the VNE with Cisco ANA Manage by right-clicking the VNE and choosing Actions > Start.


Using runRegTool to Configure an Event Listener: Examples


The runRegTool command uses the following format:
./runRegTool.sh -gs 127.0.0.1 set unit-ip vne-avm/agents/da/vne-name/trap/ip event-listener-address

The runRegTool command accepts the following arguments:

Argument                 Description
event-listener-address   The Cisco ANA internal IP address of the event listener. This address is used for communication between the VNEs and the event listener. For example, VNE registration is performed using this address. The format of the internal address is a standard IP address. The address must be unique in the system; the same address cannot be used by other VNEs or event listeners.

Note

A VNE uses its management IP address as the internal IP address.

unit-ip                  The IP address of the UNIX machine on which the unit resides (if there are no units, this is the gateway IP address). This IP address is defined during installation and configuration.
vne-avm                  The AVM on which the VNE is configured.
vne-name                 The name of the VNE in Cisco ANA.

Example: Configuring Event Listeners on Two Units

This example contains a gateway and two units:


- Gateway IP address: 192.168.10.1
- Unit 1 IP address: 192.168.10.2
  - Contains AVM 100, which is an event listener with the address 1.1.1.1.
  - Contains AVM 200, which is a VNE AVM.
- Unit 2 IP address: 192.168.10.3
  - Contains AVM 100, which is an event listener with the address 1.1.1.2.
  - Contains AVM 300, which is a VNE AVM.

In this example, two event listeners are configured, one on each unit. Each event listener handles the events (SNMP traps and syslogs) sent from the network elements that correspond to the VNEs it manages. After installing the gateway and the two units, configure the event listeners and the VNEs:
Step 1

Log into the gateway as user ana37, and change to the Main directory by entering the following command:
# cd Main

Step 2

Issue the following commands to configure the event listener addresses:


# ./runRegTool.sh -gs 127.0.0.1 set 192.168.10.2 avm100/agents/trap/xidip 1.1.1.1
# ./runRegTool.sh -gs 127.0.0.1 set 192.168.10.3 avm100/agents/trap/xidip 1.1.1.2


Step 3  Issue the following commands to configure the VNEs to register to their event listener:

        a. For each VNE configured to receive traps and syslogs from AVM 100 on Unit 1, use the following command:
           # ./runRegTool.sh -gs 127.0.0.1 set 192.168.10.2 avm200/agents/da/vne-name/trap/ip 1.1.1.1

        b. For each VNE configured to receive traps and syslogs from AVM 100 on Unit 2, use the following command:
           # ./runRegTool.sh -gs 127.0.0.1 set 192.168.10.3 avm300/agents/da/vne-name/trap/ip 1.1.1.2

        c. Restart the reconfigured VNEs.

Step 4  Start the new event listeners with Cisco ANA Manage by right-clicking the AVM and choosing Actions > Start.
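The following Python script is an added example, not part of Cisco ANA or this guide: it takes a planned layout of event listeners and VNEs (the two-unit example above, with constructed VNE names and management IP addresses), checks the uniqueness rules stated for event-listener-address before anything is written to the Golden Source, and emits the runRegTool lines in the order the procedure applies them.

```python
from ipaddress import ip_address

# Gateway address that runRegTool is pointed at with -gs, as in the guide.
GATEWAY = "127.0.0.1"


def check_plan(listeners, vnes):
    """Return a list of rule violations for a planned layout (empty = consistent).

    listeners: {unit_ip: event_listener_internal_address}
    vnes: list of dicts with keys unit, avm, name, mgmt_ip, listener_unit
    """
    problems = []
    internal = {}  # internal address -> owner, to enforce system-wide uniqueness
    for unit, addr in listeners.items():
        ip_address(addr)  # the internal address must be a standard IP address
        if addr in internal:
            problems.append(f"listener address {addr} on {unit} reused ({internal[addr]})")
        internal[addr] = f"event listener on {unit}"
    for v in vnes:
        # A VNE uses its management IP as its internal address, so it must not
        # clash with any event listener or with another VNE.
        ip_address(v["mgmt_ip"])
        if v["mgmt_ip"] in internal:
            problems.append(f"VNE {v['name']} management IP {v['mgmt_ip']} "
                            f"collides with {internal[v['mgmt_ip']]}")
        internal[v["mgmt_ip"]] = f"VNE {v['name']}"
        if v["listener_unit"] not in listeners:
            problems.append(f"VNE {v['name']} points at {v['listener_unit']}, "
                            "which has no event listener")
    return problems


def reg_commands(listeners, vnes):
    """Emit the runRegTool lines for the plan in the order the guide applies them:
    event listener addresses first, then each VNE's trap/ip registration."""
    cmds = [f"./runRegTool.sh -gs {GATEWAY} set {unit} avm100/agents/trap/xidip {addr}"
            for unit, addr in listeners.items()]
    for v in vnes:
        addr = listeners[v["listener_unit"]]
        cmds.append(f"./runRegTool.sh -gs {GATEWAY} set {v['unit']} "
                    f"avm{v['avm']}/agents/da/{v['name']}/trap/ip {addr}")
    return cmds


# The guide's two-unit example; VNE names and management IPs are constructed.
EXAMPLE_LISTENERS = {"192.168.10.2": "1.1.1.1", "192.168.10.3": "1.1.1.2"}
EXAMPLE_VNES = [
    {"unit": "192.168.10.2", "avm": 200, "name": "pe1",
     "mgmt_ip": "10.0.0.11", "listener_unit": "192.168.10.2"},
    {"unit": "192.168.10.3", "avm": 300, "name": "pe2",
     "mgmt_ip": "10.0.0.12", "listener_unit": "192.168.10.3"},
]

if __name__ == "__main__":
    issues = check_plan(EXAMPLE_LISTENERS, EXAMPLE_VNES)
    # Print the problems if there are any; otherwise the commands to run.
    for line in issues or reg_commands(EXAMPLE_LISTENERS, EXAMPLE_VNES):
        print(line)
```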


Chapter 13 Purging Data and Maintaining System Stability


These topics provide basic information about data purging and archiving and system stability:

- Purging Old Data Using the Integrity Service, page 13-1, describes how the Cisco ANA integrity service maintains system stability by checking for and purging old data.
- Disabling Auto-Archiving of Raw Events Received from Devices, page 13-2, provides a procedure you can use to disable the auto-archiving of incoming events from devices, which may be desirable in some configurations.

Purging Old Data Using the Integrity Service


The Cisco ANA integrity service is responsible for maintaining system stability by running integrity tests to maintain the database and eliminate clutter in the system. It is an internal service that runs on a gateway or units. Integrity tests run every 12 hours, except for the test that enforces active ticket limits (which runs hourly). You can schedule integrity tests to run automatically at specific intervals using cronjob commands. By default, integrity service tests run automatically every hour. For example, the following line in the crontab file runs the file every_12_hours.cmd at 11:00 a.m. and 11:00 p.m.:
0 11,23 * * * local/cron/every_12_hours.cmd > /dev/null 2>&1

In this example, the integrity service capacity tests are defined in the every_12_hours.cmd file; for example:
echo `date '+%d/%m/%y %H:%M:%S -'` running integrity.executeTest capacity
cd ~/Main ; ./mc.csh localhost 8011 integrity.executeTest capacity >& /dev/null

In this example, the first line is written to the gateway log and indicates the test start time. The next line runs the test. Integrity service test parameters are defined in the registry.

Note

Changes to the registry should be performed only with the support of Cisco. For more information, contact your Cisco account representative.


The integrity service tests include the following:


- backup: Backs up the registry, encryption keys, and crontab files. (Registry backup settings are described in Backing Up and Restoring the Registry, page A-1.)
- activeTicket: Archives tickets when the system's open tickets count (total number of active tickets) exceeds a defined threshold. By default, this threshold is 15,000. Cisco ANA generates a warning alarm when the total exceeds 6,000 tickets. When the total exceeds 15,000 tickets, Cisco ANA purges the total number of tickets to 12,000.
- partitioning: Monitors the size of database partitions (whether to split the partitions and drop old data).
- businessObject: Checks for invalid OIDs in business objects.
- capacity: Checks the disk space capacity and sends alarms.
- mapAspect: Removes mapAspect OIDs which are not connected to any hierarchy.
- unusableIndexes: Checks for unusable table indexes and, if found, rebuilds them.
- oidArrays: Removes OIDs which exist in the OidArrays table, but not in a parent table.
- workflowEngine: Deletes all complete workflows that have reached a certain age (in days).
- analyzeTest: Generates a System event if the period between the current date and the date each database table was analyzed is larger than the analyze-Period setting.
- Removes old reports.

Disabling Auto-Archiving of Raw Events Received from Devices


By default, Cisco ANA archives all event notifications it receives from devices. However, this feature can be disabled using the following procedure.

Note

If you disable this feature, the data will not be available for event-related reports.

Step 1  Log into the gateway as user ana37, and change to the Main directory by entering the following command:
        # cd ANAHOME/Main

Step 2  Issue the following command:
        # ./runRegTool.sh -gs 127.0.0.1 set 0.0.0.0 site/trap/agents/trap/netEventPersistencyEnabled f

Step 3  Restart AVM 100.


Appendix A Backing Up and Restoring the Registry


These topics describe how to back up and restore the Cisco ANA registry:

- Backing Up the Cisco ANA Registry, page A-1
- Restoring the Cisco ANA Registry, page A-4

Note

The procedures described in these topics do not back up the Oracle database. Refer to your Oracle documentation for instructions on how to back up the Oracle software.

Backing Up the Cisco ANA Registry


These topics describe the Cisco ANA registry backup procedure:

- Overview of the Registry Backup Procedure, page A-1
- Before You Begin Backing Up the Registry, page A-2
- Performing a Manual Backup, page A-2
- Changing the Periodic Backup Time, page A-3

These procedures do not back up the Oracle database. Refer to your Oracle documentation for instructions on how to back up the database.

Overview of the Registry Backup Procedure


Cisco ANA backs up its registry data, encryption key, and crontab files once a week using the UNIX cron mechanism. By default, an entry in the cron table (crontab) runs the backup procedure every Sunday at 1:00 a.m. To restore data, you must execute the restore.csh command manually. The backup files are stored in the directory ANAHOME/db/db_backup/[date+time] where:

- ANAHOME is the installation directory, normally /export/home/ana37.
- [date+time] is a directory name composed of the date and time of the backup.

For example, /export/home/ana37/db/db_backup/200904130404/ is created on 13 April 2009 at 4:04 a.m. By default, the cron table executes the backup procedure every Sunday at 1:00 a.m.


Note

If you reinstall the server using the install.pl script, the ana37 user and the content under it are deleted; this includes the default backup directory. You can change the location, but the user ana37 must be able to write to the location. For example, the default directory permissions are:
drwx------ 2 ana37 ana37 512 Sep 24 02:54

We recommend that you do not locate the backup directory under /tmp, since this directory is deleted whenever the server is rebooted, and the backed-up content lost. To maximize data safety, we recommend that you copy the backed-up directory to an external storage location, such as a DVD or a disk on a different server.

Before You Begin Backing Up the Registry


Cisco ANA uses SSH to connect to the machine on which you will back up your data. Even if you copy files to a local drive, the SSH connection must be established for the procedure to succeed. To avoid any possible SSH errors, perform the following procedure, which makes sure the SSH hosts file (ANAHOME/.ssh/known_hosts) will accept connections from all hosts. (ANAHOME is the installation directory, normally /export/home/ana37.)

Step 1  Make sure the SSH daemon is running.
Step 2  Log in to the gateway server as user ana37.
Step 3  Enter the following command:
        # ssh localhost ls

If Cisco ANA returns a list of files, you are done. Otherwise (if SSH informs you that it did not find a fingerprint), proceed to Step 4.
Step 4

Enter yes after the following output:


The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
DSA key fingerprint is 33:dc:5a:39:20:48:5f:5d:7d:94:63:dc:83:1a:1d:13.
Are you sure you want to continue connecting (yes/no)?

Step 5

Repeat Step 3. Cisco ANA returns a list of files, indicating that the system was updated.

Performing a Manual Backup


As described in Overview of the Registry Backup Procedure, page A-1, Cisco ANA automatically performs a registry backup every week. You can also perform manual backups using the following procedure.
Step 1  Perform the procedure described in Before You Begin Backing Up the Registry, page A-2, to make sure Cisco ANA can communicate over SSH.
Step 2  Open an SSH session to the Cisco ANA gateway and log in as ana37.


Step 3

Change the directory to the installation directory:


# cd ANAHOME

Step 4

Start the backup:


# mc.csh localhost 8011 integrity.executeTest backup

Note

It is normal for null to appear in response to this command.

Changing the Periodic Backup Time


Registry backups are controlled according to commands in the crontab file. The crontab file consists of lines, where each line contains six fields:
min hour day-of-month month-of-year day-of-week command
The fields are separated by spaces or tabs. The first five are integer patterns that can contain the following values:

Field           Acceptable Values
min             Minute in range 0-59
hour            Hour in range 0-23
day-of-month    Day in range 1-31
month-of-year   Month in range 1-12
day-of-week     Day in range 0-6 (0=Sunday)
command         Command

To specify days using only one field, set the other fields to *. For example, 0 0 * * 1 runs a command only on Mondays. In the following example, core files are cleaned up every weekday morning at 3:15 a.m.:
15 3 * * 1-5 find $HOME -name core 2>/dev/null | xargs rm -f

The sequence 0 0 1,15 * 1 runs a command on the first and fifteenth of each month as well as every Monday. Use this procedure to change when Cisco ANA backs up its registry (this command also changes when Cisco ANA will run integrity tests; see Purging Old Data Using the Integrity Service, page 13-1).
Step 1  Perform the procedure described in Before You Begin Backing Up the Registry, page A-2, to make sure Cisco ANA can communicate over SSH.
Step 2  Log into the Cisco ANA gateway machine as user ana37.
Step 3  Edit the cron table as follows:
        crontab -e


Step 4  Make your changes to the crontab file.
Step 5  Restart the gateway server.
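As an added example (not the guide's own tooling), the following Python code parses a crontab line against the field ranges in the table above and reports whether the entry fires at a given moment; it uses the cron lines shown in this appendix and in Chapter 13, and the command paths for the 1,15/Monday sequence and for the default Sunday 1:00 a.m. backup are constructed placeholders.

```python
import datetime

# Field names and acceptable ranges, as listed in the crontab table above.
FIELD_RANGES = (("min", 0, 59), ("hour", 0, 23), ("day-of-month", 1, 31),
                ("month-of-year", 1, 12), ("day-of-week", 0, 6))


def parse_field(spec, lo, hi, name):
    """Expand one time field ('*', 'a', 'a-b' or a comma list) into a set of ints."""
    if spec == "*":
        return set(range(lo, hi + 1))
    values = set()
    for part in spec.split(","):
        first, _, last = part.partition("-")
        start = int(first)
        end = int(last) if last else start
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{name} value {part!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1))
    return values


def parse_crontab_line(line):
    """Split a crontab line into five validated time fields plus the command."""
    parts = line.split(None, 5)
    if len(parts) != 6:
        raise ValueError("a crontab line needs five time fields and a command")
    entry = {"command": parts[5]}
    for spec, (name, lo, hi) in zip(parts[:5], FIELD_RANGES):
        entry[name] = parse_field(spec, lo, hi, name)
        entry[name + "/restricted"] = spec != "*"   # needed for the day rule below
    return entry


def is_valid_line(line):
    """True when every field is well formed and within its range."""
    try:
        parse_crontab_line(line)
        return True
    except ValueError:
        return False


def fires_at(entry, when):
    """True if the entry runs at the given datetime (seconds are ignored).

    Standard cron rule, which matches the guide's reading of '0 0 1,15 * 1':
    when both day-of-month and day-of-week are restricted, either matching is enough.
    """
    if (when.minute not in entry["min"] or when.hour not in entry["hour"]
            or when.month not in entry["month-of-year"]):
        return False
    dom_ok = when.day in entry["day-of-month"]
    dow_ok = (when.weekday() + 1) % 7 in entry["day-of-week"]  # cron: 0 = Sunday
    if entry["day-of-month/restricted"] and entry["day-of-week/restricted"]:
        return dom_ok or dow_ok
    return dom_ok and dow_ok


def runs_at(line, year, month, day, hour, minute):
    """Parse a line and test one calendar moment."""
    return fires_at(parse_crontab_line(line),
                    datetime.datetime(year, month, day, hour, minute))


# Lines from this guide (the 12-hourly integrity run, the core-file cleanup and
# the first-and-fifteenth-or-Monday sequence) plus a constructed line for the
# default Sunday 1:00 a.m. registry backup; /path/to/... are placeholders.
EXAMPLE_LINES = [
    "0 11,23 * * * local/cron/every_12_hours.cmd > /dev/null 2>&1",
    "15 3 * * 1-5 find $HOME -name core 2>/dev/null | xargs rm -f",
    "0 0 1,15 * 1 /path/to/command",
    "0 1 * * 0 /path/to/registry-backup",
]

if __name__ == "__main__":
    for line in EXAMPLE_LINES:
        print(f"{line!r} fires on Mon 2009-04-13 00:00: "
              f"{runs_at(line, 2009, 4, 13, 0, 0)}")
```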

Restoring the Cisco ANA Registry


Before you begin, the Cisco ANA gateway must be installed as described in the Cisco Active Network Abstraction 3.7 Installation Guide. You need to log in as root. To restore from a backup:
Step 1

Change to the ANAHOME/Main/scripts directory by executing the following command:


# cd ANAHOME/Main/scripts

Step 2

Execute the restoration script:


# chmod 700 restore.csh
# restore.csh backup-files-location sheer-home-location

Note

By default, backup-files-location is ANAHOME/db/db_backup/date+time (as configured through the registry). The filler date+time is a directory name composed of a date and backup time. For example, /export/home/ana37/db/db_backup/200904130404/ is created on 13 April 2009 at 4:04 a.m.

Step 3

Once the restoration is successful, initialize the Cisco ANA gateway by running the following commands:
# su - ana37
# cd Main
# ./anactl restart


Appendix B System-Wide Commands and Utility Scripts


The following topics describe the Cisco ANA utility scripts that you can use to perform the following commonly used procedures:

- Restarting the Cisco ANA Gateway Using anactl, page B-1
- Restarting a Cisco ANA Unit Using anactl, page B-2
- Adding Multiple VNEs in Bulk, page B-2
- Changing Passwords: Cisco ANA Database, page B-5
- Changing Passwords: bosenable, bosconfig, bosusermanager, page B-7
- Changing Passwords: Diagnostics Tool, page B-8
- Running a Command on All Cisco ANA Units, page B-8

Restarting the Cisco ANA Gateway Using anactl


You can restart the gateway from the UNIX command line. ANAHOME is the Cisco ANA installation directory, normally /export/home/ana37. To restart the gateway:
Step 1  Open an SSH session to the Cisco ANA gateway, and log into the machine.
Step 2  Run the following script:
        # ANAHOME/Main/anactl restart


Restarting a gateway restarts all units that were down. It does not restart units that were up before the gateway was restarted. Those units remain up. For information on restarting units, see:

- Restarting a Cisco ANA Unit Using anactl, page B-2
- Running a Command on All Cisco ANA Units, page B-8

Note

When the gateway is restarted, all clients are reconnected.

Note

The server status can be verified using Cisco ANA Manage.

Restarting a Cisco ANA Unit Using anactl


Restarting a unit stops all AVM processes on that unit and restarts them. Given that the system saves part of its information within the process memory, restarting a unit causes some of the information to disappear. Therefore, it takes as long as the longest full polling cycle for the system to recover all information that was stored in the process memory prior to the restart. Data that was saved in persistent storage before restarting is available immediately.

Restarting a machine can cause some of the VNEs running on the machine to be reported as unreachable. This is due to handshake protocols with the unit that fail due to the unavailability of the VNEs. Restarting a machine stops all active queries, flows, and transactions that are currently being run within the VNEs that run on the restarted Cisco ANA unit.

If a unit is running, you cannot restart it by restarting the gateway. The anactl command restarts Cisco ANA only on the server (gateway or unit) on which you run anactl. For more information, see Restarting the Cisco ANA Gateway Using anactl, page B-1.

To restart a unit:
Step 1  Open an SSH session to the Cisco ANA unit and log into the machine.
Step 2  Run the following script:
        % ANAHOME/Main/anactl restart

Adding Multiple VNEs in Bulk


Cisco ANA provides a sample Perl script that enables you to add multiple VNEs to Cisco ANA at the same time. The script name is vne_creation_script.pl and it resides in Main/scripts. This script reads a configuration file with the relevant VNE information, adds the VNEs to Cisco ANA, and produces a report log file for your reference. If appropriate for your network and environment, you can schedule this script to run as a cron job.


The high-level process for adding multiple VNEs includes the following tasks:
1. Create a configuration file that contains the VNEs that you want to add. For details, see Configuration File, page B-3.
2. Run the command as described in Command Syntax, page B-3.
3. Verify the results as described in Results, page B-5.

Command Syntax
Log into the Cisco ANA gateway as user ana37 to run this command. The vne_creation_script.pl script uses the following command format:
perl vne_creation_script.pl [configuration_filename] [log_suffix]
where:

- configuration_filename is the name of the file containing the information about the VNEs to be added to Cisco ANA. See Configuration File, page B-3 for more information about this file.
- log_suffix is a unique identifier for the bulk VNE addition.

If you do not supply the arguments, the script prompts you for the information. For example:
# cd ANAHOME/Main/scripts
# perl ./vne_creation_script.pl
please enter input file name : vne_addition_1.txt
please enter log file suffix ( any number or id so you will know it belongs to your setup ): 333
.
.
finished reading at : 16:42:37
finished

Configuration File
The vne_creation_script.pl script takes the name of a configuration file as one of its arguments. The configuration file contains information about the VNEs that you want to add to Cisco ANA and uses a flat text file format. To create a configuration file for adding VNEs:
Step 1

Open a text editor and begin the configuration file text with the following entry:
mm gateway-ip

The configuration file must begin with this entry.


Step 2

(Optional) Enter the Cisco ANA username and password, as follows:


user username password password

If you do not enter the username and password in the configuration file, you are prompted for them when the script runs.


Step 3

Enter information for the VNEs that you want to add by using any of the following entries:

Entry                                        Description
mc unit-ip                                   Adds the unit with the IP address unit-ip and uplinks it to the gateway.
scheme scheme-name                           Specifies the scheme to be used for the VNE: ipcore, product, or default. (If you enter default, Cisco ANA uses the product scheme.) For more information about schemes, see Choosing a VNE Scheme, page 5-14.
avm avm-number [memory-allocation]           Adds an AVM with the ID of avm-number, and optional memory allocation.
load avm-number                              Loads (starts) the AVM with the ID of avm-number.
agent-name-ip agent-ip-address telnet        Adds and loads the agent with any specified Telnet or SNMP information. If you do not enter the optional SNMP read and write community strings, Cisco ANA defaults to public and private, respectively.
  telnet-seq [snmpr read-community-string]
  [snmpw write-community-string]
cloud-name ip cloud                          Adds and loads a cloud with the specified name and IP address.
# remark                                     Treats the line as a comment.
read_file file-containing-BQL-commands       Places the specified BQL file content into the gateway. (This can be used for adding static links.) For more information about using BQL scripts to add AVMs and VNEs, see the Cisco Active Network Abstraction 3.7 Customization User Guide.

When you are done, your configuration file might resemble the following:
mm 172.20.68.122
user root password admin
scheme product
mc 172.20.68.122
avm 208 350
22.2.4.22_10 20.0.10.17 telnet ":,admin,Router>,enable,:,admin,Router#,"
22.3.9.22_10 20.0.10.33 telnet ":,admin,Router>,enable,:,admin,Router#,"
22.10.2.22_10 20.0.10.103 telnet ":,admin,Router>,enable,:,admin,Router#,"
22.8.4.22_10 20.0.10.83 telnet ":,admin,Router>,enable,:,admin,Router#,"
22.5.7.22_10 20.0.10.53 telnet ":,admin,Router>,enable,:,admin,Router#,"
22.7.1.22_10 20.0.10.69 telnet ":,admin,Router>,enable,:,admin,Router#,"
22.7.6.22_10 20.0.10.74 telnet ":,admin,Router>,enable,:,admin,Router#,"
Cloud1 10.10.10.1 cloud
Cloud6 10.10.10.6 cloud
Cloud54 10.10.10.54 cloud
Cloud4 10.10.10.4 cloud

Another example of a configuration file is provided with Cisco ANA at ANAHOME/Main/scripts/vne-examples.txt.
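Because the configuration file carries the Cisco ANA login (the optional user/password line), the device Telnet login sequences, and SNMP community strings that silently default to public and private when omitted, it is worth checking a file before handing it to vne_creation_script.pl. The following parser and linter is an added example written for this guide; it is not part of Cisco ANA or of the script itself. It recognizes the entry kinds listed above, and its sample file is adapted from the example configuration in this section (the addresses and passwords are documentation values). The finding messages and the snmpr/snmpw handling for the agent line are this example's own interpretation of the entry table.

```python
"""Parse and lint a vne_creation_script.pl configuration file.

Added example, not part of Cisco ANA. It models the flat entry format the
appendix documents (mm, user, scheme, mc, avm, load, read_file, # remark,
agent and cloud lines) and reports the settings an administrator should
review before running the script: clear-text credentials in the file and
SNMP community strings left at their public/private defaults.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample, adapted from the example in the appendix. The addresses
# and passwords are documentation values, not real systems.
SAMPLE_CONFIG = """\
mm 172.20.68.122
user root password admin
scheme product
mc 172.20.68.122
avm 208 350
# core routers
22.2.4.22_10 20.0.10.17 telnet ":,admin,Router>,enable,:,admin,Router#,"
22.3.9.22_10 20.0.10.33 telnet ":,admin,Router>,enable,:,admin,Router#," snmpr ro-string snmpw rw-string
Cloud1 10.10.10.1 cloud
"""

KEYWORDS = {"mm", "user", "scheme", "mc", "avm", "load", "read_file"}


def parse_entries(text: str) -> List[Dict]:
    """Turn each non-empty line into a dict whose 'kind' names the entry type."""
    entries: List[Dict] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            entries.append({"kind": "remark", "line": lineno, "text": line[1:].strip()})
            continue
        tokens = shlex.split(line)  # keeps the quoted telnet sequence as one token
        head = tokens[0]
        if head in KEYWORDS:
            entries.append({"kind": head, "line": lineno, "args": tokens[1:]})
        elif len(tokens) == 3 and tokens[2] == "cloud":
            entries.append({"kind": "cloud", "line": lineno, "name": head, "ip": tokens[1]})
        elif len(tokens) >= 4 and tokens[2] == "telnet":
            entry = {"kind": "agent", "line": lineno, "name": head, "ip": tokens[1],
                     "telnet_seq": tokens[3], "snmpr": None, "snmpw": None}
            # optional "snmpr <ro>" / "snmpw <rw>" pairs follow the telnet sequence
            rest = tokens[4:]
            for opt, val in zip(rest[::2], rest[1::2]):
                if opt in ("snmpr", "snmpw"):
                    entry[opt] = val
            entries.append(entry)
        else:
            entries.append({"kind": "unknown", "line": lineno, "text": line})
    return entries


def lint(entries: List[Dict]) -> List[Tuple[int, str]]:
    """Return (line number, message) findings; an empty list means nothing to review."""
    findings: List[Tuple[int, str]] = []
    if not entries or entries[0]["kind"] != "mm" or len(entries[0]["args"]) != 1:
        findings.append((1, "file must begin with 'mm gateway-ip'"))
    telnet_noted = False
    for e in entries:
        if e["kind"] == "user":
            findings.append((e["line"], "Cisco ANA username and password stored in clear text; "
                                        "omit the line and let the script prompt for them"))
        elif e["kind"] == "agent":
            if e["snmpr"] is None or e["snmpw"] is None:
                findings.append((e["line"], f"{e['name']}: SNMP community strings omitted, "
                                            "defaults public/private will be used"))
            elif e["snmpr"] == "public" or e["snmpw"] == "private":
                findings.append((e["line"], f"{e['name']}: default SNMP community string set explicitly"))
            if not telnet_noted:
                telnet_noted = True
                findings.append((e["line"], "telnet sequences embed device login credentials; "
                                            "restrict the file's permissions and remove it after the import"))
        elif e["kind"] == "unknown":
            findings.append((e["line"], "unrecognized entry"))
    return findings


def lint_text(text: str) -> List[Tuple[int, str]]:
    """Convenience wrapper: parse and lint in one call."""
    return lint(parse_entries(text))


if __name__ == "__main__":
    for line, msg in lint_text(SAMPLE_CONFIG):
        print(f"line {line}: {msg}")
```

Run against the sample, the linter reports the clear-text user line and, for the first agent, both the missing community strings and the embedded Telnet credentials; the second agent passes because it supplies its own snmpr and snmpw values.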


Results
When the vne_creation_script.pl script has successfully executed, you can view the additions in Cisco ANA Manage (see Figure B-1) or the log file. The log file resides in the directory from which the script was run and is named scriptlogxxx.txt where xxx is the suffix that you specified when issuing the command. Using the example that was provided in Command Syntax, page B-3, the log file would be named scriptlog333.txt.
Figure B-1 Bulk VNE Addition in Cisco ANA Manage

If the vne_creation_script.pl script fails, it displays the errors it encounters. For example:
<Description type="String">ERROR (5111): An VNE by that name already exists</Description>
<ErrorStackTrace type="java.lang.String_Array">
<java.lang.String>com.sheer.metromission.plugin.bosmanage.handlers.ElementManagementElementHandler.validateNewElement(ElementManagementElementHandler.java:442)</java.lang.String>

If errors appear, correct the configuration file or BQL script and run the command again.

Changing Passwords: Cisco ANA Database


The passwords for the database schemas are established during Cisco ANA installation. Cisco ANA supports three schemas:

ana37, the main database tables.
ana37_EP, the event processing database tables.
ana37_DWE, the Workflow Engine database tables.


The following procedures explain how to change the passwords for these schemas.
Before You Begin

Change the Oracle password of the user ana37 before changing the Cisco ANA database password as described in this procedure. To change the schema password for ana37 (the main database tables):
Step 1

Open an SSH session to the Cisco ANA gateway server and log in as ana37.

Step 2

Enter the following sqlplus command to change the ana37 schema password in the Oracle software:
# sqlplus /nolog \@$ANAHOME/Main/unix/setPassword.sql DBA-username DBA-password ANA-DB-user ANA-DB-new-password DB-IP DB-port SID

For example:
# sqlplus /nolog \@$ANAHOME/Main/unix/setPassword.sql system systempassword ana37 ana37newDBpassword 127.0.0.1 1521 MCDB

Step 3

Enter the following to change the ana37 schema password in the Cisco ANA software (the gateway server must be up and running):
# cd $ANAHOME/Main
# ./runRegTool.sh -gs localhost setEncrypted 0.0.0.0 persistency/nodes/main/PASS ANA-DB-new-password

Step 4

Restart the gateway server and units:


# $ANAHOME/Main/anactl restart

To change the schema password for ana37_EP (the event processing database tables):
Step 1

Open an SSH session to the Cisco ANA gateway server and log in as ana37.

Step 2

Enter the following sqlplus command to change the ana37_EP password in the Oracle software:
# sqlplus /nolog \@$ANAHOME/Main/unix/setPassword.sql DBA-username DBA-password ANA-EP-DB-user ANA-EP-DB-new-password DB-IP DB-port SID

For example:
# sqlplus /nolog \@$ANAHOME/Main/unix/setPassword.sql system systempassword ana37ep ana37EPnewDBpassword 127.0.0.1 1521 MCDB

Step 3

Enter the following to change the ana37_EP password in the Cisco ANA software (the gateway server must be up and running):
# cd $ANAHOME/Main
# ./runRegTool.sh -gs localhost setEncrypted 0.0.0.0 persistency/nodes/main/PASS ANA-EP-DB-new-password

Step 4

Restart the gateway server and units:


# $ANAHOME/Main/anactl restart


To change the schema password for ana37_DWE (the workflow database tables):
Step 1

Open an SSH session to the Cisco ANA gateway server and log in as ana37.

Step 2

Enter the following sqlplus command to change the ana37_DWE schema password in the Oracle software:
# sqlplus /nolog \@$ANAHOME/Main/unix/setPassword.sql DBA-username DBA-password ANA-WF-DB-user ANA-WF-DB-new-password DB-IP DB-port SID

For example:
# sqlplus /nolog \@$ANAHOME/Main/unix/setPassword.sql system systempassword ana37dwe ana37DWEnewDBpassword 127.0.0.1 1521 MCDB

Step 3

Enter the following to change the ana37_DWE schema password in the Cisco ANA software (the gateway server must be up and running):
# cd $ANAHOME/Main
# ./runRegTool.sh -gs localhost setEncrypted 0.0.0.0 persistency/nodes/main/PASS ANA-WF-DB-new-password

Step 4

Restart the gateway server and units:


# $ANAHOME/Main/anactl restart

Changing Passwords: bosenable, bosconfig, bosusermanager


The passwords for bosenable, bosconfig, and bosusermanager are established during the Cisco ANA installation. Use the following to change these passwords.
Step 1

Using an SSH session, log in to the Cisco ANA gateway as the ana37 user.

Step 2

Switch to the Main directory:
# cd ANAHOME/Main

Step 3

Encrypt the new password using the following command:
java -classpath ./classes.jar com.sheer.metromission.authentication2.PasswordEncrypt password

The encrypted password is listed in the command output (after the comma). You will need this information in Step 4. For example, the following command creates a new password for test. The second quoted string in the output is what you will need in the subsequent step.
# java -classpath ./classes.jar com.sheer.metromission.authentication2.PasswordEncrypt test
'test' -> 'PEv1:DC57A2A7', '7E84D3A8F60F30B7B62946D532E24608'

Step 4

Log in to the Oracle database and change the password for bosenable, bosconfig, and bosusermanager.
a.

Change the password for bosenable using the following command, where xxx is the second string of output from Step 3:
update bosuser set ENCRYPTEDPASSWORD='xxx' where username='bosenable';


For example:
SQL> update bosuser set ENCRYPTEDPASSWORD='7E84D3A8F60F30B7B62946D532E24608' where username='bosenable';
1 row updated.

b.

Commit the change:


SQL> commit;
Commit complete.

c.

Repeat Step a and Step b for bosconfig and bosusermanager.

Changing Passwords: Diagnostics Tool


The username and password for the Diagnostics Tool (described in System Health and Diagnostics, page 11-1) are established during the Cisco ANA installation. To change the passwords:
Step 1

Using an SSH session, log in to the Cisco ANA gateway as the ana37 user.

Step 2

Switch to the Cisco ANA home directory (ANAHOME):
# cd ANAHOME

Step 3

Change the username and password for the Diagnostics tool using the following command:
# ./utils/solaris/apache/bin/htpasswd ./Main/webroot/.passwd new-username

The utility will prompt you for a new password for new-username.

Running a Command on All Cisco ANA Units


The script rall.csh is a utility used to run a given command on all units (not on the gateway), as follows:
# ANAHOME/rall.csh script

where script is the script name. The following script example restarts all units:
# ANAHOME/rall.csh ./Main/anactl restart


Appendix C  Working with the Registry


The following topics provide an introduction to the Cisco ANA registry and common settings you may want to customize:

Overview of the Cisco ANA Registry, page C-1
Changing Registry Settings Using runRegTool, page C-3

Overview of the Cisco ANA Registry


The Cisco ANA registry is a collection of xml files (called hives) that comprise and control the Cisco ANA system configuration. The registry contains almost all definitions and configurations used by Cisco ANA. A copy of the registry is located on the gateway server and every unit in the following location:
ANAHOME/Main/registry/

Registry files are made up of key names and entry names. The following file fragment shows some key and entry names in the polling groups registry file:
<key name="pollinggroups">
  <key name="default">
    <key name="buffering">
      <entry name="interval">190000</entry>
    </key>
    <key name="configuration">
      <entry name="interval">900000</entry>
    </key>
  </key>
</key>

The registry files on the gateway server and units are replicas of the Golden Source registry. The Golden Source registry is the master that is responsible for maintaining, distributing, and updating registry configuration files to all units and the gateway server. Whenever a unit or gateway restarts, it accesses the Golden Source registry to retrieve any updates to the configuration. If a unit cannot connect to the gateway, it uses its local copy of the registry files. The master copy of the Golden Source files is centrally located on the gateway server at: ANAHOME/Main/registry/ConfigurationFiles


The contents are:


/0.0.0.0: the template directory, which is used by the system.
/127.0.0.1: the gateway directory.
A subfolder for each unit.

The subfolders are created during the installation procedure. Each subfolder contains the relevant registry .xml files. These files can be edited as described in Changing Registry Settings Using runRegTool, page C-3. All Golden Source subdirectories contain a file called site.xml. This file contains registry settings that have been customized. When the system restarts, these settings are copied to (and override) all other Golden Source directories. Every key and entry in the Golden Source can be overridden by an entry in site.xml.

Note

All registry customizations should be made to ANAHOME/Main/registry/ConfigurationFiles/0.0.0.0/site.xml.

Figure C-1 displays an example of the registry files for each server and the Golden Source hives.
Figure C-1 Registry Files And Golden Source Hives


The Golden Source mechanism enables consistent management of the entire system. Each unit and gateway has its own set of registry configuration files and parameters. The registry files are replicated automatically during the installation of the unit and gateway. Each time a unit and gateway process starts, it accesses the Golden Source and retrieves the updated configuration. All additions and changes to the Golden Source are automatically sent to the relevant servers. Each unit keeps a local copy of its relevant registry files. When a unit cannot connect to the gateway, this local copy is used.

Changing Registry Settings Using runRegTool


You can change registry settings using the runRegTool command, which is located in ANAHOME/Main.
Note

Changes to the registry should only be carried out with the support of Cisco. For details, contact your Cisco account representative.

The runRegTool command has the following format:
./runRegTool -gs hostname command key [value]

Note

Registry changes should only be made to the site.xml file. Therefore, your command syntax should always include site as the first part of the key name:
./runRegTool -gs hostname command site/key [value]

The runRegTool command takes the following options.

-gs
    Performs a registry command using the Golden Source.

hostname
    Hostname of the unit or gateway server.

command
    runRegTool command:
    set: Sets a registry key named key to a new value of value.
    setEncrypted: Sets and encrypts the registry key named key to value.
    unset: Returns a registry key named key to its default value.
    add: Adds a new registry key named key with a value of value.
    remove: Deletes a registry key named key.
    listNoDefault: Lists all registry keys that are not set to their default value.
    get: Retrieves the value of a registry key named key.
    getall: Retrieves the value of all registry keys.

key
    Registry entry name consisting of the XML file name, the key name(s), and entry.

    To change a registry setting for a specific instance of a VNE, you must precede the key argument with a string in the following format:
    avmxxx/agents/da/vne-key/...
    where:
    avmxxx is the AVM on which the VNE resides
    vne-key is the VNE ID used by Cisco ANA
    (You can view these values by selecting the AVM from the ANA Servers branch in the Cisco ANA Manage window.)

    For all other registry changes, you should precede the key string with site/ so that changes are made to the local site.xml file. This example would change the agents key in the mmvm.xml file, but only write the changes to the local (site) copy of the registry:
    site/mmvm/agents/

value
    The new value for the registry entry.

The following are some examples of how to use the runRegTool:

This command returns the current settings for all polling groups:
# ./runRegTool.sh -gs localhost get pollinggroups

This command configures the LDP Neighbor Down event to not persist its alarm information:
# ./runRegTool.sh -gs gateway_IP set unit_IP "site/event-persistency-application/events/LDP neighbor loss/sub-types/LDP neighbor down/alarm-persistency" unpersist

This command returns the current adaptive polling settings for a VNE with the ID CRS1-local, that runs on AVM 521:
# ./runRegTool.sh -gs gateway_IP get unit_IP "avm521/agents/da/CRS1-local/dcs/type/com.sheer.metrocentral.coretech.common.dc.ManagedElement/adaptivePolling"
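The two ideas that make the key argument work are the path layout (hive file name, then nested key names, then the entry name) and the rule that a value in site.xml overrides the same path in the Golden Source hive. The following resolver is an added example written for this guide, not Cisco ANA code and not what runRegTool does internally. The pollinggroups fragment is the one printed in Overview of the Cisco ANA Registry; the layout of site.xml used here (a key named after the hive under a root key called site) and the override value 1800000 are assumptions made for the example. The vne_key helper builds the avmxxx/agents/da/vne-key/... prefix described above.

```python
"""Resolve a Cisco ANA registry entry the way the appendix describes.

Added example, not Cisco ANA code. A hive is an XML file of nested
<key name="..."> elements holding <entry name="...">value</entry> leaves, and
a runRegTool key names the hive file, the key path and the entry
(for example site/pollinggroups/default/buffering/interval). Every key and
entry in the Golden Source can be overridden by the same path in site.xml.
The hive fragment is the one printed in the appendix; the layout of site.xml
(a key named after the hive under a root key "site") is an assumption made
for this example, as is the constructed override value.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

POLLINGGROUPS_XML = """
<key name="pollinggroups">
  <key name="default">
    <key name="buffering"><entry name="interval">190000</entry></key>
    <key name="configuration"><entry name="interval">900000</entry></key>
  </key>
</key>
"""

# Assumed site.xml layout (constructed): overrides mirror the hive's key path.
SITE_XML = """
<key name="site">
  <key name="pollinggroups">
    <key name="default">
      <key name="configuration"><entry name="interval">1800000</entry></key>
    </key>
  </key>
</key>
"""


def split_key(key: str) -> Tuple[str, List[str], str]:
    """'site/pollinggroups/default/buffering/interval' -> ('pollinggroups', ['default', 'buffering'], 'interval')."""
    parts = [p for p in key.strip("/").split("/") if p]
    if parts and parts[0] == "site":
        parts = parts[1:]  # the 'site/' prefix only selects the site.xml copy
    if len(parts) < 2:
        raise ValueError("key needs at least a hive name and an entry name")
    hive, *keys, entry = parts
    return hive, keys, entry


def vne_key(avm: int, vne_id: str, path: str) -> str:
    """Build the per-VNE prefix the appendix gives: avmxxx/agents/da/vne-key/..."""
    return f"avm{avm}/agents/da/{vne_id}/{path}"


def _lookup(node: ET.Element, keys: List[str], entry: str) -> Optional[str]:
    """Walk nested <key> elements by name and return the <entry> text, or None."""
    for name in keys:
        node = node.find(f"key[@name='{name}']")
        if node is None:
            return None
    leaf = node.find(f"entry[@name='{entry}']")
    return None if leaf is None else (leaf.text or "")


class Registry:
    """In-memory view of the Golden Source hives plus the site.xml overrides."""

    def __init__(self, hives: Dict[str, str], site_xml: str):
        self.hives = {name: ET.fromstring(text.strip()) for name, text in hives.items()}
        self.site = ET.fromstring(site_xml.strip())

    def get(self, key: str) -> Tuple[Optional[str], str]:
        """Return (value, source) where source is 'site.xml', 'golden-source' or 'missing'."""
        hive, keys, entry = split_key(key)
        site_hive = self.site.find(f"key[@name='{hive}']")
        if site_hive is not None:
            value = _lookup(site_hive, keys, entry)
            if value is not None:
                return value, "site.xml"  # site.xml wins over the hive's own value
        root = self.hives.get(hive)
        value = None if root is None else _lookup(root, keys, entry)
        return value, ("golden-source" if value is not None else "missing")


if __name__ == "__main__":
    reg = Registry({"pollinggroups": POLLINGGROUPS_XML}, SITE_XML)
    for k in ("pollinggroups/default/buffering/interval",
              "site/pollinggroups/default/configuration/interval"):
        print(k, "->", reg.get(k))
```

The source tag returned by get() is the useful part for an administrator: it shows whether a value in effect comes from a customization in site.xml or from the shipped hive, which is what listNoDefault is for in the real tool.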


Appendix D  Using High Availability


These topics describe the high availability (redundancy) and protection options available for units and gateways:

Overview of High Availability, page D-1
Configuring Cisco ANA Units for High Availability, page D-8
Managing the Watchdog Protocol, page D-12
High Availability Registry Settings, page D-13

Note

High availability is an optional feature that can be used with Cisco ANA. Cisco ANA does not provide a solution for the configuration of high availability for a Cisco ANA gateway. For information on configuring high availability for a Cisco ANA gateway using Veritas, contact your Cisco account representative.

Overview of High Availability


The high availability architecture ensures continuous availability of Cisco ANA functionality by detecting and recovering from a wide range of hardware and software failures. The distributed design of the system enables the impact radius caused by a single fault to be confined. This prevents all types of faults from setting into motion the domino effect, which can lead to a crash of all the management services. High availability of the server backbone is achieved at several complementary levels. For example:

NEBS-3 compliant carrier-class server hardware.
Internal watchdog within each unit, responsible for monitoring and, if necessary, automatically reloading failed processes.
N+m warm standby protection for unit groups.

Note

Cisco ANA does not provide a solution for the configuration of high availability for a Cisco ANA gateway. For information on configuring high availability for a Cisco ANA gateway using Veritas, contact your Cisco account representative.


See the following topics for more information:


Watchdog Protocol, page D-2
Unit N+m High Availability, page D-2
Estimating Down Time in Case of Failure, page D-4

Watchdog Protocol
The watchdog protocol monitors the AVM processes to make sure any AVMs that have failed are restarted. The watchdog protocol is normally denoted in the GUIs as AVM Protection.

Each unit executes several processes: one control process and several AVM processes that execute VNEs. Each process within the unit is completely independent. The isolation concept is tailored throughout the design so that a failure of a single process does not affect other processes on the same machine. The exact number of processes on each unit depends on the capacity and computational power of the unit.

The control process executes a watchdog protocol, which continuously monitors all other processes on the unit. This watchdog protocol requires each AVM process to continuously handshake with the control process. A process that fails to handshake with the control process after a number of times is automatically cancelled and reloaded.

The dynamic design of the control process implements runtime adaptation and escalation. The escalation procedure moves the AVM to suspended mode; that is, the process is suspended. An example of an escalation procedure is to stop reloading a process that has crashed more than n times within a given period, because it is suspected of having a recurring software problem.

The reload process is local to the unit, and thus very rapid, with a minimal amount of downtime. Because the process can use its previous cache information (temporary persistency used to improve performance), once the stuck process is detected, reloading the process takes only a few seconds with no data loss. All watchdog activity is logged and an alarm is generated and sent when the watchdog reloads a process.

Note

An alarm persistency mechanism enables the system to clear alarms that relate to events that occurred while a VNE, an AVM, a unit, or the whole system was down, thus preserving system integrity. For more information about alarm persistency, see Appendix E, VNE Persistency Mechanism.

All watchdog protocol parameters, such as pulse interval and retry times, are configurable in the registry. The higher these parameter values are, the longer the AVM or unit failure lasts, but this increases the certainty that a failure has actually occurred. Configuring these parameters with lower values may shorten the AVM or unit recovery, but might result in a false positive which could unnecessarily restart an AVM or revert to a standby unit when the AVM is just busy or the unit is processing a heavy load of data. For information on these registry settings, see High Availability Registry Settings, page D-13.

Unit N+m High Availability


The clustered N+m high availability mechanism of the Cisco ANA fabric is designed to handle the failure of a unit. Such failures include hardware failures, operating system failures, power failures, and network failures, which disconnect a unit from the Cisco ANA fabric. Unit availability is established in the gateway, running a protection manager process, which continuously monitors all the units in the network. Once the protection manager detects a unit that is malfunctioning, it automatically signals one of the standby servers in its cluster to load the configuration of the faulty unit (from the system registry), taking over all of its managed network elements. This design provides many possibilities for trading off protection and resources. These possibilities range from segmenting the network into clusters without any extra machines, to having a warm-swappable empty unit for each unit in the setup. We recommend that you cluster units according to geography and add an additional empty unit to heavily loaded clusters.

The switchover of the redundant standby unit does not result in any loss of information in the system because all information is autodiscovered from the network, and no persistent storage synchronization is required. As a result, the redundant standby unit relearns all the information from the network elements with no danger of persistent information corruption. Furthermore, when there is cluster saturation (that is, when more than one unit in a cluster fails at the same time and there are no extra machines), the remaining units continue to operate and manage their network scope normally.

When a unit is configured, it can be designated as being an active or standby unit. The active units (excluding the standby unit) that are connected to the gateway are known as a protection group. The standby unit that is configured for the gateway is linked to that protection group. You can define more than a single protection group. Each protection group defined has a set of protected units and a protecting standby unit. Figure D-1 shows a protection group (cluster) of units controlled by a gateway with one unit configured as the standby for the protection group.
Figure D-1 Cisco ANA Architecture

[Figure: a Cisco ANA gateway controlling a protection group of four Cisco ANA units plus one Cisco ANA unit (standby).]

In the example configuration, when the gateway determines that one of the units in the protection group has failed, it notifies the standby unit of the protection group to immediately load the configuration of the failed unit. The standby unit loads the configuration of the failed unit, including all AVMs and VNEs, and functions as the failed unit. All events are recorded in the Cisco ANA EventVision system log, which enables you to take the necessary action to bring the failed unit up again. When the failed unit becomes operational, you can decide whether to configure it as the new standby unit or to reinstate it to the protection group and configure another unit as the standby unit.


Estimating Down Time in Case of Failure


When a failure occurs in a unit or AVM, the length of time that the system is down depends on the type of failure, how long it takes to detect that the component is not working, and the length of the recovery period (during which the unit or AVM reloads and the system begins to function normally again). Three types of failure can occur, as described in these topics:

Catastrophic Process Failure, page D-4
Timeout Process Failure, page D-5
Timeout Machine Failure, page D-7

Catastrophic Process Failure


Each AVM has a log file which is constantly monitored by a Perl process for log messages about catastrophic failures, such as AVM processes running out of memory. When such a failure occurs, the Perl process restarts the AVM almost immediately, so the mean time to repair (MTTR) is based on the AVM loading life cycle. Table D-1 describes the impact on different AVMs when experiencing such a failure.
Table D-1 Catastrophic Process Failure Impact on AVMs

AVM 0 (switch AVM)
    Impact: Loss of messages to and from the machine.
    MTTR: One minute to reach bootstrap.
    Probability of failure: Messages are constantly being sent and received in the system, so the probability of failure is high.

AVM 99 (management AVM)
    Impact: Loss of registry notifications on changes made to the Golden Source.
    MTTR: One minute to reach bootstrap.
    Probability of failure: Registry modifications are made only when the VNE is first loaded into the system, so the probability of failure is low. Modifications are rarely made while the system is up and running.

AVM 100 (trap management AVM)
    Impact: Loss of traps and syslogs from devices.
    MTTR: One minute to reach bootstrap, plus time for all the VNEs to register again for traps and syslogs.
    Probability of failure: Traps and syslogs are constantly received in a live, scaled system, so there is a high probability of losing traps and syslogs during the reloading period.

AVM 11 (gateway)
    Impact: Loss of persistency of any kind.
    MTTR: Six to ten minutes to reach bootstrap on a scale.
    Probability of failure: Since AVM 11 handles Oracle communication and various gateway functions such as alarm processing, there is a high probability of loss of event persistency during this period.

AVM 101-999
    Impact: Loss of management to a section of devices managed by the AVM.
    MTTR: One minute to reach bootstrap, plus time to load the VNEs depending on the number and type of VNEs.
    Probability of failure: No alarm processing occurs when the AVM is down, so traps and syslogs sent to the VNEs are lost. The probability of the loss of traps and syslogs for a period of one minute is high.


Timeout Process Failure


Each AVM is constantly monitored by the management AVM (AVM 99) using a watchdog protocol pulse message sent to the AVM at preconfigured intervals. When the AVM fails to respond to the pulse message after a preconfigured number of attempts, the management AVM restarts the process. The management process also keeps a history of the number of times it has restarted the AVM. When it reaches the maximum number of preconfigured restart times, the management AVM stops restarting the AVM because this indicates a serious problem with the AVM. Each restart is logged as a System event (except when AVM 11 is restarted, because this AVM handles all persistency). Failures on AVMs in the system are measured in a way similar to that used for catastrophic process failures (see Table D-1), with the addition of the watchdog protocol overhead. This is measured by the pulse interval multiplied by the number of restart attempts.

Note

The maximum number of preconfigured restart times is five, after which the management process does not try to reload the AVM. It takes approximately one minute for the system to detect that an AVM (including AVM 100) is not working. The recovery period during which an AVM (including AVM 100) reloads and the system starts to function normally again is approximately five minutes, depending on the number of VNEs per AVM and the complexity of each.
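The escalation described in Watchdog Protocol and in the Timeout Process Failure text above (pulse at a fixed interval, reload after a preconfigured number of unanswered pulses, stop reloading after the maximum restart count, no monitoring during the 30-minute startup window) is easiest to reason about as a small state machine. The simulator below is an added example written for this guide, not Cisco ANA code and not the actual watchdog implementation. Its 60-second pulse interval and five-pulse wait are the AVM 99 values shown in Figure D-2 and the restart limit of five is the one stated in the note; the pulse traces are constructed, and the registry parameter names that really control these values are the ones listed in High Availability Registry Settings, not the constants here. It also carries the two down-time formulas from this section as functions, so the watchdog overhead and the unmanaged period of a unit can be computed from the same parameters.

```python
"""Simulate the watchdog escalation the appendix describes.

Added example, not Cisco ANA code. It models the behaviour the appendix
states: the management AVM (AVM 99) pulses each AVM at a fixed interval, an
AVM that fails to answer a preconfigured number of consecutive pulses is
reloaded, after the maximum number of restarts (five) it is left down, and
no monitoring happens during the first 30 minutes after AVM 99 starts. The
60-second pulse interval and the five-pulse wait come from Figure D-2; the
pulse traces used with it are constructed.
"""
from dataclasses import dataclass, field
from typing import List

PULSE_INTERVAL = 60       # seconds between pulses (Figure D-2: every 60 sec)
MAX_MISSED = 5            # consecutive missed pulses before the AVM is declared failed
MAX_RESTARTS = 5          # reloads allowed before the AVM is left down (suspended)
STARTUP_GRACE = 30 * 60   # seconds after AVM 99 start during which nothing is monitored


@dataclass
class WatchdogState:
    missed: int = 0
    restarts: int = 0
    suspended: bool = False
    actions: List[str] = field(default_factory=list)


def run_watchdog(answered: List[bool], first_pulse_at: int = STARTUP_GRACE) -> WatchdogState:
    """Feed a trace of pulse outcomes to the watchdog.

    answered[i] tells whether the AVM replied to the pulse sent at
    first_pulse_at + i * PULSE_INTERVAL seconds after AVM 99 started.
    """
    st = WatchdogState()
    for i, ok in enumerate(answered):
        t = first_pulse_at + i * PULSE_INTERVAL
        if t < STARTUP_GRACE:
            continue  # startup grace period: pulses are not evaluated
        if st.suspended:
            break     # escalation reached: nothing further is attempted
        if ok:
            st.missed = 0
            continue
        st.missed += 1
        if st.missed < MAX_MISSED:
            continue
        st.missed = 0  # failure declared; decide between reload and suspension
        if st.restarts >= MAX_RESTARTS:
            st.suspended = True
            st.actions.append(f"t={t}s suspend")
        else:
            st.restarts += 1
            st.actions.append(f"t={t}s reload #{st.restarts}")
    return st


def detection_time(pulse_interval: int = PULSE_INTERVAL, attempts: int = MAX_MISSED) -> int:
    """Watchdog overhead before a failure is declared: pulse interval x attempts."""
    return pulse_interval * attempts


def unit_unmanaged_time(pulse_interval: int, retries: int, unit_load_time: int) -> int:
    """Timeout machine failure: pulse interval x retries + unit load time."""
    return detection_time(pulse_interval, retries) + unit_load_time


if __name__ == "__main__":
    # Constructed trace: an AVM that never answers after the grace period.
    state = run_watchdog([False] * 30)
    for action in state.actions:
        print(action)
    print("detection", detection_time(), "s; unit unmanaged", unit_unmanaged_time(60, 5, 600), "s")
```

Feeding the simulator an AVM that answers at least once in every five pulses shows why the appendix warns about false positives when the retry count is lowered: a busy AVM that answers late resets the counter and is never reloaded with the default window, but would be with a window of one or two pulses.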


Figure D-2 provides a typical example of how high availability timer parameters work while monitoring AVMs.
Figure D-2 HA Parameter Timers and AVM Monitoring Example

[Figure: Gateway A (active, running AVM99, AVM11, AVM0, AVM66) and Gateway B (standby) form protection group A/B; Unit A (active) and Unit B (backup) each run AVM99. Timer labels in the figure: AVM11 to AVM99 pings every 1.5 min and waits 15 min for a response (wait timer is adjustable, 0-15); AVM99 to AVM100 pings every 60 sec and waits 5 min for a response (adjustments to the wait timer are not recommended); AVM99 to AVM101 pings every 60 sec and waits 5 min for a response (adjustments to the wait timer are not recommended). AVM100 receives syslogs/traps; VNE A on AVM101 receives polled events.]

Measuring Ticket-Processing Down Time for AVMs

When a failure occurs on an AVM, the time during which ticket processing is down is measured as the sum of the following factors:

The time it takes to determine that the AVM has failed.
The time it takes for the AVM to reload, depending on the number of VNEs.
The time it takes to pass syslogs or traps to the VNEs (in the case of AVM 100), or to pass events to the gateway (in the case of AVM 101-999).

Note

For the first 30 minutes after AVM 99 (the management AVM) has started, there is no monitoring of the system to find high availability issues. This allows the system enough time to get up and running.


Timeout Machine Failure


The Cisco ANA gateway constantly monitors units by sending a watchdog protocol pulse message to the unit management AVM at preconfigured intervals. If the unit management AVM fails to respond to the pulse message after a preconfigured number of retries, the gateway loads the standby unit to replace it. The impact of such a failure on the system is that the unresponsive unit does not manage the devices for a period of time. This unmanaged period of time is measured by the pulse interval multiplied by the number of retry times, plus the unit load time.

Note

Unit load time depends on the AVMs and the load time required for the VNEs to complete their modeling, as described in Table D-1.

Figure D-3 illustrates how a unit handles events during the loading time.
Figure D-3 Stages in Event Handling Through System Restart

Measuring Ticket-Processing Down Time for Units

When a failure occurs on a unit, the time during which ticket processing is down is measured as the sum of the following factors:

The time it takes to determine that the unit has failed (depending on the ping interval).
The time it takes for the unit to reload, depending on the number of AVMs and VNEs in the unit.
The time it takes to pass correlated events to the gateway (a minimum of five minutes to obtain device history, plus a variable time depending on the number of VNEs per AVM).


Configuring Cisco ANA Units for High Availability


The following topics describe customizing protection groups, configuring units for high availability, and configuring standby units:

Configuring Units for High Availability Using Protection Groups, page D-8
Configuring Standby Units, page D-9
Checking the Assignment of Units to Protection Groups, page D-10
Changing the Protection Group of a Unit, page D-11
Switching to a Standby Unit, page D-11

Configuring Units for High Availability Using Protection Groups


You can change the default settings of a unit and assign it to a customized protection group. For more information about creating, viewing, and deleting protection groups, see Managing Protection Groups, page 6-9. In addition, you can enable or disable high availability for a unit. In other words, these settings enable you to define to which protection group a unit is assigned and whether it is enabled for high availability. For information about how long a unit or AVM is down when switching to a standby unit, see Estimating Down Time in Case of Failure, page D-4.

Note

By default, all units in the Cisco ANA fabric belong to the default-pg protection group and high availability is enabled. Advanced configurations can be found in the registry to:

Enable or disable the watchdog protocol for each process, including timeouts for discovery when the process is down.
Control the timeouts for detecting when a unit is down.

For more information, see High Availability Registry Settings, page D-13.


To configure a unit for high availability and assign it to a protection group:


Step 1

Open the New ANA Unit dialog box by right-clicking the ANA Servers branch, then choose New ANA Unit.

Step 2

Enter the information for the new unit:

IP Address
    Enter the IP address of the unit. The IP address must be unique.
    Note: An error message is displayed if a unit is already configured with the same IP address.

Enable Unit Protection
    Confirm that this check box is checked. When this option is checked, high availability is enabled on the unit.

Standby Unit
    Confirm that this check box is not checked.

Protection Group
    Select the protection group for which the newly created unit will act as a standby unit. For more information about protection groups, see:
    Managing Protection Groups, page 6-9
    Changing the Protection Group of a Unit, page D-11

Gateway IP
    Confirm that the IP address of the gateway appears.

Step 3

Click OK. The new unit is displayed in the Cisco ANA Manage window.

If the new unit is installed and reachable, the following events occur:

It starts automatically. It is registered with the gateway. A configuration registry for the new unit is created in the Golden Source.

Configuring Standby Units


Cisco ANA Manage enables you to configure standby units and assign standby units to protection groups. For information about how long a unit or AVM is down when switching to a standby unit, see Estimating Down Time in Case of Failure, page D-4.
Before You Begin

If you are changing an active unit into a standby unit, you must first delete the active unit as described in Deleting a Cisco ANA Unit, page 3-9.


To configure a standby unit:

Step 1  Open the New ANA Unit dialog box by right-clicking the ANA Servers branch, then choose New ANA Unit.

Note

For a detailed description of configuring units, see Chapter 3, Managing the Cisco ANA Gateway and Units.

Step 2  Enter the information for the standby unit:

    IP Address: Enter the IP address of the unit. The IP address must be unique.
        Note: An error message is displayed if a unit is already configured with the same IP address.
    Enable Unit Protection: Confirm that this check box is checked. When this option is checked, high availability is enabled on the unit.
        Note: The Enable Unit Protection check box is selected by default. We strongly recommend that you do not disable this option.
    Standby Unit: Check this check box to define the unit as a standby unit.
    Protection Group: Select the protection group for which the newly created unit will act as a standby unit. For more information about protection groups, see Managing Protection Groups, page 6-9, and Changing the Protection Group of a Unit, page D-11.
    Gateway IP: Confirm that the IP address of the gateway appears.

Step 3  Click OK.

Note

Standby units are not displayed in the ANA Servers branch in the navigation tree.

For information about changing the protection group to which a unit is assigned, see Changing the Protection Group of a Unit, page D-11.

Checking the Assignment of Units to Protection Groups


You can view the protection groups to which units are currently assigned, allowing you to confirm at a glance that the configuration or assignment matches the initial deployment plan. To view unit and protection group assignments, select the ANA Servers branch in the Cisco ANA Manage navigation pane. The properties of the ANA Servers are displayed in the content area, including the details of the protection group to which each unit and standby unit currently belongs.


Changing the Protection Group of a Unit


You can easily and quickly change the protection group to which a unit has been assigned. To change the protection group of a unit:

Step 1  Expand the ANA Servers branch and select the required unit.

Step 2  Open the ANA Unit Properties dialog box by right-clicking the unit, then choose Properties.

Note

For a detailed description on configuring units, see Chapter 3, Managing the Cisco ANA Gateway and Units.

Step 3  In the Protection Group drop-down list, select the protection group to which you want to assign the unit.

Step 4  Click OK to save the updated protection group setting for the selected unit.

Switching to a Standby Unit


Cisco ANA Manage enables you to switch to a standby unit either manually or automatically.

Automatic switchover to a standby unit occurs when the gateway discovers that one of the active units has failed. Such failures include hardware failures, operating system failures, power failures, and network failures, which disconnect a unit from the Cisco ANA fabric. For more information on automatic switchover, see Unit N+m High Availability, page D-2. Manually switching to a standby unit is useful if you must temporarily shut down the unit for maintenance.

When a switchover occurs, Cisco ANA automatically transfers all data from the failed unit to a standby unit in the same protection group. The original unit is removed from the standby setup and is no longer displayed in Cisco ANA Manage.

To manually switch to a standby unit:

Step 1  Expand the ANA Servers branch and select the required unit.

Step 2  Right-click the required unit, then choose Switch. A confirmation message is displayed.

Step 3  Click Yes. The standby unit becomes the active unit and is displayed in the ANA Servers branch. The original unit is removed from the setup and can be safely shut down. It is no longer displayed in the Cisco ANA Manage window.

Note

In the event of unit failover, the Cisco ANA gateway randomly selects a redundant unit when more than one standby unit is available.


Managing the Watchdog Protocol


The following topics describe how to define AVMs for units and enable or disable the watchdog protocol on the AVM:

- Configuring AVMs for High Availability, page D-12
- Viewing and Changing Watchdog Protocol Settings, page D-13

Configuring AVMs for High Availability


Every AVM in the Cisco ANA fabric is, by default, managed by the watchdog protocol. Cisco ANA Manage enables you to define AVMs for units and enable or disable the watchdog protocol on each AVM. Before you define an AVM, the following conditions must be met:

- The unit must be installed.
- The unit must be connected to the transport network.
- The following default AVMs must be running:
    AVM 0: the switch AVM.
    AVM 99: the management AVM.
    AVM 100: the trap management AVM.
- The new AVM must have a unique identifier within the unit.

Note

For detailed information on defining AVMs, see Chapter 4, Managing AVMs.

To define an AVM for high availability:

Step 1  Open the New AVM dialog box by right-clicking the required unit (or gateway), then choose New AVM.

Step 2  Define the properties of the AVM. For more information, see Chapter 4, Managing AVMs.

Step 3  Check the Enable AVM Protection check box to enable the watchdog protocol on the AVM.

Note

We strongly recommend that you do not uncheck the Enable AVM Protection check box.

Step 4  Click OK. The new AVM, with the watchdog protocol enabled, is added to the selected unit and is displayed in the content area. Adding the new AVM creates the registry information for the new AVM in the specified unit. The AVM can now host VNEs.


Viewing and Changing Watchdog Protocol Settings


You can view the properties of an AVM, such as its status and location. In addition, you can edit some of the properties of the AVM, including enabling or disabling the watchdog protocol.

Note

For detailed information on defining and editing AVMs, see Chapter 4, Managing AVMs.

To view and edit AVM settings:

Step 1  Open the AVM Properties dialog box by right-clicking the required AVM, then choose Properties.

Step 2  Edit the details of the AVM, as required.

Note

We strongly recommend that you do not uncheck the Enable AVM Protection check box.

Step 3  Click OK. The new properties for the AVM are displayed in the content area.

High Availability Registry Settings


The high availability and AVM watchdog protocol functions are controlled by settings in the registry. The registry entries and default values are provided in Table D-2.

Note

All changes to the registry should only be carried out with the support of Cisco. For details, contact your Cisco account representative.

Table D-2 Registry Settings for Unit High Availability and AVM Watchdog Protocol

agent_defaults/delay
    Description: Grace period (in milliseconds) during which events are not raised. The grace period begins at system startup. It defines the amount of time during which the system does not perform high availability operations of any kind on the configured target (either the AVM or the unit). There is one exception: when the configured target responds for the first time with a ping, the grace period is over.
    Default: 1800000 (30 minutes)

agent_defaults/timeout
    Description: Timeout (in milliseconds) for AVMs. This is the initial recovery period, which includes device polling and inventory buildup. End-to-end services, such as RCA and topology, can take longer before they become available.
    Default: 300000 (5 minutes)

haservice/timeout
    Description: Timeout (in milliseconds) for units.
    Default: 300000 (5 minutes)

agent_defaults/maxTimeoutReloadTime
    Description: Threshold (in milliseconds) for AVM reload retries. When exceeded, the AVM is suspended.
    Default: 1800000 (30 minutes)

agent_defaults/maxTimeoutReloadTries
    Description: Maximum number of retries for AVM reloads. When exceeded, the AVM is suspended.
    Default: 5


Appendix E

VNE Persistency Mechanism


Persistency is the ability to store information in the unit for later use. These topics describe the VNE persistency mechanism in Cisco ANA:

- Persistency Overview, page E-1
- Alarm Persistency, page E-2
- Instrumentation Persistency, page E-5
- Topology Persistency, page E-6

Note

These topics describe some of the persistency registry settings. Changes to the registry should be performed only with the support of Cisco. For details, contact your Cisco account representative.

Persistency Overview
Persistency information is stored across unit, AVM, and VNE restarts. VNE data persists during runtime: when a VNE polls data from a device, the VNE updates the files in the file system for changes in the device's response, according to the persistency variables. When a VNE is started or restarted, the persistency information is read from these files once. Every normal polling or refresh that takes place after the first time reads the data from the device itself and not from the files.

VNE data persistency is lost in the following scenarios (alarm persistency is kept):

- A user manually moves the VNE to another AVM, or moves the parent AVM to another unit.
- A high availability event occurs, causing a unit to switch over to the standby unit.
- The device the VNE models is reconfigured (for example, a new sysOID or a software version change).

The upgrade mechanism automatically clears all persistency files on Cisco ANA gateways and units. This does not clear the alarm history that is stored in the Cisco ANA database.
Instrumentation Persistency

Instrumentation persistency is used mainly to:

- Shorten the starting time of VNEs for devices. When the information from the local file system is used, the device's response time and network latency are eliminated; thus the VNE finishes modeling its first state very quickly.
- Provide information about the old state of the VNE, to initiate alarms if the status has changed while the VNE was unloaded. For example, a Port Down alarm is initiated only if the port status was up and changed to down. This ensures that an alarm is not issued on ports which should be down. By maintaining information about the old state of the port, the system understands whether or not the current state is valid.
- Help lower the CPU load on the device while starting, when many polling commands are generated. Also, when persistence data is loaded from the unit, traffic bandwidth between the unit and device is much lower than when the system is loaded using ordinary device discovery and modeling.

For more information, see Instrumentation Persistency, page E-5.


Topology Persistency

Topology persistency creates topology between devices on startup when the VNE is loaded, instead of performing the entire discovery process. Verification of the links is then performed. For more information, see Topology Persistency, page E-6.
Alarm Persistency

Alarm persistency saves information about the VNE components that send alarms. When a VNE sends an alarm, the VNE can save this information (that it has sent an alarm of type X). This information can then be used by the VNE components after restarts to verify whether the VNE needs to send clearing alarms where changes have occurred in the device when the VNE was down. For more information, see Alarm Persistency, page E-2.

Alarm Persistency
Alarm persistency enables the system to clear alarms that relate to events that occurred while the system was down. For example, a Link Down alarm is generated, and then the system goes down. While the system is down, a Link Up event occurs in the network, but because the system is down, it does not monitor the network. When the system comes up, the alarm is cleared because the system remembers that a Link Down alarm exists and needs to clear it by sending a corresponding alarm.

Persisting events are held in the AlarmPersistencyManager. Each VNE contains an AlarmPersistencyManager object. Alarms are added to and removed from the AlarmPersistencyManager object in order to maintain the status of an event, whether it exists in the repository or not; that is, whether an up alarm or a clearing alarm has been generated. Two copies of alarm persistency information are maintained: one in memory, and the other on disk. At startup, the AlarmPersistencyManager retrieves the events persisting for the containing VNE. Event data in the files is updated at the following times:

- At shutdown.
- After a change, when an event is added or removed.
- After a specific interval of time has passed. This prevents data from being rewritten to the persistency file when a stream of events is added or removed during a short period of time, because the data is saved only after the specified period of time has elapsed.


Initialization
Alarm persistency is controlled by settings in the registry. Global alarm persistency information is stored in agentdefaults.xml. The major settings are listed in Table E-1. The settings for these configurable items only apply when trying to retrieve data from the persistency files. Individual event persistency information is described in Configuring Alarm Persistency for a Specific Event, page E-4.

Note

All changes to the registry should only be carried out with the support of Cisco. For details, contact your Cisco account representative.
Table E-1 Default Settings for Alarm Persistency

enabled
    Description: Enables the persistency mechanism for this VNE.
    Default: true

writing-delay
    Description: Interval (in milliseconds) between the arrival of a new event or the removal of an existing event, and the writing of the persistency file.
    Default: 300000 (5 minutes)

max-alarm-age-in-days
    Description: How many days an event remains in a persistency file before it becomes obsolete.
    Default: 7

Retrieving Events
At startup, each VNE calls its AlarmPersistencyManager to load the persisting events. If the file does not exist or is corrupt, no events are loaded. Faulty event objects are not loaded. Events which have been in the file for longer than the configured maximum age are not loaded. No age tests are performed during ordinary runtime.

Storing Events
At shutdown, events are saved to the VNEs event persistency file as a precaution in case the events have not already been saved.

Removing an Event
An event is searched for and removed using the same information which was used to add it. The event is removed from memory because an up alarm (for example, a Link Up alarm) has been generated, and the persistency information is no longer required. After the removal, the AlarmPersistencyManager stores the events after a writing delay, as specified in the registry.

Removing an Event and Clearing an Alarm


The AlarmPersistencyManager is able to search for and remove an event, and send a clearing alarm for the event, if it is found that this information is no longer required because the alarm has been cleared. After an event has been added to or removed from the AlarmPersistencyManager, a delayed message is sent to the AlarmPersistencyManager. Upon its arrival, the message triggers the events to be stored to the file.


Configuring Alarm Persistency for a Specific Event


Alarm persistency can be configured per event using the setting described in Table E-2. Event-specific persistency information is stored in event-persistency-application.xml.

Note

All changes to the registry should only be carried out with the support of Cisco. For details, contact your Cisco account representative.
Table E-2 Registry Setting for Alarm Persistency for a Specific Event

alarm-persistency
    Description: Enable persistency for a specific event.
    Default: See Alarm Persistency Default Configuration, page E-4

In the following LDP Neighbor Loss alarm, the LDP Neighbor Down event is persisted, but the LDP Neighbor Up event is not:

    <key name="LDP neighbor loss">
      <entry name="default">event-persistency-application/templates/generic persistency event</entry>
      <key name="sub-types">
        <key name="LDP neighbor down">
          <entry name="alarm-persistency">persist</entry>
        </key>
        <key name="LDP neighbor up">
          <entry name="alarm-persistency">unpersist</entry>
        </key>
      </key>
    </key>
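The manager lifecycle described in the Alarm Persistency topics above (load at startup with the age and corrupt-file checks, add and remove, delayed write, flush at shutdown) together with the per-event alarm-persistency setting shown in the LDP fragment, as an added Python example; this is not Cisco ANA code. It assumes a JSON persistency file, a clock passed in explicitly so that it runs offline, and that an unpersist sub-type such as LDP neighbor up is the clearing event for the persisted down record of the same alarm and source; the registry fragment is a constructed copy of the one above, and the class and function names are the example's own.

```python
import json
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed registry fragment in the key/entry form shown on this page.
EVENT_PERSISTENCY_XML = """
<key name="LDP neighbor loss">
  <entry name="default">event-persistency-application/templates/generic persistency event</entry>
  <key name="sub-types">
    <key name="LDP neighbor down"><entry name="alarm-persistency">persist</entry></key>
    <key name="LDP neighbor up"><entry name="alarm-persistency">unpersist</entry></key>
  </key>
</key>
"""


def load_policy(xml_text):
    """Map (alarm, sub-type) -> True when the sub-type's alarm-persistency is 'persist'."""
    root = ET.fromstring(xml_text)
    policy = {}
    for sub in root.findall("./key[@name='sub-types']/key"):
        entry = sub.find("./entry[@name='alarm-persistency']")
        persist = entry is not None and (entry.text or "").strip() == "persist"
        policy[(root.get("name"), sub.get("name"))] = persist
    return policy


class AlarmPersistencyManager:
    """One per VNE: persisted events in memory, mirrored to a file after the
    writing delay and at shutdown (parameter names follow Table E-1)."""

    def __init__(self, path, policy, writing_delay_ms=300000, max_alarm_age_in_days=7):
        self.path, self.policy = path, policy
        self.writing_delay = writing_delay_ms / 1000.0
        self.max_age = max_alarm_age_in_days * 86400
        self.events = {}          # (alarm, sub_type, source) -> time added
        self.dirty_since = None   # time of the first change not yet written

    def load(self, now):
        """Startup: missing/corrupt file loads nothing; faulty or over-age records skipped."""
        try:
            with open(self.path) as fh:
                records = json.load(fh)
        except (OSError, ValueError):
            return 0
        for rec in records:
            try:
                key, added = (rec["alarm"], rec["sub_type"], rec["source"]), float(rec["added"])
            except (KeyError, TypeError, ValueError):
                continue
            if now - added <= self.max_age:
                self.events[key] = added
        return len(self.events)

    def on_event(self, alarm, sub_type, source, now):
        """'persist' sub-types are recorded; other sub-types of the same alarm
        are assumed to be its clearing event and remove the record for that source."""
        if self.policy.get((alarm, sub_type), False):
            self.events[(alarm, sub_type, source)] = now
        else:
            for key in [k for k in self.events if k[0] == alarm and k[2] == source]:
                del self.events[key]
        if self.dirty_since is None:
            self.dirty_since = now

    def tick(self, now):
        """Delayed write: a burst of changes costs a single file rewrite."""
        if self.dirty_since is not None and now - self.dirty_since >= self.writing_delay:
            self.flush()

    def flush(self):
        """Write the in-memory copy to disk (also the shutdown path)."""
        with open(self.path, "w") as fh:
            json.dump([{"alarm": a, "sub_type": s, "source": src, "added": t}
                       for (a, s, src), t in self.events.items()], fh)
        self.dirty_since = None

    def clears_needed(self, sources_still_down):
        """After a restart: persisted down events whose source is no longer down."""
        return sorted(k for k in self.events if k[2] not in sources_still_down)


def demo(workdir=None):
    """Lifecycle on constructed LDP events; returns the observations the text describes."""
    path = os.path.join(workdir or tempfile.mkdtemp(), "vne-10.0.0.1-events.json")
    policy = load_policy(EVENT_PERSISTENCY_XML)
    mgr = AlarmPersistencyManager(path, policy, writing_delay_ms=1000)
    mgr.on_event("LDP neighbor loss", "LDP neighbor down", "10.0.0.2", now=100.0)
    mgr.on_event("LDP neighbor loss", "LDP neighbor down", "10.0.0.3", now=100.2)
    mgr.tick(100.5)
    written_early = os.path.exists(path)          # still inside the writing delay
    mgr.tick(101.0)
    written_after_delay = os.path.exists(path)
    mgr.on_event("LDP neighbor loss", "LDP neighbor up", "10.0.0.3", now=200.0)
    mgr.flush()                                   # shutdown
    # Restart a day later: 10.0.0.2 is reloaded and, because the device now
    # reports no LDP neighbor down, a clearing alarm is owed for it.
    restarted = AlarmPersistencyManager(path, policy)
    loaded_next_day = restarted.load(now=100.0 + 86400)
    clears = restarted.clears_needed(sources_still_down=set())
    loaded_after_8_days = AlarmPersistencyManager(path, policy).load(now=100.0 + 8 * 86400)
    with open(path, "w") as fh:
        fh.write("{not json")                     # corrupt file: nothing loads
    loaded_corrupt = AlarmPersistencyManager(path, policy).load(now=0.0)
    return {"down_persisted": policy[("LDP neighbor loss", "LDP neighbor down")],
            "up_persisted": policy[("LDP neighbor loss", "LDP neighbor up")],
            "written_early": written_early, "written_after_delay": written_after_delay,
            "loaded_next_day": loaded_next_day, "clears": clears,
            "loaded_after_8_days": loaded_after_8_days, "loaded_corrupt": loaded_corrupt}
```

Running demo() exercises the whole cycle: the second tick is the first write (one write for two events), the up event removes the 10.0.0.3 record before the shutdown flush, the next-day restart reloads the 10.0.0.2 record and reports it as needing a clear, and an 8-day-old or corrupt file loads nothing.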

Alarm Persistency Default Configuration


The following alarms are configured to be persistent:

- Ascend Link Down Trap
- BFD Connectivity Down
- BFD Neighbor Loss
- BGP Neighbor Loss
- Card Down
- Card Down Syslog
- Card Out
- Component Unreachable
- CPU Utilization
- Discard Packets
- Dropped Packets
- Drops Exceed Limit
- DS0 Bundle Down
- DS1 Path Link Down
- DS1 Path Port Down
- DS3 Path Link Down
- DS3 Path Port Down
- Dual Stack IP Changed
- Duplicate IP on VPN
- DWDM Controller Down
- DWDM g709 Status Down
- EFT Down
- Envmon Condition Syslog
- Envmon Fan Syslog
- Fabric Hardware Syslog
- Flash Card Removed Syslog
- GRE Tunnel Down
- IMA Admin Down
- IMA Oper Down
- Interface Status
- Keepalive Set
- L2TP Peer Not Established
- L2TP Sessions Threshold
- LAG Down
- LAG Link Down
- Layer 2 Aggregation Down
- Layer 2 Tunnel Down
- LDP Neighbor Loss
- Link Down
- Link Utilization
- LSP Removed
- Memory Utilization
- MEP Down
- MLPPP Down
- MPLS Interface Removed
- MPLS TE FRR State Changed
- PIM Interface Down Syslog
- PIM Neighbor Loss Syslog
- Port Down
- RX Dormant
- RX Utilization
- Shelf Out
- Sonetpath Link Down
- Sonetpath Port Down
- Sub-interface Down
- TX Dormant
- TX Utilization
- VSI Down

Instrumentation Persistency
The instrumentation layer persists the information that was collected from the device to the file system. When the VNE restarts, it uses this information to emulate the devices response, and thus the VNE can be modeled according to its last persistent state. The next polling instance is performed against the real device. The registry entries that control instrumentation persistency are provided in Table E-3.

Note

All changes to the registry should only be carried out with the support of Cisco. For details, contact your Cisco account representative.


Table E-3 Registry Settings for Instrumentation Persistency

persistencydir
    Description: Specifies the directory in which persistency information is saved on the local file system. This is a relative path. Allowed values are a string that represents the relative directory in the file system.
    Default: instrumentor-persistency

persistencylevel
    Description: Controls the level of persistency to be used. The allowed values are Full (persisted) or Off (not persisted). These values can be set for individual commands to make sure some are persisted and some are not.
    Note: If a compound command contains both Full and Off persistency levels, Cisco ANA uses the Full level for all commands.
    Default: Full

persistencystorageenabled
    Description: Controls whether the whole storage mechanism is enabled.
    Default: true

persistencystorageinterval
    Description: Interval (in milliseconds) for which the data to be persisted is accumulated and then written to the persistent storage in bulk. Files are only updated if they have changed. The default value (10 minutes) is a compromise between small intervals (which cause more I/O operations in the local file system) and long intervals (which result in stored information not being up to date).
    Default: 600000 (10 minutes)

persistencytimeout
    Description: Timeout period (in milliseconds) after which the initial data is marked as obsolete; all subsequent commands run directly on the device. If the persistency mechanism is enabled when the instrumentation layer starts, it loads all the data from the files. This data can be used for a command only the first time that command is executed. Some commands are used for the first time long after other commands have finished multiple cycles; for example, commands which run only when the status on the device has changed. The default value (1 minute) is a compromise between a small value (which can cause the instrumentation layer to ignore the persistent data) and a large value (which causes the data to be retrieved long after the VNE has finished loading).
    Note: We recommend that this value be at least 60000 (1 minute).
    Default: 60000 (1 minute)
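The behaviour that Table E-3 describes, as an added Python example that is not Cisco ANA code: persisted responses answer only the first execution of each command and only inside persistencytimeout, every later execution goes to the device, new responses are written in bulk once persistencystorageinterval has elapsed and only when the stored response changed, and a compound command's level resolves to Full if any part is Full. The file layout (one JSON file per command under persistencydir), the FakeDevice stand-in with its constructed answers, and the class and method names are assumptions of the example; the constructor parameters reuse the registry names from the table.

```python
import json
import os
import re
import tempfile


def resolve_level(levels):
    """Compound command rule from Table E-3: any Full part makes the whole command Full."""
    return "Full" if "Full" in levels else "Off"


class InstrumentationStore:
    """Persisted device responses for one VNE; constructor names follow Table E-3."""

    def __init__(self, basedir, persistencydir="instrumentor-persistency",
                 persistencylevel="Full", persistencystorageenabled=True,
                 persistencystorageinterval=600000, persistencytimeout=60000):
        self.dir = os.path.join(basedir, persistencydir)   # relative path under the unit
        self.level = persistencylevel
        self.storage_enabled = persistencystorageenabled
        self.interval = persistencystorageinterval / 1000.0
        self.timeout = persistencytimeout / 1000.0
        self.loaded = {}      # command -> response read from disk at startup
        self.used = set()     # commands that already consumed their persisted answer
        self.pending = {}     # command -> newest response awaiting the bulk write
        self.on_disk = {}     # command -> response currently in its file
        self.started_at = self.last_write = None

    def _file(self, command):
        return os.path.join(self.dir, re.sub(r"[^A-Za-z0-9_.-]+", "_", command) + ".json")

    def start(self, now):
        """Read every persisted response once; they emulate the device for the
        first execution of each command."""
        self.started_at = self.last_write = now
        os.makedirs(self.dir, exist_ok=True)
        for name in os.listdir(self.dir):
            with open(os.path.join(self.dir, name)) as fh:
                rec = json.load(fh)
            self.loaded[rec["command"]] = self.on_disk[rec["command"]] = rec["response"]

    def execute(self, command, device, now, level=None):
        """Returns (response, served_from_persistency). Only the first use of a
        command, and only inside persistencytimeout, is answered from the file."""
        from_file = (command in self.loaded and command not in self.used
                     and now - self.started_at <= self.timeout)
        self.used.add(command)
        if from_file:
            return self.loaded[command], True
        response = device(command)
        if self.storage_enabled and (level or self.level) == "Full":
            self.pending[command] = response
        return response, False

    def store(self, now, force=False):
        """Bulk write every persistencystorageinterval (force=True at shutdown);
        a file is rewritten only when its response changed. Returns files written."""
        if not force and now - self.last_write < self.interval:
            return 0
        written = 0
        for command, response in self.pending.items():
            if self.on_disk.get(command) != response:
                with open(self._file(command), "w") as fh:
                    json.dump({"command": command, "response": response}, fh)
                self.on_disk[command] = response
                written += 1
        self.pending.clear()
        self.last_write = now
        return written


class FakeDevice:
    """Constructed stand-in for a network element; counts real queries."""

    def __init__(self, answers):
        self.answers, self.hits = answers, 0

    def __call__(self, command):
        self.hits += 1
        return self.answers[command]


def demo(basedir=None):
    basedir = basedir or tempfile.mkdtemp()
    device = FakeDevice({"show version": "Cisco IOS XR Software, Version 3.8.0",
                         "show ip interface brief": "GigabitEthernet0/0/0/0 up up"})
    # First VNE lifetime: nothing persisted yet, so both commands hit the device.
    store = InstrumentationStore(basedir, persistencystorageinterval=2000)
    store.start(now=0.0)
    store.execute("show version", device, now=1.0)
    store.execute("show ip interface brief", device, now=1.0)
    hits_first_run = device.hits
    early = store.store(now=1.5)          # interval not reached: nothing written
    files = store.store(now=2.0)          # interval reached: two files written
    # Restart: first executions inside persistencytimeout come from the files.
    store = InstrumentationStore(basedir)
    store.start(now=100.0)
    _, first = store.execute("show version", device, now=101.0)
    _, second = store.execute("show version", device, now=102.0)          # second use: device
    _, late = store.execute("show ip interface brief", device, now=161.0)  # past the timeout
    rewritten = store.store(now=162.0, force=True)   # responses unchanged: no rewrite
    return {"hits_first_run": hits_first_run, "early_writes": early, "files": files,
            "first_from_file": first, "second_from_file": second, "late_from_file": late,
            "rewritten_unchanged": rewritten, "device_hits": device.hits}
```

demo() shows the two costs the text trades off: with the files present the VNE restart answers show version without touching the device, while a command first used after persistencytimeout (61 seconds here against the 1-minute default) is polled from the device, and the forced write at the end rewrites nothing because the device returned the same responses.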

Topology Persistency
Cisco ANA supports persistency for Layer 1 topological connections. Layer 1 topology supports one connection per Device Component (DC), so the physical topology reflects a single port connected by a single link. The following topologies are persisted:

- Layer 1 counter-based topologies.
- Static topologies.


Static topology, which identifies physical links configured by the user, is persisted once a user configures the static link between the two entities. This link is then stored in the registry, in the AVM key that contains the specific VNE registrations. For other topologies, every time a link is created, the persistency mechanism writes the link to this file. When a link is disconnected, the file representing the link is removed.

Note

Topology persistency assumes that the XID (the unique device component ID) is persistable. For example, the port XID should remain the same after the device reboots or after the VNE reboots. This does not depend on whether the ifIndex changes from time to time.

Topology persistency is controlled by the setting listed in Table E-4.

Note

All changes to the registry should only be carried out with the support of Cisco. For details, contact your Cisco account representative.
Table E-4 Registry Setting for Topology Persistency

persistency
    Description: Enable physical topology persistency.
    Default: true

Note

We recommend that this entry remain enabled.


Appendix F

CPU Utilization and Cisco ANA


Cisco ANA is an extensible and scalable platform residing between the network elements and OSS management applications, providing unified end-to-end network and service management for service provider and large enterprise networks. In common with other service management solutions, the effectiveness of Cisco ANA in managing a network is directly proportional to the timeliness and accuracy of data from the managed network. For example, alarms cannot be correlated to root causes, and root causes cannot be identified, unless the system has accurate and timely inventory and topology information. This information needs to be collected and discovered from the network.

In Cisco ANA, managed network data is collected by the Virtual Network Elements (VNEs). VNEs are autonomous device drivers running on the unit servers. Each VNE interacts with its respective network element, discovers its physical and logical inventory and connectivity, and maintains a virtual, in-memory model of the device by repetitively querying the device for this data. However, collecting such data comes with a cost: the devices must assign CPU cycles to responding to management protocol requests.

The purpose of these topics is to describe how Cisco ANA optimizes the way in which management data is obtained from network devices in order to minimize the effect on CPU utilization.

- Key Factors That Affect CPU Consumption, page F-1
- Cisco ANA Solutions for CPU Consumption Problems, page F-2

Key Factors That Affect CPU Consumption


It is essential to first understand the key factors that affect the CPU utilization of the network elements. The following topics describe these factors.
Type of Operating System Used by Network Elements

Device operating systems may react differently to a single atomic query. In the case of Cisco devices, the Cisco IOS XR operating system is likely to produce higher CPU peaks than the Cisco IOS operating system. This is because the Cisco IOS XR architecture supports a distributed infrastructure that runs on multiple CPUs, while the Cisco IOS architecture supports a monolithic infrastructure. Cisco IOS XR supports preemptive scheduling that allocates CPU (even at elevated levels) as needed, while continuing to function normally and support the feature and functionality it is designed to deliver.


Type of Query Issued by Cisco ANA VNEs

Typically, queries that result in large responses require more time to calculate and use more CPU. The time and CPU required by a query depends on the command type.

Note

As the level of technology support within Cisco ANA increases, VNEs may run more queries. An increased number of queries imply more polling time is needed, and more polling time can cause CPU usage to peak for longer periods of time. However, it is not the number of queries that directly impacts CPU utilization; it is the nature of the queries that is important, as described above.
Rate of Queries Issued by Cisco ANA VNEs

Cisco ANA VNEs poll the network element in a repetitive fashion according to a predefined time interval, referred to as a polling cycle. For queries that affect device CPU, a higher repetition of these queries results in longer CPU peaks and higher average CPU utilization over time.

Cisco ANA Solutions for CPU Consumption Problems


The following topics describe how Cisco ANA is optimized to not only provide better reporting of CPU high utilization in the network, but also to reduce the CPU cycles it consumes:

- CPU Monitoring for Cisco IOS XR Devices, page F-2
- Optimizing the Type of Queries Issued by Cisco ANA VNEs, page F-6
- Optimizing the Rate of Queries Issued by Cisco ANA VNEs, page F-6

CPU Monitoring for Cisco IOS XR Devices


Network operators often consider the CPU utilization levels to be a rough indication of the network elements health. However, when running a distributed operating system the apparent high CPU utilization does not necessarily indicate a problem. For example, a Cisco IOS XR router can operate at 100% utilization for extended periods of time. Therefore, in Cisco ANA, the configuration for Cisco IOS XR VNEs was recalibrated to higher thresholds, as described in the following topics.

CPU Overutilized Alarm Support for Cisco IOS XR Devices


To properly recalibrate CPU monitoring to the configurations appropriate for Cisco IOS XR behavior, Cisco ANA retrieves the average device CPU utilization calculated over a 5-minute period. The command for retrieving this data is sent to the device every 1 minute. Therefore, if Cisco ANA reports a high CPU utilization on a Cisco IOS XR VNE, it means that for last 5 minutes, the average CPU utilization has been crossing the recommended threshold. Table F-1 describes the CPU Overutilized alarm registry parameters (and default values) for Cisco IOS XR VNEs.


Table F-1 Registry Settings for Cisco IOS XR CPU Overutilized Alarm

cpu-util-polling-interval
    Description: How often (in milliseconds) to poll the CPU usage in order to determine the average CPU usage.
    Default: 60000 (1 minute)

cpu-util-counter-bucket
    Description: Length of the period (in minutes) over which the average CPU usage is calculated (polled every 1 minute).
    Default: 5

upper
    Description: Upper threshold (%) that triggers the CPU alarm.
    Default: 90%

lower
    Description: Lower threshold (%) that clears the CPU alarm.
    Default: 70%

high-cpu-alarm-sample
    Description: The alarm is generated once the average has been above the upper threshold for this many polling cycles.
    Default: 1 polling cycle

clear-cpu-alarm-sample
    Description: The alarm is cleared once the average has been below the lower threshold for this many polling cycles.
    Default: 3 polling cycles

Use the following procedure to check the registry parameters for the CPU Overutilized alarm for Cisco IOS XR VNEs.

Note

We recommend that you do not change any of these settings. Changes to the registry should only be carried out with the support of Cisco. For details, contact your Cisco account representative.

Step 1  Log into the gateway as user ana37, and change to the Main directory by entering the following command:

    # cd ANAHOME/Main

Step 2  Use the following runRegTool commands to check the current registry settings. For information on the format of the runRegTool command, see Changing Registry Settings Using runRegTool, page C-3. Registry paths that contain spaces must be quoted on the command line.

    To check the cpu-util-polling-interval setting for Cisco IOS XR VNEs:

    # ./runRegTool.sh -gs 127.0.0.1 get 0.0.0.0 "cisco-router-iox-repository/cpu-util-iox-telnet/instrumentationservices/command/parsing params/cpu-util-polling-interval"

    To check the current cpu-util-counter-bucket setting for Cisco IOS XR VNEs:

    # ./runRegTool.sh -gs 127.0.0.1 get 0.0.0.0 "cisco-router-iox-repository/cpu-util-iox-telnet/instrumentationservices/command/parsing params/cpu-util-counter-bucket"

    To check the current high-cpu-alarm-sample setting for a specific VNE (avmxxx is the AVM and vne-key is the VNE in question):

    # ./runRegTool.sh -gs 127.0.0.1 get 0.0.0.0 avmxxx/agents/da/vne-key/dcs/type/com.sheer.metrocentral.coretech.common.dc.ManagedElement/Alarms/cpuusage/high-cpu-alarm-sample

    To check the current clear-cpu-alarm-sample setting for a specific VNE:

    # ./runRegTool.sh -gs 127.0.0.1 get 0.0.0.0 avmxxx/agents/da/vne-key/dcs/type/com.sheer.metrocentral.coretech.common.dc.ManagedElement/Alarms/cpuusage/clear-cpu-alarm-sample


VNE Adaptive Polling Settings for Cisco IOS XR Devices


If the CPU utilization exceeds a defined threshold, the adaptive polling mechanism extends the polling cycle and suspends queries. The adaptive polling mechanism is described in more detail in Smooth Polling and Adaptive Polling, page 6-5. When a Cisco IOS XR VNE is using normal polling and CPU usage exceeds the maximum threshold for five consecutive polls, the VNE moves to slow polling. If CPU usage continues to exceed the threshold for ten more consecutive polls, the VNE moves to maintenance mode. This behavior for Cisco IOS XR devices is illustrated in Figure F-1.
Figure F-1 Cisco IOS XR VNEs: How Adaptive Polling Works (figure: Normal polling moves to Slow polling after 5 times above the maximum threshold level; Slow polling moves to Maintenance after 10 times above the maximum threshold level; Slow polling returns to Normal polling after 5 times below the minimum threshold level)

The following steps describe this behavior. For Cisco IOS XR devices, each polling cycle is 1 minute long (as described in Table F-1 on page F-3).

1. CPU usage is polled 5 times (upper tolerance) and is running above the maximum threshold value.
2. The VNE moves to slow polling.
3. The CPU usage is polled an additional 10 times and is running above the maximum threshold value.
4. The VNE moves to maintenance mode because CPU usage remained above the maximum value for 15 polling cycles (maintenance tolerance). It stays in maintenance mode until it is manually restarted.

Table F-2 describes the registry parameters (and default values) for adaptive polling for Cisco IOS XR VNEs.
Table F-2 Registry Settings for Cisco IOS XR Adaptive Polling

Registry Entry / Description / Default Value

threshold alarm value: Upper threshold (%) at which to move VNE to slow polling. Default value: 90%

threshold clear value: Lower threshold (%) at which to move VNE to normal polling. Default value: 60%

upper_tolerance: When upper threshold is crossed this number of consecutive CPU polls, move the VNE to slow polling. (Using the settings in this table and in Table F-1, this means the VNE would move to slow polling after 5 minutes.) Default value: 5

low_tolerance: When CPU utilization falls below the lower threshold for this number of consecutive polls, move the VNE to normal polling. Default value: 5 (as shown in Figure F-1)

maintenance_tolerance: When upper threshold is crossed this number of consecutive CPU polls, move the VNE to maintenance mode. (This number includes the 5 polls in the lower tolerance. See Figure F-1 for an example of this configuration.) Default value: 15

max history length: Hold this number of history samples. At a minimum, this value should be the largest of the upper, lower, and maintenance tolerance values. Default value: 15

Use the following procedure to check the registry parameters for adaptive polling on Cisco IOS XR VNEs.

Note

We recommend that you do not change any of these settings. Changes to the registry should only be carried out with the support of Cisco. For details, contact your Cisco account representative.

Step 1

Log into the gateway as user ana37, and change to the Main directory by entering the following command:
# cd ANAHOME/Main

Step 2

Issue the appropriate runRegTool command to check the current registry settings. For information on the format of the runRegTool command, see Changing Registry Settings Using runRegTool, page C-3.

To check the threshold alarm value setting for Cisco IOS XR VNEs:
# ./runRegTool.sh -gs 127.0.0.1 get 0.0.0.0 "cisco-router-iox-repository/cpu-util-iox-telnet/sub command handlers/script threshold command handler/command handler params/script-parameters/threshold alarm value"

To check the threshold clear value setting for Cisco IOS XR VNEs:
# ./runRegTool.sh -gs 127.0.0.1 get 0.0.0.0 "cisco-router-iox-repository/cpu-util-iox-telnet/sub command handlers/script threshold command handler/command handler params/script-parameters/threshold clear value"

To check the upper_tolerance setting for Cisco IOS XR VNEs:


# ./runRegTool.sh -gs 127.0.0.1 get 0.0.0.0 "cisco-router-iox-repository/cpu-util-iox-telnet/sub command handlers/script threshold command handler/command handler params/script-parameters/upper_tolerance"

To check the low_tolerance setting for Cisco IOS XR VNEs:


# ./runRegTool.sh -gs 127.0.0.1 get 0.0.0.0 "cisco-router-iox-repository/cpu-util-iox-telnet/sub command handlers/script threshold command handler/command handler params/script-parameters/low_tolerance"


To check the maintenance_tolerance setting for Cisco IOS XR VNEs:


# ./runRegTool.sh -gs 127.0.0.1 get 0.0.0.0 "site/cisco-router-iox-repository/cpu-util-iox-telnet/sub command handlers/script threshold command handler/command handler params/script-parameters/maintenance_tolerance"

The adaptive polling registry settings for specific VNEs are available under vne-path/dcs/type/com.sheer.metrocentral.coretech.common.dc.ManagedElement/AdaptivePolling.

Optimizing the Type of Queries Issued by Cisco ANA VNEs


Cisco ANA VNEs are designed to use optimized queries that avoid any undesired overhead on the managed element.

Optimizing the Rate of Queries Issued by Cisco ANA VNEs


The following sections describe general mechanisms in Cisco ANA that reduce the rate of queries issued by Cisco ANA VNEs when needed.

Cisco ANA Smooth Polling


Smooth polling is a mechanism that takes commands in the same polling cycle, and spreads out their execution over the polling cycle. This ensures that the commands get executed at least once within the required period, while also reducing the probability that two or more commands will run at the same time. For more information on smooth polling, see Smooth Polling, page 6-5. Note that smooth polling augments regular polling only after the completion of the first poll. Smooth polling is enabled in Cisco ANA by default.

Cisco ANA VNE Polling Cycles


The VNE polling cycles determine the intervals between consecutive queries to a network element. Users can fine-tune the frequency at which information is retrieved from the managed elements, thus controlling the amount of network traffic used by the various VNEs. These intervals are controlled by Cisco ANA polling groups, which users can configure in Cisco ANA Manage. Cisco ANA comes with two predefined polling groups: default and slow. To reduce the average CPU load on devices that, on average, consume high CPU, we recommend that you extend the polling cycles for registration commands by applying the slow polling group settings to the relevant VNEs. The settings for the slow and default polling groups are listed in Polling Groups Overview, page 6-3.

Cisco ANA VNE SNMP Retries Setting


If the network element is busy processing CLI commands, it may not answer SNMP queries that are sent in parallel by the VNE. The VNE will continue to send the SNMP commands within a timeout window, using multiple query-retries. This situation might also contribute to additional CPU load on the devices. Reconfigure the SNMP timeout and retries parameters to a longer period that will allow the CLI queries to complete. Increase the SNMP command timeout and double the query retries, as shown in the following procedure.


Step 1

Log into the gateway as user ana37, and change to the Main directory by entering the following command:
# cd ANAHOME/Main

Step 2

Issue the following command to change the SNMP command timeout from 5 seconds to 30 seconds (30000 milliseconds):
# ./runRegTool.sh -gs 127.0.0.1 set 0.0.0.0 "site/agentdefaults/da/ip_default/protocols/snmp/timeout" 30000

Step 3

Issue the following command to change the SNMP query retry count from 3 to 6:
# ./runRegTool.sh -gs 127.0.0.1 set 0.0.0.0 "site/agentdefaults/da/ip_default/protocols/snmp/retries" 6

Step 4

Restart the gateway server:


# ./anactl restart
