
HP Network Automation Software (NAS)

User Training

Course Introduction
Tarpley Adams
Cisco Advanced Services
Operations and Network Management Practice

October 2008

2006 Inc. All rights reserved. Proprietary and confidential.


Presentation_ID 2006 Systems, Inc. All rights reserved. Confidential 1
Introductions and Logistics

Hewlett Packard Network Automation Software

- A tool to aid in device configuration management
- Originally developed by Rendition Networks, and called TrueControl
- Opsware bought Rendition Networks in 2004, and product name changed to Network Automation Server (NAS)
- HP bought Opsware in 2007, and product name is Network Automation (HPNA), but everyone still calls it NAS

Introductions and Logistics

- Cisco resells HPNA as CiscoWorks Network Compliance Manager (NCM)
- Cisco has been helping implement NAS at GE
- Your instructor is from Cisco:
  - Tarpley Adams
  - Atlanta
- Don't be confused if you see the Cisco logo in some screen shots

Slides are located at
http://libraries.ge.com/foldersIndex.do?entity_id=3787239101&sid=101&sf=1&prod_id=80137
Training folder

Course Outline

Module : Introductions and Logistics
Module : NAS Overview
Module : Device Access Method and Device Groups
Module : Adding Devices
Module : Troubleshooting Device Discovery
Module : Scripting and ACL(s)
Module : Software Images and CLI
Module : Managing Policies
Module : Managing Reports
Module : Workflow
Module : User Accounts

HP Network Automation

Training Course

NAS Overview

HP Network Automation

[Diagram: functional areas and components]
- Compliance & Security Management
- Provisioning & Configuration Management
- Process Automation & Control
- Real-time Policy Enforcement
- Reporting (compliance, change, visibility)
- GUI, Telnet/SSH Proxy, API
- Management Engine
- Network Infrastructure Automated: Load Balancers, Switches, Routers, Firewalls

NAS
Functional Overview
[Diagram: functional blocks]
- Workflows & Approvals: policy-based or ad hoc, sequencing, scheduling, process model, change approvals
- Change & Configuration Management: device provisioning, automated configuration, scripting, OS image updates
- Discovery & Inventory: import, individual devices (e.g., from DCR), network topology, detailed asset inventory, OS images
- Reporting: network compliance, deployed assets, change history
- Audit & Compliance: network audits, best practices enforcement; SOX, VISA CISP, HIPAA, GLBA, ITIL, CobiT, COSO
- Integration Connectors: other network management systems or 3rd party applications
- Central Data Repository: member of Federated CMDB

NAS at GE

[Diagram: three NAS servers, each with an Oracle database (one marked Master), at Alpharetta, Cincinnati (Singapore) and London; syslog relay; Network]

NAS at GE - User Access
Alpharetta - gisops32.admin.net.ge.com
Managing Americas

London - gisops34.admin.net.ge.com
Managing EMEA

Cincinnati - gisops30.admin.net.ge.com
Managing ASPAC
Transitioned to Singapore at some point

User Account is by SSO or other special arrangement. Most are loaded, but currently disabled.

NAS
Architectural Overview (cont.)

Robust Security Model
- Device-level access per user
- Task-level access per user
- Sensitive Data Masking and Encryption
- Directory Services & AAA Integration
  - LDAP / Active Directory
  - RADIUS / TACACS
  - SecurID
High Availability Configurations
- High Availability Replication
- Satellite Off-loading
- Microsoft and Veritas (Solaris) Clustering
Extensibility
- APIs (Perl, Java, Web Services (XML))
- Open database schema
- Integration with and 3rd party NMS

Where does NAS fit in Network Management Space?

FCAPS Model - Used by Network Management Industry to Identify Items in Network.
- Fault management - Typically focused on alerts from devices such as up/downs and out of memory errors, and polls for status
  - Examples include: SMARTS, Netcool, HPOV, Nortel ENMS
- Configuration Management - NAS and other vendor solutions such as LMS or Nortel Enterprise Management tools
- Accounting Management - Traditional Usage Measurements
- Performance - Focused on Application and Network Performance
  - Examples include Concord, IPM or NAPA
- Security - Covers a wide variety of products from Network Intrusion to Password Management

NAS: Core, Mesh, Sites
[Diagram: Core 1 and Core 2, each with its own Database, joined in a Mesh; Site: A, Site: B and Site: C]

Realm and Site

[Diagram: Realm 1 and Realm 2, each with device management through NAS Gateways joined by a secure tunnel; NAS Core; Site 1A, Site 1B and Site 2A; device addresses Realm 1: 10.1.2.3, Realm 1: 10.4.5.6, Realm 2: 10.1.2.3]

Realm
- NAS supports management of overlapping IP or loosely coupled IP networks
- Each IP network has a Realm
- A core manages devices in its local or remote Realm
- Remote Realm management is accomplished via gateways (NAS Gateway)
Site
- A site is a subdivision of a Realm
- Each site belongs to one core and each device belongs to one site

Realm, Site, Core
[Diagram: Realm: Redmond and Realm: HongKong; NAS Core; NAS Gateways L1, L2, R1 and R2; Local Site: 1, Remote Site: 1, Remote Site: 2]

Generically Views & Partitions
- A View is a way of segmenting the device inventory
  - Each device appears once in a given View
  - You can only have 3 Views
- Partitions are subdivisions within a given View
  - Each device appears in exactly one partition in each View
  - Each View has a Default Partition, where devices appear if they are not in any of the other partitions
  - Each View can have any number of Partitions
- One View is predefined: the Sites

[Diagram: three Views (Sites, View B, View C), each divided into partitions: Default Site, Site 2, Site 3 ... Site N; Default B, B-2, B-3 ... B-N; Default C, C-2, C-3 ... C-N; Device A and Device B are placed in partitions of each View]

Device Driver Architecture

- Driver Interfaces: Configuration, Provisioning, Software Mgmt., Password Mgmt.
- Implementation: Perl, Expect, SNMP, TFTP, FTP, SCP, Telnet, SSH
- Scalable: Supports a large set of network devices
- Object-oriented: Implementation is separate from the interface

Benefit of Driver Architecture

- Broad heterogeneous device support (over 700)
- Ease of driver addition and enhancement
- Highly extensible
- Ease of driver update (driver installer)
and 35 other vendors.

The Web User Interface

The Search Window

My Workspace Window - Example

The Main Menu Bar

The Devices Menu

The Devices menu bar provides access to device monitoring tools

The Tasks Menu

- Shows the interaction between the NAS and the network
- Can be scheduled or run immediately
- Results display completion status
- Examples of tasks include
  - Snapshots that identify device and configuration changes
  - Configuration policy compliant devices
  - De-duplication of a device IP address
  - Detecting a network device

The Policies Menu

The Policies menu provides access to policy monitoring tools which include:
An inventory of the policies on your device or network
Ability to create new policies
Ability to test for policy compliance

The Reports Menu

- The Reports menu allows you to create different types of reports including user and system reports.
- User reports are defined by the user search criteria.
- A user report can be promoted to a system report status.
- NAS reports include static and ad-hoc reports
- Reports can be saved, imported, or printed

The Admin Menu

- The Admin menu provides menu items that allow you to configure the NAS server using a graphical user interface
- A user with admin credentials can add new users, groups, and change user properties such as password, userID, and so on
- The Admin menu also allows you to change user roles, permissions, and device views

HP Network Automation

Training Course

Device Access Methods and Device Groups

Access Methods Overview
To Discover and Snapshot devices NAS uses the following methods in the following order by default:
1. SNMP with TFTP
2. SSH with TFTP
3. SSH with CLI screenscrape
4. Telnet with TFTP
5. Telnet with CLI screenscrape
Some devices do not support one or more of the above protocols so exceptions exist:
Common Exceptions:
- Unix devices (F5, Checkpoint) require SSH with SCP since they do not support or allow SNMP, Telnet or TFTP
- Nortel Passports - FTP is required to capture the config
- PIX - SSH or Telnet using CLI is disabled by default and therefore TFTP is required.

Configuring Access Methods - Password Rules

Admin->Device Password Rules

Device Groups Overview

Groups devices by:
- Geographical or physical location, such as San Fran or Atlanta
- Business unit or department, such as marketing or engineering
- Role in the network, such as edge, core, or switch
The initial system group is Inventory. All devices belong to this group.
Device group hierarchy
- Parent (always public)
- Child (can be public or private, belongs to one parent only)
Device group permissions
- Public: Shared and visible to all users
- Private: Visible only to owner and admin

Sites
A Site is a subdivision of a Realm.
- Each Site belongs to exactly one Realm
- Each Realm can include one or more Sites
Each Site belongs to one Core
- This is the Core which will manage devices in the Site
Each device belongs to exactly one Site
- If a device doesn't belong to any other Site, then it belongs to the Default Site
Site is a NAS administrative concept
- Identifies which Realm a given device is in
- Identifies which Core a device is managed by
- Can be used to drive View Permissions
- Can be used to tie together the permissions model, the group hierarchy, the distribution of devices across Cores, and the physical network topology
- In many cases this will be the customer's preferred model, since in many customer environments these concepts end up linked together

[Diagram: Realm 1 and Realm 2; Site 1A, Site 1B and Site 2A; device addresses Realm 1: 10.1.2.3, Realm 1: 10.4.5.6, Realm 2: 10.1.2.3]

Views & Partitions
- A View is a way of segmenting the device inventory
  - Each device appears once in a given View
  - You can only have 3 Views
- Partitions are subdivisions within a given View
  - Each device appears in exactly one partition in each View
  - Each View has a Default Partition, where devices appear if they are not in any of the other partitions
  - Each View can have any number of Partitions
- One View is predefined: the Sites

[Diagram: three Views (Sites, View B, View C), each divided into partitions: Default Site, Site 2, Site 3 ... Site N; Default B, B-2, B-3 ... B-N; Default C, C-2, C-3 ... C-N; Device A and Device B are placed in partitions of each View]

Relationship Between Sites, Partitions and Device Groups
- Sites and Partitions are Device Groups
  - Sites and Partitions are always public groups
  - They can be placed within the Device Group Hierarchy
- They have some special behaviors
  - If a device is added to one Site or Partition, then it is automatically removed from the Site or Partition that it previously belonged to
  - If a Site or Partition is deleted, then all contained devices are automatically placed in the Default Site or Partition
  - This is done in order to ensure that a device appears in exactly one Site, and in exactly one Partition for each of the defined Views
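
The membership rules from this slide and the Views & Partitions slide, modelled as an added example (not NAS code; the class, its methods and the per-partition permission check are assumptions). It shows the move-on-add and fall-back-to-default behaviors, and what they mean when partitions drive View Permissions:

```python
"""Added illustration of the View/Partition rules on the slides.

Not NAS code: class, method and permission names are hypothetical.
"""

MAX_VIEWS = 3  # slide: "You can only have 3 Views"


class Inventory:
    def __init__(self):
        self.devices = set()
        self.views = {}     # view name -> {partition name -> set of devices}
        self.defaults = {}  # view name -> name of that View's Default Partition

    def add_view(self, view, default_partition):
        if view in self.views:
            raise ValueError("View already exists: " + view)
        if len(self.views) >= MAX_VIEWS:
            raise ValueError("only %d Views are allowed" % MAX_VIEWS)
        # Devices not placed elsewhere appear in the Default Partition.
        self.views[view] = {default_partition: set(self.devices)}
        self.defaults[view] = default_partition

    def add_partition(self, view, partition):
        self.views[view].setdefault(partition, set())

    def add_device(self, device):
        if device in self.devices:
            return
        self.devices.add(device)
        for view, partitions in self.views.items():
            partitions[self.defaults[view]].add(device)

    def partition_of(self, view, device):
        for name, members in self.views[view].items():
            if device in members:
                return name
        return None

    def assign(self, view, partition, device):
        """Adding a device to a partition removes it from its previous one."""
        if device not in self.devices:
            raise KeyError(device)
        target = self.views[view][partition]  # KeyError if the partition is unknown
        for members in self.views[view].values():
            members.discard(device)
        target.add(device)

    def delete_partition(self, view, partition):
        """Deleting a partition places its devices in the Default Partition."""
        default = self.defaults[view]
        if partition == default:
            # Assumption: the Default Partition itself cannot be deleted.
            raise ValueError("cannot delete the Default Partition")
        orphans = self.views[view].pop(partition)
        self.views[view][default].update(orphans)

    def violations(self):
        """List (view, device, count) where a device is not in exactly one partition."""
        bad = []
        for view, partitions in self.views.items():
            for device in sorted(self.devices):
                count = sum(device in m for m in partitions.values())
                if count != 1:
                    bad.append((view, device, count))
        return bad

    def visible(self, view, granted_partitions):
        """Devices a user can see, assuming permissions are granted per partition."""
        seen = set()
        for name in granted_partitions:
            seen |= self.views[view].get(name, set())
        return sorted(seen)


def demo():
    inv = Inventory()
    inv.add_view("Sites", "Default Site")
    inv.add_view("View B", "Default B")
    for partition in ("Site 2", "Site 3"):
        inv.add_partition("Sites", partition)
    for device in ("Device A", "Device B"):    # constructed sample devices
        inv.add_device(device)
    inv.assign("Sites", "Site 2", "Device A")
    inv.assign("Sites", "Site 3", "Device A")  # moves; Site 2 is now empty
    grant = {"Default Site"}                   # hypothetical user permission
    before = inv.visible("Sites", grant)
    inv.delete_partition("Sites", "Site 3")    # Device A falls back to Default Site
    after = inv.visible("Sites", grant)
    return before, after, inv.violations()


if __name__ == "__main__":
    print(demo())
```

Under the per-partition permission assumption, deleting Site 3 makes Device A visible to a user who was only granted the Default Site, so grants on the Default Site or Partition deserve a review before a Site or Partition is deleted.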
Viewing Device Groups
Select Devices->Groups.
Click on any group to see the devices in the group.

List of all devices known to the system

Creating Device Groups (Child Group)

Select Devices->Groups->New Group.
Or
Select Devices->New Device Group.
Click Save to complete the process.

Modifying Device Groups
1. From Devices menu, select the Groups menu item.
2. From the Actions menu click on Edit

List of all devices known to the system

Modifying Device Groups cont.

3. Change sharing and ownership
4. Add/remove devices
5. Save the task

Performing Device Batch Edits

1. Expand the group to edit.
2. Click on the devices or select All.
3. Select Batch Edit from the Actions drop down menu.
4. Set configuration options.

Creating a Parent Group

1. From Devices menu, select New Parent Group.
2. Enter the name of the parent group.
3. Add device group to the parent group
4. Click Save.

Modifying a Parent Group

1. Select Device->Groups.
2. Locate parent and click Edit.
3. Select Child Device Group.
4. Copy.
5. Click Save.

Creating Sites

1. From the Devices menu, select Sites menu item
2. In the Sites window, click on New Site

Tasks Overview
- Interaction between NAS and network devices
- Specific actions
- Can be immediate or scheduled
- Examples of tasks
  - Take Snapshots
  - Run Diagnostics
  - Discover driver

Accessing Device Tasks

The Tasks menu enables you to:
- Display specific user tasks.
- Create multiple tasks.
- Display task load
- Track tasks.
- Schedule tasks.
- Execute tasks
- View tasks.
- Create new tasks.

Displaying Tasks - User & Load
My Tasks displays:
- Task name
- Date
- Status
- Type of task
- Related actions

Task Load displays:
- Starting tasks
- Waiting tasks
- Running tasks

Creating Multiple Task Project

From the Tasks menu select the Multi-Task Project menu item
1. Enter the name of the multi task project
2. Add which tasks to run
3. Select the devices on which to run the tasks
4. Schedule and save task

Displaying Tasks Results
Running Tasks
Task status is shown as:
Running
Waiting
Pending
Succeeded
Failed, and so on

Completed Tasks

Tracking Tasks with Activity Calendar

The Scheduled Tasks Tab

View scheduled tasks by selecting the Scheduled Tasks menu item from the Tasks menu.

The Running Tasks Tab

The Recent Tasks Tab

Creating New Tasks
Types of New Tasks
To detect a network device:
1. Select Tasks->New Tasks->Detect Network Devices.
2. Specify scanning methods (SNMP or TCP/IP).
3. Specify number of nodes.
4. Specify IP or CIDR range.
5. Click Save.

Taking a Snapshot - Example

1. Provide a device name or IP address.
2. Check applicable task options.
3. Check scheduling options.
4. Save task.
5. Verify the output of the task.

Assigning Tasks by Device Groups
Users can assign tasks to devices by group. More than ten tasks are available. To assign tasks to a device group:
- Select the current working group.
- Optionally, list the active devices only.
- From the Select Task drop down menu, choose the task to run on the group.
In addition to the tasks, the following actions can be performed on device groups:
- Activate.
- Deactivate.
- Batch Edit.
- Remove from group.
- Delete.

HP Network Automation

Training Course

Adding Devices

Device Management Overview
- A managed device requires a management IP address.
- Management protocols and port addresses are required.
  - This includes device-specific information including passwords and SNMP strings
- Over 40 vendors are supported and additional vendors added monthly.
- Change detection can be configured via Syslog or via a AAA Agent.

Adding Devices with the New Device Wizard

- A one-step process for adding devices
- Only requires an IP address
- Not recommended for production environments

Adding Devices with the New Device Option

- Verify the correct IP address or hostname of the device
- Verify the site of the device
- Ensure the device is in the proper Device Group so that it matches the device password rule
- Use network-wide password rules
- Double-check access protocols - turn off SSH if device does not support it
- Double-check Auto-syslog setting - if checked it will add a line into the device config file pointing to the NAS syslog server (or a relay)

Adding Devices from a File
Devices->New Device Task->Import

Admin->New System Task->Import

Tasks->New Tasks->Import

Example of a CSV File

Discovering Device Drivers

From the Devices menu, expand the New Device Task menu item
Click on Discover Driver
Or
From the Tasks menu, expand the New Task menu item and click on Discover Driver
Or
Search for IP/Hostname, then use Edit & Provision->Discover Driver menu.

Detecting Network Devices

[Diagram: NMAP and SNMP Get used to detect a Router, a Nortel VPN Switch and an F5 Load Balancer]

Detecting Devices

- Specify the maximum number of devices.
- Specify the range of IP addresses.
- Specify the range of addresses to exclude.
- Specify the scanning method (SNMP, Nmap).

Adding Devices from an Existing NMS

NAS

Verifying the Connection Options

NAT Information

NAT IP address
- internally configured IP address of the device (if it is different than the primary IP address NAS uses to access the device)
- be sure to enter the IP address that NAS should use to access the device in the Device IP box at the top of the page
TFTP Server IP
- NAT'd IP address of the NAS server local to the device
If not using NAT leave both fields empty

Bastion Host Information

If you don't have direct connectivity from NAS to the network device, you can use an intermediary host to communicate
Check "Use a Unix or Linux Bastion Host for Telnet & SSH"
Enter:
- IP address or hostname of the bastion host
- Username (typically root) used to access the bastion host
- Password used to access the bastion host
- Password again for confirmation

New Device - What happens?

1. Discovery of the device using SNMP or CLI (SNMP usually much faster)
2. (First) Snapshot
3. Default Diagnostics
4. Modules Diagnostics
5. Auto-syslog (if enabled)
6. (Second) Snapshot

Searching for Devices

Three Ways:
- Reports>Search For>Devices
- Search menu
- Reports>Advanced Search

Ability to perform Boolean search

Viewing a Device Configuration

There are two types of configurations:
- Startup configuration
- Running configuration
Select View->Current Configuration.

Editing a Device

Based on
- IP address (or DNS name)
- Host Name
- Site
- Group membership
- Change detection and polling
- Management status
- Device driver
- Password Information
  - Device-specific or Network-wide
OR
- NAT Information
  - NAT or TFTP Server IP address
- Connection Information
  - Connection method, Transfer protocol, or Bastion Host information
- ACL Parsing
  - Enabled
  - Disabled
- Additional Information
  - Additional device description

Editing a Device - Example

You can:
Edit per device.
Edit by group.
Edit by batch.

Viewing Device Details - Home

Viewing Other Device Details

ACLs
ACL ID, Handle, Type, Last Modified, Actions
Interfaces
Port Name, Port Status, IP Address
Managed IP Address
IP Address, Used to access device (yes/no), Type (primary/secondary)
IP Address
Port Name, Address, Address Type, VLAN, First Seen, Last Seen
MAC Addresses
Port Name, Address, Address Type, VLAN, First Seen, Last Seen
VLANs
Port Name, VLAN, VLAN Description
Modules
Slot, Model

Deleting Devices

Comparing Configuration Versions
Displays line changes.
Shows context changes.
Shows UNIX-style diff.
Includes a running configuration link.
Compares two configurations.
Displays the host name and IP address.
Displays the date and time of the last change.

HP Network Automation

Training Course

Troubleshooting Devices

Common Device Problems

Generic IOS Driver
- Allows snapshot, command scripts and diagnostics on devices for which there is no exact driver yet
- Does not allow software upgrades
- Automatically assigned to new models of IOS devices for which , Inc. has not yet fully tested

Common Device Problems
PIX - Unable to snapshot
Problem 1:
TFTP is required between the device and the NAS server
If not allowed in the environment, use PIX non TFTP driver
(caveat: no rollback and software updates)
Problem 2:
PIX chooses to send the config file over the wrong interface
Correct interface needs to be hard coded

UNIX-based devices

F5 and Checkpoint most common
- Tend to have multiple config files and lack SNMP / TFTP support
- Multiple configs usually captured using SSH/SCP protocol; however not always editable
- F5 allows editing and deployment of some, not all
- Checkpoint does not allow redeployment
- Tend to have a full-feature GUI provided by the vendor
- Customers do not like to use a command-line
- Software upgrades through not supported
- Usually requires root password to access the device

Nortel Devices: BayRS Intro
Can be tricky to Discover and Snapshot
Long history and numerous incarnations
Two different command-line interfaces in addition to Java UI application
Java application aka Site Manager:
Version specific
Can change only one device at a time
Cannot change all the settings inside a config
Uses SNMP to push the changes onto the device

Nortel Devices: BayRS Intro (cont.)
Two levels at the command-line:
Technician Interface (TI)
Most stable & least user-friendly
Commands entered with MIB values
Can be cryptic
Bay Command Console (BCC)
Historically added to be more user friendly -like interface
Runs as an application on the router
Can be unstable and even crash the router on older devices

Nortel Devices: BayRS with NAS

- NAS uses SNMP or TI interface
- Config file stored in NAS is the binary config of the device (converted from binary to ASCII using a tool from Nortel)
- Customers tend to be familiar with the BCC version of the config
- Assure customers that it is the same / full config just in a different format

Nortel Devices: BayRS with NAS
Version compatibility

- Which version does the customer run?
  - Is it a custom developed version? (more common than expected)
  - If so, it has to be QAed by prior to using it with NAS
- Customers should be running 14.20 code or higher
  - If older, discuss upgrade paths with the customer as anything below 14.20 is not supported by Nortel

Nortel Devices: BayRS with NAS
Setting up NAS for BayRS
Edit Event Notification and Alerts:
Edit Compact Flash on Low Space Alert and enable it
Edit Collect Diagnostics on Change Detection Event:
Add ONA Check Flash Disk Space (leave others as-is)

Doing this will prevent the device from running out of Flash memory (due to a Nortel bug/feature of not freeing up released memory)

Nortel Devices: BayRS with NAS
Discovering Devices

- Start with one BayRS device
- NAS only discovers a limited number of code versions, if Discovery fails:
  - If the customer's version is different AND above 14.20 and not custom code:
    - Assign manually to BayRS SNMP/TI driver
    - Attempt snapshot, if OK:
      - Add particular version to the Discovery tree on the Admin page
    - If snapshot NOT OK:
      - Analyze session log

Nortel Devices: BayRS with NAS
Importing Devices - Common Problems
- BayRS devices slow to respond or slow transfer of config files
- NAS offers 3 customizable timeouts
- Use the session log to decide which to change
- Timeouts edited through the Device Access Settings either globally (using the device password rules) or using Device Specific passwords

Baystack Devices: Intro
- Numerous models and software versions of Baystack switches
- Commands, device interaction (e.g. error messaging) can be very different between seemingly similar software versions (e.g. 3.0 and 3.1)
- Devices differ greatly between 450s and 470s
- Managing devices offered through a command line interface or a menu-based interface

Baystack Devices: Importing devices

If device not discovered:
- check the list of supported devices
- If customer running higher level code version than what NAS supports:
  - manually assign a Baystack driver
  - verify that it works correctly (let customer know that it is not a tested driver and avoid performing automated changes)
- If customer running lower level code version than what NAS supports:
  - Do not import it
  - Check whether customer plans to upgrade soon
  - If not, submit a driver request to , Inc.

Baystack Devices:

Not all NAS features supported
- Majority of Baystack devices do not support syslog
  - Might need to create specific polling task
- Command Scripting and Diagnostics not supported

Baystack devices often need to be woken up before they can respond to a snapshot
- Up the retry count by 1 on the polling task

HP Network Automation

Training Course

Scripting and ACL(s)

Command Scripting Overview
Collection of commands written either in network device native language, or Expect or Perl
Types of scripts
Basic (written in network device native OS language)
Advanced (written in Perl or Expect)
Languages supported
Expect-based regular expressions
Perl
Scripts perform very specific tasks.
Example (script to modify the banner of a given string)

Scripting Example - Set NTP Server

Set NTP Server
IOS Configuration
ntp server $NTP_Server_IP$

Advanced Scripting - Example
Advanced Scripting mode
Advanced Scripting fields include:
- Name - Set Banner only if needed
- Description - Classroom script
- Script type - General purpose, Existing, New, Advanced Scripting
- Device Family - A collection of devices with similar configuration CLI commands, example IOS, Baystack, Aruba
- Language - Expect, Perl
  - Other languages can be configured in admin settings (e.g. Ruby)
- Parameters - The script must include device login codes.
- Script
- Variables
- Pull variables button

Creating a Script from a Template

1. Display existing templates.
2. Select a vendor from the list.
3. Select the template.
4. Select Update to build script.
5. Create Script.

Creating Expect Scripts from Telnet/SSH Sessions
- Make sure session logging (commands, responses) is enabled. This is the default setting.
- Log into the network device using the NAS Telnet/SSH proxy.
- Execute device command actions.
- View the log session from the device information page.
- Convert the log session to an expect script.

Using Parameters in Scripts

Add variables using variable name
- Variable names must start and end in $
- Parameters can be used both in Basic and Advanced scripts
- Variable names must only contain letters, numerals, and underscores (_).
- Examples: $Location$, $Reports$, $IP_Address$, $Port_ID$
banner motd $banner$
set system location $Location$
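
A sketch of the $Name$ substitution described above, added here as an example and not taken from NAS or from the training deck. The function names, the control-character check and the per-parameter validator table are assumptions for illustration; the script lines are the ones shown on the slides.

```python
import ipaddress
import re

# $Name$ placeholders: letters, numerals and underscores between two $ signs.
PLACEHOLDER = re.compile(r"\$([A-Za-z0-9_]+)\$")


def pull_variables(script):
    """Return placeholder names in order of first appearance."""
    names = []
    for name in PLACEHOLDER.findall(script):
        if name not in names:
            names.append(name)
    return names


def check_value(name, value, validators):
    """Reject values that would change the shape of the rendered command."""
    # Assumption: control characters are never valid in a parameter value.
    # A newline would turn one configuration line into two.
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in value):
        raise ValueError(f"{name}: control character in value")
    validator = validators.get(name)
    if validator is not None:
        validator(value)  # raises ValueError on bad input


def render(script, values, validators=None):
    """Substitute every $Name$ in script; fail on missing or unsafe values."""
    validators = validators or {}
    names = pull_variables(script)
    missing = [n for n in names if n not in values]
    if missing:
        raise KeyError(f"no value for: {', '.join(missing)}")
    for name in names:
        check_value(name, values[name], validators)
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], script)


# Hypothetical per-parameter validators (not a NAS feature).
VALIDATORS = {"NTP_Server_IP": ipaddress.ip_address}

# Script lines taken from the slides.
NTP_SCRIPT = "ntp server $NTP_Server_IP$"
LOCATION_SCRIPT = "set system location $Location$"

if __name__ == "__main__":
    print(render(NTP_SCRIPT, {"NTP_Server_IP": "192.0.2.10"}, VALIDATORS))
    print(render(LOCATION_SCRIPT, {"Location": "Atlanta"}))
```
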



Using Parameters - Examples


Using Parameters - Example cont.


Editing a Command Script

Edit a script to:
1. Change the name.
2. Change the mode.
3. Modify the script.


Running a Command Script

1. Enter the name of the device.
2. Click Run.
3. Verify results.


Diagnostics

- NAS gathers other device info (in addition to configuration files):
  - Routing tables
  - Port statistics
  - IP settings
- Useful in determining the effects of configuration changes and troubleshooting complex issues such as routing problems and performance degradation
- NAS captures a basic set during configuration change
- Sys Admin can define additional diagnostic tasks or event rules to capture diagnostics at different times
- Can also define additional custom diagnostics


Diagnostics -- Example



ACLs Overview
- What is an ACL?
  - A statement that filters network traffic
  - A collection of statements that define packet patterns
  - A security feature for restricting routing updates
- It is embedded in the configuration file of most network devices.
- NAS extracts ACLs from device configuration files.
- ACLs can be:
  - Viewed
  - Commented
  - Modified and deployed to a device


Limitations in managing ACLs with NAS

- Currently not supporting all the devices
- Supported devices include:
  - Juniper
  - Netscreen
- No support for Nortel devices at this time
- Also not supporting all the ACL types (e.g. BGP Prefix list for devices not supported)
- Check the documentation for specific device / ACL type support (NAS Users Guide)


Components of an ACL

ACL ID

Identifier
Handle
Comments
Configuration
Specify ACL Handle Here
Application



Viewing ACLs

1. Search for ACL.
2. View ACL.

Action->View ACL


Searching for ACLs
- You can search for ACLs using handles
- Primary way handles are assigned to a group of ACLs
- Use case:
  - Need to change a number of VTY access lists
  - Some devices have ACL handle 5, others 99
  - User searches for ACLs looking for vty in the application and then creates a group and assigns it a handle name


Creating an ACL script



Running an ACL Script

- Identify the ACL to run
- Select the related device
- Ask for approval, if necessary
- Run the script
Note: Must have permission on the device


Editing ACLs

Edit an ACL to make changes to existing content



Deleting ACLs
1. Select Devices->New Task->Delete ACLs.
2. Enter the device name or IP address to apply delete ACLs.
3. To delete a single ACL, select the ACL from a list of ACLs.
4. Click Save Task.
5. For a group of devices, select ACL(s) from list of ACLs.
6. Click Save Task.

Must have access to device


Changing ACL Handle



HP Network Automation

Training Course

Software Image Management and CLI

Software Images Overview
- Required for upgrading network devices
- Based on image sets
- Based on device model, drivers, hardware type, and so on
- Supported for several vendors
  - Cisco
  - Nortel
  - Juniper
  - Netscreen


Downloading the Software Image
- Download device image from vendor site.
- Save image to a file on the server or client.
- Save image set.
- Upload image to NAS.
- Save Software.
- Update the device with new image via TFTP service.

[Diagram: Vendor Software, TFTP Server, Opsware Network Automation (NAS), network device]


Specifying the Image Set to Deploy

1. From Device menu, select Device Tools menu item and click on Software Images.
2. Click Add Image Set.
3. Specify the image set name.
4. Specify the location of the file.
5. Specify the drivers required.
6. Specify the device model.
7. Click Save Software.


Managing the Image Set

1. Edit Image Set.
2. Add Images.
3. Update Device Software.
4. Display existing software images.


Updating Device Software - Specifying the Device


Updating Device Software - Identify Image Set


Updating Device Software - Selecting the Software


Deploying the Software Image

1. Specify which image to add.
2. Specify which image to remove.
3. Specify device.
4. Save Task.


Overview of Command-line interface (CLI)
- Allows direct command-line interaction with a network device
- Provides audit trail of all commands executed on the devices
- Allows network engineers to use a familiar interface to interact with the devices
- Provides easy generation of advanced (Expect) scripts from (automatically) recorded user sessions


Using command-line interface through Telnet/SSH Sessions

[Diagram: End User, Opsware Network Automation (NAS), Router]


Creating advanced scripts from ssh/telnet sessions


Creating advanced scripts from ssh/telnet sessions (cont.)

- Not always 100% correct code
- Usually needs additional manual changes


Direct Access to the telnet/ssh proxy

- Can use your favorite ssh or telnet client to access the proxy directly
- Point your ssh client (e.g. putty) to the DNS name or IP of your NAS server
- If NAS server runs on Windows, default telnet / ssh ports are used (23/22)
- If NAS server runs on Solaris / Linux, non-standard ports are used (8023/8022)


HP Network Automation

Training Course

Managing Policies

Policy Compliance Overview
- Implemented with a Policy Manager
- The Policy Manager informs the user when there is a violation in:
  - Configuration Policy
    - A policy has rules (uses regular expressions).
  - Configuration Rule (two rule types)
    - Apply to entire configuration.
    - Apply to a subset of the configuration (Block).
      - Defines a starting block pattern.
      - Defines ending block pattern.
  - Configuration Rule Exception
    - Some devices may be excluded from the rules.
    - Portion of a configuration of a particular device.


Policy and Software Compliance Importance Ratings
- These ratings are based on the following corporate policy rankings:
  - Critical
  - High
  - Medium
  - Low
  - Informational
- Policy and software compliance importance ratings allow users to assess risk and prioritize the corporate policies.
- Policy reports can be sorted (filtered) in the order of importance.
- Event rule response is based on importance ratings.
- Configuration policy and software vulnerability events can be searched, sorted, and filtered based on importance ratings.


The Policies Menu

Note: You can create a new configuration policy through Policies->New Policy or through Policies->Policy List.

The Test Configuration Compliance option allows users to verify the policy compliance status for each device. You can test for all applicable policies or for selected policies.


Displaying Device Policies



New Configuration Policy Form

Required field



Creating a New Configuration Policy

1. Select Policies->New Policy.
2. Provide the name of the new policy.
3. Include any rules for the new policy.
4. Activate the policy.


Creating a new Configuration Policy Rule
1. Provide a rule name.
2. Provide the device family.
3. Provide any new exceptions.
4. Apply the rule to the configuration file.
5. Save the rule.


Editing a Configuration Policy

1. Select Policies->Policy List.
2. Select Configuration Policy.
3. Click View & Edit.

To edit the Rule:
1. Click View & Edit of Configuration Rule.
2. Modify rule.
3. Save.


Policy Example - Logging only to NAS server

Must contain:
(?<!logging \d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?\n)(logging NAS_Server\n)(?!logging \d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?\n)


Policy Example - Logging set to A and B and nothing else (any order)

Must contain
(?<!logging \d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?\n)(logging (A|B)\n){2}(?!logging \d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?\n)


Policy Example - SNMP write community string set up xxxx

Must not contain
snmp-server community (?!xxxx)


Policy Example - All interfaces of type X have IP addresses configured

Each block starting with
interface X
And ending with
!
Must contain
ip address \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+


Policy Example - All interfaces with IP address 172.20.* are shut down

Each block starting with
interface .*\n( .*\n)+ ip address 172.20.
And ending with
!
Must contain
\n shutdown


Policy Example - all devices configured with feature X, have option Y set

Example: all devices configured for "aaa new-model" (X) must contain "tacacs-server host 1.2.3.4" (Y).
Each block starting with
aaa new-model
And ending with
\nend
Must contain
tacacs-server host 1.2.3.4
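
The block-rule examples on the preceding slides, plus the SNMP whole-configuration rule, run against a constructed configuration. This is an added example, not NAS code: the `blocks` and `violations` helpers, the reading of a block as "start match through the next end match", the use of `Serial` for interface type X, and the `*` variant of the 172.20 start pattern are all assumptions.

```python
import re

# Constructed IOS-style sample configuration (not from the training deck).
SAMPLE_CONFIG = """\
hostname lab-rtr1
!
aaa new-model
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Serial0/0
 description spare
 no ip address
!
interface Serial0/1
 description lab link
 ip address 172.20.1.1 255.255.255.0
 shutdown
!
interface Serial0/2
 description lab link
 ip address 172.20.2.1 255.255.255.0
!
interface Serial0/3
 ip address 172.20.3.1 255.255.255.0
!
snmp-server community public RO
tacacs-server host 1.2.3.4
!
end
"""


def blocks(config, start, end):
    """Yield each span from a start-pattern match to the next end-pattern match.

    Assumption: a start match with no later end match runs to the end of
    the configuration.
    """
    end_re = re.compile(end)
    for m in re.finditer(start, config):
        stop = end_re.search(config, m.end())
        yield config[m.start():stop.end() if stop else len(config)]


def violations(config, pattern, must_contain=True, start=None, end=None):
    """Return the first line of every scope that breaks the rule.

    Without start/end the scope is the entire configuration; with them the
    rule is applied to each block separately.
    """
    scopes = [config] if start is None else blocks(config, start, end)
    return [s.splitlines()[0] for s in scopes
            if (re.search(pattern, s) is not None) != must_contain]


IP_AND_MASK = r"ip address \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+"
START_172 = r"interface .*\n( .*\n)+ ip address 172.20."       # as on the slide
START_172_STAR = r"interface .*\n( .*\n)* ip address 172.20."  # added variant


def run_examples(config=SAMPLE_CONFIG):
    """Evaluate the slide rules and return violations per rule."""
    return {
        "snmp": violations(config, r"snmp-server community (?!xxxx)",
                           must_contain=False),
        "serial_has_ip": violations(config, IP_AND_MASK,
                                    start=r"interface Serial", end=r"!"),
        "shutdown_172": violations(config, r"\n shutdown",
                                   start=START_172, end=r"!"),
        "shutdown_172_star": violations(config, r"\n shutdown",
                                        start=START_172_STAR, end=r"!"),
        "aaa_tacacs": violations(config, r"tacacs-server host 1.2.3.4",
                                 start=r"aaa new-model", end=r"\nend"),
    }


if __name__ == "__main__":
    for rule, found in run_examples().items():
        print(rule, found)
```

On this sample the slide's 172.20 start pattern never opens a block for Serial0/3, because `( .*\n)+` needs at least one line between the interface line and its `ip address` line; the `*` variant reports it.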



Importing/Exporting Policies

To import a policy:
1. Browse for the policy.
2. Click Import.

To export a policy:
1. Select the policy from policy list.
2. Click Export.

Example Policies
- Ensure Logging
- Ensure Passwords
- No Delay on Interfaces
- NSA Router Best Practices


Reviewing Policy Activity

1. Select Policies->Policy Activity.
2. Click Summary to view event summary.
Or
2. Click Policy Name to view the rules.


Verifying Policy Compliance

1. Verify the host name & IP address.
2. Verify if in compliance.
3. Verify importance rating.
4. Check policy events.
5. Check policies applied.


Reviewing Software Policy

1. Verify software version.
2. Verify compliance rating.

Add Compliance


NAS LiveNet
What is it?
- New, optional subscription service that provides NAS users with ongoing updates of security alerts and automation packs

Benefits:
- Security Alerts - vendor security alerts translated into NAS software policies
- Shared Product Extensions - leverage scripts, packages and policies
- Functionality Updates - new capabilities available outside the release cycle


NAS LiveNet Security Alerts

- Automatically downloads and continuously updates Network Vulnerability Alerts
- Based on industry leading alert service
- NAS translates alerts into Software Compliance Policies
- NAS server securely downloads new alerts (approx. 3-5 per week)
- Users can review and activate desired policies in their environment


NAS LiveNet - Example Security Alert



Verifying Configuration Policy Compliance
- From the Tasks menu, select New Task->Check Policy Compliance.
Or
- From the Policies menu, select New Policies Task->Check Policy Compliance.
- Verify compliance results
- View result details for compliance status


Testing Compliance
- Test configuration compliance against:
  - All applicable policies
  - Applicable policies to selected device groups
  - Selected policies
- Existing devices
- Configuration


HP Network Automation

Training Course

Managing Reports

Reports Overview
- The NAS system provides reports for:
  - User & System
  - Network Status
  - Best Practices
  - Device Status
  - Statistics Dashboard (summary of frequently requested reports)
  - Device Software
  - Software Vulnerability
  - Software Compliance
  - System & Network events
- New Reporting Tasks:
  - Generate Summary Reports.
  - E-mail Reports.


The Reports Menu

One-stop menu for all system and network reports



Displaying User and System Reports

User reports are based on performed searches; saved to a file



Creating a Report Based on Users

Search criteria

Search report



Creating a System Report

User reports can be promoted to become system reports with Mark as System Report


Network Status Report - Sample


Best Practices Report - Sample


Device Status Report - Sample


The Statistics Dashboard - Sample


Other Reports

- Device software report
  - Software report per device
- Software vulnerability report
  - Reports on device software and software compliance
- Diagramming reports
  - Topology views of L2, L3, VLAN devices or ports
- System and network events
  - Reports generated on per-hour intervals
- Summary reports
  - Overview of configuration summary


Other Reports - Example


Other Reports - Example cont.

- Network events for audit trail
- Diagramming for topology views


Generating Summary Reports - Sample

Summary reports consist of:
- Frequency
- Statistics
- Changes
- and more
Note: Summary reports and email reports must be generated from New Reporting Task


Compliance Center



HP Network Automation

Training Course

Workflow

Workflow Overview
- Process manager for network configuration
- Benefits
  - Ensures that network changes are completed based on pre-defined policies.
  - Ensures the correct sequence of policy process completion.
  - Ensures that appropriate people approve policies.
- Workflow Wizard
  - Aids with the easy setup of tasks.
- Process flow
  - Project
  - Originator
  - Approver (approved, not approved, suspended, override)
  - FYI recipients


Workflow Process
Eight-step Approach
1. Start Setup Wizard.
2. Enable Workflow.
3. Manage approval rules. Create a new rule or modify existing rules.
4. Originator setup. Define the user who has process origination permissions.
5. Set up tasks. Determine which tasks to include in the process.
6. Set up the device group. Identify which device group to use for workflow.
7. Set up approver. Note, originator cannot approve tasks.
8. Identify FYI users (originator need not be added). Save workflow.


Creating a Workflow - Steps 1-2

Step 1: Start Setup Wizard

Step 2: Enable Workflow

Admin->Workflow Setup


Creating a Workflow - Steps 3-5

Step 3: Create New Rules or Modify Existing Rules.

Step 4: Set up Originator.

Step 5: Create Tasks for Approval.


Creating a Workflow - Steps 6 & 7

Step 6: Set up device group to use for workflow.

Step 7: Set up the list of approvers.
Check here if no approvers required.


Creating a Workflow - Step 8

Step 8: Identify FYI Users.

Save Workflow.


Managing Workflow Approval Rules

Delete a rule

Decrease priority

Increase priority



Task with Workflow Enabled

Note that tasks specified in the Workflow Rule cannot be performed for this device without an approval


Events Notification Overview
- Several operations in NAS generate events.
- Event types
  - Device access failure
  - User login
- Events are stored in the database.
- Event rules can trigger other events or tasks.
- Events trigger on:
  - Event type (one or more per event rule)
  - Time window (e.g., 9 a.m. - 5 p.m.)
  - Device groups


Configuring for Event Notification
Over 16 pre-packaged notification rules
Inactive rules marked with a # sign
Edit or delete a rule based on requirements



Creating an Event Notification & Response Rule


Editing a Response Rule - Example


HP Network Automation

Training Course

User Accounts

User Accounts Basics
Users
Logged on Users
New User
User Groups
New User Groups
User Roles and Permission



Users
- Properties
  - Login name
  - First name
  - Last name
  - E-mail address
- Actions
  - Edit
  - Delete
  - Permissions
  - Configuration Changes


New User Form - User Information


New User Form - Authentication Requirements


Creating New Users

- The required fields are username and password
- However, user should belong to a group


Viewing All Users



Viewing Logged on Users

Properties
- User Name
- User Host
- Last Access Time


Searching for Users

Two ways:
- Reports->Search For->Users
- Admin->Users->Search for Users


User Groups
- Limited Access User
  - Limited Access Command permissions
- Power User
  - Power Command, All Scripts permissions
  - All Tasks except change admin and user settings
- Full Access User
  - Full Access Command, All Scripts permissions
  - All Tasks but only to a single device at a time and no recurring tasks
- Administrator
  - Administrator Command permissions


New User Group and Permissions

- From the Admin menu, select the New User Group menu item to invoke the new user window
- Enter the name of the group
- Select which permissions to grant/deny the group


New User Group and Permissions cont.

Assign members to the User Group


Adding Users to User Group

Admin->Users.
Edit.
Add User Group.
Save.



Viewing User Groups

Select the group, drill down for details, select an action and modify the group properties


User Roles and Permissions
- Limited Access User
- Full Access User
- Power User
- Administrator

Users are granted access permissions based on their roles.
Only the system administrator or user with similar permission can modify permissions for all users.


User Group and Roles
Group: Roles
- Limited Access User: Limited Access (Command Permission)
- Full Access User: Full Access (Command Permission), All Scripts (Script Permission), All Devices (Modify Device Permission)
- Power User: Power (Command Permission), All Scripts (Script Permission), All Devices (Modify Device Permission)
- Administrator: Administrator (Command Permission)


Changing User Roles - Command Permission


Changing User Roles - Modify Device Permission


Changing User Roles - Script Permission


Changing User Roles - View Device Permission


Viewing User Permission Summary Page

- From the Admin menu, select User Roles & Permission menu item.
- Identify the User Group
- Click on Permissions
- View Permissions for each of
  - Administrator
  - Power User
  - Limited Access User
  - Full Access User


Limiting Group Access to Devices

Admin->User Groups
Edit.
Specify permissions.

- Enter the group name
- Specify which:
  - Command Permissions
  - Modify Device Permissions
  - Script Permissions


Limiting Group Access to Devices cont.

Admin->User Groups
Edit.
Specify permissions.

- Define the View Permissions for the selected group
- Select which users should be added or removed


Auto-created Users
- NAS automatically creates additional users by change detection
- For example:
  - NAS notices that username tim logged into a network device directly
  - Username tim does not currently exist in NAS
  - NAS automatically creates a new username tim_auto (with no permissions)
- When no particular username is used, NAS might use one of the other attributes (e.g. IP of the telnet client that the person is using) to create a new user (192.168_auto)