Policy-Based Network Management • Course: Broadband Network Technologies and Applications • Advisor: 陳明仕 • Name: 劉原孝
Outline • Current problems of ISP network management systems • Policy-Based Network Management • Applying policy-based management technology at ISPs • Conclusions
Network management problems ISPs face today • New types of services • New services • More options per device • More devices • Configuration complexity • Lack of qualified, experienced personnel • Dynamic provisioning of services • Policy-based networking
ISP requirements for network management • Automate network management services at low cost. • Translate business policies into network policies to simplify the management process. • Standardize network service workflows and embed them in the management system, improving management efficiency. • Manage heterogeneous networks and devices, and support the enforcement of enterprise network SLAs.
How ISPs realize the five network management functions • Configuration Management: tells you where everything is in the network. • Fault Management: tells you what your network is doing. • Performance Management: tells you how the network is doing. • Accounting Management: tells you when your network is used. • Security Management: tells you who is using your network.
Why Policy-Based Management? (1/2) • Today, companies connect to the Internet to create business opportunities and to transmit information. • Ideally, • all users can be trusted to access their resources • the network has enough resources • the network has enough bandwidth • all applications can be trusted to use only the resources they need
Why Policy-Based Management? (2/2) • However, • not all users in the network can be trusted • the network has limited resources • the network has limited bandwidth • not all applications can be trusted to use only the resources they need • Technologies are needed to control the network traffic • Quality of service • Security
Problem of the Current Networks • (Diagram: services such as Firewall/Security Service, E-Commerce, Video Conference, IP VPN and Internet Connection are each delivered by a different device and feature: Router (QoS), Firewall (Security), Access Server (Tunneling), Switch.)
The Definition of the PBNM • PBNM (Policy-Based Network Management) • Policies are rules which describe the overall company intention as well as derived business, user, or application specific behaviors • The Level of the Policies • Business-level policies • Policy rules • Abstract device policies • Device configurations
The Level of the Policies (1/2) • Business-level policies • The Service Level Agreement (SLA) • It is written in human language. • It defines the authority and responsibility between the customer and the service provider. • The content of the SLA is easy for people to read and understand. • Policy rules • The policies are specified as a sequence of rules. • Each rule combines a condition part and an action part. • If (conditions) then (actions) • Policies specified in this fashion are easier to analyze than human language.
The Level of the Policies (2/2) • Abstract device policies • The policies are specified on a per-device basis. • The policies are specified in some generic format. • Device configuration • This is the exact machine configuration of a particular device. • Different devices have different configuration formats. • The network devices can read information defined by such a format. • Sometimes it is hard for people to read and understand.
Policy Examples (1/3) • Provide the JitterFreeMPEG1 video service for authorized users between authorized points, but only at agreed-upon times • Employees cannot access stock web sites from 8:00 to 17:00 • Deny all P2P connections
Policy Examples (2/3) • (Diagram: an example QoS policy. A Policy contains the rules "Gold Service", "Silver Service" and "Bronze Service"; each rule pairs a Condition, such as IP Address in "Engineering Group", with an action, such as Set priority := High.)
Policy Examples (3/3) • Provide the JitterFreeMPEG1 video service for authorized users between authorized points, but only at agreed-upon times • (Diagram: Content Provider, Backbone Network, Access Network and Internet; the backbone and access technologies shown are Token Ring, FDDI, ATM, SONET/SDH, DWDM, DSL, ISDN, EPON and wireless communication networks.)
Policy-Based Network Management (1/2) • SLA: Service Level Agreement, describes the services provided to customers in both qualitative and quantitative measures. • Device configuration describes how and what the device is to do on the network. • (Diagram: Customers agree an SLA with the Service Provider, which turns it into device configuration information for the Network.)
Policy-Based Network Management (2/2) • Automatically translate and distribute policies • (Diagram: policies distributed across Content Provider, Backbone Network, Access Network and Internet.)
The Evolution of the PBNM (1/2) • The term policy was first used for routing policies in the Internet • In 1996, the IETF developed a protocol called Common Open Policy Service (COPS) • For resource reservation (QoS) • In 1998, Microsoft and Cisco proposed Directory Enabled Networks (DEN) • Drive the networks from a central repository originally based on a directory.
The Evolution of the PBNM (2/2) • At the end of 1998, the companies involved in DEN decided to migrate the work to the DMTF (Distributed Management Task Force). • DMTF defines a common information model (CIM) that was originally intended to be used to describe the characteristics of a computer. • http://www.dmtf.org • The goal of the IETF activity was to define a framework that could be used to specify policies
DMTF vs. IETF • In the DMTF • Information models • In the IETF • Policy framework WG • RAP WG • IPSP (IPsec policy) WG • SNMPCONF WG • IETF policy issues • Policy specification • System architecture and policy storage • Policy transport protocols
Roles of the DMTF and the IETF • The DMTF is concerned with information modeling independent of the underlying implementation • Exception: DEN • The IETF is concerned with protocols, schema, and APIs • Exception: policy needs information modeling
DMTF and IETF Interactions • (Diagram, by level of abstraction: on the DMTF side DEN and CIM, carried as XML or LDAP; on the IETF side the Policy Framework, the Policy MIB and DiffServ Policy MIB over SNMP (SNMPCONF), the DiffServ MIB over SNMP, and the DiffServ PIB over COPS (RAP), all mapping down to DiffServ.)
Policy-Based Network System Architecture • Following the IETF policy-based network architecture, the system comprises three main modules • Policy Manager: the application through which administrators create and edit Policy data, usually via an easy-to-use management interface; the edited Policy data is converted into a fixed format and stored in the Policy Repository. • Policy Repository: the Policy storage mechanism, which may be a directory service or a database system, used to store the network policies (Policy) the administrator has finished editing, along with other system-related network device information and configuration parameters.
Policy-Based Network System Architecture • Policy Decision Point (PDP): also called the Policy Server, the decision center of the whole system; according to the Policy set by the administrator, it distributes network management policy to the Policy Enforcement Points (PEP) to meet the management requirements. • Policy Enforcement Point (PEP): a device that accepts Policy management, such as a router, switch or firewall; the set of such Policy-managed devices (PEPs) forms a Policy Administrative Domain.
The Framework (1/2) • SLA: Service Level Agreement • PDP: Policy Decision Point • PEP: Policy Enforcement Point • Policy Transaction Protocol: COPS (Common Open Policy Service), SNMP, CLI, CORBA • Directory Access Protocol: LDAP (Lightweight Directory Access Protocol) • (Diagram: the Policy Console feeds the Policy Server; Policies and the SLA live in the Repository, which the PDP reads over the Directory Access Protocol; the PDP drives the PEPs over the Policy Transaction Protocol, and the PEPs handle Network Traffic.)
The Framework (2/2) • (Diagram: Policy Console, Policy Server and Repository communicate over LDAP and SNMP; the PDP reaches the PEP over COPS/SNMP/CLI/CORBA.) • Policy management tool workflow: author new policy; associate policy with PEP; conflict detection; store policy and association; notify new policy; PDP obtains the policy; provide status for monitoring.
3-tier Policy-Based Management system • (Diagram) Tier 1: Policy Console, Policy Server and Repository (LDAP, SNMP). • Tier 2: Policy Decision Point, speaking COPS, SNMP, CLI or CORBA to the PEPs. • Tier 3: Policy Enforcement Point handling Network Traffic; a PEP may be policy aware (with a PEP agent) or policy unaware.
2-tier Policy-Based Management system • (Diagram) Tier 1: Policy Console, Policy Server and Repository (LDAP, SNMP). • Tier 2: PDP co-located with the Policy Enforcement Point handling Network Traffic.
Policy Conflict • When the conditions of two or more policies can be simultaneously satisfied, but the actions of at least one of the policies cannot be simultaneously executed • Conflict example • Policy 1. Any access to WebServer gets silver service • Policy 2. Any use of the network by John gets gold service • Conflict exists when John accesses WebServer
Types of Conflict • Global conflict • Conflict exists in the policies on different devices along a flow • (Diagram: a flow from the User PC crosses LAN, Network Element A (Int1, Int2), LAN, Network Element B (Int3, Int4) and LAN; one element's policy says "User A gets 512kbps" while the other's says "User A gets 64kbps".) • Local conflict • Multiple policies want to install conflicting configurations on a given device • Policy 1 (srcIPaddr = 192.168.2.3) drop • Policy 2 (srcIPsubnet = 192.168.2.0/24) pass
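As an added example that is not part of the slides, the "If (conditions) then (actions)" rule form from "The Level of the Policies" and the local-conflict check from "Types of Conflict", in Python: the attribute names dst_host, user and src_ip are assumptions, and the two rule sets reproduce the John/WebServer and 192.168.2.x examples above.

```python
import ipaddress

# Added example (not from the slides): a minimal "if (conditions) then (action)"
# rule model plus a local-conflict check in the slides' sense: two rules conflict
# when their conditions can be satisfied at the same time but their actions set
# the same parameter to different values.

class Rule:
    def __init__(self, name, conditions, action):
        self.name = name
        self.conditions = conditions  # attribute -> value (string or IP prefix), assumed names
        self.action = action          # (parameter, value), e.g. ("service", "gold")

def values_overlap(a, b):
    """True if one flow can match both values: equal strings, or IP prefixes that overlap."""
    try:
        net_a = ipaddress.ip_network(a, strict=False)
        net_b = ipaddress.ip_network(b, strict=False)
    except ValueError:          # not IP literals (user names, host names): exact match only
        return a == b
    return net_a.overlaps(net_b)

def conditions_can_coincide(r1, r2):
    """Conditions can hold simultaneously unless a shared attribute is constrained
    to disjoint values; an attribute only one rule mentions never rules it out."""
    for attr in r1.conditions.keys() & r2.conditions.keys():
        if not values_overlap(r1.conditions[attr], r2.conditions[attr]):
            return False
    return True

def find_conflicts(rules):
    """Return (name, name) pairs of rules that conflict on a single device."""
    conflicts = []
    for i, r1 in enumerate(rules):
        for r2 in rules[i + 1:]:
            same_parameter = r1.action[0] == r2.action[0]
            different_value = r1.action[1] != r2.action[1]
            if same_parameter and different_value and conditions_can_coincide(r1, r2):
                conflicts.append((r1.name, r2.name))
    return conflicts

# Constructed rule sets reproducing the two conflicts shown on the slides.
QOS_RULES = [
    Rule("Policy 1", {"dst_host": "WebServer"}, ("service", "silver")),
    Rule("Policy 2", {"user": "John"}, ("service", "gold")),
]
FILTER_RULES = [
    Rule("Policy 1", {"src_ip": "192.168.2.3"}, ("filter", "drop")),
    Rule("Policy 2", {"src_ip": "192.168.2.0/24"}, ("filter", "pass")),
    Rule("Policy 3", {"src_ip": "10.0.0.0/8"}, ("filter", "drop")),  # disjoint prefix: no conflict
]
```

Run as a pre-store check in the policy management tool: `find_conflicts(QOS_RULES)` and `find_conflicts(FILTER_RULES)` each report the pair ("Policy 1", "Policy 2"), while Policy 3 is left alone because its prefix cannot match the same flow.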
The Advantage of the PBNM • Unlike point-to-point management where devices are configured one by one across the network to attain the right security level, policy-based management closely follows business practices and requirements by establishing rules and relations between network entities such as users or networks. • Offers three essential benefits • Centralized response to network events and attacks • Consistent, end-to-end, network security • Lower cost of ongoing maintenance.
Policy Rule Planning • The aim is to use the policy-based network management architecture to express the policy objectives set by the enterprise's leadership directly as network management policies.
Network management system function design: automatic configuration • Strengthen the system's ability to manage across heterogeneous networks: an ISP's internal network typically contains devices of many brands and models, including legacy equipment, so to strengthen this cross-vendor capability the system uses the CLI instead. • Increase the system's flexibility and extensibility: because all network devices support a standard Command Line Interface (CLI), telnet can be used to push the complete set of configuration commands to a device by copy-and-paste. • (Diagram: CLI telnet script and SNMP get/trap toward the PEP (agent).)
Network management system function design: fault and quality monitoring • Device quality and fault monitoring: device CPU loading; device memory utilization; device uplink port status; device reachability; interface packet drops; interface packets/sec. • Link quality and fault monitoring: link down (via Trap); errors (reliability); delay time / packet loss; traffic load. • Alarm notification methods: Web status display; SMS / Email. • (Diagram: CLI telnet script and SNMP get/trap toward the PEP (agent).)
Conclusions • Achieve centralized management of network resources with distributed enforcement of network policies: devices are configured and managed directly over the network, reducing the cost of administrators having to be physically present at the equipment site. • Better scalability: the scale of the framework can be adjusted flexibly as the network devices change, giving the network management department an economical and effective management tool.
Conclusions • A unified interface for managing multi-vendor devices • Policies are entered through a simple GUI to configure and manage different network attributes without concern for which vendor a device comes from. • One approach applies to managing different device platforms, achieving so-called cross-device commonality. • Abstraction of management data simplifies the management process • Network administrators move from the traditional network- and device-centric management model to a business-centric one. • Many configuration and management details are abstracted into management policies (Policy), simplifying the management decision process. • Reduces the administrator's need for domain-specific expertise (such as Security, QoS) and the enterprise's spend on technical training for network management staff. • Automation of management work