Policy-Based Management MIB
Steve Waldbusser, Jon Saperia, Thippanna Hongal

Policy Table

PolicyFilter                                      PolicyAction
ifType == FastEthernet && roleString == trunk     fullDuplexMode = ON
ifType == Ethernet && roleString == GOLD          Set QOS parameters to provide EF PHB

Infrastructure: Policy Table, Role Table, Capabilities Table, Time Objects, SNMP MIBs

PolicyTable

    PmPolicyEntry ::= SEQUENCE {
        pmPolicyIndex        Integer32,
        pmPolicyFilter       OCTET STRING,
        pmPolicyAction       OCTET STRING,
        pmPolicyDescription  SnmpAdminString,
        pmPolicyMatches      Gauge32,
        pmPolicyStatus       RowStatus
    }

Policy Filter Expressions
• Need to define a way to express a filter
• Probably a parenthesized logical and arithmetic expression
• Probably doesn’t need iteration
• Strong preference for simplicity and “obviousness”

Expression Details
• Implicit SNMP retrievals
  • e.g.: if (ifType == ethernet) then (…)
• Wildcarding
  • Self-defeating filter: ifType.7 == ethernet
  • Need wildcarding
  • Maybe: if (ifType.$1 == ethernet) then (ifAdminStatus.$1 = on)
• Accessors
  • Function calls that retrieve data in a convenient way
  • e.g.: roleMatch(“gold”)
    • Searches for any matching role for this element
  • Expect from 3 to 10 accessors to be defined

Role Table
Purpose:
• Writable table that allows strings to be downloaded to agent:
  • Multiple strings can be assigned to any element

PmRoleESTable
element       string          status
ifIndex.1     gold            active
ifIndex.1     access          active
ifIndex.1     headquarters    active
ifIndex.99    trunk           active

Role Table

    PmRoleESEntry ::= SEQUENCE {
        pmRoleESElement  OBJECT IDENTIFIER,
        pmRoleESString   SnmpAdminString,
        pmRoleESStatus   RowStatus
    }

    PmRoleSEEntry ::= SEQUENCE {
        pmRoleSEString   SnmpAdminString,
        pmRoleSEElement  OBJECT IDENTIFIER
    }

Role Table
• Accessor Function:
  • Need an accessor function for use in policyFilter
  • Something like roleMatch(“argument”)
  • Returns true if the element has that role string defined

CapabilitiesTable
Purpose:
• We want policies to be executed only on devices that have certain capabilities
• Need those capabilities to be in a MIB so that policy servers can determine which policies to download
• Values for type are assigned by the working group
• Values for subType are assignable by the implementor

index    type           subType
1        WFQ            AcmeWFQ
2        Pentium
3        RoundRobinQ

Capabilities Table
• Accessor Function:
  • Need an accessor function for use in policyFilter
  • Something like capMatch(“argument”)
  • Returns true if the element has that capability
• NOTE:
  • capabilitiesTable not referenced by element
  • Only used to determine which filters to download
  • On the other hand, capMatch has a per-element resolution
  • It must apply policies to only the proper elements

Time
• We want policies to be executed only at certain times
• Need time to be in a MIB so that filters can read it
• Needs to provide two views of time
  • Globally consistent (i.e., UTCTime)
  • Local “Business Time” (i.e., M-F 9-5 local time)

Time
Three choices:
• policyCalendarPtr - points to RFC 2591
• Accessor Function
  • Like: If (dayOfWeek(“MTWTF”)) then (policyAction)
• Three MIB objects
  • timeOfDay
  • dayOfWeek
  • dayOfMonth
  • ...
  • if (timeOfDay.0 > 9 && timeOfDay.0 < 17)

Operational Requirements
• Policy Creation
  • Need to allow an engineer to “debug” a policy
  • policyActions can be debugged in a lab
  • Debugging of policyFilters consists of ensuring that the filter selects the intended set of elements (not more, not less)
  • Need to see where a policy would be executed
  • Table that shows where a policy is executed
  • For debugging, set policyAction to no-op

pmPolicyDebugPETable
PEPolicyIndex    PEElement    PEStatus
1                ifIndex.4    ON
1                ifIndex.8    ON
1                ifIndex.9    ON
2                ifIndex.4    ON
2                ifIndex.8    ON

Operational Requirements
• Troubleshooting in Field
  • Engineers will occasionally find that a device is misconfigured due to policy
  • Need to find out which policy is causing the misconfiguration
  • Need to see where policies are bound
  • Table that shows what policies are executed here
  • Ad-hoc disabling of a policy binding
    • Granularity: 1 policy on 1 element
    • Turn status off in pmPolicyDebugEPTable
    • Need to provide facility so that this is documented in policyServer

pmPolicyDebugEPTable
PEPolicyIndex    PEElement    PEStatus
1                ifIndex.4    ON
2                ifIndex.4    ON
1                ifIndex.8    ON
2                ifIndex.8    ON
1                ifIndex.9    ON

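The dry run and per-element binding views described in the two Operational Requirements slides, as an added example that is not part of the original presentation: each filter is evaluated once per element with the action treated as a no-op, one binding can be switched off, and the selected set is compared with the intended set. The role data follows the PmRoleESTable sample; the ifType values, the Python function names and the filters written as callables are assumptions.

```python
# Added illustration; table contents and helper names are constructed, not from the MIB.
ROLES = {  # modelled on the PmRoleESTable sample: element -> role strings
    "ifIndex.1": {"gold", "access", "headquarters"},
    "ifIndex.99": {"trunk"},
}
IF_TYPE = {  # constructed stand-in for implicit SNMP retrievals of ifType
    "ifIndex.1": "ethernet",
    "ifIndex.4": "ethernet",
    "ifIndex.99": "fastEthernet",
}

def role_match(element, role):
    """Accessor: true if the element has that role string defined."""
    return role in ROLES.get(element, set())

# pmPolicyIndex -> filter, evaluated once per element (the wildcard case).
POLICIES = {
    1: lambda e: IF_TYPE[e] == "fastEthernet" and role_match(e, "trunk"),
    2: lambda e: IF_TYPE[e] == "ethernet" and role_match(e, "gold"),
}

def debug_pe_table(policies, elements, disabled=frozenset()):
    """Dry run (action = no-op): rows of (policy index, element, status)."""
    rows = []
    for index in sorted(policies):
        for element in sorted(elements):
            if policies[index](element):
                # A disabled binding is one policy on one element, status OFF.
                status = "OFF" if (index, element) in disabled else "ON"
                rows.append((index, element, status))
    return rows

def debug_ep_table(pe_rows):
    """Same bindings keyed by element, for troubleshooting in the field."""
    return sorted((element, index, status) for index, element, status in pe_rows)

def check_selection(pe_rows, index, intended):
    """Return (extra, missing) elements relative to the intended set."""
    selected = {e for i, e, _ in pe_rows if i == index}
    return sorted(selected - intended), sorted(intended - selected)

if __name__ == "__main__":
    rows = debug_pe_table(POLICIES, IF_TYPE, disabled={(2, "ifIndex.1")})
    for row in rows:
        print(row)
    # ifIndex.4 is ethernet but has no "gold" role, so policy 2 misses it.
    print(check_selection(rows, 2, {"ifIndex.1", "ifIndex.4"}))
```
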
Advantages of the Approach
• Built with existing infrastructure and tools
• Leverages existing MIBs
• Flexibility
• Complete Architecture
• Includes operational tools