© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Network Configuration Change Management
Dirk Anteunis
March 2008
Agenda
• Stable Infrastructure vs. Changing Demands
• What is Network Management?
• The CFO’s view
• NCM Product Overview
• Visibility
• Questions are welcome
• Mobile phone ringtones are not
Where would you prefer to walk?
First: Stable Infrastructure
Infrastructure = [device image] + IOS 12.4(19) + configuration:

    r1#sh run
    ...
    router bgp 12
     no synchronization
     bgp log-neighbor-changes
     network 137.1.200.0 mask 255.255.255.0
     neighbor 137.1.200.2 remote-as 12
     no auto-summary
    ...
Stable Network Infrastructure =
• Reliable hardware
• Reliable OS
• Well-known configuration
• Efficient processes
Situation Analysis
Automate configuration and change management operations to keep the network functional and compliant 24x7
• How do I set up and configure equipment for a new remote location?
• What policies should apply to a new location and new configuration?
• How do I give access to tools and devices for people to manage new network elements? Who can make different kinds of changes?
• How do I know the intended configurations were rolled out and the correct permissions set up?
• How can I replicate changes easily and quickly again?
• How do I comply with a new internal policy for accessing information?
• Who is making changes to data access permissions?
• How do I report on who has access and what changes to entitlement may have taken place?
• How do I analyze network integrity?
• How can I perform an IOS upgrade with minimum downtime and with consistency throughout the network?
• How do I ensure that an upgrade which is correct for an element in one part of the network will also be correct for a similar element in a different part of the network?
• How do I audit after deployment to ensure compliance?
• How do I validate and report on the network’s compliance to best practices?
Multi-faceted Demands
Diagram axes: Compliance, Growth, Complexity, Expertise
• Network expansion
• VoIP, Video
• Critical business application
• Intelligent information network
• QoS, HA
• Network applications
• Web services
• Productivity increase requirements
• Scarce CCIE expertise in NOC
• Regulatory standards
• Corporate/IT policies
• Technology rules
What is Network Management?
What is Network Management?
• Similar to a doctor treating a patient, similar to managing national health
• Because somebody wants to achieve a goal
• Steps:
  1) Observe or Monitor
  2) Interfere; i.e. change the behaviour
  3) Measure; similar to Monitor, but more precise data
  4) Report; produce intelligible info for others
The CFO’s view
Why NMS?
• Why Network Management Systems?
• Enable owners of (Cisco) kit to save on spending €€ while managing the kit
Diagram: Manual mgmt, IT assisted mgmt, NMS (-€€ at each step)
Why Use an NCCM tool?
47% of changes are unauthorized or not accounted for
60% of network downtime is due to human error
• Configuration is still manual
• Extreme control measures are often used
• Even small errors can cause large issues
• “Process” often limited to paper flow diagrams
• Most problems detected after deployment
• Compliance is usually poorly understood
About OSS
• Operations Support Systems help Service Providers to make €€ from (Cisco) kit
• Some non-networking issues are taken care of also (+ €€)
Customer statement
“Cisco, Alcatel, it doesn’t matter. What matters is how quickly you can offer new services. VPN, voice, you can only do it once the [OSS] systems are in place.”
Hans Rietkerk, Managing Director BB-Ned
NCM Product Overview
Network Compliance Manager (NCM)
Users: Tools Manager, Network Architect, Network Manager, Security Engineers, Network Engineers, NOC Operators, IT Staff, Auditor, Manager, Director
• Automate complex network management tasks through a multi-threaded, event-driven automation engine
• Control and standardize across infrastructure in a central, secure location
• Track all activity down to the very operator keystrokes
• Prevent errors & enforce process through a centralized point of control
Diagram labels: Network Management Tools, NCM, Network
CiscoWorks NCM Objectives
Software used by organizations to automate change management and compliance of network devices
Immediate Benefits
• Automated config. mgmt
• Improved visibility
• Ensure compliance
• Improve security
• Improve network uptime
Generate Massive Efficiency & Quality Gains
• Improved productivity (network device : engineer ratios)
• Operational standardization
• Improved quality
How do we achieve the objectives?
• Track
• Control
• Automate
• Prevent
NCM Functional Overview
CiscoWorks Network Compliance Manager: Central Data Repository (member of a federated CMDB); policy-based or ad hoc
Change & Configuration Management
• Device provisioning
• Configuration
• Scripting
• OS image updates
Audit & Compliance
• Network audits
• Best practices enforcement
• SOX, VISA CISP, HIPAA, GLBA, ITIL, CobiT, COSO
Reporting
• Network compliance
• Deployed assets
• Change history
Workflows & Approvals
• Sequencing
• Scheduling
• Process model
• Change approvals
Automated Discovery & Inventory Import
• Individual devices (e.g., from CiscoWorks DCR)
• Network topology
• Detailed asset inventory
• OS images
Integration Connectors: other network management systems, CiscoWorks or 3rd-party applications, the network
CiscoWorks NCM: Extensive, Multi-Vendor Device Support
Supports over 500 device models across Cisco and other vendors
Advanced Workflow and Approvals
• Model complex projects
  Combine automated and manual activities
• Define custom approval policies
  Require approval based on user, activity and/or device affected
  Require approvals for manual or automated activities
  Grant permission for approval overrides
  Integrate with external workflow and process systems
• Daily activity calendar
• Conflict alerts
• Flexible reporting & notification
  Change reporting dashboard
  Email / other notifications
Close the change loop with real-time process enforcement
Screenshot: Change Approval Rules
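The approval rules described on this slide can be expressed as a small, ordered rule set that is matched against each proposed change. The code below is an added illustration written for this page, not CiscoWorks NCM code: the role names, device naming patterns, rule names and the override role are all constructed assumptions, and the first matching rule decides whether approval is required and which roles may grant it.

```python
# Illustrative code for this page, not CiscoWorks NCM code: evaluating
# custom approval rules against a proposed change and recording each decision.
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass(frozen=True)
class ChangeRequest:
    user: str
    role: str        # e.g. "noc-operator", "network-engineer", "network-manager" (assumed names)
    activity: str    # e.g. "config-deploy", "os-image-update"
    device: str      # hostname of the device affected
    automated: bool  # automated (scheduled/scripted) activity or a manual one


@dataclass(frozen=True)
class ApprovalRule:
    """Match on role, activity and/or device (shell-style patterns, '*' = any) and on manual vs automated."""
    name: str
    role: str = "*"
    activity: str = "*"
    device: str = "*"
    applies_to: str = "any"            # "manual", "automated" or "any"
    requires_approval: bool = True
    approvers: tuple = ()              # roles allowed to grant the approval

    def matches(self, req: ChangeRequest) -> bool:
        kind = "automated" if req.automated else "manual"
        return (fnmatch(req.role, self.role) and fnmatch(req.activity, self.activity)
                and fnmatch(req.device, self.device) and self.applies_to in ("any", kind))


@dataclass
class ApprovalPolicy:
    rules: list                                  # ordered: first match wins
    override_roles: frozenset = frozenset()      # roles granted permission to override approval
    audit_log: list = field(default_factory=list)

    def decide(self, req: ChangeRequest) -> dict:
        """Decide whether the request needs approval; an unmatched request always needs it."""
        rule = next((r for r in self.rules if r.matches(req)), None)
        entry = {"user": req.user, "activity": req.activity, "device": req.device,
                 "automated": req.automated, "rule": rule.name if rule else None,
                 "approval_required": rule.requires_approval if rule else True,
                 "approvers": rule.approvers if rule else (), "override_used": False}
        if entry["approval_required"] and req.role in self.override_roles:
            entry["approval_required"] = False
            entry["override_used"] = True
        self.audit_log.append(entry)   # every decision is kept, so the change loop stays auditable
        return entry


# Constructed sample policy: roles, device naming and rules are assumptions.
POLICY = ApprovalPolicy(
    rules=[
        ApprovalRule("lab-self-service", role="network-engineer", device="lab-*", requires_approval=False),
        ApprovalRule("core-change", device="core-*", approvers=("network-manager",)),
        ApprovalRule("os-upgrade", activity="os-image-update", approvers=("network-manager", "change-board")),
        ApprovalRule("automated-default", applies_to="automated", approvers=("network-manager",)),
        ApprovalRule("manual-default", applies_to="manual", approvers=("network-manager", "noc-lead")),
    ],
    override_roles=frozenset({"network-manager"}),
)


def evaluate_samples() -> list:
    """Run five constructed change requests through POLICY and return the decisions."""
    requests = [
        ChangeRequest("alice", "network-engineer", "config-deploy", "lab-sw1", automated=False),
        ChangeRequest("bob", "noc-operator", "config-deploy", "core-rtr1", automated=True),
        ChangeRequest("carol", "network-engineer", "os-image-update", "branch-rtr7", automated=True),
        ChangeRequest("dave", "network-manager", "config-deploy", "core-rtr2", automated=False),
        ChangeRequest("erin", "noc-operator", "script-run", "branch-sw3", automated=False),
    ]
    return [POLICY.decide(r) for r in requests]


if __name__ == "__main__":
    for decision in evaluate_samples():
        print(decision)
```

Ordering matters: the permissive lab rule is listed before the catch-all defaults, so an engineer's lab change is self-service while the same change on a core router still needs a manager. The override is recorded rather than silent, which is what makes "grant permission for approval overrides" compatible with later change reporting.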
NCM Alert Center
What is it?
Optional subscription service that provides NCM users with ongoing updates of security alerts and automation packs
Benefits:
• Security Alerts – vendor security alerts translated into NCM software policies
• Shared Product Extensions – leverage scripts, packages and policies
• Functionality Updates – new capabilities available outside the release cycle
NCM Alert Center – Security Alerts
• Automatically downloads and continuously updates Network Vulnerability Alerts
• Based on industry leading alert service
• NCM translates alerts into Software Compliance Policies
• NCM server securely downloads new alerts (approx. 3-5 per week)
• Users can review and activate desired policies in their environment
NCM Architectural Overview
Robust Security Model
• Device-level access per user
• Task-level access per user
• Sensitive Data Masking and Encryption
Directory Services & AAA Integration
• LDAP / Active Directory
• RADIUS / TACACS
• SecurID
High Availability Configurations
• High Availability Replication
• Satellite Off-loading
• Microsoft and Veritas (Solaris) Clustering
Extensibility
• APIs (Perl, Java, Web Services (XML))
• Open database schema
• Integration with CiscoWorks and 3rd-party NMS
CiscoWorks NCM High Availability Features
Active/Active Management via High Availability Database Replication
Key Elements
• NCM Core
• NCM HA: real-time synchronization between all NCM cores; enables remote management, disaster recovery and global visibility; replicated database, software and user directory, and routes commands to the correct locations
• NCM Satellite: management of remote offices & duplicate IP addressed space; meshed to work around network failures
Key Attributes
• Secure, scalable
• No single point of failure
• Remotely manage any device, including duplicate addressed networks
Diagram: NCM Cores, each with a Managed Network, and a Remote Office with an NCM Satellite
Visibility
Configuration Change Management
• Centralized software & configuration deployment
• Real-time change detection
• Visual configuration comparisons
• Configuration templates
• Pre-deployment validation of changes & pro-active policy enforcement
• Secure device access
• Historical configuration archive
Maximized uptime during change management
Screenshot: Visual Difference Comparisons
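Three of the bullets above (real-time change detection, visual configuration comparisons and the historical configuration archive) rest on one mechanism: keep every distinct version of a device's configuration and compare each new collection against the last archived one. The following is an added example written for this page, not CiscoWorks NCM code. It extends the slide's BGP snippet with a constructed ACL, ignores volatile lines (the timestamp pattern is an assumption) so that a re-collection with nothing changed does not raise a false change event, and produces a unified diff as the textual form of a visual difference comparison.

```python
# Illustrative code for this page, not CiscoWorks NCM code: a per-device
# configuration archive with change detection and a unified (textual) diff.
import difflib
import hashlib
import re
from dataclasses import dataclass, field

# Lines that differ on every collection but carry no configuration meaning;
# ignoring them prevents false "change detected" events. The pattern is an assumption.
VOLATILE = re.compile(r"^(! Last configuration change|! NVRAM config last updated|ntp clock-period)")


def normalise(config: str) -> list:
    """Drop volatile lines and trailing whitespace so equal configs hash equal."""
    return [ln.rstrip() for ln in config.splitlines() if not VOLATILE.match(ln)]


def fingerprint(config: str) -> str:
    return hashlib.sha256("\n".join(normalise(config)).encode()).hexdigest()


@dataclass
class ConfigArchive:
    """Historical archive: device -> [(fingerprint, config)], one entry per distinct version."""
    versions: dict = field(default_factory=dict)

    def record(self, device: str, config: str) -> bool:
        """Archive a freshly collected config; True means a change was detected."""
        fp = fingerprint(config)
        history = self.versions.setdefault(device, [])
        if history and history[-1][0] == fp:
            return False
        history.append((fp, config))
        return True

    def diff_latest(self, device: str) -> list:
        """Unified diff between the two most recent archived versions."""
        history = self.versions.get(device, [])
        if len(history) < 2:
            return []
        old, new = normalise(history[-2][1]), normalise(history[-1][1])
        return list(difflib.unified_diff(old, new, fromfile=f"{device}@v{len(history) - 1}",
                                         tofile=f"{device}@v{len(history)}", lineterm=""))


def changed_lines(diff: list) -> tuple:
    """Split a unified diff into (removed, added) configuration lines."""
    removed = [ln[1:] for ln in diff if ln.startswith("-") and not ln.startswith("---")]
    added = [ln[1:] for ln in diff if ln.startswith("+") and not ln.startswith("+++")]
    return removed, added


# Constructed sample snapshots. BASELINE extends the slide's BGP snippet with an ACL;
# VOLATILE_ONLY differs in a timestamp; REAL_CHANGE opens the ACL and adds a neighbor.
BASELINE = """! Last configuration change at 10:00:00 UTC Mon Mar 3 2008
hostname r1
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any log
router bgp 12
 no synchronization
 bgp log-neighbor-changes
 network 137.1.200.0 mask 255.255.255.0
 neighbor 137.1.200.2 remote-as 12
 no auto-summary
"""
VOLATILE_ONLY = BASELINE.replace("10:00:00", "10:05:00")
REAL_CHANGE = VOLATILE_ONLY.replace(
    " permit tcp 10.0.0.0 0.0.0.255 any eq 22\n", " permit tcp any any eq 22\n"
).replace(
    " neighbor 137.1.200.2 remote-as 12\n",
    " neighbor 137.1.200.2 remote-as 12\n neighbor 137.1.200.3 remote-as 12\n",
)


def demo() -> dict:
    """Collect three snapshots of r1 and report what the archive detected."""
    archive = ConfigArchive()
    events = [archive.record("r1", cfg) for cfg in (BASELINE, VOLATILE_ONLY, REAL_CHANGE)]
    diff = archive.diff_latest("r1")
    removed, added = changed_lines(diff)
    return {"change_events": events, "versions": len(archive.versions["r1"]),
            "diff": diff, "removed": removed, "added": added}


if __name__ == "__main__":
    result = demo()
    print("change detected per collection:", result["change_events"])
    print("\n".join(result["diff"]))
```

The second collection produces no change event and no new archive version, while the third records both the ACL being widened and the new BGP neighbor; the removed and added lines are exactly what a visual comparison would highlight, and are the input a compliance check or approval workflow would act on.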
Diagram, Visualization & Troubleshooting
The Challenge
• Creating network diagrams is a labor intensive process
• Diagrams are often out of date with the current state of the network, causing increased downtime and less effective troubleshooting
NCM Solution
• Applies deep network understanding to generate real-time, accurate topology diagrams
• Provides integrated server & network diagrams for a complete picture of the IT infrastructure
Benefits
• Eliminate 99% of the time spent building diagrams
• Facilitates troubleshooting
• Allows server/network dependencies to be mapped
Annotate diagrams with configuration and asset information
Leverages network knowledge to create real-time topology diagrams
Layer 2 Modeling
The Challenge
• No visibility into network <-> server dependencies
• Armed with the MAC address of a server, users are unable to complete the puzzle:
  what is the IP address of the server?
  which network switch is that server attached to?
NCM Solution
• Capture and store L2 information for managed devices and attached nodes
• Calculate L2 topology from device configurations and diagnostics
• MAC – port – switch – interface – router mapping tool
Immediately locate the device & port where a MAC address is seen
Provides layer 2 networking intelligence
VLAN Management
The Challenge
• Distributed VLANs cause complexity: which switches participate in VLAN 101?
• Tracking servers to VLAN segments: which servers are in the Finance VLAN?
NCM Solution
• Instantly identify VLAN based on MAC/port/switch data
• Real-time VLAN reports
Produce real-time reports of VLAN membership
Provides VLAN networking intelligence
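The Layer 2 Modeling and VLAN Management slides both start from the same raw data: the MAC address tables of the managed switches, the trunk port list, the VLAN names and the router's ARP table. The example below is an added illustration written for this page, not CiscoWorks NCM code; all device output is constructed, and the hostnames, ports, MACs and VLAN names are assumptions. It answers both questions on the slides: for a server MAC it returns the IP, switch, port and VLAN, and it reports which switches participate in each VLAN and which hosts are in it. The edge case it handles is that a MAC is learned on every switch along the path, so the attachment point is the entry seen on a non-trunk (access) port.

```python
# Illustrative code for this page, not CiscoWorks NCM code: MAC -> port -> switch -> VLAN
# mapping and VLAN membership reporting from constructed device output.
import re
from collections import defaultdict
from typing import Optional

# --- constructed sample output (not from a real network) ---
MAC_TABLES = {
    "sw1": """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 101    0011.2233.4455    DYNAMIC     Gi0/1
 101    0011.2233.6677    DYNAMIC     Gi0/24
 202    0011.2233.8899    DYNAMIC     Gi0/5
""",
    "sw2": """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 101    0011.2233.4455    DYNAMIC     Gi0/24
 101    0011.2233.6677    DYNAMIC     Gi0/3
""",
}
TRUNK_PORTS = {"sw1": {"Gi0/24"}, "sw2": {"Gi0/24"}}   # as reported by 'show interfaces trunk'
VLAN_NAMES = {101: "Finance", 202: "Engineering"}          # as reported by 'show vlan brief'
ARP_TABLE = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.101.10             5   0011.2233.4455  ARPA   Vlan101
Internet  10.1.101.11             2   0011.2233.6677  ARPA   Vlan101
Internet  10.1.202.20             9   0011.2233.8899  ARPA   Vlan202
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
MAC_LINE = re.compile(rf"^\s*(\d+)\s+({MAC})\s+\S+\s+(\S+)", re.I)
ARP_LINE = re.compile(rf"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+({MAC})", re.I)


def parse_mac_tables(tables: dict, trunks: dict) -> list:
    """One record per (switch, MAC) with VLAN, port and whether that port is a trunk."""
    records = []
    for switch, text in tables.items():
        for line in text.splitlines():
            m = MAC_LINE.match(line)
            if m:
                vlan, mac, port = int(m.group(1)), m.group(2).lower(), m.group(3)
                records.append({"switch": switch, "mac": mac, "vlan": vlan, "port": port,
                                "trunk": port in trunks.get(switch, set())})
    return records


def parse_arp(text: str) -> dict:
    """MAC -> IP from the router's ARP output."""
    return {m.group(2).lower(): m.group(1)
            for m in (ARP_LINE.match(ln) for ln in text.splitlines()) if m}


def locate(mac: str, records: list, arp: dict) -> Optional[dict]:
    """Resolve a MAC to IP, switch, port and VLAN; the access-port entry is the attachment point."""
    mac = mac.lower()
    edge = [r for r in records if r["mac"] == mac and not r["trunk"]]
    if not edge:
        return None   # seen only on trunks, or not at all: host is behind an unmanaged device
    r = edge[0]
    return {"mac": mac, "ip": arp.get(mac), "switch": r["switch"], "port": r["port"],
            "vlan": r["vlan"], "vlan_name": VLAN_NAMES.get(r["vlan"])}


def vlan_report(records: list, arp: dict) -> dict:
    """VLAN -> name, participating switches and attached hosts (access ports only)."""
    report = defaultdict(lambda: {"switches": set(), "hosts": []})
    for r in records:
        report[r["vlan"]]["switches"].add(r["switch"])
        if not r["trunk"]:
            report[r["vlan"]]["hosts"].append((arp.get(r["mac"]), r["mac"], f'{r["switch"]}:{r["port"]}'))
    return {v: {"name": VLAN_NAMES.get(v), "switches": sorted(d["switches"]),
                "hosts": sorted(d["hosts"], key=lambda h: h[1])}
            for v, d in report.items()}


if __name__ == "__main__":
    recs, arp = parse_mac_tables(MAC_TABLES, TRUNK_PORTS), parse_arp(ARP_TABLE)
    print(locate("0011.2233.6677", recs, arp))
    for vlan, info in vlan_report(recs, arp).items():
        print(vlan, info)
```

Without the trunk filter the server with MAC 0011.2233.6677 would be reported on both sw1 (its uplink) and sw2 (its real access port); with it, the report names sw2 Gi0/3 and VLAN 101 "Finance", and the VLAN report shows that VLAN 101 spans both switches while VLAN 202 exists on sw1 only.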
Prioritized Triage of Compliance Violations
The Problem
• Compliance violations are not all created equal
• No way to filter and triage hundreds or thousands of compliance violations besides manual review
Prioritized Compliance Rules
• Each violation has a risk rating
• Automated triage based on risk ratings, such as:
  Auto-remediate
  Open new trouble ticket
  Send email / page
  Email daily summary
Pushing the most critical violations to the forefront
Screenshot: Prioritize Compliance Rules
Security Management
• Centralized patch management
• Telnet/SSH Proxy
  Single sign-on
  Full session logging
  Centralized enforcement of privileges and approval policy
• Advanced ACL management
  View & search current ACLs, historical ACLs and audit trails
  Persistent ACL comments & handles
  Batch ACL edits for rapid vulnerability response
  ACL Templates
Patching, lock-down & centralized ACL management
Screenshot: ACL Change History
Reporting
• Report on device inventory
  By group, vendor, user
• Change reporting
  Who changed what, why & when
• Compliance reporting
  Regulatory compliance
  Corporate compliance
  NSA Router best practices
• Network status reports
  Policy compliance at-a-glance
  Identify and address risk factors
Pre-defined and custom reports
Screenshot: Network Status Reports
Take-Away
• Cisco provides a multi-vendor Network Configuration Change Management tool
• NCM scales to the thousands and is highly available
• Analyses the configuration file for policy compliance and layer 2 topology
• Can be linked to cisco.com to automatically download policies