Policy-Based Management MIB Steve Waldbusser Jon Saperia Thippanna Hongal

Infrastructure SNMP MIBs PolicyFilterPolicyAction ifType == FastEthernet && roleString == trunk fullDuplexMode = ON ifType == Ethernet && roleString == GOLD Set QOS parameters to provide EF PHB Policy Table

Infrastructure SNMP MIBs PolicyFilterPolicyAction ifType == FastEthernet && roleString == trunk fullDuplexMode = ON ifType == Ethernet && roleString == GOLD Set QOS parameters to provide EF PHB Policy Table Role Table Capabilities Table Time Objects

PolicyTable PmPolicyEntry ::= SEQUENCE { pmPolicyIndex Integer32, pmPolicyFilter OCTET STRING, pmPolicyAction OCTET STRING, pmPolicyCalendar RowPointer, pmPolicyDescription SnmpAdminString, pmPolicyMatches Gauge32, pmPolicyStatus RowStatus }

Policy Expression Language u Derivative of C u Subsetted by a BNF Grammar u Used for both Filters and Actions

policyFilter PseudoCode (is an interface AND is an ethernet AND is an access port AND gets gold or silver service)

policyFilter PseudoCode (!strcmp(ifTable, elementName()) && getint(ifType.$1) == ethernet-csmacd && roleMatch("access") && (roleMatch("gold") || roleMatch("silver")))

policyFilter Code (!strncmp(" ", elementName(), 17) && getint(" $1") == 6 && roleMatch("access") && (roleMatch("gold") || roleMatch("silver")))

policyFilter/Action Example u Filter (!strcmp(ifTable, elementName()) && getint(ifType.$1) == ethernet-csmacd && roleMatch("connected")) u Action setint("ifAdminStatus.$1", 2) OR setint(" $1", 2)

Complex Actions u Compound Statements –setint(OID1, 2); setstring(OID2, “String”); setint(OID3, 5) u Conditional Statements –(!strcmp(getstring(sysDescr.0), “ACME”) ? (setint(AcmeQOSKnob1.$1, 17); setint(AcmeQOSKnob2.$1, 2345)) : (setint(diffServMIBKnob1.$1, 34); setint(diffServMIBKnob2.$1, 754)))

Accessor Functions u getint u getstring u exists u elementName u strcmp u lc_strcmp u roleMatch u capMatch u setint u setstring u setoid

PolicyTable

Role Table elementstring ifIndex.1 gold ifIndex.1 access ifIndex.1 headquarters ifIndex.99 trunk status active PmRoleESTable Purpose: u Writable table that allows strings to be downloaded to agent: u Multiple strings can be assigned to any element

Role Table PmRoleESEntry ::= SEQUENCE { pmRoleESElement OBJECT IDENTIFIER, pmRoleESString SnmpAdminString, pmRoleESStatus RowStatus } PmRoleSEEntry ::= SEQUENCE { pmRoleSEString SnmpAdminString, pmRoleSEElement OBJECT IDENTIFIER }

Role Table u Accessor Function: –Need an accessor function for use in policyFilter –Something like roleMatch(“argument”) –Returns true if the element has that role string defined

CapabilitiesTable index typesubType WFQ Pentium RoundRobinQ AcmeWFQ Purpose: u We want policies to be executed only on devices that have certain capabilities u Need those capabilities to be in a MIB so that policy servers can determine which policies to download u Values for type are assigned by the working group u Values for subType are assignable by the implementor

Capabilities Table u Accessor Function: –Need an accessor function for use in policyFilter –Something like capMatch(“argument”) –Returns true if the element has that capability u NOTE: –capabilitiesTable not referenced by element –Only used to determine which filters to download –On the other hand, capMatch has a per-element resolution –It must apply policies to only the proper elements

Time u We want policies to be executed only at certain times u Need time to be in a MIB so that filters can read them u Needs to provide two views of time –Globally consistent (i.e., UTCTime) –Local “Business Time” (i.e., M-F 9-5 local time)

Time Three choices: u policyCalendarPtr - points to rfc2591 u Accessor Function –Like: If (dayOfWeek(“MTWTF”)) then (policyAction) u Three mib objects –timeOfDay –dayofWeek –dayOfMonth –... –if (timeOfDay.0 > 9 && timeOfDay.0 < 17)

Operational Requirements u Policy Creation –Need to allow an engineer to “debug” a policy –policyActions can be debugged in a lab –Debugging of policyFilters consists of ensuring that the filter selects the intended set of elements (not more, not less) –Need to see where a policy would be executed –Table that shows where a policy is executed For debugging, set policyAction to no-op

pmPolicyDebugPETable PEPolicyIndex PEElementPEStatus ifIndex.4 ifIndex.8 ifIndex.9 ON 2ifIndex.4 ON 2ifIndex.8 ON

Operational Requirements u Troubleshooting in Field –Engineers will occasionally find that a device is misconfigured due to policy –Need to find out which policy is causing the misconfiguration –Need to see where policies are bound Table that shows what policies are executed here u Ad-hoc disabling of a policy binding –Granularity: 1 policy on 1 element –Turn status off in pmPolicyDebugEPTable –Need to provide facility so that this is documented in policyServer

pmPolicyDebugEPTable PEPolicyIndex PEElementPEStatus ifIndex.4 ifIndex.8 ON 2 ifIndex.8 ON 1 ifIndex.9 ON

Advantages of the Approach u Built with existing infrastructure and tools u Leverages existing MIBs u Flexibility u Complete Architecture –Includes operational tools

Architectural Drawings created during meeting

Policy Management MIB PM MIB Instance- Independence Services Instance- Independent Instance- Dependent

QOS Policy MIB Mechanism- Independence Services Mechanism- Independent Mechanism- Dependent

Instance Dependent Mechanism Dependent NMS Managed System QOS Policy MIB PM MIB

NMS Managed System QOS Policy MIB PM MIB Instance Independent Mechanism Dependent

NMS Managed System QOS Policy MIB PM MIB Instance Dependent Mechanism Independent

NMS Managed System QOS Policy MIB PM MIB Instance Independent Mechanism Independent