Q. What is CiscoWorks Network Compliance Manager (NCM), Version 1.0?
A. CiscoWorks NCM, Version 1.0, is the first release of a new Web-based network management application in the CiscoWorks product family. It tracks and regulates configuration and software changes throughout a multivendor network infrastructure. It provides superior visibility into network changes and can track compliance with a broad variety of regulatory, IT, corporate governance, and technology requirements. CiscoWorks NCM helps IT staff identify and correct trends that could lead to problems such as network instability and service interruption.
Q. What enterprise network management problem does CiscoWorks NCM address?
A. Many network managers need comprehensive capabilities to automate the management of device configurations across their entire network from a central location while ensuring compliance with regulatory and business policies, corporate/IT directives, and technology best practices. This problem space is commonly referred to as network configuration and change management (NCCM).
Q. Why is Cisco Systems
® releasing an NCCM product?
A. Many enterprise customers have indicated that they require NCCM functions efficiently integrated with the rest of their Cisco® configuration management tools. CiscoWorks NCM addresses this requirement today while opening the door for increasingly sophisticated integration.
Q. Who should deploy CiscoWorks NCM?
A. Enterprises and service providers requiring scalable NCCM capabilities that include advanced workflow definition, a robust scripting interface, and the ability to maintain a multivendor network in compliance with regulatory policies, corporate IT methodologies, or technology best practices will find great value in CiscoWorks NCM.
Q. How does CiscoWorks NCM help users meet regulatory compliance goals and enforce internal IT best practices?
A. CiscoWorks NCM helps users meet regulatory compliance goals (such as GLBA, CISP/PCI, HIPAA, FERC, FISMA, and SOX) and enforce internal IT best practices (such as ITIL, COSO, or CobiT) in several ways:
• It tracks all changes to the network-configuration, software, and hardware changes-in real time and captures them in a detailed audit trail.
• It screens all changes against authorized policies immediately to ensure that they comply with regulatory requirements or IT best practices.
• It automatically validates new changes against appropriate policies before they are pushed to the network. If the changes are not compliant, CiscoWorks NCM does not allow them to be deployed.
• It automates the change review process, closing the gap between the approval of a change and the actual configuration change that is pushed to the network.
• It allows managers to enforce the approval of a change through a flexible, integrated approval model, using the exact configuration code that will be pushed to the network. Approvers of a change can review the change in the context of the entire device configuration and the business units it will affect. Event notifications are sent to interested parties, giving network staff immediate visibility into unplanned and unauthorized changes.
• It limits network configuration information to users on a need-to-know basis. CiscoWorks NCM uses highly customizable role-based permissions to control what information a user can view, what actions a user can perform on devices, and which devices a user can gain direct access to.
• It ships with regulatory reports for SOX, HIPAA, GLBA, and CISP enabled, providing the detailed metrics required by each of these regulations and providing the network information necessary to prove compliance.
Q. What benefits can I expect from deploying CiscoWorks NCM?
A. CiscoWorks NCM provides the following customer benefits (Table 1):
Table 1. CiscoWorks NCM Benefits
Eliminates manual administration of devices
Configuration and change management
• Increases uptime
• Eases audit of configuration changes
• Improves control of network resources
Audit and compliance management
• Includes expansive modeling of regulatory, corporate, IT, and technology policies
• Provides visibility into network's compliance with policies
• Identifies critical risks and violations
• Prioritizes triage of compliance violations
Integration with CiscoWorks applications
• Includes cross launch capabilities between CiscoWorks NCM and other CiscoWorks applications such as CiscoWorks LAN Management Solution (LMS), Home Page, Device Center, and CiscoView
• Allows user to run scripts to register with CiscoWorks servers
• Ensures consistency of network inventory database using CiscoWorks Device Credential Repository (DCR)-for example, device inventories may be imported into CiscoWorks NCM
• Enables combination of network configuration, change, compliance, and Cisco IOS
® Software and Catalyst
® OS image management
• Enables role-based access control and lock down
• Includes centralized access control list (ACL) management
Advanced workflow and approvals
Enables real-time process enforcement
• Supports thousands of device models or versions from Cisco and 35 other vendors
• Frequent and easy-to-deploy device driver releases
Q. How does CiscoWorks NCM fit within the rest of the Cisco network planning, configuration, and security management product portfolio?
A. CiscoWorks NCM is complementary to other Cisco network planning, configuration, and security management products, such as the Resource Management Essentials (RME) module of CiscoWorks LMS, Cisco Security Manager, Cisco Network Planning Solution (NPS), and Cisco Configuration Assurance Solution (CAS), with minimal overlap.
Q. How does RME complement CiscoWorks NCM?
A. CiscoWorks NCM provides improved scalability, advanced workflows, and multivendor support that is not available in RME. RME provides software image analysis, syslog reporting, and "show " commands not available in CiscoWorks NCM. Used in conjunction, CiscoWorks NCM and RME provide an optimal NCCM solution.
Q. How does CiscoWorks NCM fit with Cisco Security Manager?
A. CiscoWorks NCM helps improve the security of network configurations and control of user access to view, deploy, or change device configurations. Cisco Security Manager provides specialized provisioning for security features, in compliance with security technology best practices (for example, firewall and intrusion prevention rules) for Cisco security appliances and Cisco Catalyst switch service modules.
Q. How does CiscoWorks NCM fit with Cisco NPS and Cisco CAS?
A. CiscoWorks NCM provides the ability to deploy configurations across the enterprise network and is well suited to serve as an up-to-date configuration data source for modeling and simulation purposes. Cisco NPS and Cisco CAS provide sophisticated network model based planning, design, and decision support capabilities to assist network planners in understanding the potential impact of network configuration changes before deployment.
Q. Can CiscoWorks NCM use device inventory data stored in CiscoWorks DCR?
A. Yes. CiscoWorks NCM can automatically discover the devices available in the enterprise network. Additionally, device inventory can be imported into CiscoWorks NCM from CiscoWorks DCR, ensuring consistency between the two CiscoWorks products.
Q. Can CiscoWorks NCM be launched from within another CiscoWorks application?
A. Yes. CiscoWorks NCM can be launched from the CiscoWorks homepage.
Q. Conversely, can CiscoWorks applications be accessed through CiscoWorks NCM?
A. Yes. For example, CiscoWorks Home Page, CiscoWorks Device Center, and CiscoView can be viewed by clicking in the appropriate CiscoWorks NCM menus.
Q. My network is large and will soon exceed a thousand nodes to be managed. How can I ensure that my CiscoWorks NCM deployment is highly available?
A. CiscoWorks NCM is designed for fairly large-scale network deployments (up to tens of thousands of managed nodes) thanks to robust features such as data redundancy and high availability. For customers concerned about high availability due to the critical nature of NCCM, CiscoWorks NCM can be deployed in (optional) high-availability server configurations.
Q. What high-availability deployment options are supported in CiscoWorks NCM?
A. High Availability and Satellite deployment options provide a robust deployment architecture:
• High Availability enables visibility and control across the entire globally distributed network environment, automatically replicating information about the environment to multiple locations and dramatically reducing time to recover from failure by enabling immediate recreation of the environment in a new location. It also allows IT organizations to extend best practices and knowledge across multiple locations and ensure operational consistency across the enterprise.
• Satellite enables central management of network devices in remote locations and enables failover due to network instability across Network Address Translations.
Q. Which types of network devices are supported by CiscoWorks NCM?
A. CiscoWorks NCM supports an extensive range of Cisco equipment plus devices from 35 other vendors. Categories include routers, switches, firewalls, wireless access points, VPN devices, network accelerators, network load balancers, and other appliances that serve dedicated functions such as terminal and proxy servers. CiscoWorks NCM can be easily upgraded to support new devices as they become available or to meet market demand.
Q. How is CiscoWorks NCM licensed?
A. The software is licensed based on the number of nodes to be managed and whether the High Availability and Satellite features are enabled. Customers must purchase a software license for the core server for the desired count of managed nodes plus a license for the High Availability and Satellite features.
Q. What is considered a managed node for licensing purposes?
A. A managed node is a management IP address and the configuration details for the system accessed by the management IP address. In most cases, a single device is equivalent to a single node. In more complex cases, such as a Cisco Catalyst switch in hybrid mode, where the device is running as two separate configurations, each configuration is counted as a managed node. This is because in hybrid mode, the switch has two management IP addresses and two configuration files.
Q. For licensing purposes, are unmanaged nodes counted toward my licensed total node count?
A. No. Nodes that are unmanaged in CiscoWorks NCM are not counted toward the total licensed node count. For example, if your license is for 5000 nodes and you have 5100 nodes in CiscoWorks NCM but 100 nodes are unmanaged, you do not exceed your license limit.
Q. What server operating systems does CiscoWorks NCM support?
A. CiscoWorks NCM is available on the following platforms:
• Microsoft Windows Server 2000 and Microsoft Windows Server 2003
• RedHat Linux AS 3
• SUN Solaris 9
Q. What database management systems does CiscoWorks NCM support?
A. CiscoWorks NCM supports the following database management systems:
• Microsoft SQL Server 2000
• Oracle 9i
• MySQL 3.23
Q. Should CiscoWorks NCM be installed on its own dedicated server?
A. Yes. CiscoWorks NCM should be installed on a dedicated server to avoid port access conflict for HTTP, HTTPS, Telnet, Syslog, and other functions.
Q. How do I prepare my network for the deployment of CiscoWorks NCM?
A. CiscoWorks NCM communicates with devices using a combination of protocols and ports. Please refer to the CiscoWorks NCM installation checklist for detailed information on preparing your network for CiscoWorks NCM deployment.
Q. What kind of administrator reports can I get from CiscoWorks NCM?
A. CiscoWorks NCM offers both default reports that require no input and ad-hoc reports. Default reports include:
• User and system reports
• Network status reports
• Configuration reports
• Device reports
• Software vulnerability reports
• Task/job reports
• Telnet/SSH user session log reports
• Compliance Center reports (SOX, VISA CISP, HIPAA, GLBA, ITIL, CobiT, COSO, and more)
Ad-hoc reports may include information such as:
• All Cisco devices running a given version of Cisco IOS Software
• All devices using insecure protocols for configuration management
• All devices with a faulty module
• All configuration changes made over a period of time for a set of devices
• All Telnet/SSH session logs initiated by a specific user
• All device changes that results because of an approval override