CiscoWorks Service Level Manager

Policy Analysis

Cisco - Netsys Frequently Asked Questions

Document ID: 15180

Updated: Oct 01, 2009



Q: When creating new policies, how are multiple sources and multiple destinations chosen?

A: There are two ways to select multiple sources and/or multiple destinations while using the Policies -> New option:

  1. Press and hold down the <Control> key, then use the mouse to select several addresses from the list.

  2. To select a range of addresses, select one address, press and hold down the <shift> key, then select a second address. All intermediate addresses will be chosen as well.

The user interface is different for the Policies -> Guided Policy Creation. In this case, press and hold down the <shift> key, then use the mouse to select several addresses from the topology.

Keep in mind that selecting multiple addresses creates a one-to-many or many-to-many relationship, with a policy generated for each ordered pair. For instance, selecting three items from one list and four from the other will generate 12 policies. Large policy lists will quickly impose on system resources; be careful to keep the Policy Sets to a manageable size.

Q: What is the function of the box titled "End System" in the "Add IP Policies" window?

A: This box serves as a filter for the source and destination addresses displayed. Enter the filter in the form of a UNIX wildcard. For example, to find all IP addresses starting with 132.108, enter 132.108*. The selection list will be reduced to display only those addresses that apply.

Q: How does the policy analysis determine end system/host routing behavior when analyzing routing path?

A: As Netsys Service Manager (NSM) cannot recognize a host's default router setting, it attempts to determine the host's next hop by evaluating routers linked to the segment where the host lives. In the case where all linked routers have "null0", NSM reports an erroneous BLOCKED path.

Q: When I click on the "Analysis" button, why does the busy indicator stay on for a long time with no results?

A: If the message "The backend simulator process has unexpectedly terminated" is displayed on the "std out", no "Analysis" can be done. Exit the Connectivity Service Manager.

If you did not receive that message, remember that it can be time-consuming when protocols are reconfigured or the operational status is changed. Typically, this is because too many connectivity policies are being analyzed and the machine is running out of RAM/SWAP space. To avoid this problem and improve performance, it is recommended that you analyze connectivity in several small policies (sequentially), rather than a single, large policy.

Q: How does NSM determine best path selection when doing policy analysis?

A: More explicit paths are favored over summarized paths. Secondary to that, paths with lower administrative-distance values are favored. If administrative-distances are equivalent for two or more paths, the path(s) with lower cost are favored.

All equal "best paths" are displayed by NSM when doing analysis.

Q: What connectivity policies does the QuickPath feature test?

A: The QuickPath feature creates an "allow" ICMP connectivity request between the stated source and destination.

Q: What does the "SECURITY" status mean during Policy Analysis?

A: The SECURITY status means that a "deny" connectivity policy was violated by one or more possible paths between specified end systems. To correct this status, add or modify access lists where you want to block the connectivity. If multiple paths exist and at least one is violated, the security status will be shown. You can see which paths are violated by displaying each path on the topology map.

Q: What does the "ROUTING LOOP" status mean during Policy Analysis?

A: The ROUTING LOOP status means that a "permit" policy was violated because of a routing loop at some point in the path. There are several possible causes for routing loops:

  1. Redistribution misconfigurations.

  2. Incorrectly defined static routes.

  3. Poorly set gateways of last resort.

  4. Summarization of major network addresses (which sends traffic to a subnet that does not know about the destination). At that subnet, a default-network command routes traffic back to the major network.

  5. Inappropriate use of the Cisco IOS distance command.

Loading and analyzing the "Redistribution Routing Loops" entry in the Policies window will find the first cause listed above (meaning, redistribution-related IP routing loops) in your network. However, the loops identified may be either persistent ones (that is, loops that would remain under stable conditions) or transient ones (that is, loops that either are initially produced during convergence, but then go away; or ones that periodically appear under stable conditions).

Before the NSM 4.0 release, a distinction was not made between these two types of routing loops; the 4.0 release makes this distinction. The implicit policy does not find all routing loops. For a comprehensive test, you should test "any-to-any" connectivity in small batches.

Q: What does the "BLOCKED" status mean during Policy Analysis?

A: The BLOCKED status means that a "permit" connectivity policy was violated because the source router or the source router interface is in a failed state, or the destination is a ring group and the destination router or destination router interface is in a failed state.

Q: What does the "NO ROUTE" status mean during Policy Analysis?

A: The NO ROUTE status means that a "permit" connectivity policy was violated by a router in the path not having a routing table entry for the source or destination address (depending on the direction of travel). When a "no route" condition is found, the last device in the displayed path is the router that does not have the required routing table entry.

To diagnose the "no route" condition, the following procedure is recommended:

  1. Determine whether it is even possible to reach the destination. That is, determine whether there is a topological path (entry). If not, it is not possible to correct the "no route" condition without making topological changes to the network.

  2. If a topological path exists, determine which router is causing the problem.

  3. Highlight the "NO ROUTE" policy and select QuickSolver; a brief explanation is given as to which router is causing the problem and why.
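The following added example (not part of this Cisco document or the NSM product) models the best-path rules described earlier (longest prefix first, then lowest administrative distance, then lowest cost, keeping all equal best paths) and then walks next hops through constructed routing tables to reproduce the NO ROUTE and ROUTING LOOP outcomes. Router names, the "connected" next-hop marker and the "REACHABLE" label are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str    # destination prefix, e.g. "10.1.0.0/16"
    next_hop: str  # next router name, or "connected" (assumed marker for a local subnet)
    ad: int        # administrative distance
    cost: int      # protocol metric


def best_routes(table, dst):
    """Return every equally good route for dst: most explicit prefix, then lowest
    administrative distance, then lowest cost. Ties are all returned, as NSM displays
    all equal best paths."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return []
    key = lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.ad, r.cost)
    best = min(key(r) for r in matches)
    return [r for r in matches if key(r) == best]


def trace(routers, src_router, dst):
    """Follow next hops from src_router toward dst and classify the result.
    NO ROUTE: the last router in the path has no entry for dst.
    ROUTING LOOP: a router is visited twice."""
    path, seen, cur = [src_router], {src_router}, src_router
    while True:
        routes = best_routes(routers[cur], dst)
        if not routes:
            return "NO ROUTE", path
        nh = routes[0].next_hop  # follow the first of the equal best paths
        if nh == "connected":
            return "REACHABLE", path
        if nh in seen:
            return "ROUTING LOOP", path + [nh]
        seen.add(nh); path.append(nh); cur = nh


# Constructed routing tables (sample data, not from any real network).
ROUTERS = {
    "R1": [Route("10.1.0.0/16", "R2", 110, 20),
           Route("10.1.5.0/24", "R3", 110, 30),  # longer prefix beats the /16
           Route("10.1.5.0/24", "R4", 1, 0),     # static: same prefix, lower AD wins
           Route("10.2.0.0/16", "R2", 110, 10),
           Route("10.2.0.0/16", "R3", 110, 10),  # equal-cost alternative, also kept
           Route("0.0.0.0/0", "R2", 1, 0)],      # gateway of last resort
    "R2": [Route("10.2.0.0/16", "connected", 0, 0),
           Route("10.3.0.0/16", "R1", 110, 5)],  # summary pointing back: loop with R1 default
    "R3": [Route("10.2.0.0/16", "connected", 0, 0)],
    "R4": [],                                    # no entry at all: NO ROUTE
}
```

Calling trace(ROUTERS, "R1", "10.3.0.1") reports the loop R1 -> R2 -> R1, and trace(ROUTERS, "R1", "10.1.5.9") ends at R4 with NO ROUTE, R4 being the last device in the path.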

Q: What does the "Show Path to All" function do on a LAN?

A: The "Show Path to All" function creates a request for a one-way path from the selected LAN to all reachable LANs in both the IP and IPX views.
