Cisco AON Administration Guide, 3.0
Working with Nodes


Nodes are the devices that perform the actual application-oriented networking in an AON environment. Nodes are primarily managed by AMC, but they also have a command-line interface (CLI) through which some features can be configured. Additionally, nodes have the capability to be configured to operate in standalone mode, enabling third party tools to perform management functions previously reserved for AMC.

This chapter includes the following topics:

Managing Nodes

Managing Virtual Clusters

Managing WCCP Servers

Configuring Recovery

Configuring a Virtual IP Address

Configuring a Standalone Node

Configuring a Node for Use with TACACS+

Deploying to Nodes

Viewing Logs

Viewing Events

Configuring SNMP

Configuring Syslog


Note: You must have System Administrator or Network Administrator privileges to perform most of the tasks described in this chapter. Deploy and monitor tasks are also visible to some other users. See the "Assigning Roles to Users" section on page 5-3 for further details.


Managing Nodes

Nodes are the individual devices that process messages in an AON environment. After being configured for basic network connectivity, a node must be configured to register with an AMC. On receipt of proper credentials, the AMC assumes control of the node.


Note: A node can also be configured to operate in standalone mode. See the "Configuring a Standalone Node" section for details.


From the perspective of the AMC, nodes exist in one of the following states.

Unregistered—Node created in the AMC, but no successful establishment of a trust relationship with AMC.

Registered—Node successfully established a trust relationship with AMC.

Active—Node activated by the administrator. Active nodes are able to receive deployment requests and process messages.

Inactive—Formerly active node that has gone offline.

Replaced—Node replaced by another node. During replacement, the new node assumes all processing responsibilities of the node being replaced. Replaced nodes cannot be activated again, nor can they be further configured by an administrator.

Reachable—AMC can contact the node.

Unreachable—A networking issue is preventing AMC from contacting the node.

Unknown—AMC is unable to determine if the node is reachable.

This section covers the following topics:

Creating New Nodes

Viewing Network Node Details

Editing Nodes

Deleting Nodes

Replacing Nodes

Configuring a Standalone Node

Configuring a Node for Use with TACACS+

Creating New Nodes

This section describes the procedure for creating a new AON node. To complete this procedure, you need access to the command-line interface of the node you are adding, and you need administrator access to AMC.

How to Get There

Go to Network > Network Nodes > Manage, then click the New button.

Prerequisites

AMC must be installed and running, and you must have appropriate privileges to create network nodes.

Your node must be configured for basic IP network connectivity.


Step 1 Connect to the command-line interface of the AON node. Use the show version command to obtain the module serial number (the Module Serial value in the output below).

aon-node> show version
CPU Model:                    Pentium III (Coppermine)
CPU Speed (MHz):              498.675
CPU Cache (KByte):            256
Chassis Type:                 C2691
Chassis Serial:               12345678901
Module Type:                  Cisco 2600/3700/ISR AON Module (NM-AON-K9)
Module Serial:                FOC082313YY
AON:                          2.1.0.135
AMA:                          2.1.0.135

Note the sample serial number on the Module Serial line above. You will need the serial number from your node to complete Step 3.

Step 2 Log in to AMC and go to Network > Network Nodes > Manage to load the Manage Network Nodes page. Click the New button to load the New Network Node page.

Step 3 Complete the entries on this page as described in Table 2-1.

Table 2-1 New Network Node Entries

| Entry | Description |
| --- | --- |
| Name | Name of your choosing for this node. |
| Serial Number | Enter the serial number obtained in Step 1. |
| Description | Optional entry. |
| Enable Node Polling | Enable polling when AMC is operating behind a firewall. Rather than waiting for the node to contact it, AMC will initiate contact with the node. If the polling feature is used, you must also enter the amc polling enable command described in Step 6. |
| Agent Hostname | Name or IP address of the node. |
| Agent Port | Port used by node for management traffic. |


Step 4 Click Save to create the network node. The new node is in the Unregistered state and remains in this state until you configure the AON module to communicate with the AMC in the next step.

Step 5 In Configuration Terminal mode on the AON module, create an AON configuration. This configuration enables the AON node to register with the AMC.

aon-node> configure terminal
Enter configuration commands, one per line.  End with exit.
aon-node(config)> aon config configuration_id create
aon-node(config)> aon config configuration_id ama host module_IP_address
aon-node(config)> aon config configuration_id amc host AMC_IP_address
aon-node(config)> aon config configuration_id activate

Step 6 If AMC is located behind a firewall and you checked the Enable Node Polling box when adding this node to AMC, use the amc polling enable command to configure the node to wait until AMC establishes contact before attempting to register.

aon-node(config)> amc polling enable

Step 7 Exit Configuration Terminal mode and allow AON to restart.

aon-node(config)> exit
CAUTION!! Configuration changed. Need to restart AON.
Confirm restart[y]? y
graceful restart[y]? n
Start counting down before restart

Step 8 After the module restarts, use the write memory command to save the configuration.

aon-node> write memory

Step 9 In your browser window, click the browser's Reload button to refresh the Manage Network Nodes page. The new node should now be registered.


Tip: If your network node remains unregistered, verify that the serial number is entered exactly as described in Step 3. The AMC will not establish trust with a node if this information is incorrect.


Step 10 Click the Manage States link to load the Manage Network Node States page.

Step 11 Click the radio button for the registered node and then click Activate.

When the state changes to Active, the node is ready for configuration deployment.


Note: You can make configuration changes to a node in the registered or unregistered state; however, you cannot deploy those configuration changes until the node becomes active.



Viewing Network Node Details

You can select a node and view details. To view details about a node, click the radio button next to the node name and then click Show.

The Show Network Node Details page appears. Table 2-2 describes the information shown on the Show Network Node Details page.

Table 2-2 Entries on the Show Network Node Details Page.

| Entry | Description |
| --- | --- |
| Name | The name of the node. |
| Serial Number | The serial number of the device that is running the node. FOC083849D0 |
| State | The state of the node. Can be Active or Inactive. |
| Node Health | Indicates whether the node is Reachable or Unreachable. |
| Platform description | The AON platform that is running the node, for example, Cisco 2600/3700/ISR AON Module (NM-AON-K9). |
| IP Address | The IP address of the node. |
| AON Agent Service Port | Port number for the AON Agent Service. |
| AON Agent HTTP Port | HTTP Port. |
| AON Agent HTTPS Port | HTTPS port used by the AON Agent. |
| AON Agent SW Version | AON Agent software version running on the node. |
| AON SW Version | AON software version running on the node. |
| AON HW Version | AON hardware version running on the node. |
| Description | Additional descriptive information. |
| Additional Info | Indicates additional information about the state of the node; for example, if the node has been suspended, indicates that it is suspended. |
| AMC Database ID | Database ID of the AMC database. |
| Enable Node Polling | Indicates whether node polling is enabled. The value can be true or false. |
| Agent Hostname | Name of the host running the AON Agent. |
| Agent Port | Port number of the port used by the AON Agent. |


Editing Nodes

The AMC enables you to edit the name and description of any node. If a node is unregistered, you can also change the serial number.

How to Get There

Go to Network > Network Nodes > Manage then select a node and click the Edit button.

Actions to Take

You can take one of the following actions:

Make changes to the Name or Description. If a node is unregistered, you can also make changes to the serial number.

Click the Save button to preserve your changes.

Click the Cancel button to return to the Manage Network Nodes page.

Deleting Nodes

You can delete any node, regardless of its state. If a node is active, the AMC instructs the node to stop message processing before it is deleted.

How to Get There

Go to Network > Network Nodes > Manage, then select a node and click the Delete button.

Actions to Take

You can take one of the following actions:

Click the Yes button to delete the node.

Click the No button to cancel deletion and return to the Manage Network Nodes page.

Replacing Nodes

You can replace a registered node with another registered node. Active and unregistered nodes cannot be replaced, while active, inactive, and unregistered nodes cannot serve as replacements. After a node has been replaced, you can no longer change its configuration in the AMC, nor can you activate it for message processing. The replacement node inherits the exact configuration of the node being replaced, and you are then able to activate it for message processing.

How to Get There

Go to Network > Network Nodes > Manage. Click the radio button for the node you want to replace, then click the Replace button.

Actions to Take

You can take one of the following actions:

Click the radio button for the node that is to serve as the replacement, then click the Submit button to save your change.

Click the Cancel button to discard your change and return to the Manage Network Nodes page.

Managing WCCP Servers

A WCCP server is a switch or router that redirects traffic to an AON node. A WCCP Server can also be used for load balancing. By configuring a WCCP server, you provide the AMC with the information that it uses to contact the switch or router and configure it for traffic redirection or load balancing.

How to Get There

Go to Network > Network Nodes > WCCP Servers > Define WCCP Servers, then click the New button.


Note: You must be in the System Project to configure WCCP, ACL/Classifier, or Recovery properties. If you have opened another project, you can only view these properties.


Table 2-3 shows the entries available on the New WCCP Server page.

Table 2-3 New WCCP Server Entries  

| Entry | Description |
| --- | --- |
| IP Address | IP address of the switch or router being configured. |
| User name | Username required to configure device. |
| Password | Password required to gain access to device. |
| Enable password | Enable password required to access privileged EXEC mode. |
| Access method | If the device is configured for SSH, select secure shell. Otherwise select telnet. |



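Note: AON uses Base64 to mask passwords entered during WCCP configuration. Base64 is a reversible encoding, not encryption, so treat any stored or exported copy of these values as you would the cleartext passwords.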


Managing Virtual Clusters

A virtual cluster is a set of identically configured network nodes. After nodes are added to a virtual cluster, you can update the entire clustered group by changing a single set of configuration parameters. Virtual clusters can be configured for the following:

High availability—Nodes in a cluster can function as a single node. When a node is taken out of service, the other nodes in that virtual cluster assume the messaging processing responsibilities of the missing node.

Load balancing—Nodes in a cluster can share workload, meaning no single node becomes overloaded with network traffic.


Note: If you are configuring a virtual cluster for use in retrieving JMS topic messages, topic retrieval is not load-balanced across multiple nodes. Only one node retrieves topics in this configuration; however, another node will assume this task should the first node fail.


This section covers the following topics:

Creating a Virtual Cluster

Changing Nodes Within a Virtual Cluster

Configuring WCCP for Cluster Management

Creating a Virtual Cluster

A virtual cluster consists of two or more AON nodes that are configured to share workload and ensure redundancy. The first node you choose for a cluster is called the master node. Other nodes that you add to the cluster receive a duplicate of the master node's configuration. After the virtual cluster has been created, all nodes are equal, meaning no node is a master node.

If you create a virtual cluster that consists of nodes assigned to one or more projects, the following occurs:

If a node is to become the master node of the virtual cluster, it is removed from any projects to which it is assigned. The new virtual cluster is automatically assigned to those projects.

If the node is not the master node, it is automatically removed from any projects to which it is assigned. The new virtual cluster is not assigned to those projects.


Note: You must be in the System Project to configure WCCP, ACL/Classifier, or Recovery properties. If you have opened another project, you can only view these properties.


Prerequisites

You need at least two nodes. The master node can be in the registered or active state. Other nodes must be in the registered state.

All nodes in a cluster must be running on the same type of hardware. You cannot, for example, combine an AON-SM and AON-NM into a virtual cluster.


Step 1 Go to Network > Network Nodes > Virtual Clusters > Create. This loads the Create Virtual Cluster page.

Step 2 Select a master node (the node whose configuration will be duplicated on the other nodes in the cluster) and click the Next button. This loads the Create Virtual Cluster page.

Step 3 Complete the entries as appropriate for your network and select the other nodes to be added to the cluster.

Step 4 Click the Finish button to save your changes. A dialog is displayed giving you a final opportunity to create the virtual cluster or cancel the operation.

Step 5 Go to Network > Network Nodes > Virtual Clusters > Manage to verify that the cluster was configured.

Step 6 Go to Network Nodes > Activate/Deactivate to make the nodes in the cluster Active.


Changing Nodes Within a Virtual Cluster

After a virtual cluster is configured, you can perform any of the following actions:

Add Nodes—When you add additional nodes, the new nodes receive identical configuration to that of the existing nodes in the cluster. If you add a node that is assigned to one or more projects, that node is removed from those projects. The virtual cluster is not assigned to those projects.

Remove Nodes—If you remove a node from a cluster, it is returned to the registered state. Remaining nodes in the cluster continue to operate in the absence of the removed node. The configuration of a node that is removed from a cluster is restored to the factory default when that node is activated outside of the cluster. Nodes removed from a virtual cluster are not assigned to any project.

Delete—If you delete a cluster, all member nodes are returned to the registered state, and their configurations are restored to the factory default. After a cluster is deleted, the member nodes are not assigned to any project.

Configuring WCCP for Cluster Management

AON nodes use WCCP to detect when a member of a cluster goes offline. If this happens, other members of the cluster assume the missing node's message processing workload.


Note: You must be in the System Project to configure WCCP, ACL/Classifier, or Recovery properties. If you have opened another project, you can only view these properties.


Prerequisites

You must have a WCCP server available to add to the virtual cluster before beginning this configuration. See the "Managing WCCP Servers" section to configure a WCCP server.

Table 2-4 shows the entries available on the New WCCP Service Group page.

Table 2-4 New WCCP Service Group Entries

| Entry | Description |
| --- | --- |
| Service group ID | Unique number for each service group. Range is 51 - 99. |
| Multicast address | IP address to be used by members of this service group. |
| Authentication password | Password used by members of this service group for authentication. |



Step 1 After completing the entries, click the Add Servers button. This loads a page that lists available WCCP servers.

Step 2 Choose one or more servers, then click the Add button. The servers are added to the WCCP service group.

Step 3 Click the Configure Interfaces button to specify the interface to be used by the WCCP server. This loads the Server Interfaces page.

Step 4 Enter the names, such as Service-Engine1/0, of the interfaces to be used by members of the service group, then click the Save button. After you are returned to the New WCCP Service Group page, click the Save button to save the entire service group configuration.


Configuring WCCP for Traffic Redirection

AON nodes use WCCP for traffic redirection and load balancing. You can configure nodes to redirect messages based on the IP address or port.


Note: You must be in the System Project to configure WCCP, ACL/Classifier, or Recovery properties. If you have opened another project, you can only view these properties.


How to Get There

Go to Network > Network Nodes > Configure, then select a node and click the WCCP for Traffic Redirection button.

Prerequisite

If traffic redirection is to be based on source or destination IP addresses, you must configure an ACL/Classifier for the cluster. See the "Configuring ACL/Classifiers" section to specify IP address parameters for traffic redirection.

Table 2-5 shows the entries available on the New WCCP Service Group page.

Table 2-5 New WCCP Service Group Entries  

| Entry | Description |
| --- | --- |
| Service group ID | Unique number for each service group. Range is 51 - 99. |
| Multicast address | IP address to be used by members of this service group. Address range is 224.0.0.0 to 239.255.255.255 (RFC 3171). |
| Authentication password | Password used by members of this service group for authentication. |
| Port map | Comma-delimited string of destination ports to be redirected. Up to eight distinct ports can be entered. |
| Listener port | The port at which an adapter is listening for traffic. |
| Protocol | Choose TCP or UDP from the drop-down list. Note: You must configure the protocol on AMC. AON nodes do not support the use of the command-line interface to configure the protocol. |



Step 1 Complete the entries as appropriate for your network, then click the Add Servers button. This loads a page that lists available WCCP servers.

Step 2 Choose one or more servers, then click the Add button. The servers are added to the WCCP service group.

Step 3 Click the Configure Interfaces button to specify the interface to be used by the WCCP server. This loads the Server Interfaces page. On this page you specify the following interfaces:

Redirect in interface—this is the interface on which traffic to be processed by WCCP will arrive. Examples include FastEthernet 1/0 and Gigabit Ethernet 2.

Group listen interface—this is the interface that receives the redirected traffic. Examples include AON-Engine 1/0 and Integrated Services-Engine 1/0.

Enter the name of the interfaces to be used by members of the service group, then click the Save button.

Step 4 After you are returned to the New WCCP Service Group page, click the ACL/Classifier button. On the next page, click the Add Entries button to load the page that lists the available ACL/Classifiers.

Step 5 Choose an ACL/Classifier, then click the Select button to associate it with the WCCP service group.

Step 6 Click the Save button to save your changes and return to the New Service Group page. From there click the Save button to complete the configuration.


Managing Node States

You can manage the state of the nodes associated with the AMC. You can activate and deactivate nodes. A node must be registered in order to be activated. When you deactivate a node, it stops all message processing and returns to the registered state. You can also suspend a network node.

To activate a node, click Activate.

To deactivate a node, click Deactivate.

To suspend a node, click Suspend.

When you click Suspend, the Suspend Network Node Confirmation screen appears and prompts you to confirm the action. To continue and suspend the node, click Yes. To keep the node active, click No.

When you suspend a node, the node's state is temporarily changed from Active to Inactive. The global deployment operation will continue to deploy configuration changes to Active nodes, but will bypass all Inactive nodes. This is useful if a node loses network connectivity.

If a node loses network connectivity, the network administrator must take action to restore connectivity and then restart the node using the CLI. When the node is restarted, its state changes back to Active.

Configuring ACL/Classifiers

An ACL/Classifier contains an ordered list of access control entries. Each entry contains a source and destination IP address that are matched against the contents of a packet to determine if messages are to be redirected by WCCP.

ACL/Classifiers can also be used for message classification. After an ACL/classifier is created, users of ADS can bind the classifier to a message type so that messages can be subjected to additional processing.


Note: You must be in the System Project to configure WCCP, ACL/Classifier, or Recovery properties. If you have opened another project, you can only view these properties.



Step 1 Use one of the following navigation paths:

For network nodes: Network > Network Nodes > Configure. Select a node, then click the ACL/Classifier button.

For virtual clusters: Network > Virtual Clusters > Configure. Select a cluster, then click the ACL/Classifier button.

This loads the New ACL/Classifier Entry page.

Step 2 Complete the entries as required by your environment.

Step 3 Click the Save button to save your changes.


Configuring Recovery

The AMC enables you to control the recovery parameters of network nodes and virtual clusters. Watchdog is a process that runs on an AON node and verifies that the AON application on that node is operating normally. When watchdog detects a failure, it can attempt to restart AON and WCCP.

How to Get There

Network node: Go to Network > Network Nodes > Configure. Select a node and click the Recovery button.

Virtual cluster: Go to Network Nodes > Virtual Clusters > Configure. Select a node and click the Recovery button.


Note: You must be in the System Project to configure WCCP, ACL/Classifier, or Recovery properties. If you have opened another project, you can only view these properties.


Table 2-6 shows the entries available on the Recovery page.

Table 2-6 Recovery Entries

| Entry | Description |
| --- | --- |
| AON Heartbeat Interval | Rate at which the AON process sends heartbeats to the watchdog process. |
| AON Startup Delay | Number of seconds watchdog waits for the AON process to start up before attempting to restart. |
| Watchdog Recovery Action | Action to be taken when a watchdog timer expires. |
| Watchdog Failure Wait Retry Interval (Times): | An integer that specifies the number of Watchdog Failure Detection retries before the watchdog signals that AON is down. |
| WCCP "Here I Am" Interval | Interval at which WCCP clients send the "Here I Am" message. |
| Enable Watchdog | Drop-down list to select if watchdog is enabled or disabled. |
| Watchdog Failure Detection Interval | Time that will elapse before watchdog detects that AON is down. |


Configuring a Virtual IP Address

A virtual IP (VIP) address is an IP address that is not assigned to a single device. Instead the VIP address is shared among a set of nodes. Nodes that are to use VIP are first assigned to a virtual cluster, and they use WCCP for cluster management.

Prerequisites

Ensure that each node to be used in this procedure is properly configured and registered with AMC. Do not activate the nodes. See Managing Nodes.

Ensure that WCCP servers are configured for the switches or routers hosting AON nodes that are to use VIP. See Managing WCCP Servers.

Obtain an IP address for the VIP. This address must be on the same subnet as the nodes that are to use VIP.


Step 1 Create an ACL/classifier for the traffic that you want to divert to the VIP. Use the VIP as the destination address in the ACL. See Configuring ACL/Classifiers.

Step 2 Add the nodes that are to share a VIP to a virtual cluster. See Creating a Virtual Cluster.

Step 3 Configure WCCP to manage the VIP traffic. The following are key fields in a VIP configuration:

Multicast address—an IP address from 224.0.0.0 to 239.255.255.255 (see RFC 3171) to be used exclusively by the devices in this VIP configuration.

Redirect in interfaces—the interfaces on the host switches and routers that will receive traffic directed to the VIP. An example is FastEthernet 0/0.

Group listen interfaces—the AON node interfaces to which VIP traffic is to be forwarded. An example is AON-Engine 1/0.

See Configuring WCCP for Traffic Redirection.

Step 4 Deploy all configuration changes to the affected nodes. See Deploying to Nodes.

Step 5 Establish a session with each node and enter configuration terminal mode. Use the aon node-address command to specify the VIP to be used by the virtual cluster.

aon-node> configure terminal
Enter configuration commands, one per line.  End with exit.
aon-node(config)> aon node-address 10.94.0.135
aon-node(config)> exit
aon-node> write memory

Step 6 If the router is on the same subnet as the VIP, you must add the IP address to the router's configuration. If the router is on a different subnet, you can skip this step.

Establish a session to each switch or router and add the VIP as a secondary address to the appropriate interface. The example that follows shows a VIP address being mapped to the FastEthernet interface of a router.

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface FastEthernet0/0 
Router(config-if)# ip address 10.94.0.135 255.255.255.0 secondary

Step 7 Restart each node to activate the VIP configuration.


VIP Configuration Examples

The following examples show pertinent excerpts from the output of the show configuration command from a router and from an AON node.

Example 2-1 Router WCCP Configuration

This example shows WCCP group 51 is using the multicast address of 239.51.51.239. It is using an ACL/classifier named cisco-aon-wccp-acl-51. This configuration is added to the router when you properly configure a WCCP server in AMC.

ip wccp 51 group-address 239.51.51.239 redirect-list cisco-aon-wccp-acl-51

Example 2-2 Router Interface Configuration

This example shows the WCCP configuration applied to the interface of the router. The VIP is configured as a secondary IP address.

interface FastEthernet0/0
 ip address 10.94.0.135 255.255.255.0 secondary
 ip address 10.94.0.131 255.255.255.0
 ip wccp 51 redirect in
 ip pim sparse-dense-mode
 duplex auto
 speed auto

Example 2-3 AON Node VIP Configuration

This example shows the VIP address of 10.94.0.135 configured on the node.

aon config test create
aon config test ama host 10.94.0.133
aon config test amc host 10.94.0.47
aon config test activate
aon node-address 10.94.0.135

Example 2-4 AON Node WCCP Configuration

This example shows the WCCP configuration of the AON node.

wccp 51 
 group 239.51.51.239
 load 1
 map 80:8080 5555
 no shutdown
 end wccp
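
The consistency that the VIP procedure and Examples 2-1 through 2-4 depend on can be checked mechanically before nodes are restarted. The following is an added example, not part of the Cisco guide: the function names are hypothetical, the parser reads only the command forms shown in the examples above, and it assumes the node uses the same subnet mask as the router interface.

```python
import ipaddress
import re

# Router excerpt, copied from Examples 2-1 and 2-2.
ROUTER_CFG = """\
ip wccp 51 group-address 239.51.51.239 redirect-list cisco-aon-wccp-acl-51
interface FastEthernet0/0
 ip address 10.94.0.135 255.255.255.0 secondary
 ip address 10.94.0.131 255.255.255.0
 ip wccp 51 redirect in
"""

# Node excerpt: the lines this audit reads, copied from Examples 2-3 and 2-4.
NODE_CFG = """\
aon config test ama host 10.94.0.133
aon node-address 10.94.0.135
wccp 51
 group 239.51.51.239
 end wccp
"""


def parse_router(text):
    """Return ({group_id: multicast_address}, {interface_name: settings})."""
    groups, ifaces, current = {}, {}, None
    for line in text.splitlines():
        s = line.strip()
        if not line.startswith(" "):
            current = None  # an unindented line ends the interface stanza
        if m := re.match(r"ip wccp (\d+) group-address (\S+)", s):
            groups[int(m[1])] = ipaddress.ip_address(m[2])
        elif m := re.match(r"interface (\S+)$", s):
            current = ifaces.setdefault(
                m[1], {"primary": None, "secondary": [], "redirect_in": set()})
        elif current is None:
            continue
        elif m := re.match(r"ip address (\S+) (\S+)( secondary)?$", s):
            addr = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            if m[3]:
                current["secondary"].append(addr)
            else:
                current["primary"] = addr
        elif m := re.match(r"ip wccp (\d+) redirect in$", s):
            current["redirect_in"].add(int(m[1]))
    return groups, ifaces


def parse_node(text):
    """Return the node's VIP, module address and {group_id: multicast_address}."""
    node, group_id = {"vip": None, "module_ip": None, "wccp": {}}, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"aon node-address (\S+)$", s):
            node["vip"] = ipaddress.ip_address(m[1])
        elif m := re.match(r"aon config \S+ ama host (\S+)$", s):
            node["module_ip"] = ipaddress.ip_address(m[1])
        elif m := re.match(r"wccp (\d+)$", s):
            group_id = int(m[1])
        elif s == "end wccp":
            group_id = None
        elif group_id is not None and (m := re.match(r"group (\S+)$", s)):
            node["wccp"][group_id] = ipaddress.ip_address(m[1])
    return node


def audit(router_text, node_text):
    """Return a list of findings; an empty list means the excerpts agree."""
    groups, ifaces = parse_router(router_text)
    node = parse_node(node_text)
    vip, findings = node["vip"], []
    if vip is None:
        return ["node: no 'aon node-address' (VIP) configured"]
    for gid, mcast in groups.items():
        if not 51 <= gid <= 99:
            findings.append(f"group {gid}: ID outside the 51-99 range AMC accepts")
        if not mcast.is_multicast:
            findings.append(f"group {gid}: {mcast} is not in 224.0.0.0-239.255.255.255")
        if node["wccp"].get(gid) != mcast:
            findings.append(f"group {gid}: node uses group address "
                            f"{node['wccp'].get(gid)}, router uses {mcast}")
    redirecting = {n: i for n, i in ifaces.items() if i["redirect_in"]}
    if not redirecting:
        findings.append("router: no interface has 'ip wccp <id> redirect in'")
    for name, iface in redirecting.items():
        for gid in sorted(iface["redirect_in"] - set(groups)):
            findings.append(f"{name}: redirects group {gid}, which has no group-address")
        if iface["primary"] is None:
            findings.append(f"{name}: no primary address")
            continue
        subnet = iface["primary"].network
        # Assumption: the node shares the router interface's subnet mask.
        if node["module_ip"] is not None and node["module_ip"] in subnet and vip not in subnet:
            findings.append(f"{name}: VIP {vip} is not on the node subnet {subnet}")
        # Step 6: a router on the VIP's subnet carries the VIP as a secondary address.
        if vip in subnet and vip not in [a.ip for a in iface["secondary"]]:
            findings.append(f"{name}: VIP {vip} missing as a secondary address")
    return findings
```

Calling audit(ROUTER_CFG, NODE_CFG) on the excerpts above returns an empty list; removing the secondary address or changing the node's group address produces one finding each.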

Configuring a Standalone Node

In environments where a third-party management application, such as AlterPoint, will manage AON nodes, each node must be configured to operate in standalone mode. This mode enables a node to operate without the AON Management Console, and it enables the node to receive all required configuration input from the command-line interface (CLI).

A node configured for standalone mode cannot communicate with an AMC. You must disable standalone mode before AMC can manage the node.

This feature also provides the ability to use the CLI to configure four different adapters (http, aonp, jms, and pmode). Previously these adapters required AMC's web interface for configuration.


Note: If you install adapter extensions on a standalone node, they will be lost during subsequent upgrades of AON software. You must reinstall the adapter extensions after the upgrade.


Sample Configurations

The following example shows a node being configured for standalone mode. It also shows the commands to configure the promiscuous mode (Pmode) adapter.

aon-sm-1(config)> aon standalone 
aon-sm-1(config)> adapter pmode
aon-sm-1(config-adapter)> domain PmodeAdapter
aon-sm-1(config-adapter-domain)> propertyset default
aon-sm-1(config-adapter-domain-propertyset)> set "Default Destination IP" "10.235.1.11"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Sampling Interval" "10"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Sampling Duration" "10"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Sampling Mode" "false"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Destination Port" "10001"
aon-sm-1(config-adapter-domain-propertyset)> exit propertyset
aon-sm-1(config-adapter-domain)> exit domain
aon-sm-1(config-adapter)> exit adapter


The following example shows the installation and configuration of a Pmode adapter extension:

aon-sm-1> aon install extension url http://10.0.0.1/RdfAdapterExtPackage.jar
aon-sm-1> configure terminal
aon-sm-1(config)> adapter pmode
aon-sm-1(config-adapter)> domain PmodeAdapter
aon-sm-1(config-adapter-domain)> propertyset default
aon-sm-1(config-adapter-domain-propertyset)> set "Default Destination IP" "10.235.1.11"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Sampling Interval" "10"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Sampling Duration" "10"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Sampling Mode" "false"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Destination Port" "10001"
aon-sm-1(config-adapter-domain-propertyset)> exit propertyset
aon-sm-1(config-adapter-domain)> exit domain
aon-sm-1(config-adapter)> domain PmodeAdapterExtension
aon-sm-1(config-adapter-domain)> propertyset rdflink
aon-sm-1(config-adapter-domain-propertyset)> set "ExtensionLink" "RDF-FRAMING-EXTN-1"
aon-sm-1(config-adapter-domain-propertyset)> exit propertyset
aon-sm-1(config-adapter-domain)> exit domain
aon-sm-1(config-adapter)> domain RdfExtension
aon-sm-1(config-adapter-domain)> propertyset rdftraffi
aon-sm-1(config-adapter-domain-propertyset)> extension RDF-FRAMING-EXTN-1
aon-sm-1(config-adapter-domain-propertyset-extension)> set "MonitorPort" "10002"
aon-sm-1(config-adapter-domain-propertyset-extension)> set "AdapterExtPolicyLink" "rdflink"
aon-sm-1(config-adapter-domain-propertyset-extension)> set "MonitorMask" "255.255.255.255"
aon-sm-1(config-adapter-domain-propertyset-extension)> set "MonitorAddress" "10.235.1.11"
aon-sm-1(config-adapter-domain-propertyset-extension)> exit extension
aon-sm-1(config-adapter-domain-propertyset)> exit propertyset
aon-sm-1(config-adapter-domain)> exit domain
aon-sm-1(config-adapter)> exit adapter

Configuring a Node for Use with TACACS+

When a TACACS+ server is configured, a node provides the following functionality:

Users are authenticated against the TACACS+ server when they log in.

The node will verify each command entered by a user before executing it. If a user does not have permission to use a command, the command is not executed.

The user named "admin" is a local user. This user can successfully log in when the TACACS+ server is unavailable. The "admin" user has access to all commands on the node.

You can enter up to three TACACS+ servers. If the first server is not found, the node will contact the second server. If the first two servers are not found, the node will contact the third server. If the first server denies authentication to the user, the node does not contact the other two servers.

You can use the tacacs-server key command to enter an encryption key. This command is optional; if you omit it, communication with the TACACS+ server is unencrypted.

You can use the tacacs-server port command to specify the port used by the TACACS+ server. The default for this optional command is port 49.

You can use the tacacs-server timeout command to specify the number of seconds the node is to wait for response from the TACACS+ server. The default for this optional command is 5 seconds.


Note This feature is supported on the AON Appliance, AON-SM, and AON-NME. The AON-NM does not support TACACS+.


The following example shows the configuration of three TACACS+ servers on an AON node. Note that in this example, only the first command is required to configure TACACS+. The remaining commands are optional.

aon-sm-1(config)> tacacs-server host 10.10.10.1
aon-sm-1(config)> tacacs-server host 10.10.10.2
aon-sm-1(config)> tacacs-server host 10.10.10.3
aon-sm-1(config)> tacacs-server key encryption-key
aon-sm-1(config)> tacacs-server port port-number
aon-sm-1(config)> tacacs-server timeout seconds
aon-sm-1(config)> exit


The following example shows a sample configuration on a TACACS+ server for a user named "user123." In this example, the user can use only the "show" commands. Use of any other commands by this user yields an "Authorization Failure" error.

user = user123 {
    login = cleartext "user123"
    cmd = show {
        permit version
    }
}

Deploying to Nodes

Changes made to the configuration of an AON node must be explicitly deployed to the node. These changes include those made in AMC and those uploaded from the AON Development Studio. Whenever a configuration change is made, it appears in a deployment request (DR). There are two types of deployment requests:

Global Deployment Request—contains changes, such as global properties, that apply to all nodes in a project.

Node Deployment Request—contains changes, such as new PEPs or message types, that apply to an individual node.

To deploy changes to nodes, perform the following steps:


Step 1 Go to Deployment > Manage Staging to view the deployment requests waiting in the Open and Staged state.

Step 2 Click the radio button for the deployment request, then click the Stage button. This changes the state to Staged, which is the last stop before deployment.

Step 3 Click the Manage Deployment link, which loads the Manage Deployment page.

Step 4 Click the radio button for the deployment request, then click the Deploy button. The AMC deploys the request to the AON node.

Step 5 Click the Summary Link to verify that the request was successfully deployed.


Viewing Logs

After configuring the Message Log Domain Policy at Properties > Application > Node > Message Log Domain, you can retrieve these logs.

How to Get There

Go to Monitor > Logs, then select a node and click the View Logs button.

Viewing Events

After configuring the Monitoring Policy at Properties > Monitoring, you can retrieve these events.

How to Get There

Go to Monitor > Events, then select a node and click the View Events button.

Configuring SNMP

SNMP is a well-established industry standard that provides a network management framework. To enhance the manageability of AON, several industry-standard MIBs and Cisco standard MIBs are supported. In AON 3.0, support for the AON MIB CISCO-AON-STATUS-MIB has been added. This MIB provides AON node health as well as node metrics information. SNMP traps for several AON internal events (for example, AonUp, AonDown, and so on) have also been added. Additionally, the ability to generate user-defined notifications based on message content or context has been added with the new Notify Bladelet. These notifications are generated only if SNMP traps are enabled on the node.

For information on the Notify Bladelet, see "Notify" in chapter 3 of the Cisco AON Development Studio User Guide, 3.0, "ADS Bladelets Reference."

The following table lists the commands for configuring SNMP on AON.

| Command | Description |
| --- | --- |
| snmp-server community string [ro \| rw] | Enables SNMP and sets the community string. Use ro to specify read-only access for management stations; use rw to specify read-write access. |
| snmp-server contact text | Sets the system contact (sysContact) string. |
| snmp-server host ip-address community-string | Specifies the host that will receive SNMP messages. |
| snmp-server location text | Sets the system location string (sysLocation). |
| snmp-server enable traps [notification_type] | Enables the AON SNMP traps. The optional notification_type parameter specifies one of the following traps: aon-down (caonDown trap); aon-up (caonUp trap); custom-notification (caonCustomNotification trap); delivery-failure (caonMessageDeliveryFailed trap); new-pep-deployed (caonNewPepDeployed); send-threshold-exceeded (caonSendResponseThresholdExceeded); syslog (syslog trap). If you do not specify the notification_type parameter, then all of the traps are enabled. |
| no snmp-server enable traps [notification_type] | Disables the AON SNMP traps. The optional notification_type parameter disables a specified trap that has been enabled using the snmp-server enable traps command. If you do not include the notification_type parameter, then all of the traps are disabled. |
| show snmp configuration | Displays the current SNMP configuration for the node. |


The sections that follow list the MIBs supported by AON:

Industry Standard MIBs

Cisco Standard MIBs

To translate MIBs, use the Cisco SNMP Object Translator.

Industry Standard MIBs

SNMPv2-MIB: Entire MIB, including coldStart trap

IF-MIB: ifTable

IP-MIB: ip objects, ipAddrTable

SYSAPPL-MIB: sysApplInstalledPkgTable, sysApplRunTable

HOST-RESOURCES-MIB: hrSystemNumUsers, hrSystemProcesses, hrMemorySize, hrStorageTable (hrStorageDescr, hrStorageAllocationUnits, hrStorageSize, hrStorageUsed)


Note In AON, hrStorageTable contains two entries. The first entry denotes the RAM in the system, and the second entry denotes the disk partition.


Cisco Standard MIBs

CISCO-PROCESS-MIB: cpmCpuTotalTable, cpmProcessTable

CISCO-SYSLOG-MIB

AON MIB to Support MIB Metrics

CISCO-AON-STATUS-MIB

Cisco AON 3.0 includes support for a new AON MIB—the CISCO-AON-STATUS-MIB, which provides AON metrics information.

You can access the CISCO-AON-STATUS MIB online at the following location:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

The information available through this MIB includes:

AON node state, that is, whether the AON node is unregistered, registered, active, or inactive.

Node metrics information when a node is in the active state. The node metrics information includes the number of messages received by the node, number of PEPs deployed, and number of messages received by a PEP, as well as information about the endpoints that the messages are delivered to. The metrics are reset when the AON process is restarted.

By setting up the AON metrics using the AMC, the AON node can be configured to capture node metrics, PEP metrics, and endpoint metrics. For information on configuring the MIB metrics property, see AON Metrics Property, page 3-2.

Table 2-7 lists the MIB attributes.

Table 2-7 CISCO-AON-STATUS-MIB MIB Attributes

| MIB Attribute Name | Syntax | Access | Description |
| --- | --- | --- | --- |
| caonNodeState | Integer { unregistered(1), registered(2), active(3), inactive(4) } | ro | The node status can be: unregistered (AON is not yet registered with AMC); registered (AON has registered with AMC but is not yet activated); active (AON is active and ready to process messages); inactive (AON has been activated from AMC but the AON process is down). |
| caonAonBootTime | DateAndTime | ro | The value of sysUpTime at the time when the AON process was bootstrapped successfully. |
| caonLastActivateTime | TimeStamp | ro | The local time at the node when AON was last activated from AMC. |
| caonReceivedMessages | Counter32 | ro | Aggregate count of messages received by the node. |
| caonAmcIpAddressType | InetAddressType | ro | Indicates the type of IP address by which the AMC for the node is reachable. |
| caonAmcIpAddress | IPAddress | ro | IP address of the AMC for this node. |
| caonPepCount | Gauge32 | ro | The total number of PEPs that are currently deployed within the node. |
| caonPepTable | SEQUENCE of caonPepEntry | not-accessible | Table of descriptive and status information about the deployed PEPs on the node. |
| caonPepEntry | caonPepEntry | not-accessible | An entry in the PEP table, containing information about a single PEP. When the AON data plane bootstraps, an entry is created for each PEP that has been deployed on the AON node. When PEPs are deployed from AMC to the AON node after the AON data plane bootstraps, an entry for each PEP is added to the table. An entry is deleted from the table when the PEP is deleted from AMC. |
| caonPepIndex | Unsigned32 | ro | An integer uniquely identifying the PEP for which this entry contains information. |
| caonPepName | SnmpAdminString | ro | Specifies the PEP name. |
| caonPepStyle | INTEGER | ro | This object indicates the PEP interaction style, commonly known as the MEP. The possible values are: oneWay (a response is not expected from the receiving endpoint, and AON does not wait for a response message); requestResponse (a response is expected from the receiving endpoint, and AON waits for the response). However, the PEP interaction style can be overridden by the Send Bladelet interaction style. If the user specifies the interaction style to be oneWay in the Send Bladelet, it overrides the PEP level interaction style and AON does not wait for a response from the receiving end point. |
| caonPepReceivedMessages | Counter32 | ro | A counter of the number of messages that were received by the PEP. |
| caonPePpFailures | Counter32 | ro | A counter of the times the PEP was forced to execute exception flow. This count includes both the cases where an exception flow is present and where it is not. |
| caonPepSecurityFailures | Counter32 | ro | A counter of the authentication and certificate validation failures encountered during PEP execution. |
| caonPepEndPointTable | SEQUENCE of caonPepEndPointEntry | not-accessible | Table of endpoints that the messages were delivered to for the PEP. |
| caonPepEndPointEntry | caonPepEndPointEntry | not-accessible | An entry in the PEP EndPoint table, containing information about a single PEP EndPoint. |
| caonPepPEndPointIndex | Unsigned32 | not-accessible | An integer that uniquely identifies the PEP end point for which this entry contains information. |
| caonPepEndPointUrl | CiscoURLString | ro | URL of the end point. This URL does not include the query parameters. |
| caonEndPointAttempedtMessages | Counter32 | ro | The number of message delivery attempts to the end point. |
| caonOneWayDeliveredMessages | Counter32 | ro | The number of messages successfully delivered to the next hop. This count includes only those messages that do not require a response from the end point. |
| caonOneWayFailedMessages | Counter32 | ro | The number of messages that failed delivery. This count includes only those messages that do not require a response from the end point. |
| caonReqResponseDeliveredMessages | Counter32 | ro | The number of messages successfully delivered to the end point. The count includes only those messages for which a response is received successfully from the end point. |
| caonReqResponseFailedMessages | Counter32 | ro | The number of messages that failed delivery. This count includes only those messages for which a response message was expected from the end point. |
| caonEndPointMinResponseTime | TimeTicks | ro | The minimum response time to receive a response message from the endpoint. |
| caonEndPointMaxResponseTime | TimeTicks | ro | The maximum response time to receive a response message from the endpoint. |
| caonEndPointAvgResponseTime | TimeTicks | ro | The average response time experienced by the PEP to receive a response from the endpoint. |
| caonCounterDiscontinuityTime | TimeStamp | ro | The value of sysUpTime at the most recent occasion at which one or more of the counters suffered a discontinuity. The relevant counters are the specific instances associated with any Counter32 or Counter64 object in the MIB. If no such discontinuities have occurred since the last initialization of the local management subsystem, then this object contains a zero value. |
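Table 2-7 exposes Counter32 objects that restart from zero when the AON process restarts, with caonCounterDiscontinuityTime marking the reset. The following added example (not part of the Cisco guide) shows one way a poller could turn two successive readings into interval deltas, handle 32-bit wrap, discard intervals that span a discontinuity, and flag a PEP whose share of caonPepSecurityFailures is high. The poll dictionaries, the function names, the 10 percent ratio and the 20-message floor are assumptions, and all readings are constructed.

```python
"""Added example: interval deltas for CISCO-AON-STATUS-MIB Counter32 objects."""

COUNTER32_MOD = 2 ** 32  # a Counter32 wraps to 0 after 4294967295
COUNTERS = ("caonPepReceivedMessages", "caonPepSecurityFailures")
DISCONTINUITY = "caonCounterDiscontinuityTime"


def counter_delta(prev, curr):
    """Increase between two Counter32 readings, allowing for one wrap."""
    return (curr - prev) % COUNTER32_MOD


def pep_interval(prev_poll, curr_poll):
    """Per-counter deltas for one PEP, or None when the interval is unusable.

    A changed caonCounterDiscontinuityTime means the counters were reset between
    the polls (the metrics restart when the AON process restarts), so
    subtracting the readings would produce a meaningless number.
    """
    if prev_poll[DISCONTINUITY] != curr_poll[DISCONTINUITY]:
        return None
    return {name: counter_delta(prev_poll[name], curr_poll[name]) for name in COUNTERS}


def classify(prev_poll, curr_poll, max_ratio=0.10, min_messages=20):
    """Return 'rebaseline', 'quiet', 'ok' or 'alert' for one polling interval."""
    deltas = pep_interval(prev_poll, curr_poll)
    if deltas is None:
        return "rebaseline"  # keep curr_poll as the new starting point
    received = deltas["caonPepReceivedMessages"]
    failures = deltas["caonPepSecurityFailures"]
    if received < min_messages:
        return "quiet"       # too few messages for a meaningful ratio
    return "alert" if failures / received > max_ratio else "ok"


# Constructed readings for a single PEP (assumed layout, not real device output).
POLL_1 = {DISCONTINUITY: 0, "caonPepReceivedMessages": 4294967200,
          "caonPepSecurityFailures": 5}
POLL_2 = {DISCONTINUITY: 0, "caonPepReceivedMessages": 104,       # wrapped past 2**32
          "caonPepSecurityFailures": 45}
POLL_3 = {DISCONTINUITY: 912345, "caonPepReceivedMessages": 12,   # counters were reset
          "caonPepSecurityFailures": 0}
POLL_4 = {DISCONTINUITY: 912345, "caonPepReceivedMessages": 512,
          "caonPepSecurityFailures": 3}

if __name__ == "__main__":
    polls = [POLL_1, POLL_2, POLL_3, POLL_4]
    for before, after in zip(polls, polls[1:]):
        print(classify(before, after), pep_interval(before, after))
```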


The caonNotifEnableIndicators MIB Object

The caonNotifEnableIndicators MIB object is a bit mask that specifies whether the SNMP notifications will be sent. If a bit in the bit mask is set, then the specified SNMP notification will be sent. If the bit is not set, the notification will not be sent.

Table 2-8 lists the bit mask values that specify whether SNMP traps are enabled or disabled. Note that these attributes are read-only; they reflect whether each notification will be sent.

Table 2-8 Values for the caonNotifEnableIndicators MIB Object Bit Mask

| MIB Attribute Name | Syntax | Access | Description |
| --- | --- | --- | --- |
| caonUpNotifEnabled | TruthValue | ro | Specifies whether aonUP notifications are sent when AON processes bootstrap successfully. If this bit is set, then the caonUp notification will be sent when the AON data plane bootstraps successfully. If the bit is not set, the caonUp notification will not be sent. |
| caonDownNotifEnabled | TruthValue | ro | Specifies whether aonDown notifications are sent when AON processes go down. |
| caonNewPepDeployedNotifEnabled | TruthValue | ro | Specifies whether newPEPDeployed notifications are sent when a new PEP is deployed after AON bootstraps successfully. |
| caonMessageDeliveryFailedNotifEnabled | TruthValue | ro | Specifies whether messageDeliveryFailed notifications are sent when a message cannot be delivered to the end point. |
| caonSendResponseThresholdExceededNotifEnabled | TruthValue | ro | Specifies whether sendResponseThresholdExceeded notifications are sent when the end point response time exceeds the threshold value specified in the Send Bladelet. |
| caonCustomAONNotifEnabled | TruthValue | ro | Specifies whether customAONNotification notifications are sent when a notification is generated during PEP execution based on rules specified in the PEP. |


SNMP Traps for AON Internal Events

In addition to the traps used to send metrics information, the CISCO-AON-STATUS MIB also defines several traps for AON internal events. Table 2-9 lists the traps for AON internal events.

Table 2-9 Traps for AON Internal Events 

| SNMP Trap Name | Varbind | Description |
| --- | --- | --- |
| caonUp | none | The caonUp notification is sent when the AON data plane is bootstrapped successfully and AON is ready to process messages. |
| caonDown | none | The caonDown notification is sent when an AON data plane goes down. The AON data plane might be down as a result of an administrative command (that is, stopping AON via a CLI command or deactivating the node from AMC) or due to abnormal termination of the AON data plane. If there is a hardware failure on the AON box, then the notification might not be triggered. |
| caonNewPepDeployed | caonPepName | This notification is sent if a new PEP is deployed after AON has bootstrapped successfully. caonPepName identifies the name of the new PEP. |
| caonMessageDeliveryFailed | caonPepEndPointUrl, caonMessageSrcUri, caonMessageSrcIpAddressType, caonMessageSrcIpAddress, caonMessageSrcPort | This notification is sent if a message cannot be delivered to the end point. caonMessageEndPointURL identifies the end point to which the message was being delivered. The message source is identified either by caonMessageSrcUri or by caonMessageSrcIpAddr and caonMessageSrcPort. |
| caonSendResponseThresholdExceeded | caonPepEndPointUrl, caonSendResponseThreshold | This notification is sent if the destination endpoint response time exceeds the threshold value specified in the Send Bladelet. The caonPepEndPointUrl varbind identifies the URI of the end point the message was being delivered to. The caonSendResponseThreshold varbind identifies the end point response time threshold value configured in the Send Bladelet. |
| caonCustomNotification | caonNotificationName, caonNotificationText | This notification might be triggered during PEP execution. Currently this is triggered from the Notify Bladelet if the customer-specified condition evaluates to TRUE and the notification type selected is SNMP. This provides a way to extend the AON platform to generate customer-defined notifications based on customer-specified conditions. For information on configuring the Notify Bladelet, see the Cisco AON ADS User Guide, 3.0. The caonNotificationName varbind identifies the name of the customer-defined notification type. The caonNotificationText varbind identifies the notification text for the custom notification. |


Configuring Syslog

AON nodes include the capability to forward log messages to syslog servers. Up to four syslog servers can be configured for each AON node, and each host can use a unique priority and rate-level setting.

The table that follows lists the commands supported by the AON syslog feature.

| Command | Description |
| --- | --- |
| logging host ip-address priority priority-level [rate-limit bytes-per-second] | Configures the IP address of the recipient of syslog messages and one of the following priority levels: alert (immediate action needed); critical (critical conditions); emergency (system is unusable); error (error conditions); info (informational messages); notice (normal, but significant conditions); warning (warning conditions). The default priority level is warning. To control the bandwidth used for syslog messages, use the rate-limit keyword to specify the bytes per second. The default rate-limit is 0. |
| [no] enablesyslog aon | Instructs the AON process to start or stop logging events to syslog. |
| syslog aon level <level> | Specifies logging of AON messages of the specified level and higher (more severe) level to syslog. The level parameter can have the following values: debug (debug messages); info (informational messages); notice (notice conditions); warning (warning conditions); errors (error conditions). |
| show logging | Displays current logging and syslog server configuration for the node. |
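The settings this chapter describes for TACACS+, SNMP and syslog can be checked mechanically. The following added example (not Cisco code) scans a list of node configuration commands and reports the cases the chapter calls out: TACACS+ servers without tacacs-server key, a read-write community string, an SNMP host with no traps enabled, and server counts beyond the documented limits. The finding names, the sample commands and the assumption that the SNMP and logging commands are entered as written in the tables are illustrative.

```python
"""Added example: audit AON node CLI commands against this chapter's defaults."""
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)>\s*")  # strips e.g. "aon-sm-1(config)> "
ALL_TRAPS = {"aon-down", "aon-up", "custom-notification", "delivery-failure",
             "new-pep-deployed", "send-threshold-exceeded", "syslog"}

def audit(lines):
    """Return {finding_id: message} for a list of configuration commands."""
    tacacs_hosts, syslog_hosts, trap_hosts = [], [], []
    tacacs_key = rw_community = False
    traps = set()
    for raw in lines:
        words = PROMPT.sub("", raw.strip()).split()
        negated = words[:1] == ["no"]
        words = words[1:] if negated else words
        if words[:3] == ["snmp-server", "enable", "traps"]:
            selected = set(words[3:4]) or ALL_TRAPS  # no type given means all traps
            traps = traps - selected if negated else traps | selected
        elif negated:
            continue  # this chapter documents a "no" form only for traps
        elif words[:2] == ["tacacs-server", "host"] and len(words) > 2:
            tacacs_hosts.append(words[2])
        elif words[:2] == ["tacacs-server", "key"] and len(words) > 2:
            tacacs_key = True
        elif words[:2] == ["snmp-server", "community"] and words[-1] == "rw":
            rw_community = True  # the community string itself is never echoed
        elif words[:2] == ["snmp-server", "host"] and len(words) > 2:
            trap_hosts.append(words[2])
        elif words[:2] == ["logging", "host"] and len(words) > 2:
            syslog_hosts.append(words[2])

    findings = {}
    if tacacs_hosts and not tacacs_key:
        findings["tacacs-unencrypted"] = "no tacacs-server key: TACACS+ traffic is unencrypted"
    if len(tacacs_hosts) > 3:
        findings["tacacs-too-many-hosts"] = "more than three TACACS+ servers listed"
    if rw_community:
        findings["snmp-rw-community"] = "a community string grants read-write access"
    if trap_hosts and not traps:
        findings["snmp-traps-disabled"] = "SNMP host set but no AON traps are enabled"
    if len(syslog_hosts) > 4:
        findings["syslog-too-many-hosts"] = "more than four syslog servers listed"
    if not syslog_hosts:
        findings["syslog-no-host"] = "no logging host: log messages are not forwarded"
    return findings

# Constructed inputs; the addresses, EXAMPLE-STRING and EXAMPLE-KEY are placeholders.
WEAK = [
    "aon-sm-1(config)> tacacs-server host 10.10.10.1",
    "aon-sm-1(config)> tacacs-server host 10.10.10.2",
    "snmp-server community EXAMPLE-STRING rw",
    "snmp-server host 10.10.10.50 EXAMPLE-STRING",
    "snmp-server enable traps aon-up",
    "no snmp-server enable traps aon-up",
]
CORRECTED = WEAK[:2] + [
    "aon-sm-1(config)> tacacs-server key EXAMPLE-KEY",
    "snmp-server community EXAMPLE-STRING ro",
    "snmp-server host 10.10.10.50 EXAMPLE-STRING",
    "snmp-server enable traps",
    "logging host 10.10.10.60 priority warning rate-limit 1024",
]
print(sorted(audit(WEAK)), sorted(audit(CORRECTED)))
```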