Cisco IP Solution Center Security User Guide, 3.0
Provisioning Services


In ISC you provision services through service requests. This chapter explains how to deploy, change, audit, and decommission service requests. This chapter contains the following sections:

Deploying Service Requests

Viewing the Service Request State

Modifying Service Requests

Viewing Service Request Details

Auditing Service Requests

Viewing Task Logs

Decommissioning a Service Request


Note: Before creating an ISC security policy or service request, it is necessary to populate the ISC repository with the target devices in your network, collect the initial device configuration files, designate customers and customer sites, and define each target device as a CPE device.

CPE devices are the devices at each end of the VPN tunnel. Creating CPE devices includes assigning each target device to a specific customer and customer site and marking the device interfaces. Specifically for security management, you define at least one public (outside) and one private (inside) interface on each device.

For how-to information on populating your ISC repository and setting up CPE devices, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.


Deploying Service Requests

After a service request has been defined, you can deploy it. To deploy the service request, perform the following steps:


Step 1 Click Service Inventory > Inventory and Connection Manager > Service Requests. The Service Requests page appears.

Figure 7-1 The Service Request Page Populated with Service Requests

Step 2 Check the box next to the service request you want to deploy.

Step 3 Click Deploy.

Step 4 Choose Deploy or Force Deploy from the Deploy drop-down list. Use Deploy for new service requests, and Force Deploy for service requests to which you have made modifications and want to redeploy. Force Deploy freshly downloads the latest configuration in the service request to all CPE devices in the service request, even if the service request is already in the Deployed state. Also, use Force Deploy when a device configuration is lost or when you replace or change equipment in a CPE device definition.

Step 5 The Deploy Service Requests page appears.

Figure 7-2 The Deploy Service Requests Page

Step 6 Choose when you would like the service request to deploy.

Step 7 If you want to deploy the service request now, accept the default value and click Save.


Viewing the Service Request State

The status of a service request is displayed in its state, which may be Requested, Pending, Closed, Wait Deploy, Deployed, Failed Audit, Failed Deploy, Invalid, Lost, Broken, or Functional, as described in Table 7-1. For example, when you create a service request, it is in a REQUESTED state. Once you deploy the service request, the state moves to PENDING and, if successfully deployed, to DEPLOYED.

The possible relationships between the service request states are illustrated in Figure 7-3. You can view the service request state on the Service Requests page in the State column. (Click Service Inventory > Inventory and Connection Manager > Service Requests to reach the Service Requests page.)

Figure 7-3 Service Request States

Table 7-1 Service Request States 

Service Request Type
Description

Broken

The router is correctly configured but the service is unavailable (due to a broken cable or Layer 2 problem, for example).

An MPLS service request moves to Broken if the auditor finds the routing and forwarding tables for this service, but they do not match the service intent.

An IPsec service request moves to Broken if a ping fails for all the remote peers of the current device.

Closed

A service request moves to Closed if the service request should no longer be used during the provisioning or auditing process. A service request moves to the Closed state only upon successful audit of a decommission service request. ISC does not remove a service request from the database to allow for extended auditing. Only a specific administrator purge action results in service requests being removed.

Deployed

A service request moves to Deployed if the intention of the service request is found in the router configuration file. Deployed indicates that the configuration file has been downloaded to the router, and the intent of the request has been verified at the configuration level. That is, ISC downloaded the configlets to the routers and the service request passed the audit process.

Failed Audit

This state indicates that ISC downloaded the configlet to the router successfully, but the service request did not pass the audit. Therefore, the service did not move to the Deployed state. The Failed Audit state is initiated from the Pending state. Once a service request is deployed successfully, it cannot re-enter the Failed Audit state (except if the service request is redeployed).

Failed Deploy

The cause for a Failed Deploy status is that DCS reports that either the upload of the initial configuration file from the routers failed or the download of the configuration update to the routers failed (due to lost connection, faulty password, and so on).

Functional

An MPLS service request moves to Functional when the auditor finds the VPN routing and forwarding tables (VRF) for this service and they match with the service intent. This state requires that both the configuration file audit and the routing audit are successful.

An IPsec service request moves to Functional when the auditor finds that the router is configured properly and the IPsec traffic is flowing (ping is used to determine if IPsec traffic is flowing).

Invalid

Invalid indicates that the service request information is incorrect in some way. A service request moves to Invalid if the request was either internally inconsistent or not consistent with the rest of the existing network/router configurations (for example, no more interfaces were available on the router). The Provisioning Driver cannot generate configuration updates to service this request.

Lost

A service request moves to Lost when the Auditor cannot find a configuration-level verification of intent in the router configuration files. The service request was in the Deployed state, but now some or all router configuration information is missing. A service request can move to the Lost state only when the service request had been Deployed.

Pending

A service request moves to Pending when the Provisioning Driver determines that the request looks consistent and was able to generate the required configuration updates for this request. Pending indicates that the service request has generated the configuration updates and the configuration updates are successfully downloaded to the routers.

The Auditor regards pending service requests as new requests and begins the audit. If the service has been freshly provisioned and not yet audited, it is not an error (pending audit). However, if an audit is performed and the service is still pending, it is in an error state.

Requested

If the service is newly entered and not yet deployed, it is not an error. However, if a Deploy is done and it remains Requested, the service is in an error state.

Wait Deployed

This service request state pertains only when downloading configlets to a Cisco CNS-CE server, such as a Cisco CNS IE2100 appliance. Wait Deployed indicates that the configlet has been generated, but it has not been downloaded to the Cisco CNS-CE server because the device is not currently online. The configlet is staged in the repository until such time as the Cisco CNS-CE server notifies ISC that it is up. Configlets in the Wait Deployed state are then downloaded to the Cisco CNS-CE server.


Modifying Service Requests

To make configuration changes, you need to modify the service request and then redeploy it. To modify a service request, perform the following steps:


Step 1 Click Service Inventory > Inventory and Connection Manager > Service Requests to reach the Service Requests page.

Step 2 Check the box of the service request you want to modify and click Edit.

Step 3 Make your changes and click Save to modify the service request, or click Cancel to exit without modifying the service request.

Step 4 Clicking Save puts the service request into the REQUESTED state, and the Operation Type column changes to MODIFY, as shown in Figure 7-4.

Figure 7-4 Service Request MODIFY Operation Type

Step 5 Click Deploy > Deploy or Force Deploy to redeploy the service request. If you change the parameters of a policy or AAA server service request used in a deployed service request, then use Force Deploy to redeploy the modified service request.


Viewing Service Request Details

To view the details of a service request, perform the following steps:


Step 1 Click Service Inventory > Inventory and Connection Manager > Service Requests.

Step 2 Put a check mark next to the service request for which you want to view the details.

Step 3 Click Details. The Service Request Details page appears. From the Service Request Details page, you can view the history of the service request, audit reports, and the configlets generated by the service request as well as the VPN tunnel details.

Figure 7-5 The Service Request Details Page

Step 4 Click History to view the history report. The Service Request History Report page appears. This page shows you the history of the service request state.

Figure 7-6 Service Request History Report

Step 5 Click OK when done.

Step 6 Click Audit to view service request audit information.

Step 7 Click Configlets to view configlets generated by the service request. The Service Request Configlets page appears.

Figure 7-7 Service Request Configlets

Step 8 Choose the device for which you want to see the configlet and click View Configlet. The Configlet for Device page appears.

Figure 7-8 Configlet for Device

Step 9 Click OK to exit.


Auditing Service Requests

From time to time, you may want to run audit tasks to check if the configurations on the devices in your network match the configlets generated by a deployed service request. In ISC, you can run an audit task to do this. The auditing features in ISC are located under Home > Monitoring > Task Manager > Tasks. Additionally, you can set audit tasks to run once or at a later time, or schedule them to run periodically. For more details on how to run audit tasks in general, refer to the Cisco IP Solution Center: Infrastructure Reference, 3.0.

To view an audit report, go to the "Viewing Service Request Details" section.

Config Audit

When you deploy a service request, ISC checks the configlet that it deployed against the configuration on the CPE device (this is called a Config Audit). If the two are the same, the audit is successful.

To manually run a Config Audit, click Home > Monitoring > Task Manager > Tasks and refer to the Cisco IP Solution Center: Infrastructure Reference, 3.0 for instructions on how to start Task Manager and create a Config Audit task.
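The following Python sketch is an added example, not ISC code and not ISC's audit algorithm. It shows the idea behind a Config Audit and how its result maps onto the Deployed, Failed Audit, and Lost states of Table 7-1. The function names, the IOS-style sample configlet, and the two running configurations are constructed for illustration.

```python
"""Added illustration: configlet-vs-running-config audit (not ISC's own code)."""

def parse_ios(text):
    """Return a set of (parent, command) pairs from IOS-style config text.

    Indented lines are sub-commands of the most recent unindented line, so a
    'crypto map' line under one interface is distinct from the same line
    under another interface.
    """
    entries, parent = set(), ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            continue  # blank lines and '!' separators carry no intent
        cmd = " ".join(line.split())  # normalise internal whitespace
        if line[0].isspace():
            entries.add((parent, cmd))
        else:
            parent = cmd
            entries.add(("", cmd))
    return entries

def config_audit(configlet, running_config):
    """Return the configlet commands missing from the running config, sorted."""
    missing = parse_ios(configlet) - parse_ios(running_config)
    return sorted(f"{p} / {c}" if p else c for p, c in missing)

def next_state(current, missing):
    """Map an audit result to a state name from Table 7-1.

    Pending  -> Deployed on success, Failed Audit otherwise.
    Deployed -> stays Deployed on success, Lost if configuration is missing.
    """
    if current == "Pending":
        return "Deployed" if not missing else "Failed Audit"
    if current == "Deployed":
        return "Deployed" if not missing else "Lost"
    raise ValueError(f"config audit not modelled for state {current!r}")

# Constructed sample data: a configlet and two device configurations.
CONFIGLET = """\
crypto isakmp policy 10
 encryption aes
 authentication pre-share
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 match address 101
interface Serial0/0
 crypto map VPN-MAP
"""
RUNNING_OK = "hostname cpe-a\n!\n" + CONFIGLET + "!\nend\n"
# Drift: the crypto map has been removed from the interface.
RUNNING_DRIFT = RUNNING_OK.replace(" crypto map VPN-MAP\n", "")
```

This check is one-directional: it reports configlet commands that are absent from the device, but not extra commands present on the device.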

Certificate Enrollment Audit

Certificate enrollment audits can be performed for site-to-site and remote access service requests only.


Step 1 To run a certificate enrollment audit, click Home > Monitoring > Task Manager > Tasks. The Tasks page appears as shown in Figure 7-16.

Figure 7-9 The Tasks Page

Step 2 Click Create. The Create Task page appears as shown in Figure 7-17.

Figure 7-10 The Create Task Page With Certificate Enrollment Audit Selected

Step 3 Select Certificate Enrollment Audit from the Type drop-down list.

Step 4 Click Next. The Task Service Requests page appears as shown in Figure 7-18.

Figure 7-11 The Tasks Service Request Page

Step 5 Click Add. The Service Request for Task dialog box appears as shown in Figure 7-19.


Note: Only site-to-site and remote access service requests are available for certificate enrollment audits, so, if present, they are the only service requests displayed in the Service Request for Task dialog box.


Figure 7-12 Service Request for Task Dialog Box

Step 6 Check the service request you want to audit and click Select to return to the Tasks Service Request page. The service request you checked now appears on the Tasks Service Request page.

Step 7 Click Next. The Task Schedules page appears as shown in Figure 7-20.

Figure 7-13 The Task Schedules Page

Step 8 Click Create. The Task Schedules page appears with the scheduling options displayed as shown in Figure 7-21.

Figure 7-14 The Task Schedules With Scheduling Options Displayed

Step 9 Select when you would like the update to occur and click OK to continue.

Step 10 Click Next.

Figure 7-15 Certificate Enrollment Audit Task Summary Page

Step 11 Click Finish when done.

Step 12 To view the results of the tasks you create, click Home > Monitoring > Task Manager > Logs and refer to the Cisco IP Solution Center: Infrastructure Reference, 3.0 for information on logging options.


IPsec Functional Audits

An IPsec functional audit can be used after you deploy a service request to check the status of the VPN tunnels. The IPsec functional audit pings all the nodes of the VPN to check connectivity and ensure the tunnels are up.

IPsec functional audits can be performed for site-to-site and IPsec-to-MPLS service requests only.


Step 1 To run an IPsec functional audit, click Home > Monitoring > Task Manager > Tasks. The Tasks page appears as shown in Figure 7-16.

Figure 7-16 The Tasks Page

Step 2 Click Create. The Create Task page appears as shown in Figure 7-17.

Figure 7-17 The Create Task Page With IPsec Functional Audit Selected

Step 3 Select IPsec Functional Audit from the Type drop-down list.

Step 4 Click Next. The Task Service Requests page appears as shown in Figure 7-18.

Figure 7-18 The Tasks Service Request Page

Step 5 Click Add. The Service Request for Task dialog box appears as shown in Figure 7-19.

Figure 7-19 Service Request for Task Dialog Box

Step 6 Check the service request you want to audit and click Select to return to the Tasks Service Request page. The service request you checked now appears on the Tasks Service Request page.

Step 7 Click Next. The Task Schedules page appears as shown in Figure 7-20.

Figure 7-20 The Task Schedules Page

Step 8 Click Create. The Task Schedules page appears with the scheduling options displayed as shown in Figure 7-21.

Figure 7-21 The Task Schedules With Scheduling Options Displayed

Step 9 Select when you would like the update to occur and click OK to continue.

Step 10 Click Next. The IPsec Functional Audit Task Summary page appears as shown in Figure 7-22.

Figure 7-22 The IPsec Functional Audit Task Summary Page

Step 11 Click Finish when done.

Step 12 To view the results of the tasks you create, click Home > Monitoring > Task Manager > Logs and refer to the Cisco IP Solution Center: Infrastructure Reference, 3.0 for information on logging options.


Viewing Task Logs

If more details are needed to troubleshoot a service request, view the task logs. To view the logs generated by the tasks you create, click Home > Monitoring > Task Manager > Logs. Please refer to the "Monitoring" chapter of the Cisco IP Solution Center: Infrastructure Reference, 3.0 for more information on task logs.

Decommissioning a Service Request

Decommissioning a service request removes the security service from all CPE devices in the service request. To remove a security service, perform the following steps:


Step 1 Click Service Inventory > Inventory and Connection Manager > Service Requests. The Service Requests page appears.

Step 2 Put a check mark next to the service request you want to decommission.

Step 3 Click Decommission. The Confirm Request page appears.

Figure 7-23 The Confirm Request Page

Step 4 Click OK to confirm and decommission the service request, or click Cancel to return to the Service Requests page without decommissioning the service request.


Note: On the Service Requests page (Figure 7-24), the service request state is REQUESTED and the Operation Type column is set to DELETE. The previous steps did not remove the service request; they only tagged it for deletion. To delete the service request, perform the steps below.


Figure 7-24 The Service Requests Page with a Service Request Pending Deletion

Step 5 Put a check mark next to the service request with Operation Type DELETE.

Step 6 Click Deploy.

Step 7 Specify when you want ISC to remove the service request in the Deploy Service Requests page.

Step 8 Click Save. ISC creates the necessary removal configuration to delete the security service from the device(s). As part of the decommission process, ISC audits the configuration to ensure that the service is removed completely. Once audited, the service request state changes to a CLOSED state.

To release CPE devices and policies from the database, use the Purge option on the Service Requests page.