Cisco Network Module Enhanced Application Performance Assurance User Guide, Rel 2.0.0 - Managing Users [Cisco Application Networking Services Modules]

Table Of Contents

Managing Users

Information About Users

What is a User?

User Modes in Enterprise Solutions

Aging Users

Anonymous Groups and User Templates

Information About User Files

User Files

User Default CSV File Format

User Anonymous Groups CSV File Format

Importing and Exporting User Information

Importing User Information

Exporting User Information

Importing User Templates

Exporting User Templates

Removing Users and Templates

Removing a Specific User

Removing All Introduced Users

Removing a Specific Anonymous User Group

Removing All Anonymous User Groups

Removing All Anonymous Users

Removing All User Templates

Importing and Exporting Anonymous Groups

Importing Anonymous Groups

Exporting Anonymous Groups

Monitoring Users

Monitoring the User Database

Displaying the User Database Counters

Clearing the User Database Counters

Displaying Users

Displaying Users: All Current User Names

Displaying Users: By User Property or Prefix

Display Users By Mapping: IP Address, VPN, or VLAN ID

Displaying User Information

Displaying a List of User Properties

Displaying Complete Information for a Specific User

Displaying Values of User Properties for a Specific User

Displaying Mappings for a Specific User

Displaying OS Counters for a Specific User

Displaying Anonymous User Information

Displaying Currently Configured Anonymous Groups

Displaying Currently Configured Templates for Anonymous Groups

Displaying Current Configuration for a Specific Anonymous Group

Displaying Users in a Specific Anonymous Group

Displaying all Users Currently in Anonymous Groups

Display the Number of Users in a Specified Anonymous Group

Display the Total Number of Users in all Anonymous Groups

Configuring User Aging

Enabling Aging for Anonymous Group Users

Enabling Aging for Introduced Users

Disabling Aging for Anonymous Group Users

Disabling Aging for Introduced Users

Setting the Aging Timeout Period for Anonymous Group Users

Setting the Aging Timeout Period for Introduced Users

Displaying Aging for Anonymous Group Users

Displaying Aging for Introduced Users

Managing Users

The NME-APA module is user aware, that is, it can relate traffic and usage to specific customers. This ability to map between IP flows and a specific user allows the system to do the following:

•Maintain the state of each user transmitting traffic through the platform

•Provide usage information for specific users

•Enforce the appropriate policy on user traffic (each user can have a different policy)

This module contains the following sections:

•Information About Users

•Importing and Exporting User Information

•Removing Users and Templates

•Importing and Exporting Anonymous Groups

•Monitoring Users

•Configuring User Aging

Information About Users

•What is a User?

•User Modes in Enterprise Solutions

•Aging Users

•Anonymous Groups and User Templates

•Information About User Files

What is a User?

In an enterprise, a user is usually perceived as a group of end stations belonging to a specific department such as "Financial Department users", "HR", "Engineering", etc. Such a user may be characterized by a set of discrete IP addresses, IP range, any combination of IP addresses and IP ranges, or a VLAN ID.

User Modes in Enterprise Solutions

Enterprise solutions support several modes of handling users:

•User-less mode

•Anonymous user mode

•Static user aware mode

The most basic mode is user-less mode. In this mode, there is no notion of an individual user in the system, and the entire link where the NME-APA module is deployed is treated as a single user. Global Application level analysis (such as total P2P, browsing) can be conducted, as well as global control (such as limiting total P2P to a specified percentage). From a configuration stand point, this is a turnkey system and there is no need to integrate or configure the system from a user perspective.

In anonymous user mode, analysis is performed on an incoming network ID (IP address, VLAN, or VPN ID), as the NME-APA module creates an 'anonymous on-the-fly' record for each user. This permits analyzing traffic at an individual network ID level (for example, to identify or monitor what a particular 'user' IP is currently doing) as well as control at this level (for example, to limit each user's bandwidth to a specified amount or to redirect). Anonymous-user allows quick visibility into application and protocol usage without OSS integration, and permits the application of a uniform control scheme using predefined templates.

In static user aware mode, the user IDs and currently used network IDs are provisioned into the NME-APA module. The NME-APA module can then bind use to a particular user, and enforce per-user policies on the traffic. Named reports are supported (such as top users with the OSS IDs), quota-tracking (such as tracking a user-quota over time even when network IDs change) as well as dynamic binding of policies to users. In this mode, the network IDs are static. The system supports the definition of static-users directly to the NME-APA module. This is achieved by using the NME-APA module CLI, and defining the list of users, their network IDs and policy information using interactive configuration or import and export operations.

Aging Users

Users can be aged automatically by the NME-APA module. `Aging' is the automatic removal of a user, performed when no traffic sessions assigned to it have been detected for a certain amount of time. The most common use for aging is for anonymous users, since this is the easiest way to ensure that anonymous users that have logged-out of the network are removed from the NME-APA module and are no longer occupying resources. Aging time can be configured individually for introduced users and for anonymous users.

Introduced user aging is not supported when using VPN-based users.

Anonymous Groups and User Templates

An anonymous group is a specified IP range, possibly assigned a user template. When an anonymous group is configured, the NME-APA module generates anonymous users for that group when it detects traffic with an IP address that is in the specified IP range. If a user template has been assigned to the group, the anonymous users generated have properties as defined by that template. If no user template has been assigned, the default template is used.

The NME-APA module can support a maximum of 50 anonymous groups. User templates are identified by a number from 0-199.

User templates 1-199 are defined in comma separated value (CSV) formatted user template files. However, template number 0 cannot change; it always contains the default values.

If an anonymous group is not explicitly assigned a template, the group uses template number 0.

Information About User Files

•User Files

•User Default CSV File Format

•User Anonymous Groups CSV File Format

User Files

Note VPN-based users cannot be defined, imported, or exported by a user file.

Individual users, anonymous groups, and user templates may all be defined in CSV files. Microsoft Excel™ can be used to view and create such files. The user data is imported into the system using the appropriate CLI command. The NME-APA module can also export the currently configured users, user templates and anonymous groups to csv-formatted files.

User CSV files and user template CSV files are application-specific. Refer to the relevant application documentation for the definition of the file format.

Each line in a CSV file should contain either a comment (beginning with the character `#'), or a list of comma-separated fields.

User CSV files are application-specific, but a default format is defined by the NME-APA, which is used when the application does not choose to over-ride it. The application might over-ride the format when additional data is desired for each user or user template. Refer to the relevant Service Control Application documentation to see if the application defines a different format.

User template CSV files are application-specific. Refer to the relevant Service Control Application documentation for the file format.

Anonymous groups CSV files are not application specific. Their format is described below.

User Default CSV File Format

Each line in the default user CSV file has the following structure:

name, mappings, packageId

•Name—The user name

•Mappings—Contains one or more mappings, specifying the IP addresses mapped to this user. Multiple mappings are separated by semi-colon. IP address/range cannot be specified for the same user. The following mapping formats are supported:

–IP address—In dotted decimal notation. Example: 10.3.4.5

–IP address range—Dotted decimal, followed by the number of significant bits. Note that the nonsignificant bits (as determined by the mask) must be set to zero. For example: 10.3.0.0/16. The following example is a bad range: 10.1.1.1/24, and instead should be 10.1.1.0/24.

•packageId—The ID of the package to which the user is assigned

The following is an example of a user CSV file in the default format:
# A comment line 
sub7, 10.1.7.0/24, 1 
sub8, 10.1.12.32, 1 
sub9, 5, 2 
sub10, 13-17, 2 
sub11, 39;41, 1 
sub12, 10.1.11.90; 10.3.0.0/16, 2
User Anonymous Groups CSV File Format

Each line in the anonymous groups CSV file has the following structure:

name, IP-range, template-index, manager-name(optional)

•name—The anonymous group name

•IP-range—Dotted decimal, followed by the amount of significant bits. For example: 10.3.0.0/16

•template-index—The index of the user template to be used by users belonging to this anonymous group.

•manager-name (optional)—The name of the SCMP peer.

The following is an example of an anonymous groups CSV file:
# Yet another comment line 
anon1, 10.1.1.0/24, 1, SCMP1 
anon2, 10.1.2.0/24, 2, SCMP2 
anon3, 10.1.3.0/32, 3, SCMP3 
anon4, 10.1.4.0/24, 3, SCMP3
Importing and Exporting User Information

•Options

•Importing User Information

•Exporting User Information

•Importing User Templates

•Exporting User Templates

Use the following commands to import user data from CSV files and to export user data to these files:

•user import csv-file

•user export csv-file

•user anonymous-group import csv-file

•user anonymous-group export csv-file

•user template import csv-file

•user template export csv-file

These user management commands are LineCard interface commands. Make sure that you are in LineCard Interface command mode.

Note VPN-based users cannot be defined, imported, or exported by a user file.

Options

The following option is available:

•filename—The name of the csv file.

Importing User Information

Step 1 From the NME-APA(config if)# prompt, type user import csv-file filename and press Enter.

Imports the user information from the specified file.

Imported user information is added to the existing user information. It does not overwrite the existing data.

If the information in the imported file is not valid, the command fails during the verification process before it is actually applied.

Exporting User Information

Step 1 From the NME-APA(config if)# prompt, type user export csv-file filename and press Enter.

Exports the user information to the specified file.

Importing User Templates

Step 1 From the NME-APA(config if)# prompt, type user template import csv-file filename and press Enter.

Imports the user template from the specified file.

Exporting User Templates

Step 1 From the NME-APA(config if)# prompt, type user template export csv-file filename and press Enter.

Exports the user template to the specified file.

Removing Users and Templates

•Removing a Specific User

•Removing All Introduced Users

•Removing a Specific Anonymous User Group

•Removing All Anonymous User Groups

•Removing All Anonymous Users

•Removing All User Templates

Use the following commands to remove all users, anonymous groups, or user templates from the system.

•no user all

•no user anonymous-group all

•default user template all

Use the following commands to remove a specific user or anonymous group from the system.

•no user name

•no user anonymous-group name

These user management commands are LineCard interface commands. Make sure that you are in LineCard Interface command mode, and that the NME-APA(config if)# prompt appears in the command line.

Removing a Specific User

Options

The following option is available:

•user-name—The name of the user to be removed

Step 1 From the NME-APA(config if)# prompt, type no user name user-name and press Enter.

Removes the specified user.

Removing All Introduced Users

Step 1 From the NME-APA(config if)# prompt, type no user all and press Enter.

Removes all introduced users.

Removing a Specific Anonymous User Group

Options

The following option is available:

•group-name—The name of the anonymous user group to be removed

Step 1 From the NME-APA(config if)# prompt, type no user anonymous-group name group-name and press Enter.

Removes the specified anonymous user group.

Removing All Anonymous User Groups

Step 1 From the NME-APA(config if)# prompt, type no user anonymous-group all and press Enter.

Removes all anonymous user groups.

Removing All Anonymous Users

Step 1 From the NME-APA# prompt, type clear interface linecard 0 user anonymous all and press Enter.

Removes all anonymous users.

Note The clear user anonymous command is a Privileged Exec command.

Removing All User Templates

Step 1 From the NME-APA(config if)# prompt, type default user template all and press Enter.

Removes all user templates.

All anonymous users will be assigned to the default user template.

Importing and Exporting Anonymous Groups

•Importing Anonymous Groups

•Exporting Anonymous Groups

Importing Anonymous Groups

Options

The following option is available:

•filename—Name of the CSV file.

Step 1 From the NME-APA(config if)# prompt, type user anonymous-group import csv-file filename and press Enter.

Creates anonymous groups by importing anonymous users from the specified CSV file.

Imported anonymous user information is added to the existing anonymous user information. It does not overwrite the existing data.

The NME-APA module can support a maximum of 1000 anonymous groups.

Exporting Anonymous Groups

Options

The following option is available:

•filename—Name of the CSV file.

Step 1 From the NME-APA(config if)# prompt, type user anonymous-group export csv-file filename and press Enter.

Exports all existing anonymous groups to the specified CSV file.

Monitoring Users

•Monitoring the User Database

•Displaying Users

•Displaying User Information

•Displaying Anonymous User Information

The CLI provides several commands that allow you to monitor users. These commands can be used to display information regarding the following:

•User Database

•All users meeting various criteria

•Individual user information, such as properties and mappings

•Anonymous users

Users may be introduced to the NME-APA module through the NME-APA module CLI or through the User Manager. The monitoring commands may be used to monitor all users and user information, regardless of how the users were introduced to the system.

Note that these commands are all in Viewer mode. Make sure that you are in the proper mode and that the NME-APA> prompt appears in the command line. Note also that you must specify `linecard 0' in these commands.

Monitoring the User Database

•Displaying the User Database Counters

•Clearing the User Database Counters

Use the following commands to display statistics about the user database, and to clear the "total" and "maximum" counters.

•show interface linecard 0 user db counters

The following counters are displayed:

–Current number of users

–Current number of introduced users

–Current number of anonymous users

–Current number of active users (with active traffic sessions)

–Current number of users with mappings

–Current number of IP mappings

–Current number of vlan mappings

–Max number of users that can be introduced

–Max number of users with mappings

–Max number of users with mappings date / time

–Total aggregated number introduced

–Total number of aged users

–Total number of pull events

–Number of traffic sessions currently assigned to the default user

•clear interface linecard 0 user db counters

Displaying the User Database Counters

Step 1 From the NME-APA# prompt, type show interface linecard 0 user db counters and press Enter.

Displays the user database counters.

Example

The following example shows the output from this command.
NME-APA#show interface linecard 0 user db counters 
Current values: 
=============== 
Users: 2 used out of 499 max.  
Introduced users: 2. 
Anonymous users: 0. 
Users with mappings: 2 used out of 999 max.  
IP mappings: 0 used 
VLAN Entries: 0 used 
Users with TIR mappings: 0. 
Sessions mapped to the default user: 0.  
Peak values: 
============ 
Peak number of users with mappings: 2 
Peak number occurred at: 14:56:55 ISR MON June 9 2007 
Peak number cleared at: 15:29:39 ISR MON June 9 2007  
Event counters: 
=============== 
User introduced: 2. 
User pulled: 0. 
User aged: 0. 
Pull-request notifications sent: 0. 
State notifications sent: 0. 
Logout notifications sent: 0. 
User mapping TIR contradictions: 0
Clearing the User Database Counters

Step 1 From the NME-APA# prompt, type clear interface linecard 0 user db counters and press Enter.

Clears the "total" and "maximum" counters.

Displaying Users

You can display the names of all users.

You can also display specific user name(s) that meet various criteria:

•A user property is equal to, larger than, or smaller than a specified value.

•User name matches a specific prefix or suffix.

•Mapped to a specified IP address range (may be within a specified VPN).

•Mapped to a specified VLAN ID.

•Mapped to a specified VPN.

Use the following commands to display users:

•show interface linecard 0 user all-names

•show interface linecard 0 user [amount] [prefix `prefix'] [property `propertyname' equals|greater-than|less-than `property-val']

•show interface linecard 0 user [amount] prefix `prefix'

•show interface linecard 0 user [amount] suffix `suffix'

•show interface linecard 0 user mapping IP `iprange' [VPN 'vpn-name']

•show interface linecard 0 user [amount] mapping intersecting IP `iprange' [VPN 'vpn-name']

•show interface linecard 0 user mapping VLANid `vlanid'

•show interface linecard 0 user mapping MPLS-VPN PE-ID 'pe-id' BGP-label 'bgp-label'

Displaying Users: All Current User Names

You can display the names of all users currently in the NME-APA user database.

Step 1 From the NME-APA> prompt, type show interface linecard 0 user all-names and press Enter.

Displays the names of all users currently in the NME-APA user database.

Displaying Users: By User Property or Prefix

You can search for all users that match a specified value of one of the user properties, or are greater than or less than the specified value. You can also search for all users that match a specified prefix. You can also find out how many users match any one of these criteria, rather than displaying all the actual user names.

•Displaying Users that Match a Specified Value of a User Property

•Displaying Users that are Greater Than or Less Than a Specified Value of a User Property

•Displaying Users that Match a Specified Prefix

•Displaying Users that Match a Specified Suffix

•Displaying the Number of Users that Match a Specified Value of a User Property

•Displaying the Number of Users that are Greater Than or Less Than a Specified Value of a User Property

•Displaying the Number of Users that Match a Specified Prefix

Displaying Users that Match a Specified Value of a User Property

Options

The following options are available:

•propertyname—Name of the user property to match

•property-val—Value of that user property to match

Step 1 From the NME-APA> prompt, type show interface linecard 0 user property propertyname equals property-val and press Enter.

Displaying Users that are Greater Than or Less Than a Specified Value of a User Property

Options

The following options are available:

•propertyname—Name of the user property to match

•property-val—Value of that user property to match

Step 1 From the NME-APA> prompt, type show interface linecard 0 user property propertyname greater-than|less-than property-val and press Enter.

Displaying Users that Match a Specified Prefix

Options

The following options are available:

•prefix—User prefix to match

Step 1 From the NME-APA> prompt, type show interface linecard 0 user prefix prefix and press Enter.

Displaying Users that Match a Specified Suffix

Options

The following options are available:

•suffix—User suffix to match

Step 1 From the NME-APA> prompt, type show interface linecard 0 user suffix suffix and press Enter.

Displaying the Number of Users that Match a Specified Value of a User Property

Options

The following options are available:

•propertyname—Name of the user property to match

•property-val—Value of that user property to match

Step 1 From the NME-APA> prompt, type show interface linecard 0 user amount property propertyname equals property-val and press Enter.

Displaying the Number of Users that are Greater Than or Less Than a Specified Value of a User Property

Options

The following options are available:

•propertyname—Name of the user property to match

•property-val—Value of that user property to match

Step 1 From the NME-APA> prompt, type show interface linecard 0 user amount property propertyname greater-than|less-than property-val and press Enter.

Displaying the Number of Users that Match a Specified Prefix

Options

The following options are available:

•prefix—User prefix to match

Step 1 From the NME-APA> prompt, type show interface linecard 0 user amount prefix prefix and press Enter.

Display Users By Mapping: IP Address, VPN, or VLAN ID

You can display the users who are mapped to any of the following:

•A specified IP address, or range of IP addresses (may be within a specified VPN)

•IP addresses intersecting a given IP address or IP range (may be within a specified VPN)

•A specified VLAN ID

•A specified VPN

•no mapping

You can also display just the number of users with a specified mapping, rather than listing the actual users.

Displaying Users that are Mapped to a Specified IP Address or Range of IP Addresses

Options

The following options are available:

•ip-range—IP address (x.x.x.x) or range of IP addresses (x.x.x.x/y) to match

•vpn-name (optional)—The name of the VPN in which to search for the IP address

Step 1 From the NME-APA> prompt, type show interface linecard 0 user mapping IP ip-range [VPN vpn-name] and press Enter.

Displaying Users that are Mapped to IP Addresses that are Included in a Given IP Address or IP Range

Options

The following options are available:

•ip-range—IP address (x.x.x.x) or range of IP addresses (x.x.x.x/y) to match

•vpn-name (optional)—The name of the VPN in which to search for the IP address

Step 1 From the NME-APA> prompt, type show interface linecard 0 user mapping included-in IP ip-range [VPN vpn-name] and press Enter.

Displaying Users that are Mapped to a Specified VLAN ID

Options

The following options are available:

•vlanid—VLAN ID to match

Step 1 From the NME-APA> prompt, type show interface linecard 0 user mapping VLAN-id vlanid and press Enter.

Displaying Users that are Mapped to a Specified VPN

Options

The following options are available:

•pe-id—Loopback IP address of the relevant PE router

•bgp-label—Label of the relevant BGP LEG

Step 1 From the NME-APA> prompt, type show interface linecard 0 user mapping VPN PE-ID pe-id bgp-label BGP-label and press Enter.

Displaying Users with no Mapping

Step 1 From the NME-APA> prompt, type show interface linecard 0 user mapping none and press Enter.

Displaying the Number of Users that are Mapped to a Specific VLAN ID

Options

The following options are available:

•vlanid—VLAN ID to match

Step 1 From the NME-APA> prompt, type show interface linecard 0 user amount mapping VLAN-id vlanid and press Enter.

Displaying the Number of Users with No Mapping

Step 1 From the NME-APA> prompt, type show interface linecard 0 user amount mapping none and press Enter.

Displaying User Information

You can display the following information about a specified user:

•values of the various user properties

•mappings (IP address, VLAN-ID or VPN)

•OS counters:

–current number of flows

–bandwidth

Use the following commands to display user information:

•show interface linecard 0 user properties

•show interface linecard 0 user name `name'

•show interface linecard 0 user name `name' mappings

•show interface linecard 0 user name `name' counters

•show interface linecard 0 user name `name' properties

•show interface linecard 0 user name `name' vas-servers

Displaying a List of User Properties

Step 1 From the NME-APA> prompt, type show interface linecard 0 user properties and press Enter.

Displaying Complete Information for a Specific User

Use this command to display complete information for a specific user, including all values of user properties and mappings.

Options

The following options are available:

•name—User name

Step 1 From the NME-APA> prompt, type show interface linecard 0 user name name and press Enter.

Displaying Values of User Properties for a Specific User

Options

The following options are available:

•name—User name

Step 1 From the NME-APA> prompt, type show interface linecard 0 user name name properties and press Enter.

Displaying Mappings for a Specific User

Options

The following options are available:

•name—User name

Step 1 From the NME-APA> prompt, type show interface linecard 0 user name name mappings and press Enter.

Displaying OS Counters for a Specific User

Options

The following options are available:

•name—User name

Step 1 From the NME-APA> prompt, type show interface linecard 0 user name name counters and press Enter.

Displaying Anonymous User Information

You can display the following information regarding the anonymous user groups:

•aging (see Displaying Aging for Anonymous Group Users )

•currently configured anonymous groups

•currently configured user templates

•configuration of a specified anonymous group

•number of users in a specified anonymous group, or in all anonymous groups

Use the following commands to display anonymous user information:

•show interface linecard 0 user templates [index]

•show interface linecard 0 user anonymous-group [all] [name `groupname']

•show interface linecard 0 user amount anonymous [name `groupname']

•show interface linecard 0 user anonymous [name `groupname']

Displaying Currently Configured Anonymous Groups

Step 1 From the NME-APA> prompt, type show interface linecard 0 user anonymous-group all and press Enter.

Displaying Currently Configured Templates for Anonymous Groups

Step 1 From the NME-APA> prompt, type show interface linecard 0 user templates and press Enter.

Displaying Current Configuration for a Specific Anonymous Group

Options

The following options are available:

•group-name—Name of the anonymous user group

Step 1 From the NME-APA> prompt, type show interface linecard 0 user anonymous-group name group-name and press Enter.

Displaying Users in a Specific Anonymous Group

Options

The following options are available:

•group-name—Name of the anonymous user group

Step 1 From the NME-APA> prompt, type show interface linecard 0 user anonymous name group-name and press Enter.

Displaying all Users Currently in Anonymous Groups

Step 1 From the NME-APA> prompt, type show interface linecard 0 user anonymous and press Enter.

Display the Number of Users in a Specified Anonymous Group

Options

The following options are available:

•group-name—Name of the anonymous user group

Step 1 From the NME-APA> prompt, type show interface linecard 0 user amount anonymous name group-name and press Enter.

Display the Total Number of Users in all Anonymous Groups

Step 1 From the NME-APA> prompt, type show interface linecard 0 user amount anonymous and press Enter.

Configuring User Aging

Aging is the automatic removal of a user when no traffic sessions assigned to it have been detected for a certain amount of time. Aging may be enabled or disabled, and the aging timeout period (in minutes) can be specified.

Aging can be configured separately for introduced users and for anonymous users.

Use the following commands to configure and monitor aging.

•[no] user aging

•user aging timeout

•show interface linecard 0 user aging

Enabling Aging for Anonymous Group Users

Step 1 From the NME-APA(config if)# prompt, type user aging anonymous and press Enter.

Enabling Aging for Introduced Users

Note Introduced user aging is not supported when using VPN-based users.

Step 1 From the NME-APA(config if)# prompt, type user aging introduced and press Enter.

Disabling Aging for Anonymous Group Users

Step 1 From the NME-APA(config if)# prompt, type no user aging anonymous and press Enter.

Disabling Aging for Introduced Users

Step 1 From the NME-APA(config if)# prompt, type no user aging introduced and press Enter.

Setting the Aging Timeout Period for Anonymous Group Users

Options

The following option is available:

•aging-time—The time interval, in minutes, after which an inactive user sill be aged.

Step 1 From the NME-APA(config if)# prompt, type no user aging anonymous timeout aging-time and press Enter.

Setting the Aging Timeout Period for Introduced Users

Options

The following option is available:

•aging-time—The time interval, in minutes, after which an inactive user sill be aged.

Step 1 From the NME-APA(config if)# prompt, type no user aging introduced timeout aging-time and press Enter.

Displaying Aging for Anonymous Group Users

Step 1 From the NME-APA> prompt, type show interface linecard 0 user aging anonymous and press Enter.

Displaying Aging for Introduced Users

Step 1 From the NME-APA> prompt, type show interface linecard 0 user aging introduced and press Enter.

	Cisco Network Module Enhanced Application Performance Assurance User Guide, Rel 2.0.0
	Managing Users
Cisco Network Module Enhanced Application Performance Assurance User Guide, Rel 2.0.0 About this Guide Cisco Application Performance Assurance Overview Getting Started with Application Performance Assurance Command Line Interface Operations Utility Commands Configuring Security Configuring the Line Interface Failure Recovery Raw Data Formatting: The RDR Formatter Managing Users Monitoring NME-APA Module Utilization MIB Reference NetFlow Records: Formats and Field Contents Interoperability Examples	Download this chapter Managing Users Download the complete book Cisco Network Module Enhanced Application Performance Assurance User Guide (PDF - 2 MB) Table Of Contents Managing Users Information About Users What is a User? User Modes in Enterprise Solutions Aging Users Anonymous Groups and User Templates Information About User Files User Files User Default CSV File Format User Anonymous Groups CSV File Format Importing and Exporting User Information Importing User Information Exporting User Information Importing User Templates Exporting User Templates Removing Users and Templates Removing a Specific User Removing All Introduced Users Removing a Specific Anonymous User Group Removing All Anonymous User Groups Removing All Anonymous Users Removing All User Templates Importing and Exporting Anonymous Groups Importing Anonymous Groups Exporting Anonymous Groups Monitoring Users Monitoring the User Database Displaying the User Database Counters Clearing the User Database Counters Displaying Users Displaying Users: All Current User Names Displaying Users: By User Property or Prefix Display Users By Mapping: IP Address, VPN, or VLAN ID Displaying User Information Displaying a List of User Properties Displaying Complete Information for a Specific User Displaying Values of User Properties for a Specific User Displaying Mappings for a Specific User Displaying OS Counters for a Specific User Displaying Anonymous User Information Displaying Currently Configured Anonymous Groups Displaying Currently Configured Templates for Anonymous Groups Displaying Current Configuration for a Specific Anonymous Group Displaying Users in a Specific Anonymous Group Displaying all Users Currently in Anonymous Groups Display the Number of Users in a Specified Anonymous Group Display the Total Number of Users in all Anonymous Groups Configuring User Aging Enabling Aging for Anonymous Group Users Enabling Aging for Introduced Users Disabling Aging for Anonymous Group Users Disabling Aging for Introduced Users Setting the Aging Timeout Period for Anonymous Group Users Setting the Aging Timeout Period for Introduced Users Displaying Aging for Anonymous Group Users Displaying Aging for Introduced Users Managing Users The NME-APA module is user aware, that is, it can relate traffic and usage to specific customers. This ability to map between IP flows and a specific user allows the system to do the following: •Maintain the state of each user transmitting traffic through the platform •Provide usage information for specific users •Enforce the appropriate policy on user traffic (each user can have a different policy) This module contains the following sections: •Information About Users •Importing and Exporting User Information •Removing Users and Templates •Importing and Exporting Anonymous Groups •Monitoring Users •Configuring User Aging Information About Users •What is a User? •User Modes in Enterprise Solutions •Aging Users •Anonymous Groups and User Templates •Information About User Files What is a User? In an enterprise, a user is usually perceived as a group of end stations belonging to a specific department such as "Financial Department users", "HR", "Engineering", etc. Such a user may be characterized by a set of discrete IP addresses, IP range, any combination of IP addresses and IP ranges, or a VLAN ID. User Modes in Enterprise Solutions Enterprise solutions support several modes of handling users: •User-less mode •Anonymous user mode •Static user aware mode The most basic mode is user-less mode. In this mode, there is no notion of an individual user in the system, and the entire link where the NME-APA module is deployed is treated as a single user. Global Application level analysis (such as total P2P, browsing) can be conducted, as well as global control (such as limiting total P2P to a specified percentage). From a configuration stand point, this is a turnkey system and there is no need to integrate or configure the system from a user perspective. In anonymous user mode, analysis is performed on an incoming network ID (IP address, VLAN, or VPN ID), as the NME-APA module creates an 'anonymous on-the-fly' record for each user. This permits analyzing traffic at an individual network ID level (for example, to identify or monitor what a particular 'user' IP is currently doing) as well as control at this level (for example, to limit each user's bandwidth to a specified amount or to redirect). Anonymous-user allows quick visibility into application and protocol usage without OSS integration, and permits the application of a uniform control scheme using predefined templates. In static user aware mode, the user IDs and currently used network IDs are provisioned into the NME-APA module. The NME-APA module can then bind use to a particular user, and enforce per-user policies on the traffic. Named reports are supported (such as top users with the OSS IDs), quota-tracking (such as tracking a user-quota over time even when network IDs change) as well as dynamic binding of policies to users. In this mode, the network IDs are static. The system supports the definition of static-users directly to the NME-APA module. This is achieved by using the NME-APA module CLI, and defining the list of users, their network IDs and policy information using interactive configuration or import and export operations. Aging Users Users can be aged automatically by the NME-APA module. `Aging' is the automatic removal of a user, performed when no traffic sessions assigned to it have been detected for a certain amount of time. The most common use for aging is for anonymous users, since this is the easiest way to ensure that anonymous users that have logged-out of the network are removed from the NME-APA module and are no longer occupying resources. Aging time can be configured individually for introduced users and for anonymous users. Introduced user aging is not supported when using VPN-based users. Anonymous Groups and User Templates An anonymous group is a specified IP range, possibly assigned a user template. When an anonymous group is configured, the NME-APA module generates anonymous users for that group when it detects traffic with an IP address that is in the specified IP range. If a user template has been assigned to the group, the anonymous users generated have properties as defined by that template. If no user template has been assigned, the default template is used. The NME-APA module can support a maximum of 50 anonymous groups. User templates are identified by a number from 0-199. User templates 1-199 are defined in comma separated value (CSV) formatted user template files. However, template number 0 cannot change; it always contains the default values. If an anonymous group is not explicitly assigned a template, the group uses template number 0. Information About User Files •User Files •User Default CSV File Format •User Anonymous Groups CSV File Format User Files Note VPN-based users cannot be defined, imported, or exported by a user file. Individual users, anonymous groups, and user templates may all be defined in CSV files. Microsoft Excel™ can be used to view and create such files. The user data is imported into the system using the appropriate CLI command. The NME-APA module can also export the currently configured users, user templates and anonymous groups to csv-formatted files. User CSV files and user template CSV files are application-specific. Refer to the relevant application documentation for the definition of the file format. Each line in a CSV file should contain either a comment (beginning with the character `#'), or a list of comma-separated fields. User CSV files are application-specific, but a default format is defined by the NME-APA, which is used when the application does not choose to over-ride it. The application might over-ride the format when additional data is desired for each user or user template. Refer to the relevant Service Control Application documentation to see if the application defines a different format. User template CSV files are application-specific. Refer to the relevant Service Control Application documentation for the file format. Anonymous groups CSV files are not application specific. Their format is described below. User Default CSV File Format Each line in the default user CSV file has the following structure: name, mappings, packageId •Name—The user name •Mappings—Contains one or more mappings, specifying the IP addresses mapped to this user. Multiple mappings are separated by semi-colon. IP address/range cannot be specified for the same user. The following mapping formats are supported: –IP address—In dotted decimal notation. Example: 10.3.4.5 –IP address range—Dotted decimal, followed by the number of significant bits. Note that the nonsignificant bits (as determined by the mask) must be set to zero. For example: 10.3.0.0/16. The following example is a bad range: 10.1.1.1/24, and instead should be 10.1.1.0/24. •packageId—The ID of the package to which the user is assigned The following is an example of a user CSV file in the default format: # A comment line sub7, 10.1.7.0/24, 1 sub8, 10.1.12.32, 1 sub9, 5, 2 sub10, 13-17, 2 sub11, 39;41, 1 sub12, 10.1.11.90; 10.3.0.0/16, 2 User Anonymous Groups CSV File Format Each line in the anonymous groups CSV file has the following structure: name, IP-range, template-index, manager-name(optional) •name—The anonymous group name •IP-range—Dotted decimal, followed by the amount of significant bits. For example: 10.3.0.0/16 •template-index—The index of the user template to be used by users belonging to this anonymous group. •manager-name (optional)—The name of the SCMP peer. The following is an example of an anonymous groups CSV file: # Yet another comment line anon1, 10.1.1.0/24, 1, SCMP1 anon2, 10.1.2.0/24, 2, SCMP2 anon3, 10.1.3.0/32, 3, SCMP3 anon4, 10.1.4.0/24, 3, SCMP3 Importing and Exporting User Information •Options •Importing User Information •Exporting User Information •Importing User Templates •Exporting User Templates Use the following commands to import user data from CSV files and to export user data to these files: •user import csv-file •user export csv-file •user anonymous-group import csv-file •user anonymous-group export csv-file •user template import csv-file •user template export csv-file These user management commands are LineCard interface commands. Make sure that you are in LineCard Interface command mode. Note VPN-based users cannot be defined, imported, or exported by a user file. Options The following option is available: •filename—The name of the csv file. Importing User Information Step 1 From the NME-APA(config if)# prompt, type user import csv-file filename and press Enter. Imports the user information from the specified file. Imported user information is added to the existing user information. It does not overwrite the existing data. If the information in the imported file is not valid, the command fails during the verification process before it is actually applied. Exporting User Information Step 1 From the NME-APA(config if)# prompt, type user export csv-file filename and press Enter. Exports the user information to the specified file. Importing User Templates Step 1 From the NME-APA(config if)# prompt, type user template import csv-file filename and press Enter. Imports the user template from the specified file. Exporting User Templates Step 1 From the NME-APA(config if)# prompt, type user template export csv-file filename and press Enter. Exports the user template to the specified file. Removing Users and Templates •Removing a Specific User •Removing All Introduced Users •Removing a Specific Anonymous User Group •Removing All Anonymous User Groups •Removing All Anonymous Users •Removing All User Templates Use the following commands to remove all users, anonymous groups, or user templates from the system. •no user all •no user anonymous-group all •default user template all Use the following commands to remove a specific user or anonymous group from the system. •no user name •no user anonymous-group name These user management commands are LineCard interface commands. Make sure that you are in LineCard Interface command mode, and that the NME-APA(config if)# prompt appears in the command line. Removing a Specific User Options The following option is available: •user-name—The name of the user to be removed Step 1 From the NME-APA(config if)# prompt, type no user name user-name and press Enter. Removes the specified user. Removing All Introduced Users Step 1 From the NME-APA(config if)# prompt, type no user all and press Enter. Removes all introduced users. Removing a Specific Anonymous User Group Options The following option is available: •group-name—The name of the anonymous user group to be removed Step 1 From the NME-APA(config if)# prompt, type no user anonymous-group name group-name and press Enter. Removes the specified anonymous user group. Removing All Anonymous User Groups Step 1 From the NME-APA(config if)# prompt, type no user anonymous-group all and press Enter. Removes all anonymous user groups. Removing All Anonymous Users Step 1 From the NME-APA# prompt, type clear interface linecard 0 user anonymous all and press Enter. Removes all anonymous users. Note The clear user anonymous command is a Privileged Exec command. Removing All User Templates Step 1 From the NME-APA(config if)# prompt, type default user template all and press Enter. Removes all user templates. All anonymous users will be assigned to the default user template. Importing and Exporting Anonymous Groups •Importing Anonymous Groups •Exporting Anonymous Groups Importing Anonymous Groups Options The following option is available: •filename—Name of the CSV file. Step 1 From the NME-APA(config if)# prompt, type user anonymous-group import csv-file filename and press Enter. Creates anonymous groups by importing anonymous users from the specified CSV file. Imported anonymous user information is added to the existing anonymous user information. It does not overwrite the existing data. The NME-APA module can support a maximum of 1000 anonymous groups. Exporting Anonymous Groups Options The following option is available: •filename—Name of the CSV file. Step 1 From the NME-APA(config if)# prompt, type user anonymous-group export csv-file filename and press Enter. Exports all existing anonymous groups to the specified CSV file. Monitoring Users •Monitoring the User Database •Displaying Users •Displaying User Information •Displaying Anonymous User Information The CLI provides several commands that allow you to monitor users. These commands can be used to display information regarding the following: •User Database •All users meeting various criteria •Individual user information, such as properties and mappings •Anonymous users Users may be introduced to the NME-APA module through the NME-APA module CLI or through the User Manager. The monitoring commands may be used to monitor all users and user information, regardless of how the users were introduced to the system. Note that these commands are all in Viewer mode. Make sure that you are in the proper mode and that the NME-APA> prompt appears in the command line. Note also that you must specify `linecard 0' in these commands. Monitoring the User Database •Displaying the User Database Counters •Clearing the User Database Counters Use the following commands to display statistics about the user database, and to clear the "total" and "maximum" counters. •show interface linecard 0 user db counters The following counters are displayed: –Current number of users –Current number of introduced users –Current number of anonymous users –Current number of active users (with active traffic sessions) –Current number of users with mappings –Current number of IP mappings –Current number of vlan mappings –Max number of users that can be introduced –Max number of users with mappings –Max number of users with mappings date / time –Total aggregated number introduced –Total number of aged users –Total number of pull events –Number of traffic sessions currently assigned to the default user •clear interface linecard 0 user db counters Displaying the User Database Counters Step 1 From the NME-APA# prompt, type show interface linecard 0 user db counters and press Enter. Displays the user database counters. Example The following example shows the output from this command. NME-APA#show interface linecard 0 user db counters Current values: =============== Users: 2 used out of 499 max. Introduced users: 2. Anonymous users: 0. Users with mappings: 2 used out of 999 max. IP mappings: 0 used VLAN Entries: 0 used Users with TIR mappings: 0. Sessions mapped to the default user: 0. Peak values: ============ Peak number of users with mappings: 2 Peak number occurred at: 14:56:55 ISR MON June 9 2007 Peak number cleared at: 15:29:39 ISR MON June 9 2007 Event counters: =============== User introduced: 2. User pulled: 0. User aged: 0. Pull-request notifications sent: 0. State notifications sent: 0. Logout notifications sent: 0. User mapping TIR contradictions: 0 Clearing the User Database Counters Step 1 From the NME-APA# prompt, type clear interface linecard 0 user db counters and press Enter. Clears the "total" and "maximum" counters. Displaying Users You can display the names of all users. You can also display specific user name(s) that meet various criteria: •A user property is equal to, larger than, or smaller than a specified value. •User name matches a specific prefix or suffix. •Mapped to a specified IP address range (may be within a specified VPN). •Mapped to a specified VLAN ID. •Mapped to a specified VPN. Use the following commands to display users: •show interface linecard 0 user all-names •show interface linecard 0 user [amount] [prefix `prefix'] [property `propertyname' equals\|greater-than\|less-than `property-val'] •show interface linecard 0 user [amount] prefix `prefix' •show interface linecard 0 user [amount] suffix `suffix' •show interface linecard 0 user mapping IP `iprange' [VPN 'vpn-name'] •show interface linecard 0 user [amount] mapping intersecting IP `iprange' [VPN 'vpn-name'] •show interface linecard 0 user mapping VLANid `vlanid' •show interface linecard 0 user mapping MPLS-VPN PE-ID 'pe-id' BGP-label 'bgp-label' Displaying Users: All Current User Names You can display the names of all users currently in the NME-APA user database. Step 1 From the NME-APA> prompt, type show interface linecard 0 user all-names and press Enter. Displays the names of all users currently in the NME-APA user database. Displaying Users: By User Property or Prefix You can search for all users that match a specified value of one of the user properties, or are greater than or less than the specified value. You can also search for all users that match a specified prefix. You can also find out how many users match any one of these criteria, rather than displaying all the actual user names. •Displaying Users that Match a Specified Value of a User Property •Displaying Users that are Greater Than or Less Than a Specified Value of a User Property •Displaying Users that Match a Specified Prefix •Displaying Users that Match a Specified Suffix •Displaying the Number of Users that Match a Specified Value of a User Property •Displaying the Number of Users that are Greater Than or Less Than a Specified Value of a User Property •Displaying the Number of Users that Match a Specified Prefix Displaying Users that Match a Specified Value of a User Property Options The following options are available: •propertyname—Name of the user property to match •property-val—Value of that user property to match Step 1 From the NME-APA> prompt, type show interface linecard 0 user property propertyname equals property-val and press Enter. Displaying Users that are Greater Than or Less Than a Specified Value of a User Property Options The following options are available: •propertyname—Name of the user property to match •property-val—Value of that user property to match Step 1 From the NME-APA> prompt, type show interface linecard 0 user property propertyname greater-than\|less-than property-val and press Enter. Displaying Users that Match a Specified Prefix Options The following options are available: •prefix—User prefix to match Step 1 From the NME-APA> prompt, type show interface linecard 0 user prefix prefix and press Enter. Displaying Users that Match a Specified Suffix Options The following options are available: •suffix—User suffix to match Step 1 From the NME-APA> prompt, type show interface linecard 0 user suffix suffix and press Enter. Displaying the Number of Users that Match a Specified Value of a User Property Options The following options are available: •propertyname—Name of the user property to match •property-val—Value of that user property to match Step 1 From the NME-APA> prompt, type show interface linecard 0 user amount property propertyname equals property-val and press Enter. Displaying the Number of Users that are Greater Than or Less Than a Specified Value of a User Property Options The following options are available: •propertyname—Name of the user property to match •property-val—Value of that user property to match Step 1 From the NME-APA> prompt, type show interface linecard 0 user amount property propertyname greater-than\|less-than property-val and press Enter. Displaying the Number of Users that Match a Specified Prefix Options The following options are available: •prefix—User prefix to match Step 1 From the NME-APA> prompt, type show interface linecard 0 user amount prefix prefix and press Enter. Display Users By Mapping: IP Address, VPN, or VLAN ID You can display the users who are mapped to any of the following: •A specified IP address, or range of IP addresses (may be within a specified VPN) •IP addresses intersecting a given IP address or IP range (may be within a specified VPN) •A specified VLAN ID •A specified VPN •no mapping You can also display just the number of users with a specified mapping, rather than listing the actual users. Displaying Users that are Mapped to a Specified IP Address or Range of IP Addresses Options The following options are available: •ip-range—IP address (x.x.x.x) or range of IP addresses (x.x.x.x/y) to match •vpn-name (optional)—The name of the VPN in which to search for the IP address Step 1 From the NME-APA> prompt, type show interface linecard 0 user mapping IP ip-range [VPN vpn-name] and press Enter. Displaying Users that are Mapped to IP Addresses that are Included in a Given IP Address or IP Range Options The following options are available: •ip-range—IP address (x.x.x.x) or range of IP addresses (x.x.x.x/y) to match •vpn-name (optional)—The name of the VPN in which to search for the IP address Step 1 From the NME-APA> prompt, type show interface linecard 0 user mapping included-in IP ip-range [VPN vpn-name] and press Enter. Displaying Users that are Mapped to a Specified VLAN ID Options The following options are available: •vlanid—VLAN ID to match Step 1 From the NME-APA> prompt, type show interface linecard 0 user mapping VLAN-id vlanid and press Enter. Displaying Users that are Mapped to a Specified VPN Options The following options are available: •pe-id—Loopback IP address of the relevant PE router •bgp-label—Label of the relevant BGP LEG Step 1 From the NME-APA> prompt, type show interface linecard 0 user mapping VPN PE-ID pe-id bgp-label BGP-label and press Enter. Displaying Users with no Mapping Step 1 From the NME-APA> prompt, type show interface linecard 0 user mapping none and press Enter. Displaying the Number of Users that are Mapped to a Specific VLAN ID Options The following options are available: •vlanid—VLAN ID to match Step 1 From the NME-APA> prompt, type show interface linecard 0 user amount mapping VLAN-id vlanid and press Enter. Displaying the Number of Users with No Mapping Step 1 From the NME-APA> prompt, type show interface linecard 0 user amount mapping none and press Enter. Displaying User Information You can display the following information about a specified user: •values of the various user properties •mappings (IP address, VLAN-ID or VPN) •OS counters: –current number of flows –bandwidth Use the following commands to display user information: •show interface linecard 0 user properties •show interface linecard 0 user name `name' •show interface linecard 0 user name `name' mappings •show interface linecard 0 user name `name' counters •show interface linecard 0 user name `name' properties •show interface linecard 0 user name `name' vas-servers Displaying a List of User Properties Step 1 From the NME-APA> prompt, type show interface linecard 0 user properties and press Enter. Displaying Complete Information for a Specific User Use this command to display complete information for a specific user, including all values of user properties and mappings. Options The following options are available: •name—User name Step 1 From the NME-APA> prompt, type show interface linecard 0 user name name and press Enter. Displaying Values of User Properties for a Specific User Options The following options are available: •name—User name Step 1 From the NME-APA> prompt, type show interface linecard 0 user name name properties and press Enter. Displaying Mappings for a Specific User Options The following options are available: •name—User name Step 1 From the NME-APA> prompt, type show interface linecard 0 user name name mappings and press Enter. Displaying OS Counters for a Specific User Options The following options are available: •name—User name Step 1 From the NME-APA> prompt, type show interface linecard 0 user name name counters and press Enter. Displaying Anonymous User Information You can display the following information regarding the anonymous user groups: •aging (see Displaying Aging for Anonymous Group Users ) •currently configured anonymous groups •currently configured user templates •configuration of a specified anonymous group •number of users in a specified anonymous group, or in all anonymous groups Use the following commands to display anonymous user information: •show interface linecard 0 user templates [index] •show interface linecard 0 user anonymous-group [all] [name `groupname'] •show interface linecard 0 user amount anonymous [name `groupname'] •show interface linecard 0 user anonymous [name `groupname'] Displaying Currently Configured Anonymous Groups Step 1 From the NME-APA> prompt, type show interface linecard 0 user anonymous-group all and press Enter. Displaying Currently Configured Templates for Anonymous Groups Step 1 From the NME-APA> prompt, type show interface linecard 0 user templates and press Enter. Displaying Current Configuration for a Specific Anonymous Group Options The following options are available: •group-name—Name of the anonymous user group Step 1 From the NME-APA> prompt, type show interface linecard 0 user anonymous-group name group-name and press Enter. Displaying Users in a Specific Anonymous Group Options The following options are available: •group-name—Name of the anonymous user group Step 1 From the NME-APA> prompt, type show interface linecard 0 user anonymous name group-name and press Enter. Displaying all Users Currently in Anonymous Groups Step 1 From the NME-APA> prompt, type show interface linecard 0 user anonymous and press Enter. Display the Number of Users in a Specified Anonymous Group Options The following options are available: •group-name—Name of the anonymous user group Step 1 From the NME-APA> prompt, type show interface linecard 0 user amount anonymous name group-name and press Enter. Display the Total Number of Users in all Anonymous Groups Step 1 From the NME-APA> prompt, type show interface linecard 0 user amount anonymous and press Enter. Configuring User Aging Aging is the automatic removal of a user when no traffic sessions assigned to it have been detected for a certain amount of time. Aging may be enabled or disabled, and the aging timeout period (in minutes) can be specified. Aging can be configured separately for introduced users and for anonymous users. Use the following commands to configure and monitor aging. •[no] user aging •user aging timeout •show interface linecard 0 user aging Enabling Aging for Anonymous Group Users Step 1 From the NME-APA(config if)# prompt, type user aging anonymous and press Enter. Enabling Aging for Introduced Users Note Introduced user aging is not supported when using VPN-based users. Step 1 From the NME-APA(config if)# prompt, type user aging introduced and press Enter. Disabling Aging for Anonymous Group Users Step 1 From the NME-APA(config if)# prompt, type no user aging anonymous and press Enter. Disabling Aging for Introduced Users Step 1 From the NME-APA(config if)# prompt, type no user aging introduced and press Enter. Setting the Aging Timeout Period for Anonymous Group Users Options The following option is available: •aging-time—The time interval, in minutes, after which an inactive user sill be aged. Step 1 From the NME-APA(config if)# prompt, type no user aging anonymous timeout aging-time and press Enter. Setting the Aging Timeout Period for Introduced Users Options The following option is available: •aging-time—The time interval, in minutes, after which an inactive user sill be aged. Step 1 From the NME-APA(config if)# prompt, type no user aging introduced timeout aging-time and press Enter. Displaying Aging for Anonymous Group Users Step 1 From the NME-APA> prompt, type show interface linecard 0 user aging anonymous and press Enter. Displaying Aging for Introduced Users Step 1 From the NME-APA> prompt, type show interface linecard 0 user aging introduced and press Enter.
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.