Cisco Network Module Enhanced Application Performance Assurance User Guide - Managing Users [Cisco Application Networking Services Modules]

Table Of Contents

Managing Users

Information About Users

What is a User?

User Modes in Enterprise Solutions

Aging Users

Anonymous Groups and User Templates

Information About User Files

User Files

User default csv file format

User anonymous groups csv file format

How to Import and Export User Information

Options

How to Import User Information

How to Export User Information

How to Import a User Template

How to Export a User Template

How to Remove Users and Templates

How to Remove a Specific User

Options

How to Remove All Introduced Users

How to Remove a Specific Anonymous User

Options

How to Remove All Anonymous User Groups

How to Remove All Anonymous Users

How to Remove All User Templates

How to Import and Export Anonymous Groups

How to Import Anonymous Groups

Options

How to Export Anonymous Groups

Options

How to Monitor Users

How to Monitor the User Database

How to Display the User Database Counters

Clearing the User Database Counters

How to Display Users

Displaying Users: All Current User Names

Displaying Users: By User Property or Prefix

How to Display Users: By Mapping (IP Address, VPN, or VLAN ID)

How to Display User Information

How to display a listing of user properties

How to display complete information for a specified user

How to display values of user properties for a specified user

How to display mappings for a specified user

How to display OS counters for a specified user

How to Display Anonymous User Information

How to display currently configured anonymous groups

How to display currently configured templates for anonymous groups

How to display current configuration for a specified anonymous group

How to display users in a specified anonymous group

How to display all users currently in anonymous groups

How to display the number of users in a specified anonymous group

How to display the total number of users in all anonymous groups

How to Configure User Aging

How to Enable Aging for Anonymous Group Users

How to Enable Aging for Introduced Users

How to Disable Aging for Anonymous Group Users

How to Disable Aging for Introduced Users

How to Set the Aging Timeout Period for Anonymous Group Users

Options

How to Set the Aging Timeout Period for Introduced Users

Options

How to Display Aging for Anonymous Group Users

How to Display Aging for Introduced Users

Managing Users

The NME-APA module is user aware, that is, it can relate traffic and usage to specific customers. This ability to map between IP flows and a specific user allows the system to do the following:

•Maintain the state of each user transmitting traffic through the platform

•Provide usage information for specific users

•Enforce the appropriate policy on user traffic (each user can have a different policy)

•Information About Users

•How to Import and Export User Information

•How to Remove Users and Templates

•How to Import and Export Anonymous Groups

•How to Monitor Users

•How to Configure User Aging

Information About Users

•What is a User?

•User Modes in Enterprise Solutions

•Aging Users

•Anonymous Groups and User Templates

•Information About User Files

What is a User?

In an enterprise, a user is usually perceived as a group of end stations belonging to a specific department such as "Financial Department users", "HR", "Engineering" etc. Such a user may be characterized by a set of discrete IP addresses, IP range, any combination of IP addresses and IP ranges, or a VLAN ID.

User Modes in Enterprise Solutions

Enterprise solutions support several modes of handling users:

•User-less mode

•Anonymous user mode

•Static user aware mode

The most basic mode is User-less mode. In this mode, there is no notion of an individual user in the system, and the entire link where the NME-APA module is deployed is treated as a single user. Global Application level analysis (such as total p2p, browsing) can be conducted, as well as global control (such as limiting total p2p to a specified percentage). From a configuration stand point, this is a turnkey system and there is no need to integrate or configure the system from a user perspective.

In Anonymous user mode, analysis is performed on an incoming network ID (IP address, VLAN, or VPN ID), as the NME-APA module creates an 'anonymous/on-the-fly' record for each user. This permits analyzing traffic at an individual network ID level (for example, to identify/monitor what a particular 'user' IP is currently doing) as well as control at this level (for example, to limit each user's bandwidth to a specified amount or to redirect). Anonymous-user allows quick visibility into application and protocol usage without OSS integration, and permits the application of a uniform control scheme using predefined templates.

In Static user aware mode, the user IDs and currently used network IDs are provisioned into the NME-APA module. The NME-APA module can then bind usage to a particular user, and enforce per-user policies on the traffic. Named reports are supported (such as top users with the OSS IDs), quota-tracking (such as tracking a user-quota over time even when network IDs change) as well as dynamic binding of packages to users. In this mode, the network IDs are static. The system supports the definition of static-users directly to the NME-APA module. This is achieved by using the NME-APA module CLI, and defining the list of users, their network IDs and policy information using interactive configuration or import/export operations.

Aging Users

Users can be aged automatically by the NME-APA module. `Aging' is the automatic removal of a user, performed when no traffic sessions assigned to it have been detected for a certain amount of time. The most common usage for aging is for anonymous users, since this is the easiest way to ensure that anonymous users that have logged-out of the network are removed from the NME-APA module and are no longer occupying resources. Aging time can be configured individually for introduced users and for anonymous users.

Introduced user aging is not supported when using VPN-based users.

Anonymous Groups and User Templates

An anonymous group is a specified IP range, possibly assigned a user template. When an anonymous group is configured, the NME-APA module generates anonymous users for that group when it detects traffic with an IP address that is in the specified IP range. If a user template has been assigned to the group, the anonymous users generated have properties as defined by that template. If no user template has been assigned, the default template is used.

The NME-APA module can support a maximum of 500 anonymous groups. User templates are identified by a number from 0-199.

User templates 1-199 are defined in csv formatted user template files. However, template #0 cannot change; it always contains the default values.

If an anonymous group is not explicitly assigned a template, the group uses template #0.

Information About User Files

•User Files

•User default csv file format

•User anonymous groups csv file format

User Files

Note VPN-based users cannot be defined, imported, or exported by a user file.

Individual users, anonymous groups, and user templates may all be defined in csv files. A csv file is a text file in a comma-separated-values format. Microsoft Excel™ can be used to view and create such files. The user data is imported into the system using the appropriate CLI command. The NME-APA module can also export the currently configured users, user templates and anonymous groups to csv-formatted files.

User csv files and user template csv files are application-specific. Refer to the relevant application documentation for the definition of the file format.

Each line in a csv file should contain either a comment (beginning with the character `#'), or a list of comma-separated fields.

User csv files are application-specific, but a default format is defined by the NME-APA, which is used when the application does not choose to over-ride it. The application might over-ride the format when additional data is desired for each user or user template. Refer to the relevant Service Control Application documentation to see if the application defines a different format.

User template csv files are application-specific. Refer to the relevant Service Control Application documentation of the file format.

Anonymous groups csv files are not application specific. Their format is described below.

User default csv file format

Each line has the following structure:

name, mappings, packageId

•Name —The user name

•Mappings —Contains one or more mappings, specifying the IP addresses mapped to this user. Multiple mappings are separated by semi-colon. IP address/range cannot be specified for the same user. The following mapping formats are supported:

–IP address—In dotted decimal notation. Example: 10.3.4.5

–IP address range—Dotted decimal, followed by the amount of significant bits. Note that the non-significant bits (As determined by the mask) must be set to zero. Example: 10.3.0.0/16. Example for a bad range: 10.1.1.1/24 (Should be 10.1.1.0/24).

•packageId —The ID of the package to which the user is assigned

Here is an example of a user csv file in the default format:
# A comment line 
sub7, 10.1.7.0/24, 1 
sub8, 10.1.12.32, 1 
sub9, 5, 2 
sub10, 13-17, 2 
sub11, 39;41, 1 
sub12, 10.1.11.90; 10.3.0.0/16, 2
User anonymous groups csv file format

Each line has the following structure:

name, IP-range, template-index, manager-name(optional)

•name —The anonymous group name

•IP-range —Dotted decimal, followed by the amount of significant bits. Example: 10.3.0.0/16

•template-index —The index of the user template to be used by users belonging to this anonymous group.

•manager-name (optional)—The name of the SCMP peer.

Here is an example of an anonymous groups csv file:
# Yet another comment line 
anon1, 10.1.1.0/24, 1, SCMP1 
anon2, 10.1.2.0/24, 2, SCMP2 
anon3, 10.1.3.0/32, 3, SCMP3 
anon4, 10.1.4.0/24, 3, SCMP3
How to Import and Export User Information

•Options

•How to Import User Information

•How to Export User Information

•How to Import a User Template

•How to Export a User Template

Use the following commands to import user data from csv files and to export user data to these files:

•user import csv-file

•user export csv-file

•user anonymous-group import csv-file

•user anonymous-group export csv-file

•user template import csv-file

•user template export csv-file

These user management commands are LineCard interface commands. Make sure that you are in LineCard Interface command mode.

Note VPN-based users cannot be defined, imported, or exported by a user file.

Options

The following option is available:

•filename —The name of the csv file.

How to Import User Information

Step 1 From the NME-APA(config if)# prompt, type user import csv-file filename and press Enter.

Imports the user information from the specified file.

Imported user information is added to the existing user information. It does not overwrite the existing data.

If the information in the imported file is not valid, the command will fail during the verification process before it is actually applied.

How to Export User Information

Step 1 From the NME-APA(config if)# prompt, type user export csv-file filenameand press Enter.

Exports the user information to the specified file.

How to Import a User Template

Step 1 From the NME-APA(config if)# prompt, type user template import csv-file filenameand press Enter.

Imports the user template from the specified file.

How to Export a User Template

Step 1 From the NME-APA(config if)# prompt, type user template export csv-file filenameand press Enter.

Exports the user template to the specified file.

How to Remove Users and Templates

•How to Remove a Specific User

•How to Remove All Introduced Users

•How to Remove a Specific Anonymous User

•How to Remove All Anonymous User Groups

•How to Remove All Anonymous Users

•How to Remove All User Templates

Use the following commands to remove all users, anonymous groups, or user templates from the system.

•no user all

•no user anonymous-group all

•default user template all

Use the following commands to remove a specific user or anonymous group from the system.

•no user name

•no user anonymous-group name

These user management commands are LineCard interface commands. Make sure that you are in LineCard Interface command mode, and that the NME-APA(config if)# prompt appears in the command line.

How to Remove a Specific User

Options

The following option is available:

•user-name —The name of the user to be removed

Step 1 From the NME-APA(config if)# prompt, type no user name user-nameand press Enter.

Removes the specified user.

How to Remove All Introduced Users

Step 1 From the NME-APA(config if)# prompt, type no user all and press Enter.

Removes all introduced users.

How to Remove a Specific Anonymous User

Options

The following option is available:

•group-name —The name of the anonymous user group to be removed

Step 1 From the NME-APA(config if)# prompt, type no user anonymous-group name group-nameand press Enter.

Removes the specified anonymous user group.

How to Remove All Anonymous User Groups

Step 1 From the NME-APA(config if)# prompt, type no user anonymous-group all and press Enter.

Removes all anonymous user groups.

How to Remove All Anonymous Users

Step 1 From the NME-APA# prompt, type clear interface linecard 0 user anonymous all and press Enter.

Removes all anonymous users.

Note The clear user anonymous command is a Privileged Exec command.

How to Remove All User Templates

Step 1 From the NME-APA(config if)# prompt, type default user template all and press Enter.

Removes all user templates.

All anonymous users will be assigned to the default user template.

How to Import and Export Anonymous Groups

•How to Import Anonymous Groups

•How to Export Anonymous Groups

How to Import Anonymous Groups

Options

The following option is available:

•filename —Name of the csv file.

Step 1 From the NME-APA(config if)# prompt, type user anonymous-group import csv-file filename and press Enter.

Creates anonymous groups by importing anonymous users from the specified csv file.

Imported anonymous user information is added to the existing anonymous user information. It does not overwrite the existing data.

The NME-APA module can support a maximum of 1000 anonymous groups.

How to Export Anonymous Groups

Options

The following option is available:

•filename —Name of the csv file.

Step 1 From the NME-APA(config if)# prompt, type user anonymous-group export csv-file filename and press Enter.

Exports all existing anonymous groups to the specified csv file.

How to Monitor Users

•How to Monitor the User Database

•How to Display Users

•How to Display User Information

•How to Display Anonymous User Information

The CLI provides several commands that allow you to monitor users. These commands can be used to display information regarding the following:

•User Database

•All users meeting various criteria

•Individual user information, such as properties and mappings

•Anonymous users

Users may be introduced to the NME-APA module via the NME-APA module CLI or via the User Manager. The monitoring commands may be used to monitor all users and user information, regardless of how the users were introduced to the system.

Note that these commands are all in Viewer mode. Make sure that you are in the proper mode and that the NME-APA>prompt appears in the command line. Note also that you must specify `linecard 0' in these commands.

How to Monitor the User Database

•How to Display the User Database Counters

•Clearing the User Database Counters

Use the following commands to display statistics about the user database, and to clear the " total " and " maximum " counters.

•show interface linecard 0 user db counters

The following counters are displayed:

–Current number of users

–Current number of introduced users

–Current number of anonymous users

–Current number of active users (with active traffic sessions)

–Current number of users with mappings

–Current number of IP mappings

–Current number of vlan mappings

–Max number of users that can be introduced

–Max number of users with mappings

–Max number of users with mappings date / time

–Total aggregated number introduced

–Total number of aged users

–Total number of pull events

–Number of traffic sessions currently assigned to the default user

•clear interface linecard 0 user db counters

How to Display the User Database Counters

Step 1 From the NME-APA# prompt, type show interface linecard 0 user db counters and press Enter.

Displays the user database counters.

Monitoring the User Database: Example

The following example shows the output from this command.
NME-APA#show interface linecard 0 user db counters 
Current values: 
=============== 
Users: 2 used out of 499 max.  
Introduced users: 2. 
Anonymous users: 0. 
Users with mappings: 2 used out of 999 max.  
IP mappings: 0 used 
VLAN Entries: 0 used 
Users with TIR mappings: 0. 
Sessions mapped to the default user: 0.  
Peak values: 
============ 
Peak number of users with mappings: 2 
Peak number occurred at: 14:56:55 ISR MON June 9 2007 
Peak number cleared at: 15:29:39 ISR MON June 9 2007  
Event counters: 
=============== 
User introduced: 2. 
User pulled: 0. 
User aged: 0. 
Pull-request notifications sent: 0. 
State notifications sent: 0. 
Logout notifications sent: 0. 
User mapping TIR contradictions: 0
Clearing the User Database Counters

Step 1 From the NME-APA# prompt, type clear interface linecard 0 user db counters and press Enter.

Clears the " total " and " maximum " counters..

How to Display Users

You can display the names of all users.

You can also display specific user name(s) that meet various criteria:

•A user property is equal to, larger than, or smaller than a specified value.

•User name matches a specific prefix or suffix.

•Mapped to a specified IP address range (may be within a specified VPN).

•Mapped to a specified VLAN ID.

•Mapped to a specified VPN.

Use the following commands to display users:

•show interface linecard 0 user all-names

•show interface linecard 0 user [amount] [prefix `prefix'] [property `propertyname' equals|greater-than|less-than `property-val']

•show interface linecard 0 user [amount] prefix `prefix'

•show interface linecard 0 user [amount] suffix `suffix'

•show interface linecard 0 user mapping IP `iprange' [VPN 'vpn-name']

•show interface linecard 0 user [amount] mapping intersecting IP `iprange' [VPN 'vpn-name']

•show interface linecard 0 user mapping VLANid `vlanid'

•show interface linecard 0 user mapping MPLS-VPN PE-ID 'pe-id' BGP-label 'bgp-label'

Displaying Users: All Current User Names

You can display the names of all users currently in the NME-APA user database.

Step 1 From the NME-APA>prompt, type show interface linecard 0 user all-names and press Enter.

Displays the names of all users currently in the NME-APA user database.

Displaying Users: By User Property or Prefix

You can search for all users that match a specified value of one of the user properties, or are greater than or less than the specified value. You can also search for all users that match a specified prefix. You can also find out how many users match any one of these criteria, rather than displaying all the actual user names.

•How to display users that match a specified value of a user property

•How to display users that are greater than or less than a specified value of a user property

•How to display users that match a specified prefix

•How to display users that match a specified suffix

•How to display the number of users that match a specified value of a user property

•How to display the number of users that are greater than or less than a specified value of a user property

•How to display the number of users that match a specified prefix

How to display users that match a specified value of a user property

Options

The following options are available:

•propertyname —Name of the user property to match

•property-val —Value of that user property to match

Step 1 From the NME-APA>prompt, type show interface linecard 0 user property propertyname equals property-val and press Enter.

How to display users that are greater than or less than a specified value of a user property

Options

The following options are available:

•propertyname —Name of the user property to match

•property-val —Value of that user property to match

Step 1 From the NME-APA>prompt, type show interface linecard 0 user property propertyname greater-than|less-than property-val and press Enter.

How to display users that match a specified prefix

Options

The following options are available:

•prefix —User prefix to match

Step 1 From the NME-APA>prompt, type show interface linecard 0 user prefix prefix and press Enter.

How to display users that match a specified suffix

Options

The following options are available:

•suffix —User suffix to match

Step 1 From the NME-APA>prompt, type show interface linecard 0 user suffix suffix and press Enter.

How to display the number of users that match a specified value of a user property

Options

The following options are available:

•propertyname —Name of the user property to match

•property-val —Value of that user property to match

Step 1 From the NME-APA>prompt, type show interface linecard 0 user amount property propertyname equals property-val and press Enter.

How to display the number of users that are greater than or less than a specified value of a user property

Options

The following options are available:

•propertyname —Name of the user property to match

•property-val —Value of that user property to match

Step 1 From the NME-APA>prompt, type show interface linecard 0 user amount property propertyname greater-than|less-than property-val and press Enter.

How to display the number of users that match a specified prefix

Options

The following options are available:

•prefix —User prefix to match

Step 1 From the NME-APA>prompt, type show interface linecard 0 user amount prefix prefix and press Enter.

How to Display Users: By Mapping (IP Address, VPN, or VLAN ID)

You can display the users who are mapped to any of the following:

•A specified IP address, or range of IP addresses (may be within a specified VPN)

•IP addresses intersecting a given IP address or IP range (may be within a specified VPN)

•A specified VLAN ID

•A specified VPN

•no mapping

You can also display just the number of users with a specified mapping, rather than listing the actual users.

How to display users that are mapped to a specified IP address, or range of IP addresses

Options

The following options are available:

•ip-range —IP address (x.x.x.x) or range of IP addresses (x.x.x.x/y) to match

•vpn-name (optional)—The name of the VPN in which to search for the IP address

Step 1 From the NME-APA>prompt, type show interface linecard 0 user mapping IP ip-range[VPN vpn-name] and press Enter.

How to display users that are mapped to IP addresses that are included in a given IP address or IP range

Options

The following options are available:

•ip-range —IP address (x.x.x.x) or range of IP addresses (x.x.x.x/y) to match

•vpn-name (optional)—The name of the VPN in which to search for the IP address

Step 1 From the NME-APA>prompt, type show interface linecard 0 user mapping included-in IP ip-range[VPN vpn-name] and press Enter.

How to display users that are mapped to a specified VLAN ID

Options

The following options are available:

•vlanid —VLAN ID to match

Step 1 From the NME-APA>prompt, type show interface linecard 0 user mapping VLAN-id vlanidand press Enter.

How to display users that are mapped to a specified VPN

Options

The following options are available:

•pe-id —Loopback IP address of the relevant PE router

•bgp-label —Label of the relevant BGP LEG

Step 1 From the NME-APA>prompt, type show interface linecard 0 user mapping VPN PE-ID pe-idbgp-label BGP-label and press Enter.

How to display users with no mapping

Step 1 From the NME-APA>prompt, type show interface linecard 0 user mapping none and press Enter.

How to display the number of users that are mapped to a specified VLAN ID

Options

The following options are available:

•vlanid —VLAN ID to match

Step 1 From the NME-APA>prompt, type show interface linecard 0 user amount mapping VLAN-id vlanidand press Enter.

How to display the number of users with no mapping

Step 1 From the NME-APA>prompt, type show interface linecard 0 user amount mapping none and press Enter.

How to Display User Information

You can display the following information about a specified user:

•values of the various user properties

•mappings (IP address, VLAN-ID or VPN)

•OS counters:

–current number of flows

–bandwidth

Use the following commands to display user information:

•show interface linecard 0 user properties

•show interface linecard 0 user name `name'

•show interface linecard 0 user name `name' mappings

•show interface linecard 0 user name `name' counters

•show interface linecard 0 user name `name' properties

•show interface linecard 0 user name `name' vas-servers

How to display a listing of user properties

Step 1 From the NME-APA>prompt, type show interface linecard 0 user properties and press Enter.

How to display complete information for a specified user

Use this command to display complete information for a specified user, including all values of user properties and mappings.

Options

The following options are available:

•name —User name

Step 1 From the NME-APA>prompt, type show interface linecard 0 user name nameand press Enter.

How to display values of user properties for a specified user

Options

The following options are available:

•name —User name

Step 1 From the NME-APA>prompt, type show interface linecard 0 user name name properties and press Enter.

How to display mappings for a specified user

Options

The following options are available:

•name —User name

Step 1 From the NME-APA>prompt, type show interface linecard 0 user name name mappings and press Enter.

How to display OS counters for a specified user

Options

The following options are available:

•name —User name

Step 1 From the NME-APA>prompt, type show interface linecard 0 user name name counters and press Enter.

How to Display Anonymous User Information

You can display the following information regarding the anonymous user groups:

•aging (see How to Display Aging for Anonymous Group Users )

•currently configured anonymous groups

•currently configured user templates

•configuration of a specified anonymous group

•number of users in a specified anonymous group, or in all anonymous groups

Use the following commands to display anonymous user information:

•show interface linecard 0 user templates [index]

•show interface linecard 0 user anonymous-group [all] [name `groupname']

•show interface linecard 0 user amount anonymous [name `groupname']

•show interface linecard 0 user anonymous [name `groupname']

How to display currently configured anonymous groups

Step 1 From the NME-APA>prompt, type show interface linecard 0 user anonymous-group all and press Enter.

How to display currently configured templates for anonymous groups

Step 1 From the NME-APA>prompt, type show interface linecard 0 user templates and press Enter.

How to display current configuration for a specified anonymous group

Options

The following options are available:

•group-name —Name of the anonymous user group

Step 1 From the NME-APA>prompt, type show interface linecard 0 user anonymous-group name group-name and press Enter.

How to display users in a specified anonymous group

Options

The following options are available:

•group-name —Name of the anonymous user group

Step 1 From the NME-APA>prompt, type show interface linecard 0 user anonymous name group-name and press Enter.

How to display all users currently in anonymous groups

Step 1 From the NME-APA>prompt, type show interface linecard 0 user anonymous and press Enter.

How to display the number of users in a specified anonymous group

Options

The following options are available:

•group-name —Name of the anonymous user group

Step 1 From the NME-APA>prompt, type show interface linecard 0 user amount anonymous name group-nameand press Enter.

How to display the total number of users in all anonymous groups

Step 1 From the NME-APA>prompt, type show interface linecard 0 user amount anonymous and press Enter.

How to Configure User Aging

As explained previously ( Aging Users, aging is the automatic removal of a user when no traffic sessions assigned to it have been detected for a certain amount of time. Aging may be enabled or disabled, and the aging timeout period (in minutes) can be specified.

Aging can be configured separately for introduced users and for anonymous users.

Use the following commands to configure and monitor aging.

•[no] user aging

•user aging timeout

•show interface linecard 0 user aging

How to Enable Aging for Anonymous Group Users

Step 1 From the NME-APA(config if)# prompt, type user aging anonymous and press Enter.

How to Enable Aging for Introduced Users

Note Introduced user aging is not supported when using VPN-based users

Step 1 From the NME-APA(config if)# prompt, type user aging introduced and press Enter.

How to Disable Aging for Anonymous Group Users

Step 1 From the NME-APA(config if)# prompt, type no user aging anonymous and press Enter.

How to Disable Aging for Introduced Users

Step 1 From the NME-APA(config if)# prompt, type no user aging introduced and press Enter.

How to Set the Aging Timeout Period for Anonymous Group Users

Options

The following option is available:

•aging-time —The time interval, in minutes, after which an inactive user sill be aged.

Step 1 From the NME-APA(config if)# prompt, type no user aging anonymous timeout aging-time and press Enter.

How to Set the Aging Timeout Period for Introduced Users

Options

The following option is available:

•aging-time —The time interval, in minutes, after which an inactive user sill be aged.

Step 1 From the NME-APA(config if)# prompt, type no user aging introduced timeout aging-time and press Enter.

How to Display Aging for Anonymous Group Users

Step 1 From the NME-APA>prompt, type show interface linecard 0 user aging anonymous and press Enter.

How to Display Aging for Introduced Users

Step 1 From the NME-APA>prompt, type show interface linecard 0 user aging introduced and press Enter.

	Cisco Network Module Enhanced Application Performance Assurance User Guide
	Managing Users
Cisco Network Module Enhanced Application Performance Assurance User Guide About this Guide General Overview Getting Started with Application Performance Assurance Command Line Interface Operations Utilities Configuring Security Configuring the Line Interface Failure Recovery Raw Data Formatting: The RDR Formatter Managing Users Monitoring NME-APA Module Utilization MIB Reference	Download this chapter Managing Users Download the complete book Cisco Network Module Enhanced Application Performance Assurance User Guide (PDF - 2 MB) Table Of Contents Managing Users Information About Users What is a User? User Modes in Enterprise Solutions Aging Users Anonymous Groups and User Templates Information About User Files User Files User default csv file format User anonymous groups csv file format How to Import and Export User Information Options How to Import User Information How to Export User Information How to Import a User Template How to Export a User Template How to Remove Users and Templates How to Remove a Specific User Options How to Remove All Introduced Users How to Remove a Specific Anonymous User Options How to Remove All Anonymous User Groups How to Remove All Anonymous Users How to Remove All User Templates How to Import and Export Anonymous Groups How to Import Anonymous Groups Options How to Export Anonymous Groups Options How to Monitor Users How to Monitor the User Database How to Display the User Database Counters Clearing the User Database Counters How to Display Users Displaying Users: All Current User Names Displaying Users: By User Property or Prefix How to Display Users: By Mapping (IP Address, VPN, or VLAN ID) How to Display User Information How to display a listing of user properties How to display complete information for a specified user How to display values of user properties for a specified user How to display mappings for a specified user How to display OS counters for a specified user How to Display Anonymous User Information How to display currently configured anonymous groups How to display currently configured templates for anonymous groups How to display current configuration for a specified anonymous group How to display users in a specified anonymous group How to display all users currently in anonymous groups How to display the number of users in a specified anonymous group How to display the total number of users in all anonymous groups How to Configure User Aging How to Enable Aging for Anonymous Group Users How to Enable Aging for Introduced Users How to Disable Aging for Anonymous Group Users How to Disable Aging for Introduced Users How to Set the Aging Timeout Period for Anonymous Group Users Options How to Set the Aging Timeout Period for Introduced Users Options How to Display Aging for Anonymous Group Users How to Display Aging for Introduced Users Managing Users The NME-APA module is user aware, that is, it can relate traffic and usage to specific customers. This ability to map between IP flows and a specific user allows the system to do the following: •Maintain the state of each user transmitting traffic through the platform •Provide usage information for specific users •Enforce the appropriate policy on user traffic (each user can have a different policy) •Information About Users •How to Import and Export User Information •How to Remove Users and Templates •How to Import and Export Anonymous Groups •How to Monitor Users •How to Configure User Aging Information About Users •What is a User? •User Modes in Enterprise Solutions •Aging Users •Anonymous Groups and User Templates •Information About User Files What is a User? In an enterprise, a user is usually perceived as a group of end stations belonging to a specific department such as "Financial Department users", "HR", "Engineering" etc. Such a user may be characterized by a set of discrete IP addresses, IP range, any combination of IP addresses and IP ranges, or a VLAN ID. User Modes in Enterprise Solutions Enterprise solutions support several modes of handling users: •User-less mode •Anonymous user mode •Static user aware mode The most basic mode is User-less mode. In this mode, there is no notion of an individual user in the system, and the entire link where the NME-APA module is deployed is treated as a single user. Global Application level analysis (such as total p2p, browsing) can be conducted, as well as global control (such as limiting total p2p to a specified percentage). From a configuration stand point, this is a turnkey system and there is no need to integrate or configure the system from a user perspective. In Anonymous user mode, analysis is performed on an incoming network ID (IP address, VLAN, or VPN ID), as the NME-APA module creates an 'anonymous/on-the-fly' record for each user. This permits analyzing traffic at an individual network ID level (for example, to identify/monitor what a particular 'user' IP is currently doing) as well as control at this level (for example, to limit each user's bandwidth to a specified amount or to redirect). Anonymous-user allows quick visibility into application and protocol usage without OSS integration, and permits the application of a uniform control scheme using predefined templates. In Static user aware mode, the user IDs and currently used network IDs are provisioned into the NME-APA module. The NME-APA module can then bind usage to a particular user, and enforce per-user policies on the traffic. Named reports are supported (such as top users with the OSS IDs), quota-tracking (such as tracking a user-quota over time even when network IDs change) as well as dynamic binding of packages to users. In this mode, the network IDs are static. The system supports the definition of static-users directly to the NME-APA module. This is achieved by using the NME-APA module CLI, and defining the list of users, their network IDs and policy information using interactive configuration or import/export operations. Aging Users Users can be aged automatically by the NME-APA module. `Aging' is the automatic removal of a user, performed when no traffic sessions assigned to it have been detected for a certain amount of time. The most common usage for aging is for anonymous users, since this is the easiest way to ensure that anonymous users that have logged-out of the network are removed from the NME-APA module and are no longer occupying resources. Aging time can be configured individually for introduced users and for anonymous users. Introduced user aging is not supported when using VPN-based users. Anonymous Groups and User Templates An anonymous group is a specified IP range, possibly assigned a user template. When an anonymous group is configured, the NME-APA module generates anonymous users for that group when it detects traffic with an IP address that is in the specified IP range. If a user template has been assigned to the group, the anonymous users generated have properties as defined by that template. If no user template has been assigned, the default template is used. The NME-APA module can support a maximum of 500 anonymous groups. User templates are identified by a number from 0-199. User templates 1-199 are defined in csv formatted user template files. However, template #0 cannot change; it always contains the default values. If an anonymous group is not explicitly assigned a template, the group uses template #0. Information About User Files •User Files •User default csv file format •User anonymous groups csv file format User Files Note VPN-based users cannot be defined, imported, or exported by a user file. Individual users, anonymous groups, and user templates may all be defined in csv files. A csv file is a text file in a comma-separated-values format. Microsoft Excel™ can be used to view and create such files. The user data is imported into the system using the appropriate CLI command. The NME-APA module can also export the currently configured users, user templates and anonymous groups to csv-formatted files. User csv files and user template csv files are application-specific. Refer to the relevant application documentation for the definition of the file format. Each line in a csv file should contain either a comment (beginning with the character `#'), or a list of comma-separated fields. User csv files are application-specific, but a default format is defined by the NME-APA, which is used when the application does not choose to over-ride it. The application might over-ride the format when additional data is desired for each user or user template. Refer to the relevant Service Control Application documentation to see if the application defines a different format. User template csv files are application-specific. Refer to the relevant Service Control Application documentation of the file format. Anonymous groups csv files are not application specific. Their format is described below. User default csv file format Each line has the following structure: name, mappings, packageId •Name —The user name •Mappings —Contains one or more mappings, specifying the IP addresses mapped to this user. Multiple mappings are separated by semi-colon. IP address/range cannot be specified for the same user. The following mapping formats are supported: –IP address—In dotted decimal notation. Example: 10.3.4.5 –IP address range—Dotted decimal, followed by the amount of significant bits. Note that the non-significant bits (As determined by the mask) must be set to zero. Example: 10.3.0.0/16. Example for a bad range: 10.1.1.1/24 (Should be 10.1.1.0/24). •packageId —The ID of the package to which the user is assigned Here is an example of a user csv file in the default format: # A comment line sub7, 10.1.7.0/24, 1 sub8, 10.1.12.32, 1 sub9, 5, 2 sub10, 13-17, 2 sub11, 39;41, 1 sub12, 10.1.11.90; 10.3.0.0/16, 2 User anonymous groups csv file format Each line has the following structure: name, IP-range, template-index, manager-name(optional) •name —The anonymous group name •IP-range —Dotted decimal, followed by the amount of significant bits. Example: 10.3.0.0/16 •template-index —The index of the user template to be used by users belonging to this anonymous group. •manager-name (optional)—The name of the SCMP peer. Here is an example of an anonymous groups csv file: # Yet another comment line anon1, 10.1.1.0/24, 1, SCMP1 anon2, 10.1.2.0/24, 2, SCMP2 anon3, 10.1.3.0/32, 3, SCMP3 anon4, 10.1.4.0/24, 3, SCMP3 How to Import and Export User Information •Options •How to Import User Information •How to Export User Information •How to Import a User Template •How to Export a User Template Use the following commands to import user data from csv files and to export user data to these files: •user import csv-file •user export csv-file •user anonymous-group import csv-file •user anonymous-group export csv-file •user template import csv-file •user template export csv-file These user management commands are LineCard interface commands. Make sure that you are in LineCard Interface command mode. Note VPN-based users cannot be defined, imported, or exported by a user file. Options The following option is available: •filename —The name of the csv file. How to Import User Information Step 1 From the NME-APA(config if)# prompt, type `user import csv-file` filename and press Enter. Imports the user information from the specified file. Imported user information is added to the existing user information. It does not overwrite the existing data. If the information in the imported file is not valid, the command will fail during the verification process before it is actually applied. How to Export User Information Step 1 From the NME-APA(config if)# prompt, type `user export csv-file` filenameand press Enter. Exports the user information to the specified file. How to Import a User Template Step 1 From the NME-APA(config if)# prompt, type `user template import csv-file` filenameand press Enter. Imports the user template from the specified file. How to Export a User Template Step 1 From the NME-APA(config if)# prompt, type `user template export csv-file` filenameand press Enter. Exports the user template to the specified file. How to Remove Users and Templates •How to Remove a Specific User •How to Remove All Introduced Users •How to Remove a Specific Anonymous User •How to Remove All Anonymous User Groups •How to Remove All Anonymous Users •How to Remove All User Templates Use the following commands to remove all users, anonymous groups, or user templates from the system. •no user all •no user anonymous-group all •default user template all Use the following commands to remove a specific user or anonymous group from the system. •no user name •no user anonymous-group name These user management commands are LineCard interface commands. Make sure that you are in LineCard Interface command mode, and that the NME-APA(config if)# prompt appears in the command line. How to Remove a Specific User Options The following option is available: •user-name —The name of the user to be removed Step 1 From the NME-APA(config if)# prompt, type `no user name` user-nameand press Enter. Removes the specified user. How to Remove All Introduced Users Step 1 From the NME-APA(config if)# prompt, type `no user all` and press Enter. Removes all introduced users. How to Remove a Specific Anonymous User Options The following option is available: •group-name —The name of the anonymous user group to be removed Step 1 From the NME-APA(config if)# prompt, type `no user anonymous-group name` group-nameand press Enter. Removes the specified anonymous user group. How to Remove All Anonymous User Groups Step 1 From the NME-APA(config if)# prompt, type `no user anonymous-group all` and press Enter. Removes all anonymous user groups. How to Remove All Anonymous Users Step 1 From the NME-APA# prompt, type `clear interface linecard 0 user anonymous all` and press Enter. Removes all anonymous users. Note The clear user anonymous command is a Privileged Exec command. How to Remove All User Templates Step 1 From the NME-APA(config if)# prompt, type `default user template all` and press Enter. Removes all user templates. All anonymous users will be assigned to the default user template. How to Import and Export Anonymous Groups •How to Import Anonymous Groups •How to Export Anonymous Groups How to Import Anonymous Groups Options The following option is available: •filename —Name of the csv file. Step 1 From the NME-APA(config if)# prompt, type `user anonymous-group import csv-file` filename and press Enter. Creates anonymous groups by importing anonymous users from the specified csv file. Imported anonymous user information is added to the existing anonymous user information. It does not overwrite the existing data. The NME-APA module can support a maximum of 1000 anonymous groups. How to Export Anonymous Groups Options The following option is available: •filename —Name of the csv file. Step 1 From the NME-APA(config if)# prompt, type `user anonymous-group export csv-file` filename and press Enter. Exports all existing anonymous groups to the specified csv file. How to Monitor Users •How to Monitor the User Database •How to Display Users •How to Display User Information •How to Display Anonymous User Information The CLI provides several commands that allow you to monitor users. These commands can be used to display information regarding the following: •User Database •All users meeting various criteria •Individual user information, such as properties and mappings •Anonymous users Users may be introduced to the NME-APA module via the NME-APA module CLI or via the User Manager. The monitoring commands may be used to monitor all users and user information, regardless of how the users were introduced to the system. Note that these commands are all in Viewer mode. Make sure that you are in the proper mode and that the NME-APA>prompt appears in the command line. Note also that you must specify `linecard 0' in these commands. How to Monitor the User Database •How to Display the User Database Counters •Clearing the User Database Counters Use the following commands to display statistics about the user database, and to clear the " total " and " maximum " counters. •show interface linecard 0 user db counters The following counters are displayed: –Current number of users –Current number of introduced users –Current number of anonymous users –Current number of active users (with active traffic sessions) –Current number of users with mappings –Current number of IP mappings –Current number of vlan mappings –Max number of users that can be introduced –Max number of users with mappings –Max number of users with mappings date / time –Total aggregated number introduced –Total number of aged users –Total number of pull events –Number of traffic sessions currently assigned to the default user •clear interface linecard 0 user db counters How to Display the User Database Counters Step 1 From the NME-APA# prompt, type `show interface linecard 0 user db counters` and press Enter. Displays the user database counters. Monitoring the User Database: Example The following example shows the output from this command. NME-APA#show interface linecard 0 user db counters Current values: =============== Users: 2 used out of 499 max. Introduced users: 2. Anonymous users: 0. Users with mappings: 2 used out of 999 max. IP mappings: 0 used VLAN Entries: 0 used Users with TIR mappings: 0. Sessions mapped to the default user: 0. Peak values: ============ Peak number of users with mappings: 2 Peak number occurred at: 14:56:55 ISR MON June 9 2007 Peak number cleared at: 15:29:39 ISR MON June 9 2007 Event counters: =============== User introduced: 2. User pulled: 0. User aged: 0. Pull-request notifications sent: 0. State notifications sent: 0. Logout notifications sent: 0. User mapping TIR contradictions: 0 Clearing the User Database Counters Step 1 From the NME-APA# prompt, type `clear interface linecard 0 user db counters` and press Enter. Clears the " total " and " maximum " counters.. How to Display Users You can display the names of all users. You can also display specific user name(s) that meet various criteria: •A user property is equal to, larger than, or smaller than a specified value. •User name matches a specific prefix or suffix. •Mapped to a specified IP address range (may be within a specified VPN). •Mapped to a specified VLAN ID. •Mapped to a specified VPN. Use the following commands to display users: •show interface linecard 0 user all-names •show interface linecard 0 user [amount] [prefix `prefix'] [property `propertyname' equals\|greater-than\|less-than `property-val'] •show interface linecard 0 user [amount] prefix `prefix' •show interface linecard 0 user [amount] suffix `suffix' •show interface linecard 0 user mapping IP `iprange' [VPN 'vpn-name'] •show interface linecard 0 user [amount] mapping intersecting IP `iprange' [VPN 'vpn-name'] •show interface linecard 0 user mapping VLANid `vlanid' •show interface linecard 0 user mapping MPLS-VPN PE-ID 'pe-id' BGP-label 'bgp-label' Displaying Users: All Current User Names You can display the names of all users currently in the NME-APA user database. Step 1 From the NME-APA>prompt, type `show interface linecard 0 user all-names` and press Enter. Displays the names of all users currently in the NME-APA user database. Displaying Users: By User Property or Prefix You can search for all users that match a specified value of one of the user properties, or are greater than or less than the specified value. You can also search for all users that match a specified prefix. You can also find out how many users match any one of these criteria, rather than displaying all the actual user names. •How to display users that match a specified value of a user property •How to display users that are greater than or less than a specified value of a user property •How to display users that match a specified prefix •How to display users that match a specified suffix •How to display the number of users that match a specified value of a user property •How to display the number of users that are greater than or less than a specified value of a user property •How to display the number of users that match a specified prefix How to display users that match a specified value of a user property Options The following options are available: •propertyname —Name of the user property to match •property-val —Value of that user property to match Step 1 From the NME-APA>prompt, type `show interface linecard 0 user property` propertyname equals property-val and press Enter. How to display users that are greater than or less than a specified value of a user property Options The following options are available: •propertyname —Name of the user property to match •property-val —Value of that user property to match Step 1 From the NME-APA>prompt, type `show interface linecard 0 user property` propertyname greater-than\|less-than property-val and press Enter. How to display users that match a specified prefix Options The following options are available: •prefix —User prefix to match Step 1 From the NME-APA>prompt, type `show interface linecard 0 user prefix` prefix and press Enter. How to display users that match a specified suffix Options The following options are available: •suffix —User suffix to match Step 1 From the NME-APA>prompt, type `show interface linecard 0 user suffix` suffix and press Enter. How to display the number of users that match a specified value of a user property Options The following options are available: •propertyname —Name of the user property to match •property-val —Value of that user property to match Step 1 From the NME-APA>prompt, type `show interface linecard 0 user amount property` propertyname equals property-val and press Enter. How to display the number of users that are greater than or less than a specified value of a user property Options The following options are available: •propertyname —Name of the user property to match •property-val —Value of that user property to match Step 1 From the NME-APA>prompt, type `show interface linecard 0 user amount property` propertyname greater-than\|less-than property-val and press Enter. How to display the number of users that match a specified prefix Options The following options are available: •prefix —User prefix to match Step 1 From the NME-APA>prompt, type `show interface linecard 0 user amount prefix` prefix and press Enter. How to Display Users: By Mapping (IP Address, VPN, or VLAN ID) You can display the users who are mapped to any of the following: •A specified IP address, or range of IP addresses (may be within a specified VPN) •IP addresses intersecting a given IP address or IP range (may be within a specified VPN) •A specified VLAN ID •A specified VPN •no mapping You can also display just the number of users with a specified mapping, rather than listing the actual users. How to display users that are mapped to a specified IP address, or range of IP addresses Options The following options are available: •ip-range —IP address (x.x.x.x) or range of IP addresses (x.x.x.x/y) to match •vpn-name (optional)—The name of the VPN in which to search for the IP address Step 1 From the NME-APA>prompt, type `show interface linecard 0 user mapping IP` ip-range[VPN vpn-name] and press Enter. How to display users that are mapped to IP addresses that are included in a given IP address or IP range Options The following options are available: •ip-range —IP address (x.x.x.x) or range of IP addresses (x.x.x.x/y) to match •vpn-name (optional)—The name of the VPN in which to search for the IP address Step 1 From the NME-APA>prompt, type `show interface linecard 0 user mapping included-in IP` ip-range[VPN vpn-name] and press Enter. How to display users that are mapped to a specified VLAN ID Options The following options are available: •vlanid —VLAN ID to match Step 1 From the NME-APA>prompt, type `show interface linecard 0 user mapping VLAN-id` vlanidand press Enter. How to display users that are mapped to a specified VPN Options The following options are available: •pe-id —Loopback IP address of the relevant PE router •bgp-label —Label of the relevant BGP LEG Step 1 From the NME-APA>prompt, type `show interface linecard 0 user mapping VPN PE-ID` pe-idbgp-label BGP-label and press Enter. How to display users with no mapping Step 1 From the NME-APA>prompt, type `show interface linecard 0 user mapping none` and press Enter. How to display the number of users that are mapped to a specified VLAN ID Options The following options are available: •vlanid —VLAN ID to match Step 1 From the NME-APA>prompt, type `show interface linecard 0 user amount mapping VLAN-id` vlanidand press Enter. How to display the number of users with no mapping Step 1 From the NME-APA>prompt, type `show interface linecard 0 user amount mapping none` and press Enter. How to Display User Information You can display the following information about a specified user: •values of the various user properties •mappings (IP address, VLAN-ID or VPN) •OS counters: –current number of flows –bandwidth Use the following commands to display user information: •show interface linecard 0 user properties •show interface linecard 0 user name `name' •show interface linecard 0 user name `name' mappings •show interface linecard 0 user name `name' counters •show interface linecard 0 user name `name' properties •show interface linecard 0 user name `name' vas-servers How to display a listing of user properties Step 1 From the NME-APA>prompt, type `show interface linecard 0 user properties` and press Enter. How to display complete information for a specified user Use this command to display complete information for a specified user, including all values of user properties and mappings. Options The following options are available: •name —User name Step 1 From the NME-APA>prompt, type `show interface linecard 0 user name` nameand press Enter. How to display values of user properties for a specified user Options The following options are available: •name —User name Step 1 From the NME-APA>prompt, type `show interface linecard 0 user name` name properties and press Enter. How to display mappings for a specified user Options The following options are available: •name —User name Step 1 From the NME-APA>prompt, type `show interface linecard 0 user name` name mappings and press Enter. How to display OS counters for a specified user Options The following options are available: •name —User name Step 1 From the NME-APA>prompt, type `show interface linecard 0 user name` name counters and press Enter. How to Display Anonymous User Information You can display the following information regarding the anonymous user groups: •aging (see How to Display Aging for Anonymous Group Users ) •currently configured anonymous groups •currently configured user templates •configuration of a specified anonymous group •number of users in a specified anonymous group, or in all anonymous groups Use the following commands to display anonymous user information: •show interface linecard 0 user templates [index] •show interface linecard 0 user anonymous-group [all] [name `groupname'] •show interface linecard 0 user amount anonymous [name `groupname'] •show interface linecard 0 user anonymous [name `groupname'] How to display currently configured anonymous groups Step 1 From the NME-APA>prompt, type `show interface linecard 0 user anonymous-group all` and press Enter. How to display currently configured templates for anonymous groups Step 1 From the NME-APA>prompt, type `show interface linecard 0 user templates` and press Enter. How to display current configuration for a specified anonymous group Options The following options are available: •group-name —Name of the anonymous user group Step 1 From the NME-APA>prompt, type `show interface linecard 0 user anonymous-group name` group-name and press Enter. How to display users in a specified anonymous group Options The following options are available: •group-name —Name of the anonymous user group Step 1 From the NME-APA>prompt, type `show interface linecard 0 user anonymous name` group-name and press Enter. How to display all users currently in anonymous groups Step 1 From the NME-APA>prompt, type `show interface linecard 0 user anonymous` and press Enter. How to display the number of users in a specified anonymous group Options The following options are available: •group-name —Name of the anonymous user group Step 1 From the NME-APA>prompt, type `show interface linecard 0 user amount anonymous name` group-nameand press Enter. How to display the total number of users in all anonymous groups Step 1 From the NME-APA>prompt, type `show interface linecard 0 user amount anonymous` and press Enter. How to Configure User Aging As explained previously ( Aging Users, aging is the automatic removal of a user when no traffic sessions assigned to it have been detected for a certain amount of time. Aging may be enabled or disabled, and the aging timeout period (in minutes) can be specified. Aging can be configured separately for introduced users and for anonymous users. Use the following commands to configure and monitor aging. •[no] user aging •user aging timeout •show interface linecard 0 user aging How to Enable Aging for Anonymous Group Users Step 1 From the NME-APA(config if)# prompt, type `user aging anonymous` and press Enter. How to Enable Aging for Introduced Users Note Introduced user aging is not supported when using VPN-based users Step 1 From the NME-APA(config if)# prompt, type `user aging introduced` and press Enter. How to Disable Aging for Anonymous Group Users Step 1 From the NME-APA(config if)# prompt, type `no user aging anonymous` and press Enter. How to Disable Aging for Introduced Users Step 1 From the NME-APA(config if)# prompt, type `no user aging introduced` and press Enter. How to Set the Aging Timeout Period for Anonymous Group Users Options The following option is available: •aging-time —The time interval, in minutes, after which an inactive user sill be aged. Step 1 From the NME-APA(config if)# prompt, type `no user aging anonymous timeout` aging-time and press Enter. How to Set the Aging Timeout Period for Introduced Users Options The following option is available: •aging-time —The time interval, in minutes, after which an inactive user sill be aged. Step 1 From the NME-APA(config if)# prompt, type `no user aging introduced timeout` aging-time and press Enter. How to Display Aging for Anonymous Group Users Step 1 From the NME-APA>prompt, type `show interface linecard 0 user aging anonymous` and press Enter. How to Display Aging for Introduced Users Step 1 From the NME-APA>prompt, type `show interface linecard 0 user aging introduced` and press Enter.
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.