Cisco Active Network Abstraction Administrator Guide, 3.6.5
Managing AVMs and VNEs

Table Of Contents

Managing AVMs and VNEs

Creating AVMs

AVM Status

Admin and Oper Mode AVM Status

Viewing and Editing AVM Properties

Deleting AVMs

Starting and Stopping AVMs

Moving AVMs

Finding an AVM or VNE

Overview of VNEs

VNE Status

Admin and Oper Mode VNE Status

Defining VNEs

General Tab

SNMP Tab

Telnet/SSH Tab

SSHv1 Protocol

SSH Login Sequence

SSHv2 Protocol

SSH Login Sequence

Client Authentication

Supported Algorithms

Server Authentication

Public Key and Private Key File Formats

ICMP Tab

Polling Tab

Defining a Generic SNMP VNE

Polling System Configuration

VNEs and Device Software Updates

Viewing and Editing VNE Properties

Deleting a VNE

Changing VNE States

Moving Multiple and Single VNEs


Managing AVMs and VNEs


This chapter describes defining and managing AVMs and VNEs. It includes the following sections:

Creating AVMs

AVM Status

Viewing and Editing AVM Properties

Deleting AVMs

Starting and Stopping AVMs

Moving AVMs

Finding an AVM or VNE

Overview of VNEs

Defining VNEs

VNEs and Device Software Updates

Viewing and Editing VNE Properties

Deleting a VNE

Changing VNE States

Moving Multiple and Single VNEs

Creating AVMs

Cisco ANA Manage enables you to define AVMs for Cisco ANA unit servers. Every AVM in the Cisco ANA fabric is managed by the watchdog protocol by default. Cisco ANA Manage enables you to define AVMs for units, and enable or disable the watchdog protocol on the AVM.

To define an AVM:

The unit must be installed.

The unit must be connected to the transport network.

The following default AVMs must be running:

AVM 0—The switch AVM

AVM 99—The management AVM

AVM 100—The trap management AVM


Note For more information on the status of AVMs, see AVM Status.


The new AVM must have a unique identifier within the unit.


Note AVM numbers 0-100 are reserved, and cannot be used. In addition, there might be other reserved AVM numbers. Users cannot enter a reserved number.


To create an AVM:


Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch and select the required ANA Servers Entity sub-branch.

Step 3 Open the New AVM dialog box in one of the following ways:

Right-click the required unit, then choose New AVM.

Click New AVM in the toolbar.

Choose File > New AVM.

The following fields are displayed in the New AVM dialog box:

ANA Unit—The IP address of the selected unit.


Note The unit does not have to be up to enable you to create a new AVM.


ID—The name of the AVM as defined in Cisco ANA Manage, and unique to the unit, such as AVM 18.


Note The AVM numbers 0-100 are reserved and cannot be used. You will be unable to enter a reserved number. A message is displayed in the New AVM dialog box, stating that the number is reserved.


Key—A string that uniquely identifies an AVM in the system and across all units, thus enabling a transparent failover scenario in the system. If you do not enter a key, the default key is used, "ID + timestamp."

Allocated Memory—The maximum memory allocated to the AVM.

The following check boxes are displayed in the New AVM dialog box:

Activate on creation—Loads the AVM into the bootstrap of the unit. This changes the administrative status of the AVM to Up and ensures that the AVM is loaded on subsequent restarts of the unit. By default this option is unchecked, and the newly created AVM has an administrative status of Down.

Enable AVM Protection—By default this option is selected, thereby enabling the watchdog protocol on the AVM when high availability is enabled. For more information, see Appendix F, "Using High Availability."


Note We strongly recommend that you do not disable this option if high availability is enabled. If you check or uncheck this option when the AVM is up, you need to restart the AVM for the change to take effect.


Step 4 Define the properties of the AVM.

Step 5 Click OK. The new AVM is added to the selected unit, is displayed in the workspace, and is activated.


Creating a new AVM results in Cisco ANA providing the registry information of the new AVM in the specified unit. The AVM can now host VNEs. For more information, see Defining VNEs.

AVM Status

The status of AVMs and VNEs is affected by Admin and Oper modes. Admin mode is the administrative instructions that are sent to the AVM. Oper mode is the actual operational status of the AVM, such as Up. See Admin and Oper Mode AVM Status.

When moving an AVM (file), its operational status determines whether the file is reloaded (Up) or not (Down). For more information about moving AVMs, see Moving AVMs. For more information about starting and stopping AVMs, see Starting and Stopping AVMs.

An AVM can have only one of the following statuses at a time:

Up—The file (process) is reachable, and was loaded and started. When a Start (command) option is issued, and no problems are encountered, such as an overloaded server, the AVM is running (has been loaded and started), and its status is Up.

Down—The file (process) is reachable, and was stopped. When a Stop (command) option is issued, Cisco ANA issues instructions to shut down all processes. When all processes have stopped, the status of the AVM is Down.

Starting Up—When a Start or upload (command) option is issued and, for example, the server cannot run it because it is busy or overloaded, the status of the AVM is Starting Up.

Shutting Down—When a Stop (command) option is issued and, while the command is being run, some processes are still running, the status of the AVM is Shutting Down.

Admin and Oper Mode AVM Status

Table 6-1 shows the status of an AVM as it relates to Admin and Oper modes and how it is displayed in the Status column of the AVMs table. The Admin mode is the administrative instructions that are sent to the AVM, while the Oper mode is the actual status of the AVM, such as Up.

Table 6-1 AVM Status

Status          Admin Mode   Oper Mode
Up              Up           Up
Shutting Down   Down         Up
Down            Down         Down
Starting Up     Up           Down


Viewing and Editing AVM Properties

Cisco ANA Manage enables you to view and edit certain properties of an AVM, such as the key or allocated memory.

To view or edit AVM properties:


Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch and choose the required AVM sub-branch in the tree pane.

Step 3 Open the Properties dialog box by doing one of the following:

Right-click the desired AVM, then choose Properties.

Choose File > Properties.

In the toolbar, click Properties.

The AVM Properties dialog box is displayed with the details of the selected AVM, including the IP address or key of the unit.

The following field is displayed in the AVM Properties dialog box:

Status—The status of the AVM: Up, Down, or Unreachable. See Admin and Oper Mode AVM Status.

Step 4 Edit the details of the AVM as required.


Note For more information on the other fields displayed in the AVM Properties dialog box, see Creating AVMs.


Step 5 Click OK. The new properties for the AVM are displayed in the workspace.


Deleting AVMs

You can remove an AVM. If the AVM is running, it is stopped before it is removed. This procedure deletes the registry information of the AVM in the specified unit. If VNEs are running in the AVM, an error message is displayed, and you cannot delete the AVM.


Caution You must remove all VNEs before removing their hosting AVM.

For more information, see Deleting a VNE.


Note Reserved AVMs 0-100 cannot be deleted.


To delete an AVM:


Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch, then select the required AVM sub-branch in the tree pane.

Step 3 Right-click to display the menu, then choose Delete. A warning message is displayed.

Step 4 Click Yes. A confirmation message is displayed.

Step 5 Click OK. The selected AVM is deleted from the selected unit.


Note Multiple rows can be selected for deletion.



Starting and Stopping AVMs

Cisco ANA Manage enables you to start or stop an AVM.


Note Stopping an AVM process stops all VNEs in the AVM. Any change in status of the AVM can take some time to be applied. For example, when running the Stop command, it might take several minutes before the status changes from Shutting Down to Down.


To start or stop an AVM:


Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch, then select the required AVM.

Step 3 Start or stop the AVM in one of the following ways:

Right-click the AVM, then choose Actions > Start or Actions > Stop.

In the toolbar, click Start or Stop.

The AVM is started or stopped, and the appropriate status is displayed in the workspace as follows:

Starting Up—The AVM is starting.

Up—The AVM has started.

Shutting Down—The AVM is stopping.

Down—The AVM has stopped.


Note When the AVM status is displayed as Down, the status remains Down and no reload occurs.



Moving AVMs

Cisco ANA Manage enables you to move an entire AVM between units.


Note Reserved AVMs 0-100 cannot be moved.


Cisco ANA Manage automatically checks the status of AVMs and VNEs before they are moved. This information is maintained in the memory.

If the AVM is Up, the AVM is stopped and then moved to the target unit. After the move is completed, the AVM is reloaded according to its status prior to the move, so that the status of the AVM is maintained. For example, if it was Up before the move, it remains Up; if it was Down, it remains Down.

To move an AVM:


Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch, then select the required AVM.

Step 3 Right-click the AVM, then choose Move AVM. The Move To dialog box is displayed.

The Move To dialog box displays a tree-and-branch representation of the selected Cisco ANA server and its units, excluding the unit in which the AVM is currently located. The highest level of the tree displays the Cisco ANA server. The branches can be expanded and collapsed to display and hide information.

Step 4 Browse to and select the unit (branch) where you want to move the AVM.

Step 5 Click OK. The AVM is moved and now appears beneath the selected unit.


For information about moving VNEs, see Moving Multiple and Single VNEs.

Finding an AVM or VNE

A single search in Cisco ANA Manage can locate AVMs and VNEs among all Cisco ANA servers according to specifically defined search criteria.

To find an AVM or VNE:


Step 1 In the Cisco ANA Manage window, select the unit sub-branch or any sub-branch.

Step 2 Click Find. The Find dialog box is displayed.

The Find field enables you to enter specific search criteria to find the required AVM or VNE. For example, you can search for an AVM using the ID number, or search for a VNE using an IP address.

The Types list enables you to specify whether you are searching for an AVM or VNE by selecting an option from the list. When an option is selected, the Property area is enabled, displaying the properties for the selected option. For example, if AVM is selected from the Types list, the AVM properties are displayed in the Property area, and you can select a specific property for the search.

The Up and Down radio buttons enable you to search up and down (you can also use the F3 key).

The following buttons are displayed in the Find dialog box:

Find—Searches for the AVM or VNE from the selected point in the tree pane, either up or down.

Cancel—Cancels the search, and clears the Find dialog box.

Step 3 Enter the search criteria in the Find field.

When searching for an AVM the following search criteria are displayed:

ID

Status

Key

Loaded patches

When searching for a VNE the following search criteria are displayed:

Key

IP address

Status

Element type

Maintenance

Polling group

Step 4 (Optional) From the Types drop-down list, choose AVM or VNE.

Step 5 (Optional) From the Property area, select a specific property.

Step 6 Select Up or Down for the direction.

Step 7 Click Find. The AVM or VNE matching the search criteria is highlighted in Cisco ANA Manage.


Note Press F3 to view the next AVM or VNE matching the search criteria.



Overview of VNEs

A VNE is designated by its leading IP address and corresponds to a single NE. Typically an NE has only one IP address that is used for management. For such devices, the leading IP address is the single IP address configured for this device.

If an NE has multiple IP addresses, you must choose one of these IP addresses to be used as the leading IP address. The leading IP address serves as an identifier of the VNE that corresponds to the NE and is displayed wherever the IP address of the NE is required.


Note Two VNEs cannot monitor the same NE.


Cisco ANA Manage enables you to create VNEs (replicas of devices) by entering the IP address, SNMP, and polling rate information. This is referred to as element management.

After Cisco ANA Manage installs and runs the process, samples the device, and collects the data, a VNE (managed element) is created. The VNE includes tables and physical inventory, and can be accessed using Cisco ANA NetworkVision.

VNE Status

The status of VNEs is affected by Admin and Oper modes. Admin mode is the administrative instructions that are sent to the VNE, while Oper mode is the actual operational status of the VNE, such as Up. For more information about Admin and Oper modes, see Admin and Oper Mode VNE Status.

When moving a VNE, its status (either Up or Down), determines whether the VNE is reloaded (Up) or not (Down). For more information about moving VNEs, see Moving Multiple and Single VNEs. For more information about starting and stopping VNEs, see Changing VNE States.

A VNE can have only one of the following statuses at a time:

Up—The VNE (process) is reachable, and was loaded and started. When a Start (command) option is issued, and no problems are encountered, such as an overloaded server, the VNE is running (has been loaded and started), and its status is Up.

Down—The VNE (process) is reachable and was stopped. When a Stop (command) option is issued, Cisco ANA issues instructions to shut down all processes. When all processes have stopped, the status of the VNE is Down.

Unreachable—The VNE cannot be managed by Cisco ANA and its status is defined as Unreachable. When an option (command) is issued that cannot be run by Cisco ANA, the status of the VNE is Unreachable.

Starting Up—When a Start or upload (command) option is issued and, for example, when the server cannot run it because it is busy or overloaded, the status of the VNE is Starting Up.

Shutting Down—When a Stop (command) option is issued and, while the command is being run, some processes are still running, the status of the VNE is Shutting Down.

In addition to the statuses described, a VNE can be placed in maintenance mode. For example, a VNE status can be Up and in maintenance mode. NEs often undergo maintenance operations and planned outages. The Cisco ANA platform supports such maintenance operations without affecting the overall functionality of the active network.

While in maintenance mode (temporary state) a VNE:

Does not change state on its own, unless you explicitly (manually) switch the VNE back to active state.

Never polls the device.

Handles events for correlation flow issues, but does not poll the device.

Does not initiate new service alarms, but does receive events from adjacent VNEs, such as in the case of a link down alarm.

Does not handle syslogs and traps even though the flows are active.

Maintains the status of any existing links.

Does not fail on verification requests.

For more information about maintenance mode, see Changing VNE States.

Admin and Oper Mode VNE Status

Table 6-2 presents the status of a VNE in relation to its Admin and Oper modes, as displayed in the Status column of the VNE table. The Admin mode is the administrative instructions that are sent to the VNE while the Oper mode is the actual status of the VNE, such as Up.

Table 6-2 VNE Status

Status          Admin Mode   Oper Mode
Up              Up           Up
Shutting Down   Down         Up
Down            Down         Down
Starting Up     Up           Down
Unreachable     Up           Unreachable


For example, if you start a VNE, and the Admin status is Up but the Oper status is Down and has not started yet (because the server is busy), the status is Starting Up. If a VNE is Up and you stop the VNE, the Admin status is Down but, because the process is not terminated immediately, the status is Shutting Down.

Defining VNEs

When you add and define a new VNE, it corresponds to an NE and should only be added to the system once. As the VNE loads, Cisco ANA starts investigating the NE and automatically builds a live model of it, including its physical and logical inventory, its configuration, and its status.

When adding a new VNE, Cisco ANA creates the registry information of the new VNE in the unit. The newly created VNE has an administrative status of Down, and uses the default community strings and polling rates. The VNE inherits these properties from the configuration record that corresponds to the device type.

A VNE must be loaded into the bootstrap of the unit before it starts monitoring its underlying NE. This changes the administrative status of the VNE to Up, and ensures that the VNE is loaded on subsequent restarts of the unit. Loading the VNE also starts the VNE immediately. For more information about the status of VNEs, see Admin and Oper Mode VNE Status.

Before adding a new VNE using Cisco ANA Manage, you must first determine the unit and AVM the new VNE is to be added to.

You can define and manage SNMP, Telnet, SSH, ICMP, and polling information for the appropriate VNEs in the New VNE dialog box.


Note A new VNE cannot be added to the reserved AVMs 0-100.


You can create VNEs that perform reachability testing only through ICMP. This can be done by creating a VNE, selecting the type ICMP, and then defining the details in the ICMP tab. See ICMP Tab.

For information on defining VNE properties in the respective VNE tabs, see:

General Tab

SNMP Tab

Telnet/SSH Tab

SSHv2 Protocol

ICMP Tab

Polling Tab

Defining a Generic SNMP VNE

Polling System Configuration

For details on viewing and editing VNE properties, see Viewing and Editing VNE Properties.

To define the properties of a new VNE:


Step 1 Select the ANA Servers branch in the Cisco ANA Manage.

Step 2 Select the required AVM sub-branch in the tree pane.

Step 3 Open the New VNE dialog box in one of the following ways:

Right-click the AVM sub-branch, then choose New VNE.

Choose File > New VNE.

In the toolbar, click New VNE.

The New VNE dialog box is displayed (see Figure 6-1).

Figure 6-1 New VNE Dialog Box


The New VNE dialog box contains the following tabs:

General Tab—For VNE information in the connected Cisco ANA (mandatory name and IP fields).

SNMP Tab—For polling and accessing devices using SNMPv1, SNMPv2c and SNMPv3.

Telnet/SSH Tab—For selecting Telnet or SSH for device access and configuring the login sequence.

ICMP Tab—For verifying that devices are reachable by sending repetitive ICMP request packets, and testing reachability by defining the polling rate.

Polling Tab—For associating a VNE in the Cisco ANA with a polling group, or defining an instance.


Note The OK button in the New VNE dialog box is enabled only when you have entered the VNE name and IP address in the General tab (mandatory fields).


General Tab

The General tab enables you to manage VNE information in the connected Cisco ANA.

The following VNE identification fields are displayed in the Identification area:

VNE Name—The name of the VNE that is used as a unique key in NetworkVision, Cisco ANA Manage, and EventVision.


Note This name is also used for VNE manipulation commands.


IP Address—The IP address of the device.

Type—Select the VNE Type from the list:

Auto Detect—Automatically detects the device type and loads the relevant VNE.


Note SNMP cannot be disabled if the Auto Detect option is selected. See SNMP Tab.


Generic SNMP—Loads a generic VNE. For more information about defining a generic VNE, see Defining a Generic SNMP VNE.

Cloud—Loads an unmanaged network segment. Specific cloud configuration is provided on a per-project basis.

ICMP—Uses an ICMP-based reachability test to validate communication with the managed device by continuously sending ICMP packets.


Note When this option is selected, only the ICMP tab is enabled and the SNMP, Telnet/SSH, and Polling tabs are disabled.


Scheme—The VNE scheme determines the network element information that is collected by a VNE and populated in its model; that is, it defines the VNE modeling components investigated during the discovery process. Choose a scheme that is based on the device family and on the technologies you want Cisco ANA to manage. This enables you to define different behavior for different devices. For example, some devices poll only with SNMP, while other devices poll with Telnet. Soft properties and activation scripts are also attached to a specific scheme.

The Scheme drop-down list contains the following options:

Default—Sets the scheme to Product.

Product—This scheme is used for all device types in this release except Cisco CRS-1, Cisco XR 12000 series, Cisco 3750ME, and Juniper M-Series devices.

ipcore—This scheme is used only for routers serving as Provider (P) or Provider Edge (PE) devices.

The difference between the two schemes is that ipcore assumes that the device is used as part of an MPLS VPN network containing P and PE devices. Cisco ANA therefore models these VNEs slightly differently. Use Product for all other instances, including customer edge (CE) devices. The Product scheme assumes that no MPLS or VRF configuration exists and thus does not retrieve it.

These schemes provide users with the flexibility to specify the registrations (a registration is how the VNE queries a live device for information) that the VNEs modeling their routers are to use. You can designate a VNE as a core router by setting it to work with the ipcore scheme, or an edge router by setting it to work with the Product scheme.

Product Scheme

The Product scheme is to be used for routers that are not configured to serve as PE and P devices. The Product scheme includes all device types, except Cisco CRS-1, Cisco XR 12000, Cisco 3750ME, and Juniper M-Series devices.

Since the routing entry to the management system can be discovered via Border Gateway Protocol (BGP), one registration supports discovering just that one entry (mc-ip-bgp under the RoutingEntity Device Component).

Beginning with Cisco ANA 3.6 Service Pack 1, the following registrations available in previous releases are not used by the Product scheme:

gre tunnel

lse

martini

mpbgp

mpls interfaces

mpls te tunnels headend creator

tunnel container

vrf interfaces

label switching table

ldp local ip

mpls te tunnels in lse

mpls distribution protocol

mpls te interface attribute

mpls te interface properties

mpls traffic engineering tunnel information

bgp neighbors

bgp-process-state

local bgp as

local bgp identifier

VRF RoutingTable

VrfRoutingTarget

ipcore Scheme

Use the ipcore scheme when you want the VNE to poll for additional data that is typical for PE or P routers, such as VRF or MPLS. The ipcore scheme is applicable for the following device types:

All Cisco router devices of families greater than or equal to 3600.

Cisco CRS-1 (ipcore scheme only).

Cisco 12KXR (ipcore scheme only).

Cisco 3750ME (ipcore scheme only).

Juniper M-Series routers.

In addition to usual registrations in the Product scheme, this scheme also includes the following registrations according to Device Components (DCs) and device queries using registrations:

GenericForwardingInvestigator

gre tunnel

lse

martini

mpbgp

mpls interfaces

mpls te tunnels headend creator

tunnel container

GenericVrfInvestigator

vrf interfaces

LSE

label switching table

ldp local ip

mpls te tunnels in lse

MPLS

mpls distribution protocol

mpls te interface attribute

mpls te interface properties

MplsTETunnel

mpls traffic engineering tunnel information

PTPLayer2MplsTunnel

Details

MPBgp

bgp neighbors

bgp-process-state

local bgp as

local bgp identifier

VRF

RoutingTable

VrfRoutingTarget

The VNE State field is displayed in the initial state area:

Stop—The VNE is not loaded. This is the default state.

Start—The VNE is loaded and starts collecting data.

Maintenance—The VNE is started and moved to maintenance mode. See VNE Status.

The following fields are displayed in the Location area of the General tab:

ANA Unit—The IP address of the unit that hosts the AVM for the VNE.

AVM—The AVM on the unit that hosts the VNE.

SNMP Tab

The SNMP tab enables you to support polling and accessing devices using SNMPv1, SNMPv2, or SNMPv3. Figure 6-2 shows the SNMP tab dialog box.

Figure 6-2 SNMP Tab


Note If a device does not have a unique SNMP Engine ID, Cisco ANA generates Device unreachable events with corresponding SNMP timeout messages in the AVM log file. These IDs are normally derived from the unique MAC address for the device and assigned automatically, but they can be specified by the user. We recommend that you avoid custom SNMP Engine IDs. If you do use them, make sure they are unique.


The following check box and radio buttons are displayed in the SNMP tab of the New VNE dialog box:

Enable SNMP—Check this option to enable the SNMP communication protocol so that you can work with it.


Note SNMP can be enabled or disabled on a VNE at any time. However, when the Auto Detect option is selected in the General tab, it cannot be disabled. (For more information, see General Tab).


SNMP V1—Select SNMP version 1.

SNMP V2—Select SNMP version 2.

SNMP V3—Select SNMP version 3.


Note The SNMP V3 Settings area is only enabled when SNMP V3 is selected.


The following fields are displayed in the SNMP V1/V2 Settings area:

Read—The SNMP read community string, Public or Private, as defined by the user.

Write—The SNMP write community string, Public or Private, as defined by the user.

The following fields are displayed in the SNMP V3 settings area:

Authentication—Select one of the following:

No—No authentication is required.

md5

sha

If MD5 or SHA is selected, enter the required information in the following fields:

User

Password

Encryption—Select one of the following:

No—No encryption is required.

DES

AES-128

AES-192

AES-256

If one of the security options is selected, enter the required information in the following field:

Password

Telnet/SSH Tab

The Telnet/SSH tab enables you to define the Telnet command sequence and support SSH for device access (reachability) and investigation. See SSHv2 Protocol for more information about the SSH protocol. Figure 6-3 shows the Telnet/SSH tab dialog box.

Figure 6-3 Telnet/SSH Tab


Note The fields in the lower part of the Telnet/SSH tab change according to the selected protocol. If Telnet is chosen, the lower part of the tab is empty. If SSHv1 or SSHv2 is chosen, the related fields are displayed.


You cannot enable or disable fields.

The following check box is displayed in the Telnet/SSH tab of the New VNE dialog box:

Enable—Check this option to enable the Telnet, SSHv1, or SSHv2 communication protocol to be used by the VNE to investigate the reachability of the device by activating the Prompt and Run fields, and the Add and Remove buttons.


Note Telnet and SSH can be enabled or disabled for a VNE at any time.


The following fields are displayed in the Telnet/SSH tab of the New VNE dialog box:

Protocol—A drop-down list of the available protocols:

Telnet—By default this option is set to Telnet. When Telnet is selected, the Port field automatically displays 23.

SSHv1—When SSHv1 is selected, the Port field automatically displays 22 and the SSH fields are enabled in the dialog box.

SSHv2—When SSHv2 is selected, the Port field automatically displays 22 and the SSH fields are enabled in the dialog box.

Port—When Telnet is selected, this field automatically displays 23. When SSHv1 or SSHv2 is selected, this field automatically displays 22. You can edit the port number displayed.

Device credentials in the GUI can be masked with asterisks. Click Mask. A Password Controller window opens; enter the password and confirm it. An error message appears if one of the fields is missing, or if the password and confirm strings are not identical. Click OK. The Password Controller window closes, and the password is inserted in the Run text field as asterisks. The Run text field stays masked until you add the prompt to the sequence.

If you do not click Mask, the password is entered as regular text.

The Run column in the Telnet sequence table displays the data in regular text or as asterisks depending on the chosen option.

Prompt—The expected Telnet or SSH string. This information is displayed in the table (in the relevant column) after you click Add.

Run—The Telnet or SSH string to be sent to the device when the expected prompt is detected. This information is displayed in the table (in the relevant column) after clicking Add.

The following buttons are displayed in the Telnet/SSH tab of the New VNE dialog box:

Add—Adds the Prompt and Run fields to the list in the table.

Remove—Removes the selected row from the list in the table.

Use the Up and Down arrows to change the order of the commands in the list.


Note The Telnet sequence (the order of the commands) must end with a line that includes only the prompt field as shown in Figure 6-4.


Figure 6-4 Telnet Sequence Ending With Prompt Field


Note When creating a VNE for a Cisco CRS-1 or Cisco GSR device running Cisco IOS XR software, the device username must have root privileges.
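As an added example that is not part of this guide or of the Cisco ANA product, the following Python models the Prompt/Run login sequence described above: it checks the rule that the sequence must end with a row holding only the Prompt field, renders Run values entered via Mask as asterisks the way the GUI table does, and walks a constructed stand-in device CLI through the sequence. The device behaviour, credentials and all function names are assumptions made for the example.

```python
from typing import Callable, List, Optional, Set, Tuple

# Constructed sample of the Prompt/Run rows entered in the Telnet/SSH tab.
# Row order is the order the VNE walks the login; the final row holds only
# the Prompt (empty Run), as the guide requires. Values are made up here.
LOGIN_SEQUENCE: List[Tuple[str, str]] = [
    ("Username:", "anaadmin"),
    ("Password:", "s3cret-example"),
    ("#", ""),
]


def validate_sequence(seq: List[Tuple[str, str]]) -> List[str]:
    """Check a Prompt/Run list against the guide's rules.

    Returns an empty list when the sequence is well formed, otherwise one
    message per problem. The hard rule is that the last row contains only
    the Prompt field (its Run value is empty).
    """
    problems: List[str] = []
    if not seq:
        return ["sequence is empty"]
    for idx, (prompt, _run) in enumerate(seq, start=1):
        if not prompt.strip():
            problems.append(f"row {idx}: Prompt must not be empty")
    _last_prompt, last_run = seq[-1]
    if last_run != "":
        problems.append("last row must contain only the Prompt field")
    return problems


def display_rows(seq: List[Tuple[str, str]], masked: Set[int]) -> List[Tuple[str, str]]:
    """Render the table as the GUI shows it: rows whose index is in `masked`
    (the ones entered via Mask) show their Run value as asterisks."""
    return [
        (prompt, "*" * len(run) if idx in masked else run)
        for idx, (prompt, run) in enumerate(seq)
    ]


def run_login(seq: List[Tuple[str, str]],
              device: Callable[[Optional[str]], str]) -> Tuple[List[str], bool]:
    """Walk a device through the sequence.

    `device` takes the string just sent (None right after connect) and returns
    the device's next output. Returns (transcript, reached_final_prompt).
    """
    transcript: List[str] = []
    output = device(None)
    for prompt, run in seq:
        transcript.append(f"recv: {output!r}")
        if prompt not in output:
            transcript.append(f"expected prompt {prompt!r} not seen; aborting")
            return transcript, False
        if run == "":
            return transcript, True  # prompt-only row: login sequence complete
        transcript.append(f"send: {run!r}")
        output = device(run)
    transcript.append("sequence exhausted before a prompt-only row")
    return transcript, False


class FakeDevice:
    """Constructed stand-in for a device CLI: asks for a username, then a
    password, and shows an enable prompt on success. Not a real device."""

    def __init__(self, username: str, password: str) -> None:
        self._user, self._pw, self._state = username, password, "connect"

    def __call__(self, sent: Optional[str]) -> str:
        if self._state == "connect":
            self._state = "user"
            return "User Access Verification\nUsername:"
        if self._state == "user":
            self._state = "pw" if sent == self._user else "user"
            return "Password:" if self._state == "pw" else "Username:"
        if self._state == "pw":
            if sent == self._pw:
                self._state = "shell"
                return "router#"
            self._state = "user"
            return "% Login invalid\nUsername:"
        return "router#"


if __name__ == "__main__":
    print("problems:", validate_sequence(LOGIN_SEQUENCE))
    print("GUI rows:", display_rows(LOGIN_SEQUENCE, {1}))
    lines, ok = run_login(LOGIN_SEQUENCE, FakeDevice("anaadmin", "s3cret-example"))
    print("\n".join(lines), "\nlogin ok:", ok)
```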


SSHv1 Protocol

If the SSHv1 protocol is selected, enter the required information and properties in the following fields:

Username

Password

Cipher—Cisco ANA supports polling devices using the SSH protocol, which defines a set of encryption algorithms that can be used to encrypt data. This field provides a list of the available cipher options: 3DES (default), DES, AES-128, AES-192, AES-256, and Blowfish.

Authentication—Displays the Password option.

SSH Login Sequence

After an SSH session is established between the VNE and the device, the VNE starts the login sequence. This sequence is usually shorter than the corresponding Telnet login sequence, as the username or password might have been sent as part of establishing the SSH session.

We recommend that you first use any SSH client application, such as unix-ssh or openSSH, to see what the device's valid SSH login sequence is, and then add the sequence to the VNE configuration.

SSHv2 Protocol

SSH is a protocol that provides a secure session using standard cryptographic mechanisms.

SSH Login Sequence

For information on the SSH login sequence, see SSH Login Sequence.

Client Authentication

You need to enter your username and either a password or a private key according to the configured authentication option on the device.

Public key client authentication uses a key pair system in which the client application is configured with the secret private key and the device is configured with the public nonsecret key of this pair.

You must enter a private key. You can copy and paste it, or upload it from a file by clicking Browse for file.

Entering the matching public key is optional. If it is provided, the application verifies that the public and private key are a part of the pair. You can also click Generate to generate the matching public key using the private key information.

Supported Algorithms

At least one algorithm must be selected in each subject (key-exchange, MAC, cipher, or host-key). If more than one is selected, the application tries all algorithms until one is accepted by the server. There is no priority in the way the algorithms are tried.


Note Encryption algorithms can have multiple known versions. For example, 3DES has 3des-cbc, 3des-ecb, 3des-cfb, 3des-ofb, and 3des-ctr.


Cisco ANA supports the following algorithms commonly used in network devices:

MAC:

HMAC-SHA-1

HMAC-MD5

HMAC-SHA1-96

HMAC-MD5-96

Cipher:

3DES-CBC

AES128-CBC

AES192-CBC

AES256-CBC

Host key algorithm (up to 2048-bit keys are officially supported):

DSA

RSA

Key Exchange:

diffie-hellman-group1-sha1

diffie-hellman-group-exchange-sha1

Server Authentication

Most of the devices that support SSH have a means of identifying themselves to the clients, so the clients are sure that the server is not an imposter.

The server has a permanent server public key and it passes it in each session negotiation. The client compares this public key to the known public key of the server. If they match, the client can be sure of the authenticity of the server.

There are several methods that a VNE uses for this authentication:

none—The server identity is never verified. Note that this method does not perform any authentication and is not recommended as it poses a security risk for "man-in-the-middle" attacks.

save-first-auth—On the first connection attempt with the server, the connection is established and the public key is saved.

For all subsequent connections, authentication is performed against the data saved in the first connection. This method assumes the first connection was legitimate and compares all later connections to it. Note that a security risk still exists if the first connection was compromised.

After the first connection, this option automatically changes to preconfigured and the public key data of the session is inserted as the preconfigured data.

preconfigured—The server public key or fingerprint is configured in the application even before the first connection is attempted.

If the server fails to authenticate itself using the preconfigured data, the connection fails. This is the default behavior and is the recommended security option.

Preconfigured data can be of either of the following types:

Public key—The server public key in one of the permitted formats. See Public Key and Private Key File Formats.

Fingerprint—Short checksum of the server public key. Serves the same purpose, but is much shorter.
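The three server authentication methods described above (none, save-first-auth and preconfigured with either a full key or a fingerprint), modelled as a verification policy. This is an added example, not Cisco ANA code; the key blobs are constructed sample values, and the MD5 colon-separated fingerprint form is an assumption, since the guide does not state which fingerprint format it uses.

```python
"""Host key verification modes: none, save-first-auth, preconfigured.
Added example, not Cisco ANA code; key blobs are constructed samples."""
import hashlib
import hmac


def fingerprint(key_blob: bytes) -> str:
    """Short checksum of the server public key. The colon-separated MD5 form
    used here is an assumption; the guide only says 'short checksum'."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(key_blob).digest())


class HostKeyPolicy:
    """Verifies the server public key presented during session negotiation.

    mode is one of 'none', 'save-first-auth', 'preconfigured'. Preconfigured
    data may be the full public key blob (bytes) or its fingerprint (str)."""

    def __init__(self, mode="preconfigured", preconfigured=None):
        if mode not in ("none", "save-first-auth", "preconfigured"):
            raise ValueError(f"unknown mode {mode!r}")
        if mode == "preconfigured" and preconfigured is None:
            raise ValueError("preconfigured mode needs a key or fingerprint")
        self.mode = mode
        self.preconfigured = preconfigured

    def verify(self, presented: bytes) -> bool:
        """Return True if the connection may proceed, False if it must fail."""
        if self.mode == "none":
            # Identity is never verified: an impostor is accepted.
            return True
        if self.mode == "save-first-auth":
            # Trust the first connection, then pin its key: the mode
            # switches to preconfigured with this session's key as data.
            self.preconfigured = presented
            self.mode = "preconfigured"
            return True
        expected = self.preconfigured
        if isinstance(expected, bytes):
            return hmac.compare_digest(expected, presented)
        return hmac.compare_digest(expected.lower(), fingerprint(presented))


# Constructed sample key blobs (not real SSH host keys).
GENUINE_KEY = b"ssh-rsa-constructed-genuine-server-key"
IMPOSTOR_KEY = b"ssh-rsa-constructed-impostor-key"


def demo():
    """Walk a save-first-auth policy through a first connection, a later
    impostor and the genuine server again; returns the four observations."""
    policy = HostKeyPolicy("save-first-auth")
    first = policy.verify(GENUINE_KEY)
    later_impostor = policy.verify(IMPOSTOR_KEY)
    later_genuine = policy.verify(GENUINE_KEY)
    return first, policy.mode, later_impostor, later_genuine
```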

Public Key and Private Key File Formats

There are several file formats for public and private RSA and DSA keys. The same key can be written differently according to the format that is used.

This application officially supports the OpenSSH format. For more details, see http://www.openssh.com/manual.html.

Make sure that the keys you provide as input parameters are in this format. If they are not, you need to convert them to the OpenSSH format before applying them.

Use Case Example

When working with Cisco IOS, the public key is retrieved using the show crypto key mypubkey command. This format is not compatible with the OpenSSH format, and is not supported. There are several ways to convert the format.

The easiest solution is to use the (free) OpenSSH public key scan tool, ssh-keyscan, to retrieve the public key in the supported format. For more details, see http://www.openssh.com/manual.html.

Another option is to convert the files to the required format either manually or by using a script.
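A script that performs the conversion mentioned above: it parses the hex Key Data printed by the IOS show crypto key mypubkey rsa command (a DER-encoded SubjectPublicKeyInfo) and emits the OpenSSH ssh-rsa line. This is an added example, not Cisco ANA code; the sample key is a constructed toy modulus, not output from a real router.

```python
"""Convert IOS 'show crypto key mypubkey rsa' Key Data to OpenSSH format.
Added example, not Cisco ANA code; the sample key below is constructed."""
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption 1.2.840.113549.1.1.1


def _tlv(data, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def rsa_from_ios_hex(key_data):
    """Parse IOS Key Data (hex dump of DER SubjectPublicKeyInfo) into (n, e)."""
    der = bytes.fromhex("".join(key_data.split()))
    tag, spki, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("Key Data is not a DER SEQUENCE")
    _, alg, pos = _tlv(spki)                           # AlgorithmIdentifier
    if _tlv(alg)[1] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bits, _ = _tlv(spki, pos)                       # BIT STRING; bits[0] = unused bits
    _, rsa, _ = _tlv(bits[1:])                         # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, pos = _tlv(rsa)
    _, e_bytes, _ = _tlv(rsa, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _be(v):
    """Big-endian magnitude with a leading 0x00 when the top bit is set, the
    form both DER INTEGER and SSH mpint require for positive values."""
    return v.to_bytes(v.bit_length() // 8 + 1, "big")


def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b


def ios_to_openssh(key_data, comment="router"):
    """Return the OpenSSH one-line form: 'ssh-rsa <base64 blob> <comment>'."""
    n, e = rsa_from_ios_hex(key_data)
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_be(e)) + _ssh_string(_be(n))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def openssh_to_rsa(line):
    """Decode an 'ssh-rsa AAAA...' line back to (n, e) for a round-trip check."""
    blob, fields, pos = base64.b64decode(line.split()[1]), [], 0
    while pos < len(blob):
        ln = int.from_bytes(blob[pos:pos + 4], "big")
        fields.append(blob[pos + 4:pos + 4 + ln])
        pos += 4 + ln
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


# Constructed sample input: a toy 64-bit modulus (not a real key) wrapped in the
# DER structure IOS prints, formatted in 8-digit groups like the CLI output.
def _der(tag, body):
    return bytes([tag, len(body)]) + body           # short-form length (< 128 bytes)

SAMPLE_N, SAMPLE_E = 0xC3A7F1E59B2D6A41, 65537
_spki = _der(0x30, _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
             + _der(0x03, b"\x00" + _der(0x30, _der(0x02, _be(SAMPLE_N)) + _der(0x02, _be(SAMPLE_E)))))
SAMPLE_KEY_DATA = " ".join(_spki.hex()[i:i + 8] for i in range(0, len(_spki.hex()), 8))
```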

Examples of Valid File Formats

RSA private key
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQDvdpW8ItfbSp/hTbWZJqCPmjRyh9S+EpTJ0Aq3fnGpFPTR+
........
TiOfhiuX5+M1cTaE/if8sScj6jE9A0MpShBrnDU/0A==
-----END RSA PRIVATE KEY-----

DSA private key
-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQDNGO+l2XW+W+YtVnWSYbKXr6qkrH9nOl+
.........
7wO4+FR9afoRjDusrQrL
-----END DSA PRIVATE KEY-----

DSA public key
ssh-dss AAAAB3.........HfuNYu+ DdGY7njEYrN++iWs= aslehr@aslehr-wxp01

RSA public key
ssh-rsa AAAAB3...lot more...qc8Hc= aslehr@aslehr-wxp01

ICMP Tab

The ICMP tab enables repetitive sending of packets to a device to verify that the device is reachable. You can define the polling rate in seconds for the VNE. Click the ICMP tab to display the ICMP tab in the New VNE dialog box (see Figure 6-5).

Figure 6-5 ICMP Tab

The following check box is displayed in the ICMP tab of the New VNE dialog box:

Enable—Check this option to enable the use of the ICMP communication protocol to verify that the device is reachable.


Note The ICMP enable option can be enabled or disabled at any time. If this option is enabled, you must enter a polling rate in seconds.


Polling Tab

The Polling tab enables you to:

Associate a VNE with a previously created polling group.

Customize polling intervals for a VNE. Different polling intervals can be defined for:

Status—Typically the most frequently polled information, reflecting the current operational state of the element and its components.

Configuration—Reflects more dynamic element configuration such as forwarding, routing, and switching tables.

System—Reflects element configuration that is less dynamic in nature.

Topology—Reflects topology connections at different layers.

In addition, a polling interval can be configured for a class of devices, such as all Cisco routers.


Caution Changing polling rates can result in excess traffic and cause the NE to crash.

Click the Polling tab to display the Polling tab dialog box (Figure 6-6).

Figure 6-6 Polling Tab

The following radio buttons are displayed in the Polling Method area:

Group—The VNE inherits the polling rates from the polling group selected in the list. By default, the VNE inherits the polling rates from the default polling group.

For more information about creating customized polling groups, see Chapter 7, "Managing Global Settings."

The Polling Intervals and Topology areas are disabled when Group is selected.

Instance—Enables you to change the polling rates of any one of the built-in polling intervals currently displayed in the Polling Intervals area.


Note A polling rate that is not changed inherits its settings from the group specified in the Group drop-down list.


The Polling Intervals and Topology areas are enabled when Instance is selected.

The following polling interval fields are displayed in the Polling Intervals area:

Status—Sets the polling rate for status-related information, such as device status (up or down), port status, or admin status. The information is related to the operational and administrative status of the NE. The default setting is 180 seconds.

Configuration—Sets the polling rate for configuration-related information, such as VC tables or scrambling. The default setting is 900 seconds.

System—Sets the polling rate for system-related information, such as device name or device location. The default setting is 86400 seconds.

The following fields are displayed in the Topology area:

Layer 1—Sets the polling rate of the topology process as an interval for the Layer 1 counter. This is an ongoing process. The default setting is 30 seconds.

Layer 2—Sets the polling rate of the topology process as an interval for the Layer 2 counter. This process is available on demand. The default setting is 30 seconds.


Caution We recommend that you use the default values for polling intervals. Setting the fields below the default values can result in an overload of the ANA unit or polled device.

Defining a Generic SNMP VNE

The generic SNMP VNE is a VNE that is not related to any vendor, can represent any vendor (with certain limitations), and provides lightweight management support for network devices.

The generic SNMP VNE provides basic management capabilities for a device with the following technologies:

IP

Ethernet switching

802.1Q


Note IP support is restricted to basic IP only. It does not include modeling of IPsec, MPLS, or routing protocols.


The generic SNMP VNE supports the following inventory items:

Physical inventory (specific port types only)

Routing table

ARP table

Default bridge

IP interfaces

A generic SNMP VNE can be loaded in two ways:

The VNE is loaded as a generic SNMP VNE when it is defined as a generic SNMP VNE by a user.

Cisco ANA Manage enables you to load a VNE as a generic SNMP VNE. You can do this by selecting the Generic SNMP option in the Type field of the New VNE dialog box. For more information about defining a generic SNMP VNE, see Defining VNEs.

The VNE is loaded as a generic SNMP VNE when its type is not supported because the device type is not recognized.

If the device is not found in the deviceTypes list, it is currently unsupported and you can load the VNE as:

An unsupported VNE

A generic SNMP VNE

Every VNE in agentdefaults/da has the entry "load generic agent for unsupported device type," where you can set the value as true or false (the default). If the value is true, it sets 1.3.999.3 as the property. It looks for this property in agentdefaults/da/deviceTypes and finds sheer/genericda. It then skips the investigation of the device software versions and builds the VNE (generic SNMP) from the default version.

Polling System Configuration

The sysoid command and the software version command are used to poll the system configuration. The following parameters are available:

interval—This parameter states the time in milliseconds required to wait before each poll. The default value is 180 seconds.

retries—This parameter states how many retries are performed before the poll is discontinued. The default is -1, which means the VNE retries without limit (always). If a positive value is defined, such as 10, this is the number of retries that occur before the VNE stops retrying.


Note There is an option to override the default settings, if required. Changing these settings must be done with the support of Cisco. For details, contact the Cisco Project Manager or Cisco Account Team.


VNEs and Device Software Updates

You do not need to manually restart a VNE after upgrading the software on a device. When the VNE polls for configuration information, it detects these kinds of changes and restarts itself. When the VNE reloads, it updates any required registry information, such as the VNE registry path.

For information on configuration polling cycles, see Polling Tab.

Viewing and Editing VNE Properties

Cisco ANA Manage enables you to view and edit the properties of a VNE in a unit, such as the status or Telnet settings. See Defining VNEs.

To edit the properties of a VNE:


Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch, then select the required AVM sub-branch in the tree pane.

Step 3 Open the VNE Properties dialog box in one of the following ways:

Right-click the required VNE in the VNEs Properties table, then choose Properties.

Choose File > Properties.

Click Properties in the toolbar.

For more details about the fields displayed in the VNE Properties dialog box, see Defining VNEs. In addition to the fields displayed when adding a new VNE, the following fields and buttons are displayed:

VNE Status—The operational status: Up, Down, Shutting Down, Starting Up, or Unreachable. For more information on VNE status, see VNE Status.

Start—Start the VNE if it has been stopped or is in maintenance mode. See Changing VNE States.

Stop—Stop the VNE if it is running or is in maintenance mode.

Maintenance—Move the VNE to maintenance mode. This has no effect on a VNE that has been stopped.

ANA Unit—The current unit that hosts the VNE.

AVM—The current AVM number, which changes according to the unit selected to show one of the available AVMs on that unit.

Step 4 Edit the details of the VNE as required.

Step 5 Click Apply.

Step 6 Click OK. The VNE properties are updated with your entries.


Deleting a VNE

Cisco ANA Manage enables you to delete a VNE from a unit and AVM. This process stops the VNE if it is running and deletes all VNE references from the system and Golden Source. This includes the registry information of the VNE in the specified unit. A VNE that has been removed no longer appears in any future system reports.

Since all VNE information is deleted, adding the VNE again requires you to enter all VNE information.


Note A VNE that has static links configured cannot be deleted without first removing all static links configured for the VNE. Dynamic links are automatically removed.


To delete a VNE:


Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch, then select the required AVM sub-branch.

Step 3 Right-click the required VNE in the VNEs Properties table, then choose Delete. A warning message is displayed.

Step 4 Click Yes. A confirmation message appears.

Step 5 Click OK. The selected VNE is deleted from the AVM and is removed from the VNEs Properties table.


Changing VNE States

Cisco ANA Manage enables you to start or stop a VNE, or move a VNE to maintenance mode. Starting the VNE adds the VNE to the server bootstrap. Stopping the VNE removes the VNE from the server bootstrap.

During normal operation, NEs often undergo maintenance operations and planned outages such as software upgrades, hardware modifications, or cold reboots. The Cisco ANA platform supports such maintenance operations without affecting the overall functionality of the active network. Neighboring VNEs do not generate alarms that are related to links to or from the maintained VNE.

While in maintenance state (temporary state), a VNE:

Does not change state on its own unless you explicitly (manually) switch the VNE back to active state.

Never polls the device.

Handles events for correlation flow issues, but does not poll the device.

Does not initiate new service alarms, but might receive events from adjacent VNEs; for example, in the case of a link down alarm.

Does not handle syslogs and traps even though the flows are active.

Maintains the status of any existing links.

Does not fail on verification requests.

However, you are not required to manually restart a VNE when you upgrade the device software. The VNE will automatically restart itself and update any required information. For more details, see VNEs and Device Software Updates.

A VNE in maintenance state blocks all provisioning flows that run through it. A device in maintenance state can be disconnected and restarted without generating link down alarms. Upon restart, the VNE receives only persistent information and returns to its latest known configuration. The topology links are renewed automatically.

Table 6-3 shows the icon used to indicate that a VNE is in maintenance state.

Table 6-3 VNE Maintenance Icon

Icon: (maintenance state icon)
Description: This icon indicates a VNE in maintenance state in NetworkVision.


To change the state of a VNE:


Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch, and select the required AVM sub-branch in the tree pane.

Step 3 Select the required VNE in the VNEs Properties table.

Step 4 Perform one of the following actions:

To start the VNE, right-click Actions > Start, or click Start in the toolbar.

To stop the VNE, right-click Actions > Stop, or click Stop in the toolbar.

To place in maintenance state, right-click Actions > Maintenance, or click Maintenance in the toolbar.

Step 5 The state of the VNE changes based on your selection:

If the VNE is started, a confirmation message is displayed. Click OK. An Up status is eventually displayed in the VNEs Properties table. You might see a Starting Up status if the server is overloaded or if the VNE is still being loaded.

If the AVM hosting the VNE is in a Down status, the VNE status remains Starting Up until the AVM is brought up.

If the VNE is stopped, a confirmation message is displayed. Click OK. A Down status is eventually displayed in the VNEs Properties table. You might see a Shutting Down status while processes are shutting down.

If the VNE is moved to maintenance mode, a confirmation message is displayed. Click OK. A Maintenance status is displayed in the VNEs Properties table.


Moving Multiple and Single VNEs

Cisco ANA Manage enables you to move single and multiple VNEs between AVMs. The VNEs that are moved are unloaded. The status of the VNEs is maintained after they are reloaded.

To move one or more VNEs:


Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch, and select the required AVM sub-branch in the tree pane. The VNEs are displayed in the workspace.

Step 3 Select one or more VNEs using the mouse or keyboard, then right-click one of the selected VNEs.

Step 4 Choose Move VNEs from the shortcut menu. The Move To dialog box is displayed.

The Move To dialog box displays a tree-and-branch representation of the selected Cisco ANA server, its units, and AVMs, excluding the AVM in which the VNE is currently located. The highest level of the tree displays the Cisco ANA server. The branches can be expanded and collapsed to display and hide information.

Step 5 In the Move To dialog box, browse to and select the AVM where you want to move the VNEs.

Step 6 Click OK. The VNE is moved to its new location, and now appears beneath the selected AVM in the VNEs Properties table.



Note You can verify that the VNE has been moved by selecting the appropriate AVM in the tree pane of the Cisco ANA Manage window (such as AVM 500-930000) and viewing the moved VNE in the VNEs Properties table.



Note The VNE that is moved is automatically unloaded and reloaded, and its status is maintained.