Cisco Active Network Abstraction Administrator Guide, 3.6.4
Managing AVMs and VNEs
Download this chapter
Managing AVMs and VNEsManaging AVMs and VNEs
Download the complete book
PDF of Cisco Active Network Abstraction Administrator Guide, 3.6.4PDF of Cisco Active Network Abstraction Administrator Guide, 3.6.4 (PDF - 3 MB)
give_us_feedback

Table Of Contents

Managing AVMs and VNEs

Creating AVMs

AVM Status

Admin and Oper Mode AVM Status

Viewing and Editing an AVM's Properties

Deleting an AVM

Starting and Stopping AVMs

Moving AVMs

Finding an AVM or VNE

Overview Of VNEs

VNE Status

Admin and Oper Mode VNE Status

Defining VNEs

General Tab

SNMP Tab

Telnet/SSH Tab

SSHv1 Protocol

SSH Login Sequence

SSHv2 Protocol

SSH Login Sequence

Client-Authentication

Supported Algorithms

Server Authentication

Public Key and Private Key File Formats

ICMP Tab

Polling Tab

Defining a Generic SNMP VNE

Polling System Configuration

VNEs and Device Software Updates

Viewing and Editing a VNE's Properties

Deleting a VNE

Changing the VNE's State

Moving Multiple and Single VNEs


Managing AVMs and VNEs

This chapter describes defining and managing autonomous virtual machines (AVM) and virtual network elements (VNE).

Creating AVMs—Describes how to define an AVM for a Cisco ANA unit server.

AVM Status—Describes the status of AVMs when they are created and loaded.

Viewing and Editing an AVM's Properties—Describes how to view and edit an AVM's properties.

Deleting an AVMDescribes how to delete AVMs.

Starting and Stopping AVMs—Describes how to stop and start AVMs, and the changes in AVM status.

Moving AVMs—Describes how to manage AVMs before you move them, and their status after a move.

Finding an AVM or VNE—Describes how to locate AVMs and VNEs among all Cisco ANA Servers.

Overview Of VNEs—Provides an overview of assigning VNE IP addresses, the VNE relationship to an AVM, and how to add a VNE to an AVM.

Defining VNEs—Describes how to open the New VNE dialog box and provides a description of property options you can define in each tab.

VNEs and Device Software Updates—Explains why you do not need to manually restart VNEs after upgrading device software.

Viewing and Editing a VNE's Properties—Describes how to view and edit the properties of a VNE.

Deleting a VNE—Describes how to delete a VNE from an AVM.

Changing the VNE's State—Describes how to start or stop a VNE or move a VNE to maintenance mode.

Moving Multiple and Single VNEs—Describes how to move VNEs between AVMs.

Creating AVMs

Cisco ANA Manage enables the user to define AVMs for Cisco ANA unit servers. Every AVM in the Cisco ANA fabric is managed by the watchdog protocol by default. Cisco ANA Manage enables the administrator to define AVMs for units, and enable or disable the watchdog protocol on the AVM.

To define an AVM:

The unit must be installed.

The unit must be connected to the transport network.

The following default AVMs must be running:

AVM 0—The switch AVM

AVM 99—The management AVM

AVM 100—The trap management AVM

Note For more information on the status of AVMs, see AVM Status.

The new AVM must have a unique ID within the unit.

Note AVM ID numbers 0-100 are reserved, and cannot be used. In addition, there might be other reserved AVM ID numbers. Users cannot enter a reserved number.

To create an AVM:

Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch and select the required ANA Servers Entity sub-branch.

Step 3 Open the New AVM dialog box:

Right-click the required unit, then select New AVM.

Click New AVM in the toolbar.

Select File > New AVM.

The New AVM dialog box is displayed.

The following fields are displayed in the New AVM dialog box:

ANA Unit—The IP address of the selected unit.

Note The unit does not have to be Up to create a new AVM.

ID—The name of the AVM as defined in Cisco ANA Manage, and unique to the unit, such as AVM 18.

Note The AVM numbers 0-100 are reserved and cannot be used. The user will be unable to enter a reserved number. A message is displayed in the New AVM dialog box informing the user that the number is reserved.

Key—A string that uniquely identifies an AVM in the system and across all units, thus enabling a transparent failover scenario in the system. If the user does not enter a key, the default key is used, "ID + timestamp".

Allocated Memory—The maximum memory allocated to the AVM.

The following check boxes are displayed in the New AVM dialog box:

Activate on creation—Loads the AVM into the bootstrap of the unit. This changes the administrative status of the AVM to Up and ensures that the AVM is loaded on subsequent restarts of the unit. By default this option is unchecked, and the newly created AVM has an administrative status of Down.

Enable AVM Protection—By default this option is selected, thereby enabling the watchdog protocol on the AVM when high availability is enabled. For more information, see the Cisco Active Network Abstraction High Availability User Guide.

Note We strongly recommended that you do not disable this option if high availability is enabled. If you check or uncheck this option when the AVM is up, you need to restart the AVM for the change to take affect.

Step 4 Define the properties of the AVM.

Step 5 Click OK. The new AVM is added to the selected unit, is displayed in the workspace, and is activated.

Creating a new AVM results in Cisco ANA providing the registry information of the new AVM in the specified unit. The AVM can now host VNEs. For more information, see Defining VNEs.

AVM Status

The status of AVMs and VNEs is affected by Admin and Oper modes. Admin mode is the administrative instructions that are sent to the AVM. Oper mode is the actual operational status of the AVM, such as Up. See Admin and Oper Mode AVM Status.

When moving an AVM (file), its operational status determines whether the file is reloaded (Up) or not (Down). For more information about moving AVMs, see Moving AVMs. For more information about starting and stopping AVMs, see Starting and Stopping AVMs.

An AVM can have only one of the following statuses at a time:

Up—The file (process) is reachable, and was loaded and started. When a Start (command) option is issued, and no problems are encountered, such as an overloaded server, the AVM is running (has been loaded and started), and its status is Up.

Down—The file (process) is reachable, and was stopped. When a Stop (command) option is issued, Cisco ANA issues instructions to shut down all processes. When all processes have stopped, the status of the AVM is Down.

Starting Up—When a Start or upload (command) option is issued and, for example, the server cannot run it as it is busy or overloaded, the status of the AVM is Starting Up.

Shutting Down—When a Stop (command) option is issued and, while the command is being run, some processes are still running, the status of the AVM is Shutting Down.

Admin and Oper Mode AVM Status

Table 6-1 shows the status of an AVM as it relates to Admin and Oper modes and how it is displayed in the Status column of the AVMs table. The Admin mode is the administrative instructions that are sent to the VNE, while the Oper mode is the actual status of the VNE, such as Up.

Table 6-1 AVM Status 

Status
Admin Mode
Oper Mode

Up

Up

Up

Shutting Down

Down

Up

Down

Down

Down

Starting Up

Up

Down


Viewing and Editing an AVM's Properties

Cisco ANA Manage enables the user to view and edit certain properties of an AVM, such as the key or the allocated memory.

To view and edit an AVM's properties:

Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch and choose the required AVM sub-branch in the tree pane.

Step 3 Open the Properties dialog box:

Right-click the desired AVM, then select Properties.

Select File > Properties.

In the toolbar, click Properties.

The AVM Properties dialog box is displayed with the details of the selected AVM, including the IP address or key of the unit.

The following field is displayed in the AVM Properties dialog box:

Status—The status of the AVM: Up, Down, or Unreachable. See Admin and Oper Mode AVM Status.

Step 4 Edit the details of the AVM as required.

Note For more information on the other fields displayed in the AVM Properties dialog box, see Creating AVMs.

Step 5 Click OK. The AVM's new properties are displayed in the workspace.

Deleting an AVM

The user can remove an AVM. If the AVM is running, it is stopped before it is removed. This procedure deletes the registry information of the AVM in the specified unit. If there are VNEs running in the AVM, an error message is displayed, and the user cannot delete the AVM.

Warning You must remove all VNEs before removing their hosting AVM.

For more information, see Deleting a VNE.

Note Reserved AVMs 0-100 cannot be deleted.

To delete an AVM:

Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch, then select the required AVM sub-branch in the tree pane.

Step 3 Right-click to display the menu, then select Delete. A warning message is displayed.

Step 4 Click Yes. A confirmation message is displayed.

Step 5 Click OK. The selected AVM is deleted from the selected unit.

Note Multiple rows can be selected for deletion.

Starting and Stopping AVMs

Cisco ANA Manage enables the user to start or stop an AVM.

Note Stopping the AVM process stops all VNEs in the AVM. Any change in status of the AVMs can take some time to be applied. For example, when running the Stop command, it might take several minutes before the status changes from Shutting Down to Down.

To start or stop an AVM:

Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch, then select the required AVM.

Step 3 Start or stop the AVM in one of the following ways:

Right-click the AVM, then select Actions > Start or Actions > Stop.

In the toolbar, click Start or Stop.

The AVM is started or stopped, and the appropriate status is displayed in the workspace as follows:

Starting Up—The AVM is started.

Up—The AVM has started.

Shutting Down—The AVM is stopped.

Down—The AVM has stopped.

Note When the AVM status is displayed as Down, the status remains Down and no-reload occurs.

Moving AVMs

Cisco ANA Manage enables the administrator to move an entire AVM between units.

Note Reserved AVMs 0-100 cannot be moved.

Cisco ANA Manage automatically checks the status of the AVM and VNE before it is moved. This information is maintained in the memory.

If the AVM is Up, the AVM is stopped and then moved to the target unit. After the move is completed, the AVM is reloaded according to its status prior to the move, so that the status of the AVM is maintained. For example, if it was Up before the move it will remain Up, if it was Down it will remain Down.

To move an AVM:

Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch, then select the required AVM.

Step 3 Right-click the AVM, then select Move AVM. The Move To dialog box is displayed.

The Move To dialog box displays a tree-and-branch representation of the selected Cisco ANA server and its units, excluding the unit in which the AVM is currently located. The highest level of the tree displays the Cisco ANA server. The branches can be expanded and collapsed to display and hide information.

Step 4 Browse to and select the unit (branch) where you want to move the AVMs.

Step 5 Click OK. The AVMs is moved and now appears beneath the selected unit.

For information about moving VNEs, see Moving Multiple and Single VNEs.

Finding an AVM or VNE

A single search in Cisco ANA Manage can locate AVMs and VNEs among all Cisco ANA servers according to specifically defined search criteria.

To find an AVM or VNE:

Step 1 In the Cisco ANA Manage window, select the unit sub-branch or any sub-branch.

Step 2 Click Find. The Find dialog box is displayed.

The Find field enables the user to enter specific search criteria to find the required AVM or VNE. For example, the user can search for an AVM using the ID number, or search for a VNE using an IP address.

The Types list enables the user to specify whether they are searching for an AVM or VNE by selecting an option from the list. When an option is selected, the Property area is enabled, displaying the properties for the selected option. For example, if AVM is selected from the Types list, the AVM's properties are displayed in the Property area, and the user can select a specific property for the search.

The Up and Down radio buttons enable the user to search up and down (you can also use the F3 key).

The following buttons are displayed in the Find dialog box:

Find—Searches for the AVM or VNE from the selected point in the tree pane, either up or down.

Cancel—Cancels the search, and clears the Find dialog box.

Step 3 Enter the search criteria in the Find field.

When searching for an AVM the following search criteria are displayed:

ID

Status

Key

Loaded patches

When searching for a VNE the following search criteria are displayed:

Key

IP address

Status

Element type

Maintenance

Polling group

Step 4 From the Types drop-down list, select AVM or VNE (optional).

Step 5 From the Property area, select a specific property (optional).

Step 6 Select Up or Down for the direction.

Step 7 Click Find. The AVM or VNE matching the search criteria is highlighted in Cisco ANA Manage.

Note Press F3 to view the next AVM or VNE matching the search criteria.

Overview Of VNEs

A VNE is designated by its leading IP address and corresponds to a single network element (NE). Typically an NE has only one IP address that is used for management. For such devices, the leading IP address is the single IP address configured for this device.

In cases where an NE has multiple IP addresses, the user must choose one of these IP addresses to be used as a leading IP address. The leading IP address serves as an identifier of the VNE that corresponds to the NE and is displayed wherever the IP address of the NE is required.

Note Two VNEs cannot monitor the same NE.

Cisco ANA Manage enables the user to create VNEs (replicas of devices) by entering the IP address, SNMP, and polling rate information. This is called Element Management.

After Cisco ANA Manage installs and runs the process, samples the device, and collects the data, a VNE (managed element) is created. The VNE includes tables and physical inventory, and can be accessed using Cisco ANA NetworkVision.

VNE Status

The status of VNEs is affected by Admin and Oper modes. Admin mode is the administrative instructions that are sent to the VNE while Oper mode is the actual operational status of the VNE, such as Up. For more information about Admin and Oper modes, see Admin and Oper Mode VNE Status.

When moving a VNE, its status (either Up or Down), determines whether the VNE is reloaded (Up) or not (Down). For more information about moving VNEs, see Moving Multiple and Single VNEs. For more information about starting and stopping VNEs, see Changing the VNE's State.

A VNE can have only one of the following statuses at a time:

Up—The VNE (process) is reachable, and was loaded and started. When a Start (command) option is issued, and no problems are encountered, such as an overloaded server, the VNE is running (has been loaded and started), and its status is Up.

Down—The VNE (process) is reachable and was stopped. When a Stop (command) option is issued, Cisco ANA issues instructions to shut down all processes. When all processes have stopped, the status of the VNE is Down.

Unreachable—The VNE cannot be managed by Cisco ANA and its status is defined as Unreachable. When an option (command) is issued that cannot be run by Cisco ANA, the status of the VNE is Unreachable.

Starting Up—When a Start or upload (command) option is issued and, for example, when the server cannot run it because it is busy or overloaded, the status of the VNE is Starting Up.

Shutting Down—When a Stop (command) option is issued and, while the command is being run, some processes are still running, the status of the VNE is Shutting Down.

In addition to the statuses described, the VNE can be placed in maintenance mode, for example, a VNE's status can be Up and in maintenance mode. NEs often undergo maintenance operations and planned outages. The Cisco ANA platform supports such maintenance operations without affecting the overall functionality of the active network.

While in maintenance mode (temporary state) a VNE:

Does not change state on its own, unless the user explicitly (manually) switches the VNE back to active state.

Never polls the device.

Handles events for correlation flow issues, but does not poll the device.

Does not initiate new service alarms, but does receive events from adjacent VNEs, such as in the case of a link-down alarm.

Does not handle syslogs and traps even though the flows are active.

Maintains the status of any existing links.

Does not fail on verification requests.

For more information about maintenance mode, see Changing the VNE's State.

Admin and Oper Mode VNE Status

Table 6-2 presents the status of a VNE in relation to its Admin and Oper modes, as displayed in the Status column of the VNE table. The Admin mode is the administrative instructions that are sent to the VNE while the Oper mode is the actual status of the VNE, such as Up.

Table 6-2 VNE Status 

Status
Admin Mode
Oper Mode

Up

Up

Up

Shutting Down

Down

Up

Down

Down

Down

Starting Up

Up

Down

Unreachable

Up

Unreachable


For example, if a user starts a VNE, and the Admin status is Up but the Oper status is Down and has not started yet (because the server is busy), the status is Starting Up. If a VNE is Up and the user stops the VNE, the Admin status is Down but, because the process is not terminated immediately, the status is Shutting Down.

Defining VNEs

When a user adds and defines a new VNE, it corresponds to an NE and should only be added to the system once. As the VNE loads, Cisco ANA starts investigating the NE and automatically builds a live model of it, including its physical and logical inventory, its configuration, and its status.

When adding a new VNE, Cisco ANA creates the registry information of the new VNE in the unit. The newly created VNE has an administrative status of Down, and uses the default community strings and polling rates. The VNE inherits these properties from the configuration record that corresponds to the device type.

A VNE must be loaded into the bootstrap of the unit before it starts monitoring its underlying NE. This changes the administrative status of the VNE to Up, and ensures that the VNE is loaded on subsequent restarts of the unit. Loading the VNE also starts the VNE immediately. For more information about the status of VNEs, see Admin and Oper Mode VNE Status.

Before adding a new VNE using Cisco ANA Manage, the user must first determine which unit and AVM the new VNE should be added to.

The user can define and manage SNMP, Telnet/SHH, ICMP, and polling information for the appropriate VNEs in the New VNE dialog box.

Note A new VNE cannot be added to the reserved AVMs 0-100.

The user can create VNEs that perform reachability testing only through ICMP. This can be done by creating the VNE, selecting the type ICMP, and then defining the details in the ICMP tab. See ICMP Tab.

For information on defining VNE properties in the respective VNE tabs, see:

General Tab

SNMP Tab

Telnet/SSH Tab

SSHv2 Protocol

ICMP Tab

Polling Tab

For details on viewing and editing VNE properties, see Viewing and Editing a VNE's Properties.

To define the properties of a new VNE:

Step 1 Select the ANA Servers branch in the Cisco ANA Manage.

Step 2 Select the required AVM sub-branch in the tree pane.

Step 3 Open the New VNE dialog box:

Right-click the AVM sub-branch, then select New VNE.

Select File > New VNE.

In the toolbar, click New VNE.

The New VNE dialog box is displayed (see Figure 6-1).

Figure 6-1 New VNE Dialog Box

The New VNE dialog box contains the following tabs:

General Tab—Used to manage VNE information in the connected Cisco ANA (mandatory name and IP fields).

SNMP Tab—Used to support polling and accessing devices using SNMPv1, SNMPv2c and SNMPv3.

Telnet/SSH Tab—Used to choose Telnet or SSH for device access and configure the login sequence.

ICMP Tab—Used to verify that devices are reachable by sending repetitive ICMP request packets, and testing reachability by defining the polling rate.

Polling Tab—Used to associate a VNE in the Cisco ANA with a polling group, or define an instance.

Note The OK button in the New VNE dialog box is enabled only when the user has entered the VNE name and IP address in the General tab (Mandatory Fields).

General Tab

The General tab enables the user to manage VNE information in the connected Cisco ANA.

The following VNE identification fields are displayed in the Identification area:

VNE Name—The name of the VNE that is used as a unique key in NetworkVision, Cisco ANA Manage, and EventVision.

Note This name is also used for VNE manipulation commands.

IP Address—The IP address of the device.

Type—Select the VNE Type from the list:

Auto Detect—Automatically detects the device type and loads the relevant VNE.

Note SNMP cannot be disabled if the Auto Detect option is selected. See SNMP Tab.

Generic SNMP—Loads a generic VNE. For more information about defining a generic VNE, see Defining a Generic SNMP VNE.

Cloud—Loads an unmanaged network segment. Specific cloud configuration is provided on a per-project basis.

ICMP—Uses an ICMP-based reachability test to validate communication with the managed device by continuously sending ICMP packets.

Note When this option is selected, only the ICMP tab is enabled and the SNMP, Telnet/SSH, and Polling tabs are disabled.

Scheme—The VNE scheme determines what network element information is collected by a VNE and populated in its model; that is, it defines the VNE modeling components investigated during the discovery process. Choose a scheme that is based on the device family and on the technologies you want Cisco ANA to manage. This enables the administrator to define different behavior for different devices. For example, some devices poll only with SNMP, while other devices poll with Telnet. Soft properties and activation scripts are also attached to a specific scheme.

Cisco ANA supports two schemes:

Product—The default scheme is used for all device types supported in this release, except for Cisco CRS-1, Cisco XR 12000 series, Cisco 3750ME, and Juniper M-Series devices.

ipcore—This scheme is used only for routers serving as Provider (P) or Provider Edge (PE) devices.

The difference between the two schemes is that ipcore assumes that the device is used as part of an MPLS VPN network containing P and PE devices. Cisco ANA therefore models these VNEs slightly differently. In all other cases, Product should be used, including CEs. The Product scheme assumes that no MPLS and VRF configuration exists and thus does not retrieve it.

These schemes provide users with the flexibility to specify which registrations (a registration is how the VNE queries a live device for information) the VNEs modeling their routers are to use. The user can designate a VNE as a core router by setting it to work with the ipcore scheme, or an edge router by setting it to work with the Product scheme.

Product Scheme

The Product scheme should be used for routers that are not configured to serve as PE and P devices. The Product scheme includes all device types, except for Cisco CRS-1, Cisco XR 12000, Cisco 3750ME, and Juniper M-Series devices.

Since the routing entry to the management system can be discovered via BGP, one registration supports discovering just that one entry (mc-ip-bgp under the RoutingEntity DC).

Beginning with Cisco ANA 3.6 Service Pack 1, the following commands available in previous releases are not used by the product scheme:

gre tunnel

lse

martini

mpbgp

mpls interfaces

mpls te tunnels headend creator

tunnel container

vrf interfaces

label switching table

ldp local ip

mpls te tunnels in lse

mpls distribution protocol

mpls te interface attribute

mpls te interface properties

mpls traffic engineering tunnel information

bgp neighbors

bgp-process-state

local bgp as

local bgp identifier

VRF RoutingTable

VrfRoutingTarget

ipcore Scheme

The ipcore scheme is used when the user wants the VNE to poll for additional data that is typical for PE or P routers, for example VRF or MPLS. The ipcore scheme is applicable for the following device types:

All Cisco router devices of families greater than or equal to 3600.

Cisco CRS-1 (ipcore scheme only).

Cisco 12KXR (ipcore scheme only).

Cisco 3750ME (ipcore scheme only).

Juniper M-Series routers.

In addition to usual registrations in the product scheme, this scheme also includes the following registrations according to DCs and device queries using registrations:

GenericForwardingInvestigator

gre tunnel

lse

martini

mpbgp

mpls interfaces

mpls te tunnels headend creator

tunnel container

GenericVrfInvestigator

vrf interfaces

LSE

label switching table

ldp local ip

mpls te tunnels in lse

MPLS

mpls distribution protocol

mpls te interface attribute

mpls te interface properties

MplsTETunnel

mpls traffic engineering tunnel information

PTPLayer2MplsTunnel

Details

MPBgp

bgp neighbors

bgp-process-state

local bgp as

local bgp identifier

VRF

RoutingTable

VrfRoutingTarget

The following VNE state fields are displayed in the initial state area:

State—The initial state of the VNE:

Stop—The VNE is not loaded. This is the default state.

Start—The VNE is loaded and starts collecting data.

Maintenance—The VNE is started and moved to maintenance mode. See VNE Status.

The following fields are displayed in the Location area of the General tab:

ANA Unit—The IP address of the unit that hosts the VNE's AVM.

AVM—The AVM on the unit that hosts the VNE.

SNMP Tab

The SNMP tab enables the user to support polling and accessing devices using SNMPv1, SNMPv2, or SNMPv3. Figure 6-2 shows the SNMP tab dialog box.

Figure 6-2 SNMP Tab

Note If a device has a non-unique SNMP Engine ID, Cisco ANA generates Device unreachable events with corresponding SNMP timeout messages in the AVM log file. These IDs are normally derived from the device's unique MAC address and assigned automatically, but they can be specified by the user. We recommend that you avoid custom SNMP Engine IDs. If you do use them, make sure they are unique.

The following check box and radio buttons are displayed in the SNMP tab of the New VNE dialog box:

Enable SNMP—Check this option to enable the SNMP communication protocol so that the user can work with it.

Note SNMP can be enabled or disabled on a VNE at any time. However, when the Auto Detect option is selected in the General tab, it cannot be disabled. (For more information, see General Tab).

SNMP V1—Select SNMP version 1

SNMP V2—Select SNMP version 2

SNMP V3—Select SNMP version 3

Note The SNMP V3 Settings area is only enabled when SNMP V3 is selected.

The following fields are displayed in the SNMP V1/V2 Settings area:

Read—The SNMP Read Community status, Public or Private, as defined by the user.

Write—The SNMP Write Community status, Public or Private, as defined by the user.

The following fields are displayed in the SNMP V3 settings area:

Authentication—Select one of the following:

No—No authentication is required.

md5

sha

If MD5 or SHA is selected, enter the required information in the following fields:

User

Password

Encryption—Select one of the following:

No—No encryption is required.

DES

AES-128

AES-192

AES-256

If one of the security options is selected, enter the required information in the following field:

Password

Telnet/SSH Tab

The Telnet/SSH tab enables the user to define the Telnet command sequence and support SSH for device access (reachability) and investigation. See SSHv2 Protocol for more information about the SSH protocol. Figure 6-3 shows the Telnet/SSH tab dialog box.

Figure 6-3 Telnet/SSH Tab

Note The fields in the lower part of the Telnet/SSH tab change according to the selected protocol. If Telnet is chosen, the lower part of the tab is empty. If SSHv1 or SSHv2 is chosen, the related fields are displayed.

You cannot enable or disable fields.

The following check box is displayed in the Telnet/SSH tab of the New VNE dialog box:

Enable—Check this option to enable the Telnet/SSHv1/SSHv2 communication protocol to be used by the VNE to investigate the reachability of the device by activating the Prompt and Run fields, and the Add and Remove buttons.

Note Telnet/SSH can enabled or disabled for a VNE at any time.

The following fields are displayed in the Telnet/SSH tab of the New VNE dialog box:

Protocol—A drop-down list of the available protocols:

Telnet—By default this option is set to Telnet. When Telnet is selected, the Port field automatically displays 23.

SSHv1—When SSHv1 is selected, the Port field automatically displays 22 and the SSH fields are enabled in the dialog box.

SSHv2—When SSHv2 is selected, the Port field automatically displays 22 and the SSH fields are enabled in the dialog box.

Port—When Telnet is selected, this field automatically displays 23. When SSHv1 or SSHv2 is selected, this field automatically displays 22. You can edit the port number displayed.

Device credentials in the GUI can be masked with asterisks. Click Mask. A Password Controller window opens; enter the password and confirm it. An error message appears if one of the fields is missing, or if the password and confirm strings are not identical. Click OK. The Password Controller window closes, and the password is inserted in the Run text field as asterisks. The Run text field stays masked until you add the prompt to the sequence.

If you do not click Mask, the password is entered as regular text.

The Run column in the Telnet sequence table displays the data in regular text or as asterisks depending on the chosen option.

Prompt—The expected Telnet/SSH string. This information is displayed in the table (in the relevant column) after clicking Add.

Run—The Telnet/SSH string to be sent to the device when the expected prompt is detected. This information is displayed in the table (in the relevant column) after clicking Add.

The following buttons are displayed in the Telnet/SSH tab of the New VNE dialog box:

Add—Adds the Prompt and Run fields to the list in the table.

Remove—Removes the selected row from the list in the table.

Use the Up and Down arrows to change the order of the commands in the list.

Note The Telnet sequence (the order of the commands) must end with a line that includes only the prompt field as shown in Figure 6-4.

Figure 6-4 Telnet Sequence Ending With Prompt Field

SSHv1 Protocol

If the SSHv1 protocol is selected, enter the required information and properties in the following fields:

Username

Password

Cipher—Cisco ANA supports polling devices using the SSH protocol, which defines a set of encryption algorithms that can be used to encrypt data. This field provides a list of the available cipher options: 3DES (default), DES, AES-128, AES-192, AES-256, and Blowfish.

Authentication—Displays the Password option.

SSH Login Sequence

After an SSH session is established between the VNE and the device, the VNE starts the login sequence. This sequence is usually shorter than the corresponding Telnet login sequence, as the username or password might have been sent as part of establishing the SSH session.

We recommend that you first use any SSH client application, such as unix-ssh or openSSH, to see what the device valid SSH login sequence is and then add the sequence to the VNE configuration.

SSHv2 Protocol

Secure Shell (SSH) is a protocol that provides a secure session using standard cryptographic mechanisms.

SSH Login Sequence

For information on the SSH login sequence, see SSH Login Sequence.

Client-Authentication

You need to enter your username and either a password or a private key according to the configured authentication option on the device.

Public key client authentication uses a key pair system in which the client application is configured with the secret private key and the device is configured with the public non-secret key of this pair.

You must enter a private key. You can copy and paste it, or upload it from a file by clicking Browse for file.

Entering the matching public key is optional. If it is provided, the application verifies that the public and private key are a part of the pair. You can also click Generate to generate the matching public key using the private key information.

Supported Algorithms

At least one algorithm must be selected in each subject (key-exchange, MAC, cipher, or host-key). If more than one is selected, the application tries all algorithms until one is accepted by the server. There is no priority in the way the algorithms are tried.

Note Encryption algorithms can have multiple known versions. For example, 3DES has 3des-cbc, 3des-ecb, 3des-cfb, 3des-ofb, and 3des-ctr.

Cisco ANA supports the following algorithms commonly used in network devices:

MAC:

HMAC-SHA-1

HMAC-MD5

HMAC-SHA1-96

HMAC-MD5-96

Cipher:

3DES-CBC

AES128-CBC

AES192-CBC

AES256-CBC

Host key algorithm (up to 2048-bit keys officially supported):

DSA

RSA

Key Exchange:

diffie-hellman-group1-sha1

diffie-hellman-group1-exchange-sha1

Server Authentication

Most of the devices that support SSH have a means of identifying themselves to the clients, so the clients are sure that the server is not an imposter.

The server has a permanent server public key and it passes it in each session negotiation. The client compares this public key to the known public key of the server. If they match, the client can be sure of the authenticity of the server.

There are several methods that the VNE uses for this authentication:

none—The server identity is never verified. Note that this method does not do any authentication and is not recommended as it poses a security risk for "man-in-the-middle" attacks.

save-first-auth—On the first connection attempt with the server, the connection is established and the public key is saved.

For all subsequent connections, authentication is done against the data saved in the first connection. This method assumes the first connection was legitimate and compares all later connections to it. Note that a security risk still exists if the first connection was compromised.

After the first connection, this option automatically changes to "pre-configured" and the public key data of the session is inserted as the pre-configured data.

pre-configured—The server public key or fingerprint is configured in the application event before the first connection is attempted.

If the server fails to authenticate itself using the pre-configured data, the connection fails. This is the default behavior and is the recommended security option.

Pre-configured data can be of either of the following types:

Public key for server public key in one of the permitted formats. See Public Key and Private Key File Formats.

Fingerprint—Short checksum of the server public key. Serves the same purpose, but is much shorter.

Public Key and Private Key File Formats

There are several file formats for public and private RSA and DSA keys, the same key can be written differently according to which format is used.

This application officially supports the openSSH format. For more details, see http://www.openssh.com/manual.html.

Make sure that the keys you provide as input parameters are in this format. If they are not, you will need to convert them to the open SSH format before applying them.

Use Case Example

When working with Cisco IOS, the public key is retrieved using show crypto key mypubkey .... This format is not compatible with the OpenSSH format, and is not supported. There are several ways to convert the format.

The easiest solution is to use public key scan by the (free) openSSH application to retrieve the public key in the supported format. For more details, see http://www.openssh.com/manual.html.

Another option is to convert the files to the required format either manually or by using a script.

Examples of Valid File Formats 

RSA- private key 

-----BEGIN RSA PRIVATE KEY-----

MIICWwIBAAKBgQDvdpW8ItfbSp/hTbWZJqCPmjRyh9S+EpTJ0Aq3fnGpFPTR+

........

TiOfhiuX5+M1cTaE/if8sScj6jE9A0MpShBrnDU/0A==

-----END RSA PRIVATE KEY-----


DSA private key

-----BEGIN DSA PRIVATE KEY-----

MIIBuwIBAAKBgQDNGO+l2XW+W+YtVnWSYbKXr6qkrH9nOl+

.........

7wO4+FR9afoRjDusrQrL

-----END DSA PRIVATE KEY-----


DSA public key

ssh-dss AAAAB3.........HfuNYu+ DdGY7njEYrN++iWs= aslehr@aslehr-wxp01


RSA - public key

ssh-rsa AAAAB3...lot more...qc8Hc= aslehr@aslehr-wxp01

ICMP Tab

The ICMP tab enables repetitive sending of packets to a device to verify that the device is reachable. The user can define the polling rate in seconds for the VNE. Select the ICMP tab to display the ICMP tab in the New VNE dialog box (see Figure 6-5).

Figure 6-5 ICMP Tab

The following check box is displayed in the ICMP tab of the New VNE dialog box:

Enable—Check this option to enable the use of the ICMP communication protocol to verify that the device is reachable.

Note The ICMP enable option can be enabled or disabled at any time. If this option is enabled, the user must enter a polling rate in seconds.

Polling Tab

The Polling tab enables the administrator to:

Associate a VNE with a previously created polling group.

Customize polling intervals for a VNE. Different polling intervals can be defined for:

Status—Typically the most frequently polled information, reflecting the current operational state of the element and its components.

Configuration—Reflects more dynamic element configuration such as forwarding, routing, and switching tables.

System—Reflects element configuration that is less dynamic in nature.

Topology—Reflects topology connections at different layers.

In addition, a polling interval can be configured for a class of devices, such as all Cisco routers.

Warning Changing polling rates can result in excess traffic and cause the NE to crash.

Select the Polling tab to display the Polling tab dialog box (Figure 6-6).

Figure 6-6 Polling Tab

The following radio buttons are displayed in the Polling Method area:

Group—The VNE inherits the polling rates from the polling group selected in the list. By default, the VNE inherits the polling rates from the default polling group.

For more information about creating customized polling groups, see Chapter 7, "Managing Global Settings."

The Polling Intervals and Topology areas are disabled when Group is selected.

Instance—Enables the user to change the polling rates of any one of the built-in polling intervals currently displayed in the Polling Intervals area.

Note A polling rate that is not changed inherits its settings from the group specified in the Group drop-down list.

The Polling Intervals and Topology areas are enabled when Instance is selected.

The following polling interval fields are displayed in the Polling Intervals area:

Status—Sets the polling rate for status-related information, such as device status (up or down), port status, or admin status. The information is related to the operational and administrative status of the NE. The default setting is 180 seconds.

Configuration—Sets the polling rate for configuration-related information, such as VC tables or scrambling. The default setting is 900 seconds.

System—Sets the polling rate for system-related information, such as device name or device location. The default setting is 86400 seconds.

The following fields are displayed in the Topology area:

Layer 1—Sets the polling rate of the topology process as an interval for the Layer 1 counter. This is an ongoing process. The default setting is 30 seconds.

Layer 2—Sets the polling rate of the topology process as an interval for the Layer 2 counter. This process is available on demand. The default setting is 30 seconds.

Warning We recommend that you use the default values for polling intervals. Setting the fields below the default values can result in an overload of the ANA unit or polled device.

Defining a Generic SNMP VNE

The generic SNMP VNE is a VNE that is not related to any vendor, can represent any vendor (with certain limitations), and provides lightweight management support for network devices.

The generic SNMP VNE provides basic management capabilities for a device with the following technologies:

IP

Ethernet switching

802.q

Note IP support is restricted to basic IP only. It does not does include modeling of IPsec, MPLS, and routing protocols.

The generic SNMP VNE supports the following inventory items:

Physical inventory (specific port types only)

Routing table

ARP table

Default bridge

IP interfaces

A generic SNMP VNE can be loaded in two ways:

The VNE is loaded as a generic SNMP VNE when it is defined as a generic SNMP VNE by the user.

Cisco ANA Manage enables the user to load a VNE as a generic SNMP VNE. The user does this by selecting the Generic SNMP option in the Type field of the New VNE dialog box. For more information about how to define a generic SNMP VNE, see Defining VNEs.

The VNE is loaded as a generic SNMP VNE when its type is not supported because the device type is not recognized.

If the device is not found in the deviceTypes list, it is currently unsupported and the user can load the VNE as:

An unsupported VNE

A generic SNMP VNE

Every VNE in agentdefaults/da has the entry "load generic agent for unsupported device type", where the user can set the value as true or false (the default). If the value is true, it sets 1.3.999.3 as the property. It looks for this property in agentdefaults/da/deviceTypes and finds sheer/genericda. It then skips the investigation of the device's software versions and builds the VNE (generic SNMP) from the default version.

Polling System Configuration

The sysoid command and the software version command are used to poll the system configuration. The following parameters are available:

interval—This parameter states the time in milliseconds required to wait before each poll. The default value is 180 seconds.

retries—This parameter states how many retries are required to be performed before discontinuing the poll. The default is -1 and means that the retry is unlimited (always). If a positive value is defined, such as 10, this is the number of retries that occur before the VNE stops retrying.

Note There is an option to override the default settings, if required. Changing these settings must be done with the support of Cisco. For details, please contact the Cisco Project Manager or Cisco Account Team.

VNEs and Device Software Updates

You do not need to manually restart a VNE after a upgrading the software on a device. When the VNE polls for configuration information, it will detect these kinds of changes and will restart itself. When the VNE reloads, it will update any required registry information, such as the VNE registry path.

For information on configuration polling cycles, see Polling Tab.

Viewing and Editing a VNE's Properties

Cisco ANA Manage enables the user to view and edit the properties of a VNE in a unit, such as the status or Telnet settings. See Defining VNEs.

To edit a VNE's properties:

Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch, then select the required AVM sub-branch in the tree pane.

Step 3 Open the VNE Properties dialog box:

Right-click the required VNE in the VNEs Properties table, then select Properties.

Select File > Properties.

Click Properties in the toolbar.

The VNE Properties dialog box is displayed with the details of the selected VNE.

For more details about the fields displayed in the VNE Properties dialog box, see Defining VNEs. In addition to the fields displayed when adding a new VNE, the following fields and buttons are displayed:

VNE Status—The operational status: Up, Down, Shutting Down, Starting Up, or Unreachable. For more information on VNE status, see VNE Status.

Start—Start the VNE if it has been stopped or is in maintenance mode. See Changing the VNE's State.

Stop—Stop the VNE if it is running or is in maintenance mode.

Maintenance—Move the VNE to maintenance mode. If this is done when the VNE has been stopped, this has no meaning for the VNE.

ANA Unit—The current unit that hosts the VNE.

AVM—The current AVM number, which changes according to the unit selected to show one of the available AVMs on that unit.

Step 4 Edit the details of the VNE as required.

Step 5 Click Apply.

Step 6 Click OK. The VNE's properties are edited.

Deleting a VNE

Cisco ANA Manage enables the user to delete a VNE from a unit and AVM. This process stops the VNE if it is running and deletes all VNE references from the system and Golden Source. This includes the registry information of the VNE in the specified unit. A VNE that has been removed no longer appears in any future system reports.

Since all VNE information is deleted, adding the VNE again requires the user to enter all VNE information.

Note A VNE that has static links configured cannot be deleted without first removing all static links configured for the VNE. Dynamic links are automatically removed.

To delete a VNE:

Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch, then select the required AVM sub-branch.

Step 3 Right-click the required VNE in the VNEs Properties table, then select Delete. A warning message is displayed.

Step 4 Click Yes. A confirmation message appears.

Step 5 Click OK. The selected VNE is deleted from the AVM and is removed from the VNEs Properties table.

Changing the VNE's State

Cisco ANA Manage enables the user to start or stop a VNE, or move a VNE to maintenance mode. Starting the VNE adds the VNE to the server bootstrap. Stopping the VNE removes the VNE from the server bootstrap.

During normal operation, NEs often undergo maintenance operations and planned outages such as software upgrades, hardware modifications, or cold reboots. The Cisco ANA platform supports such maintenance operations without affecting the overall functionality of the active network. Neighboring VNEs do not generate alarms that are related to links to or from the maintained VNE.

While in maintenance state (temporary state), a VNE:

Does not change state on its own, unless the user explicitly (manually) switches the VNE back to active state.

Never polls the device.

Handles events for correlation flow issues, but does not poll the device.

Does not initiate new service alarms, but might receive events from adjacent VNEs, for example, in the case of a link-down alarm.

Does not handle syslogs and traps even though the flows are active.

Maintains the status of any existing links.

Does not fail on verification requests.

However, you are not required to manually restart a VNE when you upgrade the device software. The VNE will automatically restart itself and update any required information. For more details, see VNEs and Device Software Updates.

The VNE blocks all provisioning flows that run through the VNE. A device in maintenance state can be disconnected and restarted, and this does not result in link-down alarms. Upon restart, the VNE receives only persistent information and returns to its latest known configuration. The topology links are renewed automatically.

This icon indicates a VNE in maintenance state in NetworkVision.


To change a VNE's state:

Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch, and select the required AVM sub-branch in the tree pane.

Step 3 Select the required VNE in the VNEs Properties table.

Step 4 Select the desired action:

To start the VNE, right-click Actions > Start, or click Start in the toolbar.

To stop the VNE, right-click Actions > Stop, or click Stop in the toolbar.

To place in maintenance state, right-click Actions > Maintenance, or click Maintenance in the toolbar.

Step 5 The state of the VNE changes based on your selection:

If the VNE is started, a confirmation message is displayed. Click OK. An Up status is eventually displayed in the VNEs Properties table. You might see a Starting Up status if the Server is overloaded or if the VNE is still being loaded.

If the AVM hosting the VNE is in a Down status, the VNE status remains Starting Up until the AVM is brought up.

If the VNE is stopped, a confirmation message is displayed. Click OK. A Down status is eventually displayed in the VNEs Properties table. You might see a Shutting Down status while processes are shutting down.

If the VNE is moved to maintenance mode, a confirmation message is displayed. Click OK. A Maintenance status is displayed in the VNEs Properties table.

Moving Multiple and Single VNEs

Cisco ANA Manage enables the administrator to move single and multiple VNEs between AVMs. The VNEs that are moved are unloaded. The status of the VNEs is maintained after they are reloaded.

To move one or more VNEs:

Step 1 Select the ANA Servers branch in the Cisco ANA Manage window.

Step 2 Expand the ANA Servers branch, and select the required AVM sub-branch in the tree pane. The VNEs are displayed in the workspace.

Step 3 Select one or more VNEs using the mouse or keyboard, then right-click one of the selected VNEs.

Step 4 Select Move VNEs from the shortcut menu. The Move To dialog box is displayed.

The Move To dialog box displays a tree-and-branch representation of the selected Cisco ANA server, its units, and AVMs, excluding the AVM in which the VNE is currently located. The highest level of the tree displays the Cisco ANA server. The branches can be expanded and collapsed to display and hide information.

Step 5 In the Move To dialog box, browse to and select the AVM (branch) where you want to move the VNEs.

Step 6 Click OK. The VNE is moved to its new location, and now appears beneath the selected AVM (branch) in the VNEs Properties table.

Note The user can confirm the VNE has been moved by selecting the appropriate AVM in the tree pane of the Cisco ANA Manage window (such as AVM 500-930000) and viewing the moved VNE in the VNEs Properties table.

Note The VNE that is moved is automatically unloaded and reloaded, and its status is maintained.