Working with Nodes
Nodes are the devices that perform the actual application-oriented networking in an AON environment. Nodes are primarily managed by AMC, but they also have a command-line interface (CLI) through which some features can be configured. Additionally, nodes can be configured to operate in standalone mode, enabling third-party tools to perform management functions previously reserved for AMC.
This chapter includes the following topics:
• Managing Nodes
• Managing Virtual Clusters
• Managing WCCP Servers
• Configuring Recovery
• Configuring a Virtual IP Address
• Configuring a Standalone Node
• Configuring a Node for Use with TACACS+
• Deploying to Nodes
• Viewing Logs
• Viewing Events
• Configuring SNMP
• Configuring Syslog
Note
You must have System Administrator or Network Administrator privileges to perform most of the tasks described in this chapter. Deploy and monitor tasks are also visible to some other users. See the "Assigning Roles to Users" section on page 5-3 for further details.
Managing Nodes
Nodes are the individual devices that process messages in an AON environment. After being configured for basic network connectivity, a node must be configured to register with an AMC. On receipt of proper credentials, the AMC assumes control of the node.
Note
A node can also be configured to operate in standalone mode. See the "Configuring a Standalone Node" section for details.
From the perspective of the AMC, nodes exist in one of the following states.
• Unregistered—Node created in the AMC, but no successful establishment of a trust relationship with AMC.
• Registered—Node successfully established a trust relationship with AMC.
• Active—Node activated by the administrator. Active nodes are able to receive deployment requests and process messages.
• Inactive—Formerly active node that has gone offline.
• Replaced—Node replaced by another node. During replacement, the new node assumes all processing responsibilities of the node being replaced. Replaced nodes cannot be activated again, nor can they be further configured by an administrator.
• Reachable—AMC can contact the node.
• Unreachable—A networking issue is preventing AMC from contacting the node.
• Unknown—AMC is unable to determine if the node is reachable.
This section covers the following topics:
• Creating New Nodes
• Viewing Network Node Details
• Editing Nodes
• Deleting Nodes
• Replacing Nodes
• Configuring a Standalone Node
• Configuring a Node for Use with TACACS+
Creating New Nodes
This section describes the procedure for creating a new AON node. To complete this procedure, you need access to the command-line interface of the node you are adding, and you need administrator access to AMC.
How to Get There
• Go to Network > Network Nodes > Manage, then click the New button.
Prerequisites
• AMC must be installed and running, and you must have appropriate privileges to create network nodes.
• Your node must be configured for basic IP network connectivity.
Step 1
Connect to the command-line interface of the AON node. Use the show version command to obtain the module serial number (highlighted below).
CPU Model: Pentium III (Coppermine)
Chassis Serial: 12345678901
Module Type: Cisco 2600/3700/ISR AON Module (NM-AON-K9)
Module Serial: FOC082313YY
Note the sample serial number in bold text above. You will need the serial number from your node to complete Step 3.
Step 2
Log in to AMC and go to Network > Network Nodes > Manage to load the Manage Network Nodes page. Click the New button to load the New Network Node page.
Step 3
Complete the entries on this page as described in Table 2-1.
Table 2-1 New Network Node Entries
Entry | Description
Name | Name of your choosing for this node.
Serial Number | Enter the serial number obtained in Step 1.
Description | Optional entry.
Enable Node Polling | Enable polling when AMC is operating behind a firewall. Rather than waiting for the node to contact it, AMC will initiate contact with the node. If the polling feature is used, you must also enter the amc polling enable command described in Step 6.
Agent Hostname | Name or IP address of the node.
Agent Port | Port used by node for management traffic.
Step 4
Click Save to create the network node. The new node is in the Unregistered state and remains in this state until you configure the AON module to communicate with the AMC in the next step.
Step 5
In Configuration Terminal mode on the AON module, create an AON configuration. This configuration enables the AON node to register with the AMC.
aon-node> configure terminal
Enter configuration commands, one per line. End with exit.
aon-node(config)> aon config configuration_id create
aon-node(config)> aon config configuration_id ama host module_IP_address
aon-node(config)> aon config configuration_id amc host AMC_IP_address
aon-node(config)> aon config configuration_id activate
Step 6
If AMC is located behind a firewall and you checked the Enable Node Polling box when adding this node to AMC, use the amc polling enable command to configure the node to wait until AMC establishes contact before attempting to register.
aon-node(config)> amc polling enable
Step 7
Exit Configuration Terminal mode and allow AON to restart.
CAUTION!! Configuration changed. Need to restart AON.
Start counting down before restart
Step 8
After the module restarts, use the write memory command to save the configuration.
Step 9
In your browser window, click the browser's Reload button to refresh the Manage Network Nodes page. The new node should now be registered.
Tip
If your network node remains unregistered, verify that the serial number is entered exactly as described in Step 3. The AMC will not establish trust with a node if this information is incorrect.
Step 10
Click the Manage States link to load the Manage Network Node States page.
Step 11
Click the radio button for the registered node and then click Activate.
When the state changes to Active, the node is ready for configuration deployment.
Note
You can make configuration changes to a node in the registered or unregistered state; however, you cannot deploy those configuration changes until the node becomes active.
Viewing Network Node Details
You can select a node and view details. To view details about a node, click the radio button next to the node name and then click Show.
The Show Network Node Details page appears. Table 2-2 describes the information shown on the Show Network Node Details page.
Table 2-2 Entries on the Show Network Node Details Page
Entry | Description
Name | The name of the node.
Serial Number | The serial number of the device that is running the node, for example FOC083849D0.
State | The state of the node. Can be Active or Inactive.
Node Health | Indicates whether the node is Reachable or Unreachable.
Platform description | The AON platform that is running the node. For example, Cisco 2600/3700/ISR AON Module (NM-AON-K9).
IP Address | The IP address of the node.
AON Agent Service Port | Port number for the AON Agent Service.
AON Agent HTTP Port | HTTP Port.
AON Agent HTTPS Port | HTTPS port used by the AON Agent.
AON Agent SW Version | AON Agent software version running on the node.
AON SW Version | AON software version running on the node.
AON HW Version | AON hardware version running on the node.
Description | Additional descriptive information.
Additional Info | Indicates additional information about the state of the node; for example, if the node has been suspended, indicates that it is suspended.
AMC Database ID | Database ID of the AMC database.
Enable Node Polling | Indicates whether node polling is enabled. The value can be true or false.
Agent Hostname | Name of the host running the AON Agent.
Agent Port | Port number of the port used by the AON Agent.
Editing Nodes
The AMC enables you to edit the name and description of any node. If a node is unregistered, you can also change the serial number.
How to Get There
Go to Network > Network Nodes > Manage then select a node and click the Edit button.
Actions to Take
You can take one of the following actions:
• Make changes to the Name or Description. If a node is unregistered, you can also make changes to the serial number.
• Click the Save button to preserve your changes.
• Click the Cancel button to return to the Manage Network Nodes page.
Deleting Nodes
You can delete any node, regardless of its state. If a node is active, the AMC instructs the node to stop message processing before it is deleted.
How to Get There
Go to Network > Network Nodes > Manage, then select a node and click the Delete button.
Actions to Take
You can take one of the following actions:
• Click the Yes button to delete the node.
• Click the No button to cancel deletion and return to the Manage Network Nodes page.
Replacing Nodes
You can replace a registered node with another registered node. Active and unregistered nodes cannot be replaced, while active, inactive, and unregistered nodes cannot serve as replacements. After a node has been replaced, you can no longer change its configuration in the AMC, nor can you activate it for message processing. The replacement node inherits the exact configuration of the node being replaced, and you are then able to activate it for message processing.
How to Get There
Go to Network > Network Nodes > Manage. Click the radio button for the node you want to replace, then click the Replace button.
Actions to Take
You can take one of the following actions:
• Click the radio button for the node that is to serve as the replacement, then click the Submit button to save your change.
• Click the Cancel button to discard your change and return to the Manage Network Nodes page.
Managing WCCP Servers
A WCCP server is a switch or router that redirects traffic to an AON node. A WCCP Server can also be used for load balancing. By configuring a WCCP server, you provide the AMC with the information that it uses to contact the switch or router and configure it for traffic redirection or load balancing.
How to Get There
Go to Network > Network Nodes > WCCP Servers > Define WCCP Servers, then click the New button.
Note
You must be in the System Project to configure WCCP, ACL/Classifier, or Recovery properties. If you have opened another project, you can only view these properties.
Table 2-3 shows the entries available on the New WCCP Server page.
Table 2-3 New WCCP Server Entries
Entry | Description
IP Address | IP address of the switch or router being configured.
User name | Username required to configure device.
Password | Password required to gain access to device.
Enable password | Enable password required to access privileged EXEC mode.
Access method | If the device is configured for SSH, select secure shell. Otherwise select telnet.
Note
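AON uses Base64 to mask passwords entered during WCCP configuration. Base64 is a reversible encoding rather than encryption, so a masked password can be recovered by anyone who can read the stored value.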
Managing Virtual Clusters
A virtual cluster is a set of identically configured network nodes. After nodes are added to a virtual cluster, you can update the entire clustered group by changing a single set of configuration parameters. Virtual clusters can be configured for the following:
• High availability—Nodes in a cluster can function as a single node. When a node is taken out of service, the other nodes in that virtual cluster assume the messaging processing responsibilities of the missing node.
• Load balancing—Nodes in a cluster can share workload, meaning no single node becomes overloaded with network traffic.
Note
If you are configuring a virtual cluster for use in retrieving JMS topic messages, topic retrieval is not load-balanced across multiple nodes. Only one node retrieves topics in this configuration; however, another node will assume this task should the first node fail.
This section covers the following topics:
• Creating a Virtual Cluster
• Changing Nodes Within a Virtual Cluster
• Configuring WCCP for Cluster Management
Creating a Virtual Cluster
A virtual cluster consists of two or more AON nodes that are configured to share workload and ensure redundancy. The first node you choose for a cluster is called the master node. Other nodes that you add to the cluster will receive duplicate configurations to that of the master node. After the virtual cluster has been created, all nodes are equal, meaning no node is a master node.
If you create a virtual cluster that consists of nodes assigned to one or more projects, the following occurs:
• If a node is to become the master node of the virtual cluster, it is removed from any projects to which it is assigned. The new virtual cluster is automatically assigned to those projects.
• If the node is not the master node, it is automatically removed from any projects to which it is assigned. The new virtual cluster is not assigned to those projects.
Note
You must be in the System Project to configure WCCP, ACL/Classifier, or Recovery properties. If you have opened another project, you can only view these properties.
Prerequisites
• You need at least two nodes. The master node can be in the registered or active state. Other nodes must be in the registered state.
• All nodes in a cluster must be running on the same type of hardware. You cannot, for example, combine an AON-SM and AON-NM into a virtual cluster.
Step 1
Go to Network > Network Nodes > Virtual Clusters > Create. This loads the Create Virtual Cluster page.
Step 2
Select a master node (the node whose configuration will be duplicated on the other nodes in the cluster) and click the Next button. This loads the Create Virtual Cluster page.
Step 3
Complete the entries as appropriate for your network and select the other nodes to be added to the cluster.
Step 4
Click the Finish button to save your changes. A dialog is displayed giving you a final opportunity to create the virtual cluster or cancel the operation.
Step 5
Go to Network > Network Nodes > Virtual Clusters > Manage to verify that the cluster was configured.
Step 6
Go to Network Nodes > Activate/Deactivate to make the nodes in the cluster Active.
Changing Nodes Within a Virtual Cluster
After a virtual cluster is configured, you can perform any of the following actions:
• Add Nodes—When you add additional nodes, the new nodes receive identical configuration to that of the existing nodes in the cluster. If you add a node that is assigned to one or more projects, that node is removed from those projects. The virtual cluster is not assigned to those projects.
• Remove Nodes—If you remove a node from a cluster, it is returned to the registered state. Remaining nodes in the cluster continue to operate in the absence of the removed node. The configuration of a node that is removed from a cluster is restored to the factory default when that node is activated outside of the cluster. Nodes removed from a virtual cluster are not assigned to any project.
• Delete—If you delete a cluster, all member nodes are returned to the registered state, and their configurations are restored to the factory default. After a cluster is deleted, the member nodes are not assigned to any project.
Configuring WCCP for Cluster Management
AON nodes use WCCP to detect when a member of a cluster goes offline. If this happens, other members of the cluster assume the missing node's message processing workload.
Note
You must be in the System Project to configure WCCP, ACL/Classifier, or Recovery properties. If you have opened another project, you can only view these properties.
Prerequisites
• You must have a WCCP server available to add to the virtual cluster before beginning this configuration. See the "Managing WCCP Servers" section to configure a WCCP server.
Table 2-4 shows the entries available on the New WCCP Service Group page.
Table 2-4 New WCCP Service Group Entries
Entry | Description
Service group ID | Unique number for each service group. Range is 51 - 99.
Multicast address | IP address to be used by members of this service group.
Authentication password | Password used by members of this service group for authentication.
Step 1
After completing the entries, click the Add Servers button. This loads a page that lists available WCCP servers.
Step 2
Choose one or more servers, then click the Add button. The servers are added to the WCCP service group.
Step 3
Click the Configure Interfaces button to specify the interface to be used by the WCCP server. This loads the Server Interfaces page.
Step 4
Enter the names, such as Service-Engine1/0, of the interfaces to be used by members of the service group, then click the Save button. After you are returned to the New WCCP Service Group page, click the Save button to save the entire service group configuration.
Configuring WCCP for Traffic Redirection
AON nodes use WCCP for traffic redirection and load balancing. You can configure nodes to redirect messages based on the IP address or port.
Note
You must be in the System Project to configure WCCP, ACL/Classifier, or Recovery properties. If you have opened another project, you can only view these properties.
How to Get There
• Go to Network > Network Nodes > Configure, then select a node and click the WCCP for Traffic Redirection button.
Prerequisite
• If traffic redirection is to be based on source or destination IP addresses, you must configure an ACL/Classifier for the cluster. See the "Configuring ACL/Classifiers" section to specify IP address parameters for traffic redirection.
Table 2-5 shows the entries available on the New WCCP Service Group page.
Table 2-5 New WCCP Service Group Entries
Entry | Description
Service group ID | Unique number for each service group. Range is 51 - 99.
Multicast address | IP address to be used by members of this service group. Address range is 224.0.0.0 to 239.255.255.255 (RFC 3171).
Authentication password | Password used by members of this service group for authentication.
Port map | Comma-delimited string of destination ports to be redirected. Up to eight distinct ports can be entered.
Listener port | The port at which an adapter is listening for traffic.
Protocol | Choose TCP or UDP from the drop-down list. Note: You must configure the protocol on AMC. AON nodes do not support the use of the command-line interface to configure the protocol.
Step 1
Complete the entries as appropriate for your network, then click the Add Servers button. This loads a page that lists available WCCP servers.
Step 2
Choose one or more servers, then click the Add button. The servers are added to the WCCP service group.
Step 3
Click the Configure Interfaces button to specify the interface to be used by the WCCP server. This loads the Server Interfaces page. On this page you specify the following interfaces:
• Redirect in interface—this is the interface on which traffic to be processed by WCCP will arrive. Examples include FastEthernet 1/0 and Gigabit Ethernet 2.
• Group listen interface—this is the interface that receives the redirected traffic. Examples include AON-Engine 1/0 and Integrated Services-Engine 1/0.
Enter the name of the interfaces to be used by members of the service group, then click the Save button.
Step 4
After you are returned to the New WCCP Service Group page, click the ACL/Classifier button. On the next page, click the Add Entries button to load the page that lists the available ACL/Classifiers.
Step 5
Choose an ACL/Classifier, then click the Select button to associate it with the WCCP service group.
Step 6
Click the Save button to save your changes and return to the New Service Group page. From there click the Save button to complete the configuration.
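The limits listed in Table 2-5 can be checked before the entries are typed into AMC. The following is an added example, not part of the original guide or of AON: the dictionary keys and function names are hypothetical, the 1-65535 port range is an assumption about what AMC accepts, and the sample entries are constructed (the group ID and multicast address of the first are the ones shown in Example 2-1).

```python
import ipaddress

# Limits taken from the New WCCP Service Group entries in Table 2-5.
GROUP_IDS = range(51, 100)                        # 51 - 99 inclusive
MULTICAST = ipaddress.ip_network("224.0.0.0/4")   # 224.0.0.0 - 239.255.255.255
MAX_PORTS = 8
PROTOCOLS = ("TCP", "UDP")


def parse_port_map(port_map):
    """Return the distinct ports of a comma-delimited port map, sorted.

    Raises ValueError for an empty or non-numeric entry, a port outside
    1-65535 (assumed range), or more than MAX_PORTS distinct ports.
    """
    ports = set()
    for item in port_map.split(","):
        item = item.strip()
        if not (item.isascii() and item.isdigit()):
            raise ValueError(f"port map entry {item!r} is not a number")
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} is outside 1-65535")
        ports.add(port)
    if len(ports) > MAX_PORTS:
        raise ValueError(f"{len(ports)} distinct ports, limit is {MAX_PORTS}")
    return sorted(ports)


def check_group(entry):
    """Return the problems found in one service group entry (a dict)."""
    problems = []
    if entry.get("service_group_id") not in GROUP_IDS:
        problems.append("service group ID must be in the range 51-99")
    try:
        address = ipaddress.ip_address(entry.get("multicast_address", ""))
        if address not in MULTICAST:
            problems.append(f"{address} is not in 224.0.0.0-239.255.255.255")
    except ValueError:
        problems.append("multicast address is not a valid IP address")
    try:
        parse_port_map(entry.get("port_map", ""))
    except ValueError as err:
        problems.append(str(err))
    if entry.get("protocol") not in PROTOCOLS:
        problems.append("protocol must be TCP or UDP")
    return problems


def check_groups(entries):
    """Check every entry and the uniqueness of IDs across the whole set.

    Returns {position in list: [problems]} for the entries that have problems.
    """
    report = {}
    seen = {}
    for index, entry in enumerate(entries):
        problems = check_group(entry)
        group_id = entry.get("service_group_id")
        if group_id in seen:
            problems.append(
                f"service group ID {group_id} already used by entry {seen[group_id]}")
        else:
            seen[group_id] = index
        if problems:
            report[index] = problems
    return report


# Constructed sample entries.
SAMPLE_GROUPS = [
    {"service_group_id": 51, "multicast_address": "239.51.51.239",
     "port_map": "80, 8080, 443", "protocol": "TCP"},
    {"service_group_id": 51, "multicast_address": "10.94.0.135",
     "port_map": "1,2,3,4,5,6,7,8,9", "protocol": "ICMP"},
    {"service_group_id": 100, "multicast_address": "224.0.0.0",
     "port_map": "80,80,443", "protocol": "UDP"},
]

if __name__ == "__main__":
    for index, problems in check_groups(SAMPLE_GROUPS).items():
        for problem in problems:
            print(f"entry {index}: {problem}")
```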
Managing Node States
You can manage the state of the nodes associated with the AMC. You can activate and deactivate nodes. A node must be registered in order to be activated. When you deactivate a node, it stops all message processing and returns to the registered state. You can also suspend a network node.
• To activate a node, click Activate.
• To deactivate a node, click Deactivate.
• To suspend a node, click Suspend.
When you click Suspend, the Suspend Network Node Confirmation screen appears and prompts you to confirm the action. To continue and suspend the node, click Yes. To keep the node active, click No.
When you suspend a node, the node's state is temporarily changed from Active to Inactive. The global deployment operation will continue to deploy configuration changes to Active nodes, but will bypass all Inactive nodes. This is useful if a node loses network connectivity.
If a node loses network connectivity, the network administrator must take action to restore connectivity and then restart the node using the CLI. When the node is restarted, its state changes back to Active.
Configuring ACL/Classifiers
An ACL/Classifier contains an ordered list of access control entries. Each entry contains a source and destination IP address that are matched against the contents of a packet to determine if messages are to be redirected by WCCP.
ACL/Classifiers can also be used for message classification. After an ACL/classifier is created, users of ADS can bind the classifier to a message type so that messages can be subjected to additional processing.
Note
You must be in the System Project to configure WCCP, ACL/Classifier, or Recovery properties. If you have opened another project, you can only view these properties.
Step 1
Use one of the following navigation paths:
• For network nodes: Network > Network Nodes > Configure. Select a node, then click the ACL/Classifier button.
• For virtual clusters: Network > Virtual Clusters > Configure. Select a cluster, then click the ACL/Classifier button.
This loads the New ACL/Classifier Entry page.
Step 2
Complete the entries as required by your environment.
Step 3
Click the Save button to save your changes.
Configuring Recovery
The AMC enables you to control the recovery parameters of network nodes and virtual clusters. Watchdog is a process that runs on an AON node and verifies that the AON application on that node is operating normally. When watchdog detects a failure, it can attempt to restart AON and WCCP.
How to Get There
• Network node: Go to Network > Network Nodes > Configure. Select a node and click the Recovery button.
• Virtual cluster: Go to Network Nodes > Virtual Clusters > Configure. Select a node and click the Recovery button.
Note
You must be in the System Project to configure WCCP, ACL/Classifier, or Recovery properties. If you have opened another project, you can only view these properties.
Table 2-6 shows the entries available on the Recovery page.
Table 2-6 Recovery Entries
Entry | Description
AON Heartbeat Interval | Rate at which the AON process sends heartbeats to the watchdog process.
AON Startup Delay | Number of seconds watchdog waits for the AON process to start up before attempting to restart.
Watchdog Recovery Action | Action to be taken when a watchdog timer expires.
Watchdog Failure Wait Retry Interval (Times): | An integer that specifies the number of Watchdog Failure Detection retries before the watchdog signals that AON is down.
WCCP "Here I Am" Interval | Interval at which WCCP clients send the "Here I Am" message.
Enable Watchdog | Drop-down list to select if watchdog is enabled or disabled.
Watchdog Failure Detection Interval | Time that will elapse before watchdog detects that AON is down.
Configuring a Virtual IP Address
A virtual IP (VIP) address is an IP address that is not assigned to a single device. Instead the VIP address is shared among a set of nodes. Nodes that are to use VIP are first assigned to a virtual cluster, and they use WCCP for cluster management.
Prerequisites
• Ensure that each node to be used in this procedure is properly configured and registered with AMC. Do not activate the nodes. See Managing Nodes.
• Ensure that WCCP servers are configured for the switches or routers hosting AON nodes that are to use VIP. See Managing WCCP Servers.
• Obtain an IP address for the VIP. This address must be on the same subnet as the nodes that are to use VIP.
Step 1
Create an ACL/classifier for the traffic that you want to divert to the VIP. Use the VIP as the destination address in the ACL. See Configuring ACL/Classifiers.
Step 2
Add the nodes that are to share a VIP to a virtual cluster. See Creating a Virtual Cluster.
Step 3
Configure WCCP to manage the VIP traffic. The following are key fields in a VIP configuration:
• Multicast address—an IP address from 224.0.0.0 to 239.255.255.255 (see RFC 3171) to be used exclusively by the devices in this VIP configuration.
• Redirect in interfaces—the interfaces on the host switches and routers that will receive traffic directed to the VIP. An example is FastEthernet 0/0.
• Group listen interfaces—the AON node interfaces to which VIP traffic is to be forwarded. An example is AON-Engine 1/0.
See Configuring WCCP for Traffic Redirection.
Step 4
Deploy all configuration changes to the affected nodes. See Deploying to Nodes.
Step 5
Establish a session with each node and enter configuration terminal mode. Use the aon node-address command to specify the VIP to be used by the virtual cluster.
aon-node> configure terminal
Enter configuration commands, one per line. End with exit.
aon-node(config)> aon node-address 10.94.0.135
Step 6
If the router is on the same subnet as the VIP, you must add the IP address to the router's configuration. If the router is on a different subnet, you can skip this step.
Establish a session to each switch or router and add the VIP as a secondary address to the appropriate interface. The example that follows shows a VIP address being mapped to the FastEthernet interface of a router.
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface FastEthernet0/0
Router(config-if)# ip address 10.94.0.135 255.255.255.0 secondary
Step 7
Restart each node to activate the VIP configuration.
VIP Configuration Examples
The following examples show pertinent excerpts from the output of the show configuration command from a router and from an AON node.
Example 2-1 Router WCCP Configuration
This example shows WCCP group 51 is using the multicast address of 239.51.51.239. It is using an ACL/classifier named cisco-aon-wccp-acl-51. This configuration is added to the router when you properly configure a WCCP server in AMC.
ip wccp 51 group-address 239.51.51.239 redirect-list cisco-aon-wccp-acl-51
Example 2-2 Router Interface Configuration
This example shows the WCCP configuration applied to the interface of the router. The VIP is configured as a secondary IP address.
interface FastEthernet0/0
ip address 10.94.0.135 255.255.255.0 secondary
ip address 10.94.0.131 255.255.255.0
Example 2-3 AON Node VIP Configuration
This example shows the VIP address of 10.94.0.135 configured on the node.
aon config test ama host 10.94.0.133
aon config test amc host 10.94.0.47
aon node-address 10.94.0.135
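The excerpts in Examples 2-1 to 2-3 have to agree with each other for the VIP procedure to be complete. The following is an added example, not part of the original guide: it parses the router and node lines shown above and reports where they disagree with Steps 1, 5 and 6. The function names and the BROKEN_ROUTER excerpt are constructed for illustration, and the node's subnet is taken from the router interface mask because the node excerpt does not show one.

```python
import ipaddress
import re

# Router and node excerpts copied from Examples 2-1 to 2-3.
ROUTER_CFG = """\
ip wccp 51 group-address 239.51.51.239 redirect-list cisco-aon-wccp-acl-51
interface FastEthernet0/0
 ip address 10.94.0.135 255.255.255.0 secondary
 ip address 10.94.0.131 255.255.255.0
"""
NODE_CFG = """\
aon config test ama host 10.94.0.133
aon config test amc host 10.94.0.47
aon node-address 10.94.0.135
"""
# Constructed excerpt: no redirect-list and no secondary address for the VIP.
BROKEN_ROUTER = """\
ip wccp 51 group-address 239.51.51.239
interface FastEthernet0/0
 ip address 10.94.0.131 255.255.255.0
"""


def parse_router(text):
    """Return (wccp_groups, interfaces) parsed from router configuration lines."""
    groups = []       # (group id, multicast address, redirect-list name or None)
    interfaces = {}   # interface name -> list of (IPv4Interface, is_secondary)
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(
            r"ip wccp (\d+) group-address (\S+)(?: redirect-list (\S+))?", line)
        if m:
            groups.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = re.fullmatch(r"interface (.+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
            continue
        m = re.fullmatch(r"ip address (\S+) (\S+)( secondary)?", line)
        if m and current is not None:
            address = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            current.append((address, m.group(3) is not None))
    return groups, interfaces


def parse_node(text):
    """Return the node's own address (ama host) and its VIP (node-address)."""
    node = {"ama": None, "vip": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"aon config \S+ ama host (\S+)", line)
        if m:
            node["ama"] = ipaddress.ip_address(m.group(1))
        m = re.fullmatch(r"aon node-address (\S+)", line)
        if m:
            node["vip"] = ipaddress.ip_address(m.group(1))
    return node


def audit_vip(router_text, node_text):
    """Return a list of findings; an empty list means the excerpts agree."""
    groups, interfaces = parse_router(router_text)
    node = parse_node(node_text)
    vip = node["vip"]
    if vip is None:
        return ["node has no 'aon node-address' (Step 5)"]
    findings = []
    if node["ama"] == vip:
        findings.append("VIP is the node's own address; it must be a shared address")
    vip_subnet = None
    vip_is_secondary = False
    for addresses in interfaces.values():
        for address, secondary in addresses:
            if vip in address.network:
                vip_subnet = address.network
            if address.ip == vip and secondary:
                vip_is_secondary = True
    # If the router is on another subnet, Step 6 is skipped and the
    # same-subnet prerequisite cannot be checked from these excerpts.
    if vip_subnet is not None and not vip_is_secondary:
        findings.append(
            f"router is on {vip_subnet} but {vip} is not a secondary address (Step 6)")
    if vip_subnet is not None and node["ama"] is not None \
            and node["ama"] not in vip_subnet:
        findings.append(
            f"node address {node['ama']} is not on the VIP subnet {vip_subnet}")
    if not groups:
        findings.append("router has no 'ip wccp' service group")
    for group_id, _address, acl in groups:
        if acl is None:
            findings.append(
                f"WCCP group {group_id} has no redirect-list (Step 1 ACL not applied)")
    return findings


if __name__ == "__main__":
    print(audit_vip(ROUTER_CFG, NODE_CFG))      # excerpts from the page
    print(audit_vip(BROKEN_ROUTER, NODE_CFG))   # constructed failure case
```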
Example 2-4 AON Node WCCP Configuration
This example shows the WCCP configuration of the AON node.
Configuring a Standalone Node
In environments where a third-party management application, such as AlterPoint, will manage AON nodes, each node must be configured to operate in standalone mode. This mode enables a node to operate without the AON Management Console, and it enables the node to receive all required configuration input from the command-line interface (CLI).
A node configured for standalone mode cannot communicate with an AMC. You must disable standalone mode before AMC can manage the node.
This feature also provides the ability to use the CLI to configure four different adapters (http, aonp, jms, and pmode). Previously these adapters required AMC's web interface for configuration.
Note
If you install adapter extensions on a standalone node, they will be lost during subsequent upgrades of AON software. You must reinstall the adapter extensions after the upgrade.
Sample Configurations
The following example shows a node being configured for standalone mode. It also shows the commands to configure the promiscuous mode (Pmode) adapter.
aon-sm-1(config)> aon standalone
aon-sm-1(config)> adapter pmode
aon-sm-1(config-adapter)> domain PmodeAdapter
aon-sm-1(config-adapter-domain)> propertyset default
aon-sm-1(config-adapter-domain-propertyset)> set "Default Destination IP" "10.235.1.11"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Sampling Interval" "10"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Sampling Duration" "10"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Sampling Mode" "false"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Destination Port" "10001"
aon-sm-1(config-adapter-domain-propertyset)> exit propertyset
aon-sm-1(config-adapter-domain)> $exit domain
aon-sm-1(config-adapter)> $exit adapter
The following example shows the installation and configuration of a Pmode adapter extension:
aon-sm-1 aon install extension url http://10.0.0.1/RdfAdapterExtPackage.jar
aon-sm-1 configuration terminal
aon-sm-1(config)> adapter pmode
aon-sm-1(config-adapter)> domain PmodeAdapter
aon-sm-1(config-adapter-domain)> propertyset default
aon-sm-1(config-adapter-domain-propertyset)> set "Default Destination IP" "10.235.1.11"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Sampling Interval" "10"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Sampling Duration" "10"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Sampling Mode" "false"
aon-sm-1(config-adapter-domain-propertyset)> set "Default Destination Port" "10001"
aon-sm-1(config-adapter-domain-propertyset)> exit propertyset
aon-sm-1(config-adapter-domain)> exit domain
aon-sm-1(config-adapter)> domain PmodeAdapterExtension
aon-sm-1(config-adapter-domain)> propertyset rdflink
aon-sm-1(config-adapter-domain-propertyset)> set "ExtensionLink" "RDF-FRAMING-EXTN-1"
aon-sm-1(config-adapter-domain-propertyset)> exit propertyset
aon-sm-1(config-adapter-domain)> exit domain
aon-sm-1(config-adapter)> domain RdfExtension
aon-sm-1(config-adapter-domain)> propertyset rdftraffi
aon-sm-1(config-adapter-domain-propertyset)> extension RDF-FRAMING-EXTN-1
aon-sm-1(config-adapter-domain-propertyset-extension)>set "MonitorPort" "10002"
aon-sm-1(config-adapter-domain-propertyset-extension)>set "AdapterExtPolicyLink" "rdflink"
aon-sm-1(config-adapter-domain-propertyset-extension)>set "MonitorMask" "255.255.255.255"
aon-sm-1(config-adapter-domain-propertyset-extension)>set "MonitorAddress" "10.235.1.11"
aon-sm-1(config-adapter-domain-propertyset-extension)>exit extension
aon-sm-1(config-adapter-domain-propertyset)> exit propertyset
aon-sm-1(config-adapter-domain)> exit domain
aon-sm-1(config-adapter)> exit adapter
Configuring a Node for Use with TACACS+
When a TACACS+ server is configured, a node provides the following functionality:
•
Users authenticated against the TACACS+ server when they log in.
•
The node will verify each command entered by a user before executing it. If a user does not have permission to use a command, the command is not executed.
•
The user named "admin" is a local user. This user can successfully log in when the TACACS+ server is unavailable. The "admin" user has access to all commands on the node.
•
You can enter up to three TACACS+ servers. If the first server is not found, the node will contact the second server. If the first two servers are not found, the node will contact the third server. If the first server denies authentication to the user, the node does not contact the other two servers.
•
You can use the tacacs-server key command to enter an encryption key. The default for this optional command is unencrypted communication with the TACACS+ server.
•
You can use the tacacs-server port command to specify the port used by the TACACS+ server. The default for this optional command is port 49.
•
You can use the tacacs-server timeout command to specify the number of seconds the node is to wait for a response from the TACACS+ server. The default for this optional command is 5 seconds.
Note
This feature is supported on the AON Appliance, AON-SM, and AON-NME. The AON-NM does not support TACACS+.
The following example shows the configuration of three TACACS+ servers on an AON node. Note that in this example, only the first command is required to configure TACACS+. The remaining commands are optional.
aon-sm-1(config)> tacacs-server host 10.10.10.1
aon-sm-1(config)> tacacs-server host 10.10.10.2
aon-sm-1(config)> tacacs-server host 10.10.10.3
aon-sm-1(config)> tacacs-server key encryption-key
aon-sm-1(config)> tacacs-server port port-number
aon-sm-1(config)> tacacs-server timeout seconds
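The following added example (not part of the Cisco guide) audits a node's tacacs-server commands against the behavior listed above: the three-server limit, the port and timeout defaults, and unencrypted communication when no key is set. The function names, finding codes and sample lines are assumptions made for illustration, as is the premise that each server is tried in turn for the full timeout.

```python
import re

# Defaults stated on this page for the optional commands.
DEFAULT_PORT = 49
DEFAULT_TIMEOUT = 5      # seconds
MAX_HOSTS = 3            # the node accepts up to three TACACS+ servers

# Matches "tacacs-server <keyword> <value>", with or without a CLI prompt in front.
LINE = re.compile(r"^(?:\S+>\s*)?tacacs-server\s+(host|key|port|timeout)\s+(\S+)$")

def parse_tacacs(config_text):
    """Collect the tacacs-server settings, filling in the documented defaults."""
    cfg = {"hosts": [], "key": None, "port": DEFAULT_PORT, "timeout": DEFAULT_TIMEOUT}
    for raw in config_text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue
        keyword, value = match.groups()
        if keyword == "host":
            cfg["hosts"].append(value)
        elif keyword == "key":
            cfg["key"] = value
        elif value.isdigit():            # port or timeout; non-numeric values are ignored
            cfg[keyword] = int(value)
    return cfg

def audit_tacacs(cfg):
    """Return a list of (code, message) findings for a parsed configuration."""
    findings = []
    hosts = cfg["hosts"]
    if not hosts:
        findings.append(("no-host", "no tacacs-server host: TACACS+ is not configured"))
    if len(hosts) > MAX_HOSTS:
        findings.append(("too-many-hosts", f"{len(hosts)} hosts entered, limit is {MAX_HOSTS}"))
    if len(set(hosts)) < len(hosts):
        findings.append(("duplicate-host", "the same server is listed more than once"))
    if len(set(hosts)) == 1:
        findings.append(("single-server", "no second server to contact if the first is not found"))
    if hosts and cfg["key"] is None:
        findings.append(("unencrypted", "no tacacs-server key: traffic to the server is unencrypted"))
    return findings

def worst_case_wait(cfg):
    """Seconds spent before every server counts as not found (assumes they are tried in turn)."""
    return len(cfg["hosts"][:MAX_HOSTS]) * cfg["timeout"]

# Constructed sample: two servers, a longer timeout, and no key command.
SAMPLE = """\
aon-sm-1(config)> tacacs-server host 10.10.10.1
aon-sm-1(config)> tacacs-server host 10.10.10.2
aon-sm-1(config)> tacacs-server timeout 10
"""

if __name__ == "__main__":
    cfg = parse_tacacs(SAMPLE)
    for code, message in audit_tacacs(cfg):
        print(f"{code}: {message}")
    print("worst-case wait:", worst_case_wait(cfg), "s")
```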
The following example shows a sample configuration on a TACACS+ server for a user named "user123." In this example, the user can use only the "show" commands. Use of any other commands by this user yields an "Authorization Failure" error.
login = cleartext "user123"
Deploying to Nodes
Changes made to the configuration of an AON node must be explicitly deployed to the node. These changes include those made in AMC and those uploaded from the AON Development Studio. Whenever a configuration change is made, it appears in a deployment request (DR). There are two types of deployment requests:
•
Global Deployment Request—contains changes, such as global properties, that apply to all nodes in a project.
•
Node Deployment Request—contains changes, such as new PEPs or message types, that apply to an individual node.
To deploy changes to nodes, perform the following steps:
Step 1
Go to Deployment > Manage Staging to view the deployment requests waiting in the Open and Staged state.
Step 2
Click the radio button for the deployment request, then click the Stage button. This changes the state to Staged, which is the last stop before deployment.
Step 3
Click the Manage Deployment link, which loads the Manage Deployment page.
Step 4
Click the radio button for the deployment request, then click the Deploy button. The AMC deploys the request to the AON node.
Step 5
Click the Summary Link to verify that the request was successfully deployed.
Viewing Logs
After configuring the Message Log Domain Policy at Properties > Application > Node > Message Log Domain, you can retrieve these logs.
How to Get There
Go to Monitor > Logs, then select a node and click the View Logs button.
Viewing Events
After configuring the Monitoring Policy at Properties > Monitoring, you can retrieve these events.
How to Get There
Go to Monitor > Events, then select a node and click the View Events button.
Configuring SNMP
SNMP is a well-established industry standard that provides a network management framework. To enhance the manageability of AON, several industry-standard MIBs and Cisco standard MIBs are supported. In AON 3.0, support for the AON MIB CISCO-AON-STATUS-MIB has been added. This MIB provides AON node health as well as node metrics information. SNMP traps for several AON internal events (for example, AonUp, AonDown, and so on) have also been added. Additionally, the ability to generate user-defined notifications based on message content or context has been added with the new Notify Bladelet. These notifications are generated only if SNMP traps are enabled on the node.
For information on the Notify Bladelet, see "Notify" in chapter 3 of the Cisco AON Development Studio User Guide, 3.0, "ADS Bladelets Reference."
The following table lists the commands for configuring SNMP on AON.
| Command | Description |
|---|---|
| snmp-server community string [ro \| rw] | Enables SNMP and sets the community string. Use ro to specify read-only access for management stations; use rw to specify read-write access. |
| snmp-server contact text | Sets the system contact (sysContact) string. |
| snmp-server host ip-address community-string | Specifies the host that will receive SNMP messages. |
| snmp-server location text | Sets the system location string (sysLocation). |
| snmp-server enable traps [notification_type] | Enables the AON SNMP traps. The optional notification_type parameter specifies one of the following traps: aon-down (caonDown trap), aon-up (caonUp trap), custom-notification (caonCustomNotification trap), delivery-failure (caonMessageDeliveryFailed trap), new-pep-deployed (caonNewPepDeployed trap), send-threshold-exceeded (caonSendResponseThresholdExceeded trap), syslog (syslog trap). If you do not specify the notification_type parameter, then all of the traps are enabled. |
| no snmp-server enable traps [notification_type] | Disables the AON SNMP traps. The optional notification_type parameter disables a specified trap that has been enabled using the snmp-server enable traps command. If you do not include the notification_type parameter, then all of the traps are disabled. |
| show snmp configuration | Displays the current SNMP configuration for the node. |
The sections that follow list the MIBs supported by AON:
•
Industry Standard MIBs
•
Cisco Standard MIBs
To translate MIBs, use the Cisco SNMP Object Translator.
Industry Standard MIBs
SNMPv2-MIB
•
Entire MIB, including coldStart trap
IF-MIB
•
ifTable
IP-MIB
•
ip objects
•
ipAddrTable
SYSAPPL-MIB
•
sysApplInstalledPkgTable
•
sysApplRunTable
HOST-RESOURCES-MIB
•
hrSystemNumUsers
•
hrSystemProcesses
•
hrMemorySize
•
hrStorageTable
–
hrStorageDescr
–
hrStorageAllocationUnits
–
hrStorageSize
–
hrStorageUsed
Note
In AON, hrStorageTable contains two entries. The first entry denotes the RAM in the system, and the second entry denotes the disk partition.
Cisco Standard MIBs
CISCO-PROCESS-MIB
•
cpmCpuTotalTable
•
cpmProcessTable
CISCO-SYSLOG-MIB
AON MIB to Support MIB Metrics
CISCO-AON-STATUS-MIB
Cisco AON 3.0 includes support for a new AON MIB—the CISCO-AON-STATUS-MIB, which provides AON metrics information.
You can access the CISCO-AON-STATUS MIB online at the following location:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
The information available through this MIB includes:
•
AON node state, that is, whether the AON node is unregistered, registered, active, or inactive.
•
Node metrics information when a node is in the active state. The node metrics information includes the number of messages received by the node, number of PEPs deployed, and number of messages received by a PEP, as well as information about the endpoints that the messages are delivered to. The metrics are reset when the AON process is restarted.
By setting up the AON metrics using the AMC, the AON node can be configured to capture node metrics, PEP metrics, and endpoint metrics. For information on configuring the MIB metrics property, see AON Metrics Property, page 3-2.
Table 2-7 lists the MIB attributes.
Table 2-7 CISCO-AON-STATUS-MIB Attributes
| MIB Attribute Name | Syntax | Access | Description |
|---|---|---|---|
| caonNodeState | Integer { unregistered(1), registered(2), active(3), inactive(4) } | ro | The node status can be: unregistered (AON is not yet registered with AMC), registered (AON has registered with AMC but is not yet activated), active (AON is active and ready to process messages), or inactive (AON has been activated from AMC but the AON process is down). |
| caonAonBootTime | DateAndTime | ro | The value of sysUpTime at the time when the AON process was bootstrapped successfully. |
| caonLastActivateTime | TimeStamp | ro | The local time at the node when AON was last activated from AMC. |
| caonReceivedMessages | Counter32 | ro | Aggregate count of messages received by the node. |
| caonAmcIpAddressType | InetAddressType | ro | Indicates the type of IP address by which the AMC for the node is reachable. |
| caonAmcIpAddress | IPAddress | ro | IP address of the AMC for this node. |
| caonPepCount | Gauge32 | ro | The total number of PEPs that are currently deployed within the node. |
| caonPepTable | SEQUENCE of caonPepEntry | not-accessible | Table of descriptive and status information about the deployed PEPs on the node. |
| caonPepEntry | caonPepEntry | not-accessible | An entry in the PEP table, containing information about a single PEP. When the AON data plane bootstraps, an entry is created for each PEP that has been deployed on the AON node. When PEPs are deployed from AMC to the AON node after the AON data plane bootstraps, an entry for each PEP is added to the table. An entry is deleted from the table when the PEP is deleted from AMC. |
| caonPepIndex | Unsigned32 | ro | An integer uniquely identifying the PEP for which this entry contains information. |
| caonPepName | SnmpAdminString | ro | Specifies the PEP name. |
| caonPepStyle | INTEGER | ro | This object indicates the PEP interaction style, commonly known as the MEP. The possible values are: oneWay (a response is not expected from the receiving endpoint, and AON does not wait for a response message) and requestResponse (a response is expected from the receiving endpoint, and AON waits for the response from the receiving endpoint). However, the PEP interaction style can be overridden by the Send Bladelet interaction style. If the user specifies the interaction style to be oneWay in the Send Bladelet, it overrides the PEP-level interaction style and AON does not wait for a response from the receiving endpoint. |
| caonPepReceivedMessages | Counter32 | ro | A counter of the number of messages that were received by the PEP. |
| caonPePpFailures | Counter32 | ro | A counter of the times the PEP was forced to execute exception flow. This count includes both the counts when an exception flow is present and when it is not. |
| caonPepSecurityFailures | Counter32 | ro | A counter of the authentication and certificate validation failures encountered during PEP execution. |
| caonPepEndPointTable | SEQUENCE of caonPepEndPointEntry | not-accessible | Table of endpoints that the messages were delivered to for the PEP. |
| caonPepEndPointEntry | caonPepEndPointEntry | not-accessible | An entry in the PEP EndPoint table, containing information about a single PEP EndPoint. |
| caonPepPEndPointIndex | Unsigned32 | not-accessible | An integer that uniquely identifies the PEP endpoint for which this entry contains information. |
| caonPepEndPointUrl | CiscoURLString | ro | URL of the endpoint. This URL does not include the query parameters. |
| caonEndPointAttempedtMessages | Counter32 | ro | The number of message delivery attempts to the endpoint. |
| caonOneWayDeliveredMessages | Counter32 | ro | The number of messages successfully delivered to the next hop. This count includes only those messages that do not require a response from the endpoint. |
| caonOneWayFailedMessages | Counter32 | ro | The number of messages that failed delivery. This count includes only those messages that do not require a response from the endpoint. |
| caonReqResponseDeliveredMessages | Counter32 | ro | The number of messages successfully delivered to the endpoint. The count includes only those messages for which a response is received successfully from the endpoint. |
| caonReqResponseFailedMessages | Counter32 | ro | The number of messages that failed delivery. This count includes only those messages for which a response message was expected from the endpoint. |
| caonEndPointMinResponseTime | TimeTicks | ro | The minimum response time to receive a response message from the endpoint. |
| caonEndPointMaxResponseTime | TimeTicks | ro | The maximum response time to receive a response message from the endpoint. |
| caonEndPointAvgResponseTime | TimeTicks | ro | The average response time experienced by the PEP to receive a response from the endpoint. |
| caonCounterDiscontinuityTime | TimeStamp | ro | The value of sysUpTime at the most recent occasion at which one or more of the counters suffered a discontinuity. The relevant counters are the specific instances associated with any Counter32 or Counter64 object in the MIB. If no such discontinuities have occurred since the last initialization of the local management subsystem, then this object contains a zero value. |
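The following added example (not part of the Cisco guide) turns successive polls of caonPepSecurityFailures into a per-minute rate, allowing for Counter32 wrap and using caonCounterDiscontinuityTime to discard intervals in which the counters were reset, for example by an AON process restart. The poll dictionaries, function names and limit are assumptions made for illustration; fetching the values over SNMP is left to the monitoring tool.

```python
COUNTER32_MOD = 2 ** 32      # a Counter32 wraps to 0 after 4294967295
TICKS_PER_SECOND = 100       # sysUpTime and TimeStamp values count hundredths of a second

def counter_delta(previous, current):
    """Increase between two Counter32 samples, allowing for a single wrap."""
    return (current - previous) % COUNTER32_MOD

def interval_is_usable(previous, current):
    """False when the counters may have been reset between the two polls."""
    if current["sysUpTime"] <= previous["sysUpTime"]:
        return False                     # SNMP agent restarted, or the same sample twice
    # A discontinuity stamped after the previous poll makes the deltas meaningless.
    return current["caonCounterDiscontinuityTime"] <= previous["sysUpTime"]

def security_failures_per_minute(previous, current):
    """Rate of caonPepSecurityFailures over the interval, or None if it is unusable."""
    if not interval_is_usable(previous, current):
        return None
    failures = counter_delta(previous["caonPepSecurityFailures"],
                             current["caonPepSecurityFailures"])
    seconds = (current["sysUpTime"] - previous["sysUpTime"]) / TICKS_PER_SECOND
    return failures * 60 / seconds

def find_spikes(polls, per_minute_limit):
    """Return (poll index, rate) for each interval whose rate exceeds the limit."""
    spikes = []
    for index in range(1, len(polls)):
        rate = security_failures_per_minute(polls[index - 1], polls[index])
        if rate is not None and rate > per_minute_limit:
            spikes.append((index, rate))
    return spikes

# Constructed polls of one PEP row, taken 60 seconds apart.
POLLS = [
    {"sysUpTime": 500000, "caonCounterDiscontinuityTime": 0,
     "caonPepSecurityFailures": 4294967290},
    {"sysUpTime": 506000, "caonCounterDiscontinuityTime": 0,
     "caonPepSecurityFailures": 14},          # counter wrapped past 2**32 - 1
    {"sysUpTime": 512000, "caonCounterDiscontinuityTime": 509000,
     "caonPepSecurityFailures": 3},           # counters reset between polls
    {"sysUpTime": 518000, "caonCounterDiscontinuityTime": 509000,
     "caonPepSecurityFailures": 5},
]

if __name__ == "__main__":
    for index, rate in find_spikes(POLLS, per_minute_limit=10):
        print(f"poll {index}: {rate:.1f} security failures per minute")
```

Without the discontinuity check, the third poll would be read as a wrap and reported as billions of failures in one minute.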
The caonNotifEnableIndicators MIB Object
The caonNotifEnableIndicators MIB object is a bit mask that specifies whether the SNMP notifications will be sent. If a bit in the bit mask is set, then the specified SNMP notification will be sent. If the bit is not set, the notification will not be sent.
Table 2-8 lists the bit mask values that specify whether SNMP traps are enabled or disabled. Note that these attributes are read-only; they reflect whether each notification will be sent.
Table 2-8 Values for the caonNotifEnableIndicators MIB Object Bit Mask
| MIB Attribute Name | Syntax | Access | Description |
|---|---|---|---|
| caonUpNotifEnabled | TruthValue | ro | Specifies whether aonUP notifications are sent when AON processes bootstrap successfully. If this bit is set, then the caonUp notification will be sent when the AON data plane bootstraps successfully. If the bit is not set, the caonUp notification will not be sent. |
| caonDownNotifEnabled | TruthValue | ro | Specifies whether aonDown notifications are sent when AON processes go down. |
| caonNewPepDeployedNotifEnabled | TruthValue | ro | Specifies whether newPEPDeployed notifications are sent when a new PEP is deployed after AON bootstraps successfully. |
| caonMessageDeliveryFailedNotifEnabled | TruthValue | ro | Specifies whether messageDeliveryFailed notifications are sent when a message cannot be delivered to the endpoint. |
| caonSendResponseThresholdExceededNotifEnabled | TruthValue | ro | Specifies whether sendResponseThresholdExceeded notifications are sent when the endpoint response time exceeds the threshold value specified in the Send Bladelet. |
| caonCustomAONNotifEnabled | TruthValue | ro | Specifies whether customAONNotification notifications are sent when a notification is generated during PEP execution based on rules specified in the PEP. |
SNMP Traps for AON Internal Events
In addition to the traps used to send metrics information, the CISCO-AON-STATUS MIB also defines several traps for AON internal events. Table 2-9 lists the traps for AON internal events.
Table 2-9 Traps for AON Internal Events
| SNMP Trap Name | Varbind | Description |
|---|---|---|
| caonUp | none | The caonUp notification is sent when the AON data plane is bootstrapped successfully and AON is ready to process messages. |
| caonDown | none | The caonDown notification is sent when an AON data plane goes down. The AON data plane might be down as a result of an administrative command (stopping AON via a CLI command or deactivating the node from AMC) or due to abnormal termination of the AON data plane. If there is a hardware failure on the AON box, the notification might not be triggered. |
| caonNewPepDeployed | caonPepName | This notification is sent if a new PEP is deployed after AON has bootstrapped successfully. caonPepName identifies the name of the new PEP. |
| caonMessageDeliveryFailed | Varbinds: caonPepEndPointUrl, caonMessageSrcUri, caonMessageSrcIpAddressType, caonMessageSrcIpAddress, caonMessageSrcPort | This notification is sent if a message cannot be delivered to the endpoint. caonMessageEndPointURL identifies the endpoint to which the message was being delivered. The message source is identified either by caonMessageSrcUri or by caonMessageSrcIpAddr and caonMessageSrcPort. |
| caonSendResponseThresholdExceeded | Varbinds: caonPepEndPointUrl, caonSendResponseThreshold | This notification is sent if the destination endpoint response time exceeds the threshold value specified in the Send Bladelet. The caonPepEndPointUrl varbind identifies the URI of the endpoint the message was being delivered to. The caonSendResponseThreshold varbind identifies the endpoint response time threshold value configured in the Send Bladelet. |
| caonCustomNotification | Varbinds: caonNotificationName, caonNotificationText | This notification might be triggered during PEP execution. Currently this is triggered from the Notify Bladelet if the customer-specified condition evaluates to TRUE and the notification type selected is SNMP. This provides a way to extend the AON platform to generate customer-defined notifications based on customer-specified conditions. For information on configuring the Notify Bladelet, see the Cisco AON ADS User Guide, 3.0. The caonNotificationName varbind identifies the name of the customer-defined notification type. The caonNotificationText varbind identifies the notification text for the custom notification. |
Configuring Syslog
AON nodes include the capability to forward log messages to syslog servers. Up to four syslog servers can be configured for each AON node, and each host can use a unique priority and rate-limit setting.
The table that follows lists the commands supported by the AON syslog feature.
| Command | Description |
|---|---|
| logging host ip-address priority priority-level [rate-limit bytes-per-second] | Configures the IP address of the recipient of syslog messages and one of the following priority levels: alert (immediate action needed), critical (critical conditions), emergency (system is unusable), error (error conditions), info (informational messages), notice (normal, but significant conditions), warning (warning conditions). The default priority level is warning. To control the bandwidth used for syslog messages, use the rate-limit keyword to specify the bytes per second. The default rate-limit is 0. |
| [no] enablesyslog aon | Instructs the AON process to start or stop logging events to syslog. |
| syslog aon level <level> | Specifies logging of AON messages of the specified level and higher (more severe) level to syslog. The level parameter can have the following values: debug (debug messages), info (informational messages), notice (notice conditions), warning (warning conditions), errors (error conditions). |
| show logging | Displays current logging and syslog server configuration for the node. |