-
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
Achieving Operational Excellence
Asia Pacific Technical Services
-
What is Operational Excellence?
People
Technology
Process
-
Is this Rocket Science?
-
What are the risks?
• Purchase price is ONE element of the total cost of a system
• Hidden or less obvious cost/value drivers often outweigh the purchase price
• A network foundation with integrated advanced services leads to lower TCO
[Diagram: cost drivers beyond the Network Purchase Price: Training Costs, Opportunity Costs, Cost of Complex Integration]
Network Costs = 20% Purchase, 80% Operations (Source: The Meta Group, 2005)
-
Architectures
• ITIL or eTOM
• Information Technology Infrastructure Library: http://www.itil-officialsite.com/home/home.asp
• Enhanced Telecom Operations Map: http://www.tmforum.org/
-
A4
-
Act
-
Let's manage the network
-
First Problem
-
What information do we have?
1. Voice quality on a phone has problems
2. Does the quality problem make the voice stream unrecognisable?
Assess
-
What information do we have?
Acquire - Environmental
-
What information do we have?
Acquire - Lifecycle
??
-
What information do we have?
1. Check the devices between phone and CCM for drops and resource issues
2. Connect a network analyser at the Phone
3. Observe phone during poor voice quality
Act
-
IOS command line
AirServicesNat# show interfaces | inc drop
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
• Redirect IOS command line output to a URL, for example:
AirServicesNat#show interfaces | tee tftp://10.5.1.2/command-out
AirServicesNat#show interfaces | append ftp://10.5.1.2/command-out
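The slide shows the drop counters but reading them once tells you little; the useful check is whether they grow between polls. The following is an added example (not code from the presentation) that parses the `show interfaces` queue/drop lines in exactly the format shown above and reports interfaces whose counters increased since the last poll. It assumes the interface header line is present (unfiltered output, or `| inc line protocol|drop`); POLL_1 and POLL_2 are constructed sample output.

```python
"""Poll-to-poll drop-counter check for IOS 'show interfaces' output.

Added example, not from the original slides. It parses the
'Input queue: size/max/drops/flushes ...; Total output drops: N' lines the
deck shows, keyed by the interface header that precedes them, and reports
interfaces whose drop counters grew since the previous poll. Feed it the
output of 'show interfaces' (unfiltered, or '| inc line protocol|drop' so
the header survives). POLL_1 and POLL_2 are constructed sample output.
"""
import re
from typing import Dict, List, Tuple

# Interface header, e.g. "FastEthernet0/1 is up, line protocol is up"
IFACE_RE = re.compile(r"^(\S+) is (?:administratively )?(?:up|down), line protocol is")
# Queue/drop line exactly as the slide shows it
QUEUE_RE = re.compile(
    r"Input queue: (\d+)/(\d+)/(\d+)/(\d+) \(size/max/drops/flushes\); "
    r"Total output drops: (\d+)"
)

Counters = Dict[str, Tuple[int, int]]  # interface -> (input drops, output drops)


def parse_drops(show_output: str) -> Counters:
    """Extract per-interface input/output drop counters from 'show interfaces'."""
    counters: Counters = {}
    current = None
    for line in show_output.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        m = QUEUE_RE.search(line)
        if m and current:
            counters[current] = (int(m.group(3)), int(m.group(5)))
    return counters


def drop_deltas(previous: Counters, current: Counters) -> List[Tuple[str, int, int]]:
    """Interfaces whose drop counters increased between two polls.

    Returns (interface, input_delta, output_delta) for each interface that
    grew. A counter that went backwards (cleared, or the box reloaded) counts
    as no growth rather than a negative delta; an interface first seen in the
    current poll has no baseline and is skipped.
    """
    alerts = []
    for iface, (in_now, out_now) in current.items():
        if iface not in previous:
            continue
        in_prev, out_prev = previous[iface]
        d_in = max(in_now - in_prev, 0)
        d_out = max(out_now - out_prev, 0)
        if d_in or d_out:
            alerts.append((iface, d_in, d_out))
    return alerts


# Constructed sample: two polls a few minutes apart; Fa0/1 is shedding packets.
POLL_1 = """\
FastEthernet0/0 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
FastEthernet0/1 is up, line protocol is up
  Input queue: 0/75/12/0 (size/max/drops/flushes); Total output drops: 340
"""
POLL_2 = """\
FastEthernet0/0 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
FastEthernet0/1 is up, line protocol is up
  Input queue: 3/75/12/0 (size/max/drops/flushes); Total output drops: 1175
"""

if __name__ == "__main__":
    for iface, d_in, d_out in drop_deltas(parse_drops(POLL_1), parse_drops(POLL_2)):
        print(f"ALERT {iface}: +{d_in} input drops, +{d_out} output drops since last poll")
```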
-
IOS command line
AirServicesNat#show buffers input-interface fast 2/0
Header DataArea Pool Rcnt Size Link Enc Flags Input Output
64030310 E0010C4 Small 1 60 7 1 2 80 Fa2/0 None
64031BAC E001984 Small 1 60 7 1 2 80 Fa2/0 None
646A4BD8 E221FE4 Small 1 60 7 1 2 80 Fa2/0 None
646A5D6C E222624 Small 1 60 7 1 2 80 Fa2/0 None
646A7608 E2234E4 Middl 1 292 7 1 280 Fa2/0 None
646A7D10 E223B64 Middl 1 292 7 1 280 Fa2/0 None
Header DataArea Pool Rcnt Size Original Flags caller_pc
-
XML PI and NETCONF
• Programmatic interface that uses CLI or NETCONF (RFC 4741, RFC 4742)
-
XML PI and NETCONF
• Supported in 12.4T
http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srnetcon.html
-
Wireshark – Initial Voice Capture
-
Wireshark – Analyse Voice Streams
-
Audacity – Playback Audio
-
SPAN and VLAN Capture
• Supported on most switches
• Used for examining traffic on a local switch
-
IP Traffic Export / IP Traffic Capture
• Exports matched traffic out a specific interface or VLAN on the router
• Ideal for a network analyser or probe
• Capture to a memory device (flash, tftp, usbflash)
• Only supported on software-switching ISRs, 12.4(11)T
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html
-
Phone during problem
Press ‘i’ twice to obtain call statistics
-
What information do we have?
1. The packets are originating from the Media Server (IVR) traversing the local switch/router infrastructure, terminating at the phone.
2. Problem is seen in packets originating from server.
Acquire - Lifecycle
-
More Video
-
What information do we have?
Possible Causes:
1. Server is “busy” causing a corruption of the audio file as it is played on the LAN
2. The audio file itself is corrupt, incorrectly recorded or using the wrong codec
Analyse
-
What information do we have?
1. Monitor server performance
2. Examine audio file that is on the server for quality problems.
Act
-
Monitor Server Performance
-
Examine audio file
-
What’s next?
Next Problem!
What else can we do that will proactively examine counters and alert us to potential problems?
Act
-
Synchronised Clocks
• Network Time Protocol (NTP)
ntp server (host) [version n]
ntp peer (host) [version n]
http://www.cisco.com/en/US/tech/tk648/tk362/tk461/tsd_technology_support_sub-protocol_home.html
-
Embedded Event Manager (EEM)
• Applet-based policies
  • Defined via CLI
  • Simpler
• Tcl-based policies
  • Programmed in Tcl
  • As complex as you want
Think of a policy as an action registered to an event.
The Event Detector (ED) notifies the EEM Server, which triggers the interested policies.
-
Periodic MIB Data Collection
• Device polls specific MIB counters
• Stores this locally (memory)
• Periodically transfers data to a server (tftp, rcp, and ftp)
• Introduced in 12.3(2)T
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_mib_collect_trans.html
-
Second Problem
-
Second Problem
-
What information do we have?
1. Internet access is down
2. Users complaining
3. Large Business Impact
Assess
-
What information do we have?
Acquire - Environmental
-
What information do we have?
??
Acquire - Lifecycle
-
Network Topology Diagram
[Diagram: routers R1 to R9 between PC A, PC B and the Internet]
-
What information do we have?
1. Gather Source and Destination addresses
2. Verify problem existence in the network
3. Identify which device(s) is causing the issue
Act
-
Gather Source and Destination addresses
• Translate the customer complaint into useful information
• Helps identify the possible causes
• Narrow the problem down to a specific lifecycle through the network
-
Verify problem existence in the network
• Gain access to the devices experiencing the issue
• Confirm the customer’s symptoms
• Find an alternate device exhibiting the same issue
• Recreate in a lab environment
-
Traceroute and Debug ip icmp
• Traceroute from source to destination
• Traceroute in the opposite direction
• Enable “debug ip icmp” on either side of the suspected device
• Turn off console and terminal logging
no logging console
no logging monitor
logging buffered
• Traceroute again to observe the debugs
http://www.cisco.com/warp/public/63/ping_traceroute.html#traceroute
-
Network Topology Diagram
[Diagram: routers R1 to R9 between PC A, PC B and the Internet]
-
Using access-lists to find packet flows
• Configure access lists ingress and egress
access-list 100 deny ip host a.b.c.d host w.x.y.z
access-list 100 permit ip any any
• Verify access-list matches
show access-list 100
-
Netflow and IP accounting
• Configure netflow ingress on the interface
ip route-cache flow
OR
ip flow ingress
• Verify access-list matches
show ip cache flow
• IP Accounting on the egress
ip accounting [access-violations] [output-packets]
show ip accounting
http://www.cisco.com/en/US/docs/ios/12_4/netflow/configuration/guide/onf_bcf.html#wp1047360
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1091971
-
What now?
-
What information do we have?
1. Problem narrowed down to a single device R3
2. Traffic direction is broken toward the internet
Acquire - Lifecycle
-
What information do we have?
Possible Causes:
1. Access-list blocking traffic
2. Physical interface problems
3. Forwarding problem
Analyse
-
What information do we have?
1. Implement a workaround to minimise the impact
2. Gain console access to the device in question
3. Step through possible causes to identify the culprit
Act
-
Access-list
• Check the ingress and egress interface configuration
show run interface [Interface name]
• Verify the access-list configuration and deny matches
show access-list [number]
-
Check Ingress and Egress Interfaces
• Display interface counters
show interfaces [Interface name]
• Check the command output for the following:
Duplex setting
Input and output drops
CRCs
Overruns
Underruns
Ignores
Throttles
http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a0080094791.shtml
-
Forwarding verification steps
• Start by checking the routing table entry
• Check the ARP entry for the next hop
• Verify the switching method
show interfaces [Interface name] stats
show cef interface [Interface name]
show cef not-cef-switched
• Check CEF entries
show ip cef w.x.y.z detail (w.x.y.z = destination IP)
show adjacency a.b.c.d (a.b.c.d = next hop IP)
http://www.cisco.com/en/US/tech/tk827/tk831/tk102/tsd_technology_support_sub-protocol_home.html
-
Forwarding architectures
• Centralised software
• Centralised hardware
• Distributed software
• Distributed hardware
-
Root Cause
Drop adjacency in hardware CEF on a GSR linecard
show ip hardware-cef exact-route a.b.c.d w.x.y.z
FIB: 0x45AE0980, FIB->hwleaf: 0x7004FD60 PSA node: 0x86000FE0
PSA leaf from PSA node: 0x78003F80
Leaf FCR 1, psa_node 0x78003F80 found 1 deep
Prefix w.x.y.z
Leaf FCR 1, psa_node 0x78003F80 found 1 deep
default psa ip loadbalance (hw rpfmask 0x80000000)
16 paths (hw maxpath 0)
Hash 1,3,5,7,9,11,13,15: psa adjacency: 0x700C8D40 (hw_adj 0x700C7D80)
[0-7] loq ABAB mtu 4 (Drop) oq BABA ai 0 oi 00000000 oac lFFFF (encaps size 0)
punt gather 210 (bufhdr size 32 Punt profile 16)
counters 15458387815 bytes, 134893531 pkts; reported 0 bytes, 0 pkts.
Drop Adjacency
a.b.c.d -> w.x.y.z hash: 5
-
What Else?
1. Scripts and Syslog
2. Test fix in lab
3. Interface usage graphs
4. Apply change management
Act
-
Scripts and Syslog information
• Very useful when time is limited
• Large amount of data
• Across many devices
• Check for any configuration changes made
• Track any physical events in the network
• Helps in isolating trigger conditions
-
Lab Setup and Usage Graphs
• Root cause not found in production
• Problem cleared itself
• Large business impact
• Monitored for network status
• Produce possible causes
• Pinpoint the fault location in the lifecycle
-
Enhanced Object Tracking and IPSLA to avoid “black holes”
ip sla 99
 icmp-echo source-interface Fa0/0
 timeout 1000
 threshold 1000
 frequency 2
ip sla schedule 99 life forever start-time now
!
access-list 101 permit icmp any host
!
route-map track-primary-if permit 10
 match ip address 101
 set interface Fa0/0
 set default interface Fa0/0
!
ip local policy route-map track-primary-if
!
track 1 rtr 99 reachability
 delay down 10 up 10
!
ip route 0.0.0.0 0.0.0.0 Fa0/0 track 1
ip route 0.0.0.0 0.0.0.0 Fa0/1 200
http://www.cisco.com/en/US/docs/ios/12_4t/ip_appl/configuration/guide/taipbtrk.html#wp1054537
http://www.cisco.com/web/about/ac123/ac114/downloads/packet/packet/apr04/pdfs/apr04.pdf (pages 9-12, 88)
[Diagram: LAN router with Fa0/0 and Fa0/1 uplinks (Cable, DSL) to the Internet]
-
Change Management
• Develop change plans
• Prepare your team
• Notify stakeholders
• Implement change plans and document
• Assess gaps
• Implement corrective actions
-
Third Problem
-
Third Problem
-
What information do we have?
Concerns:
1. Router’s User Interface cannot be accessed.
2. At risk of missing the provisioning deadline as a result
Assess
-
What information do we have?
Acquire - Environmental
-
What information do we have?
1. Need to “see” the symptom that the user experiences.
2. Need to understand the network topology
Act
-
WebEx – Information sharing
http://www.cisco.com/web/products/webex/index.html
http://www.webex.com/index.html
-
Screen Shots – Information sharing
-
Document the network – logical/physical
[Diagram: Internet; Home VPN User with PC 1; Corporate site with R1 (2851), ASA 5520, R2 (3845), SW1 (4507R), SW2 (3750G), AD and ACS servers; Lab with R3 (871)]
-
What information do we have?
Concerns:
1. Router “SDM” interface cannot be accessed: “The page cannot be displayed”
2. At risk of missing the provisioning deadline as a result
Assess
-
What information do we have?
Acquire - Environmental
-
What information do we have?
Relevant Lifecycles:
1. Packet flow along the network lifecycle
2. TCP setup
3. HTTP Get/Reply lifecycle
4. Network device packet processing
Facts:
?
Acquire - Lifecycle
-
What information do we have?
1. Get access to the network devices to run show commands, debugs etc.
2. Need to look at the traffic at other points in the network.
Act
-
Network Topology Diagram
[Diagram: Internet; Home VPN User with PC 1; Corporate site with R1 (2851), ASA 5520, R2 (3845), SW1 (4507R), SW2 (3750G), AD and ACS servers; Lab with R3 (871); the points to look at the traffic are marked “Here”]
-
Console access to devices
Methods:
• Access server (reverse telnet)
• Cross-connecting the AUX port of one device to the neighbouring device’s CON port for reverse telnet
• Send someone onsite to physically connect to the console
Once on the device, you might try a “debug ip packet” on an ACL that matches the user's traffic.
-
ASA Capture
Steps to capture:
1. Create an ACL to match the traffic you are interested in.
access-list tac_acl_in permit ip host host
access-list tac_acl_in permit ip host host
access-list tac_acl_out permit ip host host
access-list tac_acl_out permit ip host host
2. Capture the ACL traffic.
capture tac_cap_out access-list tac_acl_out packet-length 1522 interface outside
capture tac_cap_in access-list tac_acl_in packet-length 1522 interface inside
3. Capture traffic dropped by the ASP drop feature.
capture type asp-drop all
4. Capture ARP traffic.
capture ethernet-type arp interface inside
capture ethernet-type arp interface outside
“capture” command supported in 6.2(1) onwards
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c1.html#wp2090739
-
ASA Capture cont…
Viewing the capture information:
a) ASA CLI:
show capture
b) Packet Decoder:
1. Download the capture file via FTP/TFTP:
copy /pcap capture: tftp://10.1.1.10/<dst_capt_name>
2. Download the capture file via HTTP/HTTPS:
https:///capture//pcap
Note: You may need to allow https access to download the files:
http server enable
http 255.255.255.255 inside
3. Now just open the capture in Ethereal/Wireshark!
“copy capture” command supported in 7.0(1) onwards
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c4.html#wp2104187
-
ASA Packet tracer
a) Enable Packet Tracing via the CLI:
syntax: packet-tracer input [detail]
example: packet-tracer input outside tcp 10.66.64.254 1 10.66.76.45 http
“packet-tracer” command supported in 7.2(1) onwards
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1830068
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config: Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
-
ASA Packet tracer cont…
b) Enable Packet Tracing via ASDM (GUI):
Step 1: In the main ASDM application window, choose Tools > Packet Tracer.
Step 2: Specify the source interface, protocol type, source address, source port, destination IP address and destination port.
Step 3: Click Start to trace the packet.
=> The Information Display Area shows detailed messages about the packet trace.
The packet-tracer feature was added to the ASDM in software version 5.2(1)
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/tools.html#wp1536158
-
What information do we have?
Facts:
1. Packets pass through firewall and reach router
2. No reply packets from router
3. TCP SYN sent by client, no SYN,ACK returned.
Acquire - Lifecycle
-
More Video
-
What information do we have?
Possible Causes:
1. Router is blocking access
2. HTTP server is not configured correctly
3. Router is not responding due to load
Analyse
-
What information do we have?
1. Check router configuration
2. Monitor router performance
Act
-
Monitor Router Performance
Troubleshooting CPU/Memory Utilization on Routers
show proc cpu sorted
show proc mem sorted
show interfaces []
http://www.cisco.com/warp/customer/63/highcpu.html
http://www.cisco.com/warp/customer/63/highcpu_interrupts.html
Memory Leak Detector
show memory debug leaks
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtmleakd.html
http://www.cisco.com/en/US/docs/ios/12_4/cfg_fund/configuration/guide/hmleakd.html
-
Root Cause
1. TCP SYN (DoS) attack
2. High CPU due to IP Input
R3#sh proc cpu | ex 0.00
CPU utilization for five seconds: 71%/14%; one minute: 67%; five minutes: 64%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
3 12816372 161039479 79 0.47% 0.40% 0.24% 0 OSPF Hello
155 218176261 976798810 223 45.68% 45.44% 43.90% 0 IP Input
206 41532046 155427986 267 1.91% 1.70% 0.87% 0 OSPF Router
1230 24436795 536684 45533 4.15% 0.50% 0.34% 0 BGP Scanner
R3# debug ip packet
*Mar 3 03:54:40.436: IP: s=192.168.40.53 (Ethernet0/1), d=144.254.2.204 (Ethernet0/0), g=10.200.40.1, len 44, forward
*Mar 3 03:54:40.440: TCP src=11004, dst=53, seq=280872555, ack=0, win=4128 SYN
Troubleshooting High CPU Utilization in IP Input Process
http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00801c2af3.shtml
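The root-cause slide pairs a pinned IP Input process with `debug ip packet` output full of bare SYNs; the following is an added example (not from the presentation) of turning that debug output into a detection. It pairs each `IP: s=... d=...` line with the `TCP src=... dst=... SYN` line that follows it, in the format shown above, and flags sources whose TCP traffic is almost entirely bare SYNs with no handshake completing. DEBUG_LINES is constructed sample output, not a real capture.

```python
"""SYN-flood indicator over IOS 'debug ip packet' output.

Added example, not from the original slides. The root-cause slide shows IP
Input at roughly 45% CPU while 'debug ip packet' shows bare TCP SYNs. This
parses the two-line records debug emits (an 'IP: s=... d=...' line followed
by a 'TCP src=... dst=... SYN' line) and flags sources whose TCP traffic is
almost entirely bare SYNs. DEBUG_LINES is constructed sample output in the
slide's format, not a real capture.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

IP_RE = re.compile(r"IP: s=(\S+) \(\S+\), d=(\S+) \(\S+\), g=\S+, len \d+, \w+")
TCP_RE = re.compile(r"TCP src=(\d+), dst=(\d+), seq=\d+, ack=(\d+), win=\d+(.*)$")

Record = Tuple[str, str, int, str]  # (src_ip, dst_ip, dst_port, flags)


def parse_tcp_records(debug_output: str) -> List[Record]:
    """Pair each 'IP:' line with the 'TCP' line that follows it.

    flags is the trailing flag list as debug prints it ('SYN', 'SYN ACK',
    'ACK PSH', or '' when none are shown). IP lines not followed by a TCP
    line (UDP, ICMP, fragments) are dropped.
    """
    records: List[Record] = []
    pending = None  # (src_ip, dst_ip) from the most recent IP line
    for line in debug_output.splitlines():
        m = IP_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = TCP_RE.search(line)
        if m and pending:
            records.append((pending[0], pending[1], int(m.group(2)), m.group(4).strip()))
            pending = None
    return records


def syn_flood_sources(records: List[Record], min_syns: int = 5,
                      syn_ratio: float = 0.9) -> Dict[str, Tuple[int, int]]:
    """Sources whose TCP traffic is dominated by bare SYNs.

    A bare SYN has exactly the SYN flag set. A source is flagged when it sent
    at least min_syns of them and they are at least syn_ratio of all its TCP
    segments. Returns {src_ip: (bare_syns, total_segments)}.
    """
    syns: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for src, _dst, _port, flags in records:
        total[src] += 1
        if set(flags.split()) == {"SYN"}:
            syns[src] += 1
    return {src: (syns[src], total[src]) for src in total
            if syns[src] >= min_syns and syns[src] / total[src] >= syn_ratio}


def _debug_pair(ms: int, src: str, dst: str, sport: int, dport: int,
                flags: str, ack: int) -> str:
    """One constructed two-line debug record in the format the slide shows."""
    return (f"*Mar  3 03:54:40.{ms:03d}: IP: s={src} (Ethernet0/1), d={dst} (Ethernet0/0), "
            f"g=10.200.40.1, len 44, forward\n"
            f"*Mar  3 03:54:40.{ms:03d}: TCP src={sport}, dst={dport}, seq=280872555, "
            f"ack={ack}, win=4128 {flags}")


# Constructed sample: six bare SYNs from one host with no follow-up, beside one
# ordinary connection from another host that completes its handshake.
DEBUG_LINES = "\n".join(
    [_debug_pair(436 + i, "192.168.40.53", "144.254.2.204", 11004 + i, 53, "SYN", 0)
     for i in range(6)]
    + [_debug_pair(500, "10.1.1.5", "144.254.2.204", 40001, 80, "SYN", 0),
       _debug_pair(504, "144.254.2.204", "10.1.1.5", 80, 40001, "SYN ACK", 1),
       _debug_pair(508, "10.1.1.5", "144.254.2.204", 40001, 80, "ACK", 1),
       _debug_pair(512, "10.1.1.5", "144.254.2.204", 40001, 80, "ACK PSH", 1)]
)

if __name__ == "__main__":
    for src, (syns, total) in syn_flood_sources(parse_tcp_records(DEBUG_LINES)).items():
        print(f"SUSPECT {src}: {syns} bare SYNs out of {total} TCP segments")
```

Because `debug ip packet` itself costs CPU on a box that is already struggling, run it only behind an ACL as the console slide suggests, and feed the logged output to this script rather than leaving the debug running.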
-
What’s next?
1. Action to fix: limit connections on the ASA and rate-limit communications (apply a config change)
Sample Configuration: http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K18407732
2. Other preventative actions: ERM/EEM to monitor CPU and send email
Act
-
Config Management
• Keep regular archives of config
• When changing config(s): test in a lab environment and/or off peak; deploy config in a staggered form
• Out-of-band access in case of connectivity loss
IOS Configuration Archive/Replace/Rollback
• Store, organise and manage archives
• No need to power cycle when rolling back
• Config locking to prevent conflicting multiple accesses
• 12.3T and onwards
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtrollbk.html#wp1066709
-
Embedded Resource Manager (ERM) and Embedded Event Manager (EEM) to notify of CPU threshold events
1. Configure ERM CPU event thresholds:
(config t)
resource policy
 policy system-global-cpu global
  system
   cpu total
    critical rising 90 interval 12 falling 20 interval 10
    major rising 70 interval 12 falling 15 interval 10
    minor rising 60 interval 12 falling 10 interval 10
2. Configure EEM to react to the ERM events:
event manager applet erm_cpu
 event resource policy system-global-cpu
 action 1.0 syslog msg "CPU $_resource_level alarm: $_resource_current_value percent"
 action 1.1 mail from [email protected] to [email protected] subject "CPU $_resource_level alarm: $_resource_current_value percent" body "" server email.xyz.com
http://www.cisco.com/en/US/docs/ios/12_4/netmgmt/configuration/guide/nm_erm.html
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/ht_eem.html#wp1052497
-
Smart Call Home?
[Diagram: Call Home messages from the Customer device travel over the Internet (secure transport) to Cisco: (1) Call Home DB, (2) Automated Diagnosis Capability, (3) TAC and the Service Request Tracking System, feeding Interactive Technical Services]
Messages received: Diagnostics, Environmental, Syslog, Inventory and Configuration
• Customer Notification
• Device and Message Reports
• Exceptions/Fault Analysis
IOS 12.2(33)SXH
-
Summary
• People, Process and Technology
• Small steps through best practices
• Take action now!
-
End
-