To: ftth who wrote (701), 12/10/1999 7:40:00 PM
From: ftth
 
Network-Management Transformation
Policy-based software helps manage quality of service and security on distributed networks

By Joel Conover, Network Computing
informationweek.com

Vendors are reinventing network management, transforming its role from passive network monitoring to active quality-of-service and network service-level-agreement provisioning. New network-management tools promise to help you squeeze every last ounce of bandwidth from your overworked network, so key applications perform at peak levels.

During the past year, a number of new features should have made their way onto your routed network. For example, Cisco's Internetwork Operating System version 11 introduced new ways to manage the traffic on local and wide area network links. Likewise, Nortel Networks' BayRS 13.2 offers many new quality-of-service-specific commands. But it's a nightmare to implement and track the configuration modifications required to affect specific traffic flows on your network, and in many cases it's simply impossible. Policy-based network-management software is vendors' answer for managing quality of service and security on distributed networks.

Nine vendors brought products to Network Computing's Real-World Labs at the University of Wisconsin-Madison. The device vendors were Allot Communications, Cisco Systems, Extreme Networks, Lucent Technologies, Nortel, and Spectrum Management (a wholly owned subsidiary of Cabletron Systems). Hewlett-Packard has separate network-management and network-equipment divisions, with a product tailored to both halves. IPHighway and Orchestream tout device-independent solutions.

The nine contenders implemented the features we thought necessary for a 1.0 policy-management product (see chart, pp. 148-150). We tested each vendor's work in progress--generally unreleased beta software--and made an assessment of overall product strategies: Our top choices were Orchestream, for having the most mature policy-based network-management solution to date, and Cisco, for having the most-comprehensive long-term strategy.

Orchestream has been a trailblazer in policy-based management, and its 2.0 software, which was being prepared for shipment during our tests, reflects this. The software supports the widest range of devices and the most options among the products we tested. Cisco's solution, based on the Common Open Policy Server (Cops) protocol, builds a foundation that will let the vendor integrate not only its own products, but also most other products on the network. Active network monitoring, network service-level-agreement management, and integration with multiple network operating systems for user-based policies are all part of its picture. Bringing all these components together isn't easy, but we think Cisco has the best chance to do it first.

We installed each product, pointed it at the three or four routers in the vendor's test bed, and saw it all work. But that was in the lab. While this technology is powerful, it's also generally unproven. This is the kind of technology you expect to roll out in the lab today for eventual production use six months to a year from now.

This area still suffers from a lack of standards. There are two key issues that remain to be addressed: first, how the vendor will access and control the hardware; and second, how these systems glean information about a company's users and resources. Device configuration can be accomplished only by employing a combination of command-level interface (CLI), Simple Network Management Protocol, Cops and Lightweight Directory Access Protocol (LDAP). We'd feel better if there was a single standardized access transport and nomenclature.

The odds favor Cops to become the protocol of choice for device configuration. Current solutions use CLI commands to provision policy, which is insufficient. An unexpected change in syntax can render a policy-based network-management tool useless.

Also, within a year, most users will be rolling out Active Directory-enabled networks based on Microsoft Windows 2000--and the last thing you'll need is to be jumping through hoops to reconcile user and resource information in Active Directory with the same information, more or less, in your policy-based network management. This is one area in which the vendors are way behind. The policy working group is bogged down and being pulled in different directions by different factions. The Desktop Management Task Force, the Directory-Enabled Networking group, Microsoft, and other vendors all have their own ideas about how the directory schema should look. There is nothing even close to a directory standard yet, and no one really knows how Microsoft Active Directory and Novell Directory Services are going to couple with policy. There won't be an answer to this question for a while.

Beyond a few basic must-have components, policy-based network-management solutions vary. For switch makers such as Cabletron or Extreme Networks, policy management encompasses virtual LAN membership and Layer 2 network security. Lucent and Nortel, among others, lump in IP address and domain name system management as part of policy management.

Most players see a directory-enabled policy-management solution in their futures, but how the vendors will use the directory differs greatly. Extreme Networks sees the directory as a way for policy servers to share information, allowing scalability and third-party interoperability. For Allot, using a directory enables its customers to insert new policies without having to develop a special API. Lucent sees the directory as a giant storehouse of information, where each user has a private subtree. For Lucent, the directory is the single sign-on for complete network resource management, both voice and data services. The vendor plans to accomplish this via a directory-independent LDAP schema.

There are other roles for policy-based network management as well. HP, for instance, sees it as an end-to-end tool for Cops-enabled desktops as well as network hardware.

Policy-based network-management rules can be grouped into three categories: conditions, actions, and roles. Conditions are events that cause a certain policy to take effect. Actions define what is done when a condition is met, while roles define how a device or interface implements an action.

Policy conditions can be defined at almost any layer of the OSI model, a communications standard that defines a framework for implementing protocols in seven layers. The amount of functionality is limited only by the software implementation and the capability of the hardware.

Most vendors concentrate their software on the IP layer and above. Notable exceptions are Extreme, HP, Nortel, and Spectrum. Spectrum has the widest range of condition support, including some very specific Internetwork Packet Exchange network quality-of-service features unique to its product.

Support for Layer 3 Differentiated Services is relegated primarily to traditional software-based routers. HP and Cabletron are the only vendors with Layer 3-aware switches capable of operating based on information in the IP Type-of-Service field during our tests. DiffServ is a critical part of policy management, as it enables end-to-end IP quality of service. If your edge devices don't offer Layer 3/Layer 4 intelligence, your policies will be relegated to the WAN and the core of your infrastructure.

Once a traffic flow has been defined in the policy server and identified by the switching or routing hardware, a number of actions can be applied to that flow. The role of a particular router interface describes how that router interface will enforce an action. For some vendors, such as Extreme and Lucent, the role applies to the entire device. For others, such as HP, roles cannot be configured in their current software release. Roles affect traffic only when the network is congested. These parameters are the most important for defining your network application behavior, but their effects are the most difficult to measure.

Roles were best supported by Cisco, IPHighway, and Orchestream. Every vendor whose products we tested plans to roll out support for these features in a future release.

also see:
networkcomputing.com