"Network Devices Get Smart"
[[OK, so which is it? Networks need to be stupid? Push the intelligence out to the edge? Networks need to be smart? They must be entirely policy and rules-based? Networks are to be neutral-minded, and not have an opinion? Which is it? Frank C.]]
August 18, 1998
PC Week via NewsEdge Corporation: Setting user access rights for computing resources and networks has long been commonplace in legacy mainframes and NOSes, but policy-based network management must now evolve to include network devices such as routers and switches so they can dynamically respond to network traffic conditions.
In the first half of this year, three major networking vendors--3Com Corp., Bay Networks Inc. and Cisco Systems Inc.--provided details on their approaches to policy-based network management. As one might expect, policy-based network management is being treated as an extension of current network management systems, with vendors building on their management tools and user interfaces.
The specifics vary, but the same technologies form the basis of each vendor's policy-based network management architecture. For example, LDAP 3 (Lightweight Directory Access Protocol 3) has been adopted as the protocol for exchanging information with directories and, in some cases, network devices. The COPS (Common Open Policy Service) protocol, which is still in the draft stage with the Internet Engineering Task Force, is also being adopted for exchanging policies between policy servers and intelligent network devices.
It is too early to tell which vendor's approach, if any, will be the right one. In the meantime, network managers interested in deploying policy-based network management should focus on support for open standards, keeping a close eye on network devices that support LDAP and/or COPS.
In addition, translation services that convert rules from policy servers into commands that legacy network devices can understand will be important for easing the transition to policy-based network management.
3Com: Implementing LDAP and COPS
3Com has been working to build policy management into its TranscendWare management software. Company officials plan to depend on open standards such as LDAP and COPS to exchange information and policies and to use the Institute of Electrical and Electronics Engineers 802.1p standard for traffic prioritization.
Although 802.1p supports eight priority values, 3Com has adopted less granularity, using only four classes of service. Company officials said the 3Com format is sufficient to handle network congestion problems. Using a smaller number of classes reduces the number of rules a network manager has to define to prioritize and control traffic.
The Smart Bandwidth LAN and WAN devices 3Com started to introduce in the fourth quarter of last year, including the CoreBuilder 3500, PathBuilder WAN switches and SuperStack II switches, are designed to support 3Com's policy-based network management scheme.
Not only can these products act as LDAP clients, but they use multiple queues to handle traffic with different priorities. 3Com expects to provide its first LDAP clients in its NetBuilder II family of routers at the end of this year. Similar capabilities will be added to its Layer 2 and Layer 3 switches and remote access platforms throughout next year.
3Com's Transcend Policy Server, slated for release in the third quarter of this year, will offer a single user interface for setting traffic prioritization across an enterprise network, linking the policy server to directory services via LDAP. To support non-3Com devices, the Policy Server can work with devices that support 802.1p or the IP type of service field.
3Com has done the most of any vendor to ensure that its policy-based management can be used with legacy network devices that don't include the resources necessary for communicating directly with a policy server and may not even be able to poll for configuration information.
The company plans to provide translation service between the policy server and standard protocols, such as SNMP and HTTP, that can be used to communicate with older devices, as well as handling command line interfaces.
3Com plans to simplify user registration with the policy service by using DNS (Domain Name System) and other sources, such as NDS, to populate names onto the policy server.
Over time, 3Com expects to support policy setting based on other parameters, such as IP address or user name. As the company moves forward with a system for user authentication, partly in connection with its VPN (virtual private network) products, policy management could link to direct user authentication at the desktop or laptop level, rather than relying solely on address-to-name mapping.
Bay: Tiered services plan
Bay Networks outlined its strategy for policy-based network management this month. The first phase resembles that of Cisco, focusing on support for tiered services on networks and tying these services to the user's IP address via DHCP (Dynamic Host Configuration Protocol) and DNS.
User tracking is accomplished via Bay's NetID DHCP/DNS server, resulting from the company's Isotro Network Management Inc. acquisition, and will eventually be tied to its Optivity network management software. The company plans to further extend the NetID architecture to include other network policy information in the next year or so.
Initial system configurations will be accomplished via a static set of rules, set with Bay's NetArchitect software. That capability is now available in the company's Centillion devices and will be added to the rest of Bay's networking devices in the next three to four months.
Bay's policy server will communicate with other directories and devices using LDAP; the first LDAP-capable network devices from Bay are the Contivity Extranet Switches for VPNs.
Bay's first step in end-to-end monitoring to provide feedback on network operations is based on VitalSigns and VitalAgent, which Bay is licensing from VitalSigns Software Inc.
In the first quarter of next year, Bay plans to deliver a common, systemwide user interface for configuring application and user requirements without point configuration, although these will still be static rules.
Dynamic interactions between network devices to guarantee bandwidth, using Resource Reservation Protocol, for example, won't come until the second phase, when a policy server that can obtain information from directories via LDAP 3 becomes available.
Once Bay starts implementing rate enforcement and traffic shaping to enforce systemwide policies in the second phase of its rollout, its focus will extend to further integration of the network topology, offering QOS (quality of service)-based routing and using feedback from various network elements.
Cisco: Phasing in policies
Cisco's architecture for policy-based network management, CiscoAssure Policy Networking, aims to tie devices running Cisco IOS (Internet Operating System) software with user profiles to control QOS, security and address assignment.
Cisco's plan started with control of individual devices via Cisco IOS and the setting of static policies, usually via a command-line interface. The current phase consists of using an extended DHCP/DNS service for user registration. The next part of this phase, which includes a GUI for policy administration across devices and shipping a policy server for controlling QOS based on products from Class Action (which Cisco acquired this year), is due to be completed by the end of this year.
This will also include the use of LDAP 3 for exchanging information with other directories, such as those from Netscape and Novell, and dynamic DNS updates from DHCP services.
The most important phase for the next generation of policy-based network management, that of tighter integration with directory-enabled infrastructures and dynamic controls across the network, is likely to be finalized next year.
Cisco is now licensing Network Registrar from American Internet Corp. and using it as its DHCP and DNS services for IP address and name management. A new service, called User Registration, has been built on top of DHCP, letting administrators bind policies to network users and their IP addresses. Later, to help with the assignment of IP addresses, CiscoAssure will integrate with the DHCP and DNS services bundled into Windows NT 5.0.
Like the other two vendors, Cisco will sell policy servers capable of gathering information using LDAP 3, but Cisco has also been working with Microsoft Corp. and others in the Directory-Enabled Networks initiative to utilize Active Directory as its primary directory.
When Active Directory becomes available sometime next year, Cisco expects CiscoAssure users to be able to reduce the number of duplicate stores of information, concentrating instead on Active Directory.
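The two mechanisms the article describes in the 3Com and Cisco sections, collapsing the eight 802.1p priorities into four classes of service and translating a class into the IP type-of-service field for legacy devices, and binding a policy to a user through the IP address a DHCP registration service handed out, can be shown together in a small policy server. The code below is an added illustration written for this page; it is not code from 3Com, Bay, Cisco or the article. The class-to-priority values, the lease records, the rule table and the legacy command format are all constructed assumptions, and the example deliberately shows the weakness the article hints at: once a DHCP lease has expired, the address-to-user binding is gone and the policy server can only fall back to a default class.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Four classes of service in ascending importance (the 3Com-style granularity).
CLASSES = ["best_effort", "standard", "business", "critical"]

# Constructed mapping of each class onto one of the eight 802.1p user-priority
# values (a 3-bit field carried in the 802.1Q tag). These values are an assumption.
CLASS_TO_DOT1P = {"best_effort": 0, "standard": 2, "business": 4, "critical": 6}


def dot1p_to_class(priority: int) -> str:
    """Collapse the eight 802.1p priorities onto four classes, two priorities per class."""
    if not 0 <= priority <= 7:
        raise ValueError("802.1p user priority must be in 0..7")
    return CLASSES[priority // 2]


def tos_byte_for_class(cls: str) -> int:
    """Legacy encoding: IP Precedence occupies the top three bits of the IPv4 ToS byte."""
    return (CLASS_TO_DOT1P[cls] & 0x7) << 5


@dataclass(frozen=True)
class Lease:
    """One address-to-user binding as a DHCP/DNS registration service would record it."""
    ip: str
    user: str
    expires_at: int  # epoch seconds; after this the binding must not be trusted


class PolicyServer:
    def __init__(self, leases: List[Lease], rules: Dict[Tuple[str, str], str],
                 default_class: str = "best_effort") -> None:
        for cls in list(rules.values()) + [default_class]:
            if cls not in CLASSES:
                raise ValueError(f"unknown class of service: {cls}")
        self.leases = {lease.ip: lease for lease in leases}
        self.rules = rules  # (user or "*", application or "*") -> class of service
        self.default_class = default_class

    def user_for_ip(self, ip: str, now: int) -> Optional[str]:
        """Resolve an address to a user; an expired or unknown lease yields no user."""
        lease = self.leases.get(ip)
        if lease is None or lease.expires_at <= now:
            return None
        return lease.user

    def classify(self, src_ip: str, app: str, now: int) -> str:
        """Most specific matching rule wins: (user, app), (user, *), (*, app), default."""
        user = self.user_for_ip(src_ip, now)
        candidates: List[Tuple[str, str]] = []
        if user is not None:
            candidates += [(user, app), (user, "*")]
        candidates.append(("*", app))
        for key in candidates:
            if key in self.rules:
                return self.rules[key]
        return self.default_class

    def render(self, src_ip: str, app: str, now: int, device_supports_dot1p: bool) -> dict:
        """Produce what a device needs: an 802.1p value for a policy-aware device,
        or a ToS byte plus a (hypothetical) legacy command for an older one."""
        cls = self.classify(src_ip, app, now)
        if device_supports_dot1p:
            return {"class": cls, "dot1p": CLASS_TO_DOT1P[cls], "tos": None, "command": None}
        tos = tos_byte_for_class(cls)
        # Constructed command syntax; real legacy devices each have their own CLI or SNMP form.
        return {"class": cls, "dot1p": None, "tos": tos,
                "command": f"mark src={src_ip} app={app} tos=0x{tos:02x}"}


# Constructed sample data: two leases, one of which expires at t=1000.
SAMPLE_LEASES = [
    Lease(ip="10.0.0.5", user="alice", expires_at=2000),
    Lease(ip="10.0.0.9", user="bob", expires_at=1000),
]
SAMPLE_RULES = {
    ("alice", "voip"): "critical",
    ("alice", "*"): "business",
    ("*", "backup"): "standard",
}


def build_sample_server() -> PolicyServer:
    return PolicyServer(SAMPLE_LEASES, SAMPLE_RULES)


if __name__ == "__main__":
    server = build_sample_server()
    now = 1500
    print(server.render("10.0.0.5", "voip", now, device_supports_dot1p=True))
    print(server.render("10.0.0.5", "web", now, device_supports_dot1p=False))
    # bob's lease expired at t=1000, so his traffic drops to the default class
    print(server.render("10.0.0.9", "voip", now, device_supports_dot1p=True))
```

The lease-expiry check in `user_for_ip` is the part worth keeping in mind when reading the vendors' plans: a policy keyed on an IP address is only as trustworthy as the registration service that issued the address, which is why the article notes 3Com's interest in moving toward direct user authentication rather than address-to-name mapping alone.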
Dave Kosiur is a writer and consultant based in Reston, Va. His book on VPNs, "Building and Managing Virtual Private Networks," from John Wiley and Sons Inc., is due this fall. He can be reached at drkosiur@ix.netcom.com.
<<PC Week -- 08-17-98>>
[Copyright 1998, Ziff Wire]