ehealth Integration for Cisco VPN Solutions Center User Guide

Transcription

1 ehealth Integration for Cisco VPN Solutions Center User Guide MN-NHVPNSC-001 June 2003

2 Important Notice Concord Communications, Inc., ehealth, ehealth Suite, the Concord Logo, eroi, AdvantEDGE, SystemEDGE, Live Health, Network Health, Live Status, System Health, Application Health, Automating Technology Management, Enterprise, Enterprise Monitor, Firstsense, FirstSense and design, FirstSense Enterprise, Pulse, Pulsecheck, Token/Net, Token/Scope, We See It Happening, Fault Manager, Empire, Empire Technologies and/or other Concord marks or products referenced herein are either registered trademarks or trademarks of Concord Communications, Inc. SMIC. Copyright 1992 SynOptics Communications, Inc. All Rights Reserved. SynOptics makes no representations about the suitability of this software for any particular purpose. The software is supplied as is, and SynOptics makes no warranty, either express or implied, as to the use, operation, condition, or performance of the software. SynOptics retains all title and ownership in the software. ehealth incorporates compression code by the Info-ZIP group. There are no extra charges or costs due to the use of this code, and the original compression sources are freely available from ftp://ftp.cdrom.com/pub/infozip/ on the Internet and from the Concord Communications Web site: Copyright Bigelow and Holmes 1986, Lucida is a registered trademark of Bigelow & Holmes. Sun Microsystems Inc., AT&T, and Bigelow & Holmes make no representations about the suitability of the source code for any purpose. It is provided as is without express or implied warranty of any kind. All other brand and product names are trademarks or registered trademarks of their respective companies. Proprietary Notice The information and descriptions contained herein are the property of Concord Communications, Inc. Such information and descriptions may not be copied, disseminated, or distributed without the express written consent of Concord Communications, Inc. Concord Communications, Inc., assumes no responsibility for any inaccuracies that may appear in this document. Concord Communications, Inc., reserves the right to improve its products and change specifications at any time without notice. U. S. Government Restricted Rights Use, reproduction, and disclosure by the U.S. Government are subject to the restrictions set forth in FAR (c) (1) and (2) and DFARS (c) (1) (ii). U. S. Patent 5,615,323 Patents Pending Patent Information 2003 Concord Communications, Inc. All Rights Reserved

3 Table of Contents Preface 7 Audience About This Guide Reading Path Revision Information Terms Documentation Conventions License Request Information Technical Support Professional Services Chapter 1 Product Overview 13 About ehealth About Cisco VPNSC Cisco VPNSC MPLS Solution Cisco VPNSC IPsec Solution Cisco VPNSC Features About ehealth Cisco VPNSC How ehealth Cisco VPNSC Works ehealth Reporting iii

4 iv Table of Contents Chapter 2 Getting Started with ehealth Cisco VPNSC 23 Before You Begin Setup Checklists ehealth System Requirements Cisco VPNSC System Requirements Obtaining User Permissions for Services ehealth Cisco VPNSC Performance Considerations Starting ehealth and Licensing ehealth Cisco VPNSC Starting ehealth Licensing ehealth Cisco VPNSC Setting up ehealth Cisco VPNSC Prerequisites Running the Setup Program Modifying ehealth Cisco VPNSC Settings Chapter 3 Configuring Cisco VPNSC Elements in ehealth 39 Before You Begin About the Configuration Process Adding Configuration Information to ehealth Adding SA Agent Information Adding Router Information Reconfiguring Response and Router Information Grouping Elements Scheduling the Configuration Process Managing the Configuration Process Element Files Response Element File Fields Router Element File Fields Element Definition Examples Sample Rules Files

5 Table of Contents v Chapter 4 Importing ehealth Cisco VPNSC Statistics 73 Importing Statistics Data Verifying Statistics Data Collection Stopping the Import Process Modifying Data Import Running ehealth Reports Index 79

6

7 Preface This guide uses the term ehealth Cisco VPNSC to refer to this integration module. This guide describes how to set up, configure, and use the ehealth Integration for Cisco VPN Solutions Center (VPNSC) module. This module enables ehealth to collect performance data about virtual private networks (VPNs) that Cisco VPNSC manages. This release of the ehealth Integration for Cisco VPNSC module (ehealth Cisco VPNSC) is available with ehealth Release 5.6 and later. It supports Cisco VPNSC Releases 2.1 and 2.2. NOTE If you are using an ehealth release that is later than Release 5.6, refer to the ehealth Readme file for the latest information on the versions of Cisco VPNSC that are supported for that release. Audience This guide is intended for network management administrators and service providers who use Cisco VPNSC to manage their VPNs and collect data from Cisco routers, and who want to use ehealth Cisco VPNSC to import this data to ehealth and run ehealth reports. 7

8 8 Preface To use ehealth Cisco VPNSC, you must be knowledgeable about the following: Network management and terminology Your network topology Cisco routers in your network Configuration information stored on Cisco VPNSC Cisco router information (such as models, IOS versions, and addresses) About This Guide This guide assumes that you are using Cisco VPNSC to collect and store configuration information about Cisco routers in your network and that you are familiar with all aspects of managing this Cisco product. This guide provides the information that you need to integrate ehealth with Cisco VPNSC so that you can run ehealth reports on the data that Cisco VPNSC collects. If you are not currently using Cisco VPNSC, or you are a new ehealth user, you can refer to Chapter 1 for product overview information. To learn more about ehealth, refer to the reading path that follows for a list of ehealth documents. For information about installing and configuring Cisco products, refer to the Cisco Web site at and the Cisco Systems, Inc. documentation. The following sections provide a reading path that you can follow, revision information, a list of terms, and the documentation conventions used in this guide.

9 About This Guide 9 Reading Path Before you use ehealth Cisco VPNSC, you must install ehealth and become familiar with its features. For more information about ehealth, refer to the following documentation: Introduction to ehealth. This guide provides an introduction to and overview of ehealth. New Features in ehealth. This guide provides information about new features available with the current release. ehealth Installation Guide. This guide provides information about ehealth system requirements, licensing, installing the ehealth software, and starting the ehealth console. ehealth Administration Guide. This guide is intended for the person who must perform the critical ehealth administration tasks such as discovery, polling, database maintenance, or report administration. ehealth Reports Guide. This guide provides an overview of the types of reports that you can generate from the ehealth console and from the Web interface. ehealth Web Help. The Web Help provides detailed information about all ehealth reports that you can run from the Web interface. For information about Cisco products, refer to the Cisco Systems, Inc. documentation. Revision Information This guide is a revision of the ehealth Cisco VPN Solutions Center User Guide for ehealth Release and later. That guide supports the integration module for Cisco VPNSC Release 2.0. This guide supports ehealth Release 5.6 and later versions of this integration module (which supports Cisco VPNSC Releases 2.1 and 2.2).

10 10 Preface Terms In addition, this version of ehealth Cisco VPNSC provides the following: Support for the Cisco VPNSC IPsec Solution in addition to the MPLS solution Enhanced grouping for your response and router elements (For more information, refer to Grouping Elements on page 42.) This guide uses the following terms when referring to ehealth and Cisco products: ehealth. A Concord product that allows you to manage and monitor resources in your internet infrastructure. You use the ehealth console and Web interface to generate reports on data that you collect. VPN. Virtual private networks that Cisco VPNSC manages. VPNSC. The Cisco Virtual Private Network Solutions Center product. MPLS. The Cisco VPNSC solution that supports Multi-Protocol Label Switching. IPsec. The Cisco VPNSC solution that supports Internet Protocol security. API. Application programming interface. ehealth accesses information from Cisco VPNSC through its APIs. CORBA. The Common Object Request Broker Architecture application server platform that Cisco VPNSC uses. ehealth Cisco VPNSC. The ehealth integration module that collects data from Cisco VPNSC and enables you to generate ehealth reports on this data.

11 About This Guide 11 Documentation Conventions Table 1 lists the conventions used in this document. Table 1. Documentation Conventions Convention File or Directory Name code emphasis enter Name New Term Variable NOTE CAUTION WARNING Description Text that refers to file or directory names. Text that refers to system, code, or operating system command line examples. Text that refers to guide titles or text that is emphasized. Text that you must type exactly as shown. Text that refers to menus, fields in dialog boxes, or keyboard keys. Text that refers to a new term, that is, one that is being introduced. Text that refers to variable values that you substitute. A sequence of menus or menu options. For example, File Exit means Choose Exit from the File menu. Important information, tips, or other noteworthy details. Information that helps you avoid data corruption or system failures. Information that helps you avoid personal physical danger.

12 12 Preface License Request Information Technical Support Professional Services You must submit a completed License Request form for all ehealth products that you purchase. This form is in your ehealth package and on the TotalDoc online documentation CD-ROM. Fax it to the License Generation Group at (508) or forward it using to [email protected]. If you have a support Contract ID and password, you can access our Support Express knowledgebase at the following URL: If you have a software maintenance contract, you can obtain assistance with this product. Have your Support Contract ID available and contact Technical Support at the following: Phone: (888) (508) [email protected] Web site: If you need any assistance with customizing this product, contact Professional Services at the following: Phone: (800) Fax: (508) [email protected] Web site:

13 1 Product Overview Cisco is a registered trademark of Cisco Systems, Inc. About ehealth This chapter provides information about ehealth, Cisco VPNSC, and the ehealth Cisco VPNSC integration module. Concord s ehealth Suite of software products provides a comprehensive fault, availability, and performance management solution that spans the entire infrastructure, including applications, systems, and networks. All Concord products are integrated and store data in the ehealth database. ehealth automates technology management for IT departments, telecommunication carriers, and service providers. With ehealth, you can manage the quality and performance of services such as data, voice, wireless, Internet, and cable. You can report on behavior for thousands of elements in real time, or you can generate reports on historical information. You generate these reports from the ehealth console or from the ehealth Web interface. You can run scheduled reports automatically, create your own custom reports, view live data, or perform on-demand queries. For more information about running reports, refer to the ehealth Reports Guide. 13

14 14 Chapter 1 Product Overview In addition to providing out-of-the-box support for many devices, ehealth does the following: Discovers devices in your infrastructure using Simple Network Management Protocol (SNMP) Frequently polls statistics collected by each device s Management Information Base (MIB) Collects information and stores it in a database where it is available for reporting Concord also provides several modules that enable ehealth to integrate with various network management software products. These integration modules enable you to use the reporting capabilities of ehealth to monitor data that third party products gather about switches, routers, and other devices in your infrastructure. For more information about the ehealth suite of products, refer to the Introduction to ehealth. About Cisco VPNSC MPLS is the acronym for Multi- Protocol Label Switching. IPsec is the acronym for Internet Protocol security. Cisco VPNSC is a network- and service-management system that you use to manage IP virtual private networks (VPNs) and services. More specifically, Cisco VPNSC provides provisioning, auditing, and service level agreement (SLA) monitoring tools that you can use to manage both MPLS and IPsec VPNs. Cisco VPNSC manages VPNs that use the following routers: Provider edge (PE) Customer edge (CE) Customer premise equipment (CPE) Cisco VPNSC provides two solutions; Cisco VPNSC for MPLS and Cisco VPNSC for IPsec. You use the solution that is appropriate for your particular VPN. NOTE ehealth Release 5.6 and later versions of ehealth Cisco VPNSC support both of these solutions.

15 About Cisco VPNSC 15 Cisco VPNSC MPLS Solution The Cisco VPNSC MPLS Solution enables you to manage IP VPN services such as service provisioning, service auditing, and service-level accounting. External operating support systems (OSSs) can access the configuration information that Cisco VPNSC for MPLS gathers from CE and PE routers through a set of Common Object Request Broker Architecture (CORBA) application programming interfaces (APIs). Through these interfaces, you can add, delete, or modify MPLS VPNs and define the VPN service topology associated with each. 1 About MPLS VPNs PE routers communicate through the Border Gateway Protocol-Multiprotocol (MP-BGP). In an MPLS VPN, a CE router connects to a PE router, which sends traffic to other CE routers. Cisco VPNSC for MPLS accesses configuration files on both the CE and PE routers and makes the changes required to support the services over the various CE and PE router connections. An MPLS VPN consists of a set of sites that are interconnected by one MPLS provider network. Each site contains one or more CE routers, which connect to one or more PE routers. The Cisco VPNSC IPsec Solution is also known as the security module. Cisco VPNSC IPsec Solution The Cisco VPNSC (Security) IPsec Solution enables you to automatically configure Internet Key Exchange (IKE) and IPsec tunnels between routers that use the following Cisco software: Cisco IOS Cisco 3000 Series concentrators Cisco PIX Firewall This solution automates tasks such as resolving incompatible or inconsistent IPsec and IKE policies among devices and the routing protocols among sites. As with the Cisco MPLS solution, Cisco VPNSC for IPsec provides open APIs to enable integration with existing service provider OSSs.

16 16 Chapter 1 Product Overview About IPsec VPNs In an IPsec VPN, a CPE router on one site connects to a CPE router on another site as defined by the IPsec protocol. The IPsec traffic sent and received across this connection is monitored by a process on the CPE s secure interface. This data is sent to the destination CPE router through a process that provides security for the data and stores it in files on the destination CPE router. Cisco VPNSC for IPsec accesses these data files and obtains the information necessary to manage the IPsec VPN. Cisco VPNSC Features Cisco VPNSC offers the following features: Provisioning module. This service management module supports scheduled VPN service provisioning. You use this module to configure VPNs and to link CE routers to PE routers. The provisioning module has a database of all CE routers and PE routers (and links between them) and their associations with VPNs, customers, customer sites, and so on. The provisioning module also serves as a source of element and group information for LAN/WAN and Router/Switch reporting. Templates for provisioning. Cisco VPNSC templates allow flexible provisioning of Cisco IOS software commands. QoS provisioning. This feature enables you to offer and monitor different classes of service (COS). Cisco VPNSC measures SLA compliance and generates router configurations that allocate bandwidth to different COS. SLA module. This module monitors specific SLAs for round-trip times, availability, and usage. It collects and stores performance information, and reports on SLA conformance based on Service Assurance (SA) Agent probes in Cisco routers. Through this module, you can configure thresholds so that violations are reported. The data that this module monitors can also serve as a data source for Response reports.

17 About ehealth Cisco VPNSC 17 Accounting server. The accounting server is based on a Cisco NetFlow FlowCollector that collects, stores, and reports on a traffic matrix in this case, one that passes through a VPN. Service auditing. A Cisco VPNSC auditor validates IP VPN service configuration, monitors performance, and identifies faults to ensure network integrity and quality service. Service quality assurance. Cisco service assurance features ensure that VPN target devices remain correctly provisioned and that the VPN itself is operational. 1 NOTE Of these features, ehealth provides reporting capabilities for provisioning and SLA monitoring. About ehealth Cisco VPNSC For more information about additional features, the Cisco MPLS solution, or the Cisco IPsec solution, refer to the Cisco Systems, Inc. documentation. The ehealth Release 5.6 version of the ehealth Cisco VPNSC integration module supports the Cisco VPNSC IPsec and Cisco VPNSC MPLS solutions. ehealth Cisco VPNSC collects configuration information and statistics data for PE, CE, and CPE routers in your VPN. It gathers response statistics from the Cisco VPNSC database and collects performance statistics for routers by polling them directly. ehealth provides a setup program that you run on your ehealth system. This program allows you to configure CORBA, Cisco VPNSC, and ehealth system settings for integrating ehealth with Cisco VPNSC. If you have the appropriate ehealth licenses, you can use ehealth Cisco VPNSC to report on LAN/WAN, router/switch, and response path elements.

18 18 Chapter 1 Product Overview The Cisco SA Agent is a Cisco IOS technology that monitors network performance and response time between a Cisco router and a remote device. How ehealth Cisco VPNSC Works ehealth Cisco VPNSC performs the following tasks to gather the information that you need to manage and report on your VPNs: Collects Cisco SA Agent configuration information and the response statistics that these agents measure. Collects router configuration information, which ehealth uses to discover routers in your VPN. Collects router performance statistics data by polling routers directly. Collects and groups information about Cisco VPNSC group types that you can display in ehealth reports. When you set up ehealth Cisco VPNSC and use it for the first time, you collect configuration information for the routers and SA Agents in your VPN from the Cisco VPNSC database. You run the nhgetvpnscrouterconfig command on the ehealth system to extract the configuration information for routers, and you run the nhgetvpnscslaconfig command to extract the configuration information for SA Agents. Cisco VPNSC provides a CORBA API through which ehealth Cisco VPNSC accesses this information. ehealth Cisco VPNSC updates the ehealth poller configuration with the new configuration information. Once this information resides in ehealth, you run the ehealth Discover process to discover all Cisco routers and SA Agents in your VPN. After ehealth discovers these devices and saves them as elements in ehealth, ehealth Cisco VPNSC begins to import response statistics data from the Cisco VPNSC database through the ehealth import polling process. To collect performance statistics for the routers in your VPN, you must use the ehealth statistics polling process (SNMP polling) to poll these routers directly. For more information, refer to Gathering Statistics Data on page 19. Figure 1 on page 19 illustrates an ehealth Cisco VPNSC integration configuration.

19 About ehealth Cisco VPNSC 19 ehealth Database ehealth System Discover and SNMP Polling 1 CORBA API Cisco VPNSC System Configuration Information and Response Statistics Data Cisco VPNSC Database Cisco VPNSC Managed Network PE Routers CE Routers Customer Edge CE Routers Routers CPE Router SA Agent SA Agent Figure 1. ehealth Cisco VPNSC Integration Configuration For detailed instructions about how to run the commands to obtain this configuration information, refer to Chapter 3, Configuring Cisco VPNSC Elements in ehealth. ehealth Cisco VPNSC gathers data that Cisco Service Assurance (SA) Agents collect to monitor network availability, usage, and response time for service level agreements (SLAs). Gathering Statistics Data ehealth Cisco VPNSC gathers statistics data for response times and router performance using two types of polling processes: import polling and SNMP polling.

20 20 Chapter 1 Product Overview Using Import Polling. ehealth Cisco VPNSC uses import polling to gather response statistics data from the Cisco VPNSC database at the interval you specify when you set up the integration module. ehealth Cisco VPNSC accesses this data through a Cisco VPNSC CORBA interface which allows ehealth Cisco VPNSC to query for data at specific intervals. Cisco VPNSC saves response statistics in one-hour blocks or buckets. After a block is complete, it is available the next time ehealth polls for data. After ehealth imports data, it translates the statistics into ehealth DCI files and imports these files into the ehealth database. NOTE By default, ehealth polls for these statistics every 60 minutes. If new data is not available when ehealth polls, ehealth does not import any data. If several blocks of new data are available, ehealth imports all of them. Using SNMP Polling. Although Cisco VPNSC gathers some router information, ehealth requires more data about router performance to display in ehealth reports. To gather this data, ehealth polls routers directly using SNMP polling. For more information about polling network devices with SNMP, refer to the ehealth Administration Guide. Comparing Import Polling and SNMP Polling. Note the following advantages and disadvantages of import polling and SNMP polling. Import polling offers the following advantages: It transfers statistics in an efficient manner, using the enhanced grouping capabilities of Cisco VPNSC. You do not lose data when you stop the ehealth server. When you restart ehealth and it polls Cisco VPNSC for data, ehealth Cisco VPNSC collects all data stored in the Cisco VPNSC database with hourly queries.

21 About ehealth Cisco VPNSC 21 The disadvantage of import polling is that you have less control over the granularity of the data. SNMP polling has the following advantages: It provides more control over the granularity of the data. It populates all charts within ehealth reports. SNMP polling has the following disadvantages: Depending upon the number of elements, it increases network traffic according to the number of SNMP polling requests. (ehealth sends one request per element.) SNMP queries can impact router performance. 1 ehealth Reporting You can generate ehealth reports for response time and router activity performance data in your VPN. ehealth Cisco VPNSC integrates ehealth s reporting capabilities with the service-management capabilities of Cisco VPNSC. If you have the appropriate ehealth licenses, you can run a variety of ehealth reports on response, router, and LAN/WAN elements. For more information about ehealth reports, refer to the ehealth Reports Guide and the ehealth Web Help.

22

23 2 Getting Started with ehealth Cisco VPNSC Before You Begin This chapter contains the following information that you need to get started with ehealth Cisco VPNSC: Setup checklists ehealth system requirements Cisco VPNSC system requirements Starting ehealth and Licensing ehealth Cisco VPNSC procedures ehealth Cisco VPNSC setup procedure Before you run the ehealth Cisco VPNSC setup program, complete the checklists in the following section, review the ehealth and Cisco VPNSC system requirements, and obtain an ehealth Cisco VPNSC license for your ehealth system. After you complete the setup procedure, you must configure your Cisco VPNSC elements before you can use the integration module. (For instructions, refer to Chapter 3, Configuring Cisco VPNSC Elements in ehealth. ) The following steps outline the order in which you must perform the procedures to get started with ehealth Cisco VPNSC. 23

24 24 Chapter 2 Getting Started with ehealth Cisco VPNSC NOTE This guide assumes that you are already using Cisco VPNSC for IPsec, MPLS, or for both. For information about installing, configuring, and managing these products, refer to the Cisco Systems, Inc. documentation. 1. Install ehealth on a dedicated Solaris system. Refer to your ehealth Installation Guide. 2. Request an ehealth Cisco VPNSC license. Refer to License Request Information on page Complete the checklists in the following section. 4. Review the ehealth and Cisco VPNSC requirements on page 26 and the performance considerations on page Obtain user permissions to systems and services on the Cisco VPNSC system. Refer to Obtaining User Permissions for Services on page Start ehealth and license the integration module. Refer to Starting ehealth and Licensing ehealth Cisco VPNSC on page Run the ehealth Cisco VPNSC setup program. Refer to Setting up ehealth Cisco VPNSC on page Configure your Cisco VPNSC elements in ehealth. Refer to Chapter 3, Configuring Cisco VPNSC Elements in ehealth. Setup Checklists The setup checklists outline the information that you must provide when you run the integration module setup program. Make copies of these checklists and complete them with your system information. Prior to running the setup program, you can research the information for which the program will prompt you.

25 Before You Begin 25 Concord recommends that you save the completed checklists for future reference. You can refer to them each time you run the setup program and use them to provide Concord Technical Support with information if you require assistance. Cisco VPNSC System Checklist Use this checklist to record the information that you must provide for the CORBA name service and the Cisco VPNSC system settings. 1 2 Table 2. Cisco VPNSC System Checklist Description Your System Information The hostname or IP address of the system on which the CORBA name service is installed. NOTE: In most cases, this is the hostname of the Cisco VPNSC system. The port number that the CORBA server is using. Default: The default port number is Use this number unless it has already been allocated for use by another application. The hostname or IP address of the Cisco VPNSC system. Default: The default value should appear as the same value that you entered for the hostname or IP address of the CORBA name service system. The UNIX user name that ehealth uses to log in to the Cisco VPNSC system. Default: vpnadm The password for this user name. The user name that enables access to the Cisco VPNSC software. Default: admin The password for this user name.

26 26 Chapter 2 Getting Started with ehealth Cisco VPNSC ehealth System Checklist Use this checklist to record the information that you will provide for the polling interval and configuration extraction times on the ehealth system. Table 3. ehealth System Checklist Description Your System Information The ehealth polling interval in minutes. NOTE: Specify a polling interval that is approximately the same as the rate at which the Cisco VPNSC system collects data. Valid values (minutes): 15, 30, 45, 60, 75, 90, 105, or 120 Default: 60 minutes The maximum time (in minutes) to allow a configuration extraction to complete. Valid range: 1 to 1,440 minutes Default: 15 ehealth System Requirements This version of the ehealth Cisco VPNSC integration module supports Cisco VPNSC Releases 2.1 and 2.2 and is available with ehealth Release 5.6. NOTE This release of the integration module supports both Cisco VPNSC MPLS and Cisco VPNSC IPsec. ehealth Cisco VPNSC runs on Solaris systems only. Therefore, you must install ehealth Release 5.6 or later on a Solaris system to access the setup program for this version of the integration module. Install ehealth according to the instructions and requirements provided by your ehealth Installation Guide. The following sections describe additional installation and operational requirements for the ehealth system.

27 Before You Begin 27 ehealth Licenses You must add an ehealth Cisco VPNSC license for your ehealth system before you run the setup program for this integration module. For instructions, refer to Starting ehealth and Licensing ehealth Cisco VPNSC on page 32. When you create groups and grouplists for your response and router elements (as Chapter 3 describes), these appear in Service Level reports. This type of ehealth report requires a license for your ehealth system. For more information about additional ehealth reports that you can run to display your information, and for information about report licensing requirements, refer to the ehealth Reports Guide and your ehealth Installation Guide. 1 2 Telnet Access The ehealth system must have reliable Telnet access to the Cisco VPNSC system. ehealth uses Telnet to determine the version of Cisco VPNSC and to verify the settings that you specify when you run the setup program. Guidelines for Multiple ehealth Systems You can run ehealth Cisco VPNSC on several ehealth systems. However, every ehealth system extracts information from the same Cisco VPNSC system. If you do run the integration module on multiple ehealth systems, you must use the following guidelines: Do not run the nhvpnscsetup command (which launches the setup program) on multiple ehealth systems at the same time. Do not run the nhconfig command (which extracts configuration information from the VPNSC database) on multiple ehealth systems at the same time. Running either of these commands simultaneously could cause the commands to fail.

28 28 Chapter 2 Getting Started with ehealth Cisco VPNSC Synchronizing System Clocks Make sure that the system clocks on the ehealth systems and the Cisco VPNSC server are synchronized to within five minutes of each other. CORBA Interface Connection and Permissions for ehealth The Cisco VPNSC application server platform is CORBA. The CORBA-standard interfaces of Cisco VPNSC are Orbix application programming interfaces (APIs). NOTE Orbix is an application services product and a trademark of IONA Technologies. ehealth systems require reliable connections through the CORBA API of the Cisco VPNSC system, and ehealth Cisco VPNSC requires permissions to communicate with the Cisco VPNSC name services. The administrator of the Cisco VPNSC system must grant the following user permissions to all ehealth administrators who want to set up ehealth Cisco VPNSC or configure the Cisco VPNSC elements that reside in ehealth: User permissions to the DataSetServer and VpnInvServer systems on Cisco VPNSC User permissions to the CORBA name service For instructions, refer to Obtaining User Permissions for Services on page 29. Cisco VPNSC System Requirements Cisco VPNSC must reside on the same version of Solaris on which ehealth resides. (Concord recommends that you install each product on a separate system for optimal performance.) You must configure only one Cisco VPNSC system from which ehealth systems collect data.

29 Before You Begin 29 Cisco VPNSC Licenses You must install the following licenses on your Cisco VPNSC system to enable the integration: Cisco VPNSC API enabling license Cisco VPNSC MPLS GUI license For information about installing these licenses, refer to the Cisco Systems, Inc. documentation. 1 2 Cisco VPNSC Middleware You must ensure that the Orbix CORBA middleware (version 3.0.1) is installed. For information about the latest Patch version of Orbix that you must use for this version of Cisco VPNSC, refer to Cisco Systems, Inc. documentation. Time Zones Ensure that your ehealth and Cisco VPNSC systems use the same time zone. The VPNSC system must be set to the C locale (for global monitoring capabilities). Obtaining User Permissions for Services The Cisco VPNSC administrator must perform two procedures on the Cisco VPNSC system to enable user permissions for all ehealth administrators. As the ehealth administrator, you must do the following: Ensure that the Cisco VPNSC administrator configures Cisco VPNSC to allow connections to, and accept data from, the ehealth systems. Verify that all ehealth administrator user names on the ehealth and Cisco VPNSC systems are the same, and that both systems use a common user authentication mechanism.

30 30 Chapter 2 Getting Started with ehealth Cisco VPNSC Coordinate with the Cisco VPNSC administrator to obtain user permissions to the DataSetServer and VpnInvServer servers and to the Orbix CORBA name service on the Cisco VPNSC system. (These procedures are described in the following sections.) NOTE The following procedures assume that you are running ehealth Cisco VPNSC on multiple ehealth systems. The commands that the Cisco VPNSC administrator enters provide permissions for all ehealth administrators. If you do not want to grant permissions to all ehealth administrators, you can specify individual user IDs (instead of +all). Obtaining Permissions to DataSetServer and VpnInvServer To obtain permissions to the DataSetServer and VpnInvServer servers, the Cisco VPNSC administrator must perform the following procedure on the Cisco VPNSC system. To grant permissions to the Cisco VPNSC servers: 1. Log in to the VPNSC system as vpnadm. 2. Change to the VPNSC directory by entering the following command: cd /vpn 3. Source the permissions file by entering the following command: source vpnenv.csh

31 Before You Begin Enter the following commands, as needed: chmodit DataSetServer i+all chmodit VpnInvServer i+all chmodit DataSetServer l+all chmodit VpnInvServer l+all 1 2 If you have an Orbix admin account, you can use this account to grant permissions to the naming service. However, you are no longer required to use this account. You can use your VPN admin account to grant all permissions. Obtaining Permissions to the Orbix CORBA Name Service To obtain permissions to the Orbix CORBA name service, the Cisco VPNSC or Orbix administrator must perform the following procedure. To grant user permissions to the Orbix Corba name service: 1. Log in to the Orbix server by entering the following command on the Cisco VPNSC system: orbixadm NOTE NOTE If you do not have an Orbix Admin account, you can enter vpnadm. 2. Change to the Orbix3 directory by entering the following command: cd /Orbix3 3. Source the permissions file by entering the following command: source setenvs.csh 4. Enter the following commands for the name service: chmodit NS i+all chmodit NS l+all

32 32 Chapter 2 Getting Started with ehealth Cisco VPNSC As the ehealth administrator, make sure that the appropriate permissions have been granted and review the performance considerations in the following section before you license and set up ehealth Cisco VPNSC. ehealth Cisco VPNSC Performance Considerations When you run the ehealth Cisco VPNSC setup program, it does not install software on the Cisco VPNSC system. Therefore, you do not have to consider memory or disk space usage. However, when you use this integration module, it slightly increases network traffic between the following: Routers and the ehealth system, as a result of the SNMP polling activity associated with statistics collection The Cisco VPNSC and ehealth system, as a result of importing configuration data In addition, ehealth Cisco VPNSC extracts performance information from Cisco VPNSC through its CORBA API. The extraction process has a small impact on the Cisco VPNSC processing load for the following reasons: It occurs entirely through the CORBA interface. It typically runs only once per hour. It requires no computation. (It only extracts raw data.) Starting ehealth and Licensing ehealth Cisco VPNSC Before you run the ehealth Cisco VPNSC setup program, you must add an ehealth Cisco VPNSC license for your ehealth system. In addition, you must enter licenses for all ehealth products that you plan to use. For more information about adding other licenses, refer to the ehealth Installation Guide. The following sections describe how to start ehealth and license this integration module.

33 Starting ehealth and Licensing ehealth Cisco VPNSC 33 Starting ehealth Use the following procedure to start ehealth and open the console. To start ehealth: Log in to the ehealth system as the ehealth administrator. 2. Open a terminal window and change to the ehealth directory by entering the following command, where ehealth is the full pathname of that directory: cd ehealth 3. Optionally, use one of the commands listed in Table 4 to source the appropriate ehealth resource file to set your environment. Table 4. Sourcing the ehealth Resource File Shell Bourne C Korn Command. nethealthrc.sh source nethealthrc.csh. nethealthrc.ksh NOTE NOTE If you do not source the resource file, change to the $NH_HOME/bin directory, or specify the full pathname in your ehealth commands. 4. Enter the following command: ehealth The ehealth console appears on your screen.

34 34 Chapter 2 Getting Started with ehealth Cisco VPNSC Licensing ehealth Cisco VPNSC If you are starting ehealth and specifying license information for the first time, the Enter Licenses dialog box appears and prompts you for license information. If you have been using ehealth, you must access this dialog box to add the new ehealth Cisco VPNSC license. To access the Enter Licenses dialog box and add license information: 1. Select Setup Enter Licenses from the ehealth console. The Enter Licenses dialog box appears. 2. Click Add. The Add Licenses dialog box appears. 3. Enter your license information. NOTE NOTE For specific information about entering information in this dialog box, click Help. Setting up ehealth Cisco VPNSC After you add your ehealth Cisco VPNSC license information, ehealth does the following: Updates the console with the appropriate buttons and menu options Opens one or more polling status windows Opens the Discover dialog box For more information about the ehealth console, polling status windows, and the Discover dialog box, refer to the ehealth Administration Guide. ehealth provides an ehealth Cisco VPNSC setup program that you run on your ehealth system. This program allows you to specify the settings through which ehealth communicates with Cisco VPNSC. Before you run this program, as the ehealth administrator you must ensure that you have met the prerequisites outlined in the following section.

35 Setting up ehealth Cisco VPNSC 35 Prerequisites Before you run the setup program, verify that you have done the following: Installed ehealth on a dedicated Solaris system. For detailed information, refer to the instructions provided in the ehealth Installation Guide. Met the requirements outlined in ehealth System Requirements on page 26 and Cisco VPNSC System Requirements on page 28. Obtained all necessary user permissions, as described in Obtaining User Permissions for Services on page 29. Licensed this integration module as described in Licensing ehealth Cisco VPNSC on page 34. Completed the checklists provided in Setup Checklists on page Running the Setup Program The setup program presents a series of questions, validates your answers, and prompts you to supply a new answer if the one that you provided is invalid. When you run the setup program, default responses that are available for a particular question appear in brackets [ ]. You can press Return to accept the default response. You can exit the setup program at any time by entering q to quit. The first portion of the setup program prompts you for information about your CORBA settings and your Cisco VPNSC system settings. The second portion prompts you for information about your ehealth system settings. The first time that you run the setup program, make sure that you have completed copies of the checklists available. Refer to the information that you recorded to configure the Cisco VPNSC system and to configure the ehealth polling settings.

36 36 Chapter 2 Getting Started with ehealth Cisco VPNSC After you run the initial setup, you can run the setup program on additional ehealth systems. However, these systems will have to collect data from the same Cisco VPNSC system that you specify during the initial setup. To run the ehealth Cisco VPNSC setup program: 1. Log in to the ehealth system as the ehealth administrator. 2. Open a terminal window and change to the ehealth directory by entering the following command, where ehealth is the full pathname of that directory: cd ehealth 3. Optionally, use one of the commands listed in Table 4 on page 33 to source the appropriate ehealth resource file to set your environment. 4. Run the setup program by entering the following command: nhvpnscsetup The setup program menu appears and displays the following options: 1. Perform a complete setup 2. Modify CORBA settings 3. Modify Cisco VPN Solutions Center settings 4. Modify ehealth polling settings q. Quit 5. Enter 1 to run the complete setup. The program prompts you for information about the CORBA name service, the Cisco VPNSC system, and the ehealth system.

37 Setting up ehealth Cisco VPNSC Enter the required information at the appropriate prompts. Use the values that you recorded in the Cisco VPNSC System Checklist on page 25 and in the ehealth System Checklist on page 26. During the setup, the program displays various messages while it verifies the existence of Telnet access, user names and passwords, and the version of Cisco VPNSC. It also displays messages when portions of the program complete successfully. When the setup completes, it prompts you to restart the ehealth server to save the changes. 7. Enter y to restart the ehealth server and save your ehealth Cisco VPNSC integration module configuration. Note the pathname of the log file for the setup. ehealth Cisco VPNSC stores each setup session in a log file named /ehealth/log/install/installvpnscn.log. (The variable n represents a number that increments by one each time the setup runs.) This log file can be useful if you need to troubleshoot installation problems. 1 2 Modifying ehealth Cisco VPNSC Settings After you run the complete setup, you can run all or portions of the ehealth Cisco VPNSC setup program at any time to modify the following: CORBA settings Cisco VPNSC settings ehealth polling settings When you modify any of these settings, you must restart the ehealth server to save your changes. If you modify the setting for the ehealth polling interval, refer to the following section for information about this change.

38 38 Chapter 2 Getting Started with ehealth Cisco VPNSC Changing the ehealth Polling Interval If you change the ehealth polling interval, ehealth does not begin polling at the new interval until it has performed two additional polls. For example, assume you poll every 60 minutes as shown in Figure 2. You then change the polling interval to 45 minutes between the second and third polls (P2 and P3). ehealth polls two more times at the old (60-minute) interval (P3 and P4) before starting to poll at the new (45-minute) interval. 60 mins 60 mins 60 mins 45 mins P1 P2 P3 P4 P5 Change polling interval to 45 minutes Figure 2. Changing the ehealth Polling Interval Before you use ehealth Cisco VPNSC, you must configure your Cisco elements in ehealth as described in Chapter 3, Configuring Cisco VPNSC Elements in ehealth.

39 3 Configuring Cisco VPNSC Elements in ehealth Before You Begin This chapter describes how to obtain configuration information from the Cisco VPNSC database and how to configure Cisco VPNSC elements that reside in ehealth. Before you run the ehealth configuration process, make sure that you have done the following: Installed ehealth Release 5.6 or later on a Solaris system. Refer to your ehealth Installation Guide. Obtained user permissions to the Cisco VPNSC services. Refer to Obtaining User Permissions for Services on page 29. Licensed and set up ehealth Cisco VPNSC. Refer to Licensing ehealth Cisco VPNSC on page 34 and Setting up ehealth Cisco VPNSC on page

40 40 Chapter 3 Configuring Cisco VPNSC Elements in ehealth About the Configuration Process The ehealth configuration process extracts Cisco SA Agent and Cisco router configuration information from the Cisco VPNSC database and adds it to the ehealth poller configuration. After you license and set up ehealth Cisco VPNSC, you run the commands described in the following procedures so that ehealth can access this information through the Cisco VPNSC CORBA interface. The nhgetvpnscslaconfig command extracts configuration information for SA Agents, and the nhgetvpnscrouterconfig command extracts elements for routers on your managed network. Optionally, you can run variations of these commands to create groups and group lists for this information. (Refer to Grouping Elements on page 42.) You can also schedule the configuration process to update your poller configuration automatically. For instructions, refer to Scheduling the Configuration Process on page 50. Adding Configuration Information to ehealth Elements in the ehealth poller configuration represent the routers, objects, and other devices for which ehealth collects data. Use the following procedures to add SA Agent and router configuration information to ehealth. This information is stored in ehealth as element information. Adding SA Agent Information When you add SA Agent (response) configuration information to ehealth, it resides in the ehealth poller configuration and database as response element information. To add response element information: 1. Log in to the ehealth system as the ehealth administrator. 2. Open a terminal window and change to the ehealth directory by entering the following command, where ehealth is the full pathname of that directory. cd ehealth

41 Adding Configuration Information to ehealth Optionally, source the ehealth resource file that is appropriate for your shell environment using one of the commands in Table 4 on page Enter the following command and argument: nhconfig -dcicmd "nhgetvpnscslaconfig" Adding Router Information When you add router configuration information to ehealth, ehealth updates the poller configuration with information about CE, PE, and CPE router information and saves this information as elements in the ehealth database. For information about the ehealth elements that represent these routers, refer to Table 5 on page To add router element information: 1. Complete Steps 1 through 3 in the previous procedure to log in to the ehealth system, change to the ehealth directory, and optionally source the ehealth resource file. 2. Enter the following form of the nhconfig command: nhconfig -dcicmd "nhgetvpnscrouterconfig" Reconfiguring Response and Router Information It is important to update the ehealth database periodically to reflect changes that occur in the Cisco VPNSC database when SA Agent (response) and router information is added or reconfigured. To do so, you can run the commands described in the previous procedures periodically.

42 42 Chapter 3 Configuring Cisco VPNSC Elements in ehealth When you run these commands, the ehealth configuration process detects changes in the Cisco VPNSC database and updates the ehealth database and poller configuration. Optionally, you can schedule the configuration process to update your poller configuration automatically. For instructions, refer to Scheduling the Configuration Process on page 50. Grouping Elements You can organize your data according to the way in which you want ehealth to store it, and present it in reports. For example, you can create groups of elements of the same type and you can create group lists for certain group types. Before you group your elements, you need to understand the ehealth elements that represent the objects in your Cisco VPNSC-managed network. Table 5 lists these objects and elements. Table 5. ehealth Elements for Network Objects Cisco VPNSC-Managed Network Object CE router PE router CPE router CE router acting as a source router for an SA Agent PE router acting as a source router for an SA Agent SA Agent SA Agent acting as a target element ehealth Element Router/switch element with child interface elements Router/switch element with child interface elements Router/switch element with child interface elements Response source endpoint element Response source endpoint element Response path element Response destination endpoint element

43 Adding Configuration Information to ehealth 43 Group lists appear in Service Level reports. If you are running these reports, you can create domain and customer group lists as a means of displaying and comparing your data. For more information, refer to Creating Response Element Group Lists on page 44 and Creating Router Element Groups on page 46. For more conceptual information about ehealth elements, groups, and group lists, refer to the ehealth Administration Guide. The following sections describe variations of the nhconfig command that you can run to create groups and group lists for response and router elements. When you run these commands, ehealth Cisco VPNSC extracts elements from the Cisco VPNSC database. The ehealth configuration process then creates groups and group lists according to the values that you specify within the commands. Creating Response Element Groups To create groups for response elements: 1. Complete Steps 1 through 3 in the procedure To add response element information on page 40 to log in to the ehealth system, change to the ehealth directory, and optionally source the ehealth resource file. 2. To group response elements, enter the following command: 1 3 nhconfig -dcicmd "nhgetvpnscslaconfig -groupby grouptype" Enter one of the following values for grouptype: vpn - VPN name domain - Domain name region - Region name customer - Customer name protocol - Protocol name site - Customer site name tos - Type of service all - All group types

44 44 Chapter 3 Configuring Cisco VPNSC Elements in ehealth For example, when you enter the following command: nhconfig -dcicmd "nhgetvpnscslaconfig -groupby customer" ehealth Cisco VPNSC extracts response elements from the Cisco VPNSC database and automatically groups these elements by customer. Creating Response Element Group Lists Optionally, you can create two types of group lists for your response element groups; customer and domain. Customer group lists can contain VPN groups and site groups. Domain group lists can only contain region groups. When you create these group lists, ehealth displays them in Service Level reports. To create customer and domain group lists for your response element groups: 1. Log in to the ehealth system, change to the ehealth directory, and optionally source the ehealth resource file. 2. Create a customer group list for your response element groups by entering the following command: nhconfig -dcicmd "nhgetvpnscslaconfig -grouplistby customer" ehealth Cisco VPNSC extracts response elements from the Cisco VPNSC database and automatically creates groups of these elements by customer. ehealth then places the new groups in a response element group list named AllCustomers. 3. Create a domain group list for your response element groups by entering the following command: nhconfig -dcicmd "nhgetvpnscslaconfig -grouplistby domain" ehealth Cisco VPNSC extracts response elements from the Cisco VPNSC database and automatically creates groups of these elements by domain. ehealth then places the new groups in a response element group list named AllDomains.

45 Adding Configuration Information to ehealth Optionally, enter one or more of the following commands to create additional response group and response group list associations. To create customer group lists that contain VPN groups, enter the following command: nhconfig -dcicmd "nhgetvpnscslaconfig -groupby vpn -grouplistby customer" 1 3 ehealth Cisco VPNSC extracts response elements from the Cisco VPNSC database and automatically creates a group for each VPN element. It then creates a group list for each customer, and places each VPN group in the associated customer group list. To create customer group lists that contain site groups, enter the following command: nhconfig -dcicmd "nhgetvpnscslaconfig -groupby site -grouplistby customer ehealth Cisco VPNSC extracts response elements from the Cisco VPNSC database and automatically creates a group for each site element. It then creates a group list for each customer, and places each site group in the associated customer group list. Domain group lists can only contain region groups. To create these group lists, enter the following command: nhconfig -dcicmd "nhgetvpnscslaconfig -groupby region -grouplistby domain ehealth Cisco VPNSC extracts response elements from the Cisco VPNSC database and automatically creates a group for each region element. It then creates a group list for each domain and places each region group in the associated domain grouplist.

46 46 Chapter 3 Configuring Cisco VPNSC Elements in ehealth When you use the following command: nhconfig -dcicmd "nhgetvpnscslaconfig -groupby all -grouplistby all ehealth Cisco VPNSC extracts response elements from the Cisco VPNSC database and automatically creates groups for each VPN, domain, region, customer, protocol, site and tos. It then creates group lists for each domain and each customer element in the database. ehealth places each region group in the associated domain group list, and places each VPN and site group in the associated customer group list. Creating Router Element Groups Use the following procedure to create various group types. To create groups for router elements: 1. Log in to the ehealth system, change to the ehealth directory, and optionally source the ehealth resource file. 2. To group router elements, enter the following command: nhconfig -dcicmd "nhgetvpnscrouterconfig -groupby grouptype" Enter one of the following values for grouptype: vpn VPN name domain Domain name region Region name customer Customer name site Customer site name CEPE CE and PE router groups all All group types

47 Adding Configuration Information to ehealth 47 For example, when you enter the following command: nhconfig -dcicmd "nhgetvpnscrouterconfig -groupby region ehealth Cisco VPNSC extracts router elements from the Cisco VPNSC database and automatically groups these elements by region. Creating Router Element Group Lists Optionally, you can create two types of group lists for your router element groups; customer and domain. Customer group lists can contain VPN groups and site groups. Domain group lists can only contain region groups. When you create these group lists, ehealth displays them in Service Level reports. 1 3 To create customer and domain group lists for your router element groups: 1. Log in to the ehealth system, change to the ehealth directory, and optionally source the ehealth resource file. 2. Create a customer group list for your router element groups by entering the following command: nhconfig -dcicmd "nhgetvpnscrouterconfig -grouplistby customer" ehealth Cisco VPNSC extracts router elements from the Cisco VPNSC database and automatically creates groups of these elements by customer. ehealth then places the new groups in a router element group list named AllCustomers. 3. Create a domain group list for your router element groups by entering the following command: nhconfig -dcicmd "nhgetvpnscrouterconfig -grouplistby domain" ehealth Cisco VPNSC extracts router elements from the Cisco VPNSC database and automatically creates groups of these elements by domain. ehealth then places the new groups in a router element group list named AllDomains.

48 48 Chapter 3 Configuring Cisco VPNSC Elements in ehealth 4. Optionally, enter one or more of the following commands to create additional router group and router group list associations. To create customer group lists that contain VPN groups, enter the following command: nhconfig -dcicmd "nhgetvpnscrouterconfig -groupby vpn -grouplistby customer" ehealth Cisco VPNSC extracts router elements from the Cisco VPNSC database and automatically creates a group for each VPN element. It then creates a group list for each customer, and places each VPN group in the associated customer group list. To create customer group lists that contain site groups, enter the following command: nhconfig -dcicmd "nhgetvpnscrouterconfig -groupby site -grouplistby customer ehealth Cisco VPNSC extracts router elements from the Cisco VPNSC database and automatically creates a group for each site element. It then creates a group list for each customer, and places each site group in the associated customer group list. Domain group lists can only contain region groups. To create these group lists, enter the following command: nhconfig -dcicmd "nhgetvpnscrouterconfig -groupby region -grouplistby domain ehealth Cisco VPNSC extracts router elements from the Cisco VPNSC database and automatically creates a group for each region element. It then creates a group list for each domain, and places each region group in the associated domain grouplist.

49 Adding Configuration Information to ehealth 49 When you use the following command: nhconfig -dcicmd "nhgetvpnscrouterconfig -groupby all -grouplistby all ehealth Cisco VPNSC extracts router elements from the Cisco VPNSC database and automatically creates groups for each VPN, domain, region, customer, site, and CEPE. It then creates group lists for each domain and each customer element in the database. ehealth places each region group in the associated domain group list, and places each VPN and site group in the associated customer group list. 1 3 While running the nhconfig command, you can use the -dciout argument to create an element file to review information for each added element. For more information, refer to the ehealth Integration Guide. You can also specify the dcioutputfile from a previous run of the nhconfig command for the -dciin argument. This allows you to examine the output of a previous configuration extraction without having to repeat the extraction process. NOTE For complete information about the nhconfig command syntax and the configuration log, refer to the ehealth Administration Reference.

50 50 Chapter 3 Configuring Cisco VPNSC Elements in ehealth Scheduling the Configuration Process You can add a scheduled job to run the nhconfig command to regularly extract configuration information from Cisco VPNSC. The scheduled job updates your poller configuration automatically for changes in the managed network. Use the nhschedule command to create a new job type and to schedule the job. You must enter this command through the command line. You cannot use the ehealth Schedule Jobs dialog box to schedule the extraction of configuration information from the VPNSC. For complete information about the nhschedule command, refer to the ehealth Administration Reference. To create and schedule a VPNSC configuration job: 1. Log in to the ehealth system as the ehealth administrator. 2. In a terminal window, change to the ehealth directory. 3. Optionally, source the ehealth resource file that is appropriate for your shell environment using one of the commands in Table 4 on page Use the form of the nhschedule command that creates a new job type. For example, the following command creates a job type named VPNSC Config that uses 100 percent of the system resources. When it runs, the job executes the two commands, nhconfig -dcicmd nhgetvpnscslaconfig and nhconfig -dcicmd nhgetvpnscrouterconfig. nhschedule -definetype "VPN Solutions Center Config" \ -load 100 -cmd "nhconfig -dcicmd nhgetvpnscslaconfig" \ and "nhconfig -dcicmd nhgetvpnscrouterconfig"

51 Adding Configuration Information to ehealth Run the form of the nhschedule command that schedules the job. For example, the following command schedules the VPN Solutions Center Config job to extract configuration information each day at 12:30 A.M. and update the ehealth poller configuration. The command takes the name of the rules file as an argument. nhschedule -schedule "VPN Solutions Center Config" \ -time "12:30 AM" -daily yyyyyyy \ -args "-dcirule rulesfilename" 1 3 These nhschedule commands are examples. You should specify a time and frequency that correspond to the frequency with which changes are made to your network. For example, if your network configuration changes daily, schedule the configuration jobs to run daily. If you schedule several configuration jobs, make sure that there is enough time between jobs so that one is completed before the next one starts. For more details on the nhschedule command, refer to the ehealth Administration Reference.

52 52 Chapter 3 Configuring Cisco VPNSC Elements in ehealth Managing the Configuration Process As an alternative to using the ehealth Edit Groups dialog boxes to group elements, you can use rules files and data files to group, modify, or exclude elements during the configuration process. Before you can create rules files and data files, you need to understand the structure of element files. Table 6 provides information about these file types. Table 6. Element, Rules, and Data File Descriptions File Element file Rules file Data file Description An ASCII file that defines the configuration information for each element. When you run the nhconfig command with the -dciout dcioutputfile argument, nhconfig saves the element information in an element file. You can examine the contents of the element file to determine the rules to implement in a rules file. An element file is also known as a DCI file. An ASCII file that specifies criteria for selecting elements and what to do with the selected elements. For example, a rules file can specify a selection condition (elements that have the text trunk in their name) and an action (add the selected elements to the poller configuration). An ASCII file that specifies a list of elements. You can specify a data file as the selection condition in the rules file.

53 Element Files 53 Element Files An element file (also known as a DCI file) is an ASCII file that defines the configuration information for each element in comma-separated fields. You can create rules files that use these fields to filter elements, modify element information, and group elements during the configuration process. For example, you can create rules files that rename elements to more meaningful names. When the configuration process extracts the configuration information for Cisco response and router elements, ehealth creates temporary element files. The configuration process deletes these temporary element files after the element information is added to the poller configuration. The element file consists of element definitions. Each element definition contains several fields. For information about the fields used to define Cisco elements, refer to Router Element File Fields on page 62. The following sections describe the fields in response and router element files and show sample definitions for Cisco elements. 1 3 Response Element File Fields The response element files contain five description areas, each with their own fields that ehealth populates for each area: GlobalInfo Elements ElementGroups Associations Operations Table 7 lists the areas and fields for response element files.

54 54 Chapter 3 Configuring Cisco VPNSC Elements in ehealth Table 7. Response Element File Fields (Page 1 of 8) Areas Field Description GlobalInfo nmssource Specifies the name of the NMS source of this element. For an individual element, this value overrides the nmssource value specified in the GlobalInfo section of the DCI file. Elements objid Assigns a unique identifier to the object (element) in this file. ehealth uses the objid as an intersection reference. Each definition in the DCI file must begin with a unique object ID (without spaces). The objid value does not appear in the ehealth Poller Configuration dialog box. ehealth uses this value in this file only. name nmsid Specifies the name of the element. This is the name that appears in the list of elements. The element name cannot exceed 64 bytes. If the element name exceeds 64 bytes, ehealth rejects the entire DCI file. You can specify up to 32 double-byte or 64 single-byte characters using uppercase or lowercase letters (A - Z), numbers 0 through 9, dashes (-), periods (.), underscores (_), colons (:), slashes (/), and backslashes. Specifies a unique ID for an element; usually an NMS provides this ID. If the value includes spaces, you must enclose it in quotation marks (" "). This field accelerates ehealth processing. Supply a value for this field to give the element a unique identifier that is independent of its name. If you want to modify element attributes by using operations such as merge, you must specify an nmsid value and other attributes such as indexes. NOTE: You cannot use the merge operation to change this field.

55 Element Files 55 Table 7. Response Element File Fields (Page 2 of 8) Areas Field Description 1 Elements (continued) poll Indicates whether ehealth polls the element. Specify Yes (the default) to enable importing data for the element. Specify No to disable importing. NOTE: You cannot use the merge operation to change this field. 3 mibtranslationfile Specifies the name of the ehealth MTF for the element. The default is an empty string (" "). When you create a new element, set this field and the discovermtf field to the same MTF name. To determine if the configuration information for an element is imported, ehealth examines the MTF name in this field. The characters LPS must be part of the MTF name for an imported element. If you change an element s agent type in the poller configuration, the element s mibtranslationfile value changes, but its discovermtf value does not. ipaddr Specifies the Internet Protocol (IP) address of the element. The default is NOTE: You cannot modify this field on a child element; however, you can modify this field on a parent element to change its value on all associated children. iftype Specifies the type for an interface element. You can specify any text. This field is for display purposes only. The default is an empty string (" ").

56 56 Chapter 3 Configuring Cisco VPNSC Elements in ehealth Table 7. Response Element File Fields (Page 3 of 8) Areas Field Description Elements (continued) index1 index2 nmssource discovermtf nmsname protocolcfgsymbol Specifies values that help to create unique definitions for multiple elements on the same device. You can use the MIB index values to make elements easily identifiable in the DCI file or poller configuration. The value for index1 must be an integer. The default is 0. The value for index2 can be any string. The default is an empty string (" "). Specifies the name of the NMS source of this element. For an individual element, this value overrides the nmssource value specified in the GlobalInfo section of the DCI file. Specifies the name of the MTF that ehealth assigned when it discovered the element. This may not be the same MTF that ehealth uses to poll the element. This field is for ehealth internal use. When you create a new element, set the mibtranslationfile field and the discovermtf field to the same MTF name. If you change an element s agent type in the poller configuration, the element s mibtranslationfile value changes, but its discovermtf value does not change. Specifies the name of the element at the NMS. The default value is an empty string (" "). For ehealth Response elements, specifies the protocol used to measure response time between the two endpoints of a response path. NOTE: For defining new integration modules, you can only specify genericresponsepath (the default).

57 Element Files 57 Table 7. Response Element File Fields (Page 4 of 8) Areas Field Description 1 Elements (continued) devicespeedin Specifies the default incoming speed of a device in bits per second. To obtain the element s incoming speed from the NMS, specify a value for the devicespeedin field. This value appears as the default incoming speed for the element in the ehealth poller configuration. If you set an incoming override speed using the speedin field, ehealth uses the element s override speed instead of its default speed to calculate performance. The default leaves the devicespeedin value unchanged. 3 devicespeedout Specifies the default outgoing speed of a device in bits per second. To obtain the element s outgoing speed from the NMS, specify a value for this field. This value appears as the default outgoing speed for the element in the ehealth poller configuration. If you set an outgoing override speed using the speedout field, ehealth uses the element s override speed instead of its default speed to calculate performance. The default leaves the devicespeedout value unchanged. genericresponsecommunity Name of the Response Community genericresponseagentaddress IP address for the Response Agent genericresponsegoal Variable to set for the protocol ElementGroups objid Assigns a unique identifier to the object (element) in this file. ehealth uses the objid as an intersection reference. Each definition in the DCI file must begin with a unique object ID (without spaces). The objid value does not appear in the ehealth Poller Configuration dialog box. ehealth uses this value in this file only.

58 58 Chapter 3 Configuring Cisco VPNSC Elements in ehealth Table 7. Response Element File Fields (Page 5 of 8) Areas Field Description ElementGroups (continued) groupname elementobjid The name of the group. If it does not exist in ehealth, ehealth creates it. If the group already exists, ehealth adds the elements to the existing group. Specifies the object identifier of the element that you are adding to a group. This value must correspond to the element s object ID specified in the objid field of the Elements section. Associations objid Assigns a unique identifier to the object (element) in this file. ehealth uses the objid as an intersection reference. Each definition in the DCI file must begin with a unique object ID (without spaces). The objid value does not appear in the ehealth Poller Configuration dialog box. ehealth uses this value in this file only. originelemobjid destelemobjid Specifies the object ID of the element that you want to associate with another element. For example, in a parent-child relationship, you would specify the originelemobjid for a child element. The originelemobjid value must correspond to the element s object ID specified in the ObjId field of the Elements section. Specifies the object ID of the element with which you want to associate another element. For example, in a parent-child relationship, you would specify this field for a parent element. The destelemobjid value must correspond to the element s object ID specified in the objid field of the Elements section.

59 Element Files 59 Table 7. Response Element File Fields (Page 6 of 8) Areas Field Description 1 Associations (continued) assoctype Specifies the association (relationship) type: 0 - parentchild (the default) You can define parent-child relationships for the following ehealth element types: router or system CPUs, system partitions or disks, and remote access server (RAS) CPUs. 1 - responsesource The source relationship for ehealth elements associates a response path with a response source (the logical or physical source [client] of the transaction request). 2 - responsedestination The destination relationship for ehealth elements associates a response path with a response destination (logical or physical target [server] of the transaction request). 3 - datacollector The datacollector relationship for ehealth elements associates a response path with a response collector (response data source that ehealth Response uses to populate path elements). 4 - device The device relationship for ehealth exists for application service and response elements. This association relates an element such as an application service process set, system process set, or response endpoint (source or destination) to a device element such as a router, system, or probe. The device relationship enables these elements to share addressing information. It also allows you to drill down to device performance information from the specific element reports. 3

60 60 Chapter 3 Configuring Cisco VPNSC Elements in ehealth Table 7. Response Element File Fields (Page 7 of 8) Areas Field Description Associations (continued) assoctype (continued) 5 - copyof This field is for ehealth internal use. 6 - processset The processset relationship associates multiple processes that are running on the ehealth system with a single process set. 7 - sidea 8 - sidez The sidea and sidez relationship identifies the two endpoint elements associated with a common PVC element. Once this relationship is established, ehealth can poll and report on the PVC element. 9 - respclientset The respclientset relationship associates a response source with a client set resppathset The resppathset relationship associates a response path with a response destination for a particular application.

61 Element Files 61 Table 7. Response Element File Fields (Page 8 of 8) Areas Field Description Operations operator Specifies the operation to perform. It has one of the following values: add - Adds an individual object (element, calendar, group, association), specified by its OID, to the ehealth poller configuration. delete - Deletes an individual object specified by the OID from the ehealth poller configuration. modify - Modifies the attributes of an individual object, specified by objid1, with the non-blank fields specified for objid2. merge - Adds all objects (elements, groups, group contents, calendars, group lists, group list contents, and associations) specified in the DCI file to the ehealth poller configuration. mergewithdelete - Adds all objects (elements, groups, calendars, associations, or monitored subjects) specified in the DCI file to the ehealth poller configuration. It also disables polling for all elements that are not included in the DCI import file and whose NMS source value (nmssource) matches the nmssource value set in the GlobalInfo section. To use the mergewithdelete operation, you must specify an nmssource value in the GlobalInfo section. 1 3

62 62 Chapter 3 Configuring Cisco VPNSC Elements in ehealth Router Element File Fields The router element files contain six description areas, each with their own fields that ehealth populates for each area: GlobalInfo Elements Parents DiscoverAddrs DiscoverPorts Operations Table 8 lists the areas and fields for the Router element files. Table 8. Router Element File fields (Page 1 of 8) Area Field Description GlobalInfo nmssrc Name of the NMS being used host addrfile community findmib2 createnew mergesource commit modes Name of the host being used Location where the DCI file can be found SNMP community string name Yes or No Yes Equals interactive Yes Always router Elements objid Assigns a unique identifier to the object (element) in this file. ehealth uses the objid as an intersection reference. Each definition in the DCI file must begin with a unique object ID (without spaces). The objid value does not appear in the ehealth Poller Configuration dialog box. ehealth uses this value in this file only.

63 Element Files 63 Table 8. Router Element File fields (Page 2 of 8) Area Field Description Elements (continued) name Specifies the name of the element. This is the name that appears in the list of elements. The element name cannot exceed 64 bytes. If the element name exceeds 64 bytes, ehealth rejects the entire DCI file. You can specify up to 32 double-byte or 64 single-byte characters using uppercase and lowercase letters (A - Z), numbers 0 through 9, dashes (-), periods (.), underscores (_), colons (:), slashes (/), and backslashes. 1 3 poll sysdescription sysname ifdescription Indicates whether ehealth polls the element. Specify Yes (the default) to enable importing data for the element. Specify No to disable importing. NOTE: You cannot use the merge operation to change this field. Specifies system description information, enclosed in quotation marks (" "). The default is an empty string (" "). Specifies the system name information, enclosed in quotation marks (" "). The default is an empty string (" "). NOTE: You cannot modify this field on a child element; however, you can modify this field on a parent element to change its value on all associated children. Specifies the interface description, enclosed in quotation marks (" "). The default is an empty string (" ").

64 64 Chapter 3 Configuring Cisco VPNSC Elements in ehealth Table 8. Router Element File fields (Page 3 of 8) Area Field Description Elements (continued) speedin Specifies the incoming override speed of an interface element in bits per second. This field corresponds to the Override field in the Speed In area of the Modify Element dialog box. If the override speed has not been set in the Modify Element dialog box, this field is blank. To set or change the override speed for an element in the ehealth poller configuration, specify a value for this field. ehealth uses the element s override speed instead of its default (device) speed to calculate performance. To clear an element s incoming override speed, set speedin to -1. The default leaves the speedin value unchanged. speedout Specifies the outgoing override speed of an interface element in bits per second. This field corresponds to the Override field in the Speed Out area of the Modify Element dialog box. If the override speed has not been set in the Modify Element dialog box, this field is blank. To set or change the override speed for an element in the ehealth poller configuration, specify a value for this field. ehealth uses the element s override speed instead of its default (device) speed to calculate performance. To clear an element s outgoing override speed, set speedout to -1. The default leaves the speedout value unchanged.

65 Element Files 65 Table 8. Router Element File fields (Page 4 of 8) Area Field Description Elements (continued) mibtranslationfile Specifies the name of the ehealth MTF for the element. The default is an empty string (" "). When you create a new element, set this field and the discovermtf field to the same MTF name. To determine if the configuration information for an element is imported, ehealth examines the MTF name in this field. The characters -imp- must be part of the MTF name for an imported element. If you change an element s agent type in the poller configuration, the element s mibtranslationfile value changes, but its discovermtf value does not. 1 3 ipaddr readcommunity storeindb Specifies the Internet Protocol (IP) address of the element. The default is NOTE: You cannot modify this field on a child element; however, you can modify this field on a parent element to change its value on all associated children. This field maps to the readwritecommunity field. This field specifies the SNMP community string for read and write access. If you indicate a value in this field, ehealth ignores it. Specifies whether to save the individual data for this element. You typically use this field for router or system interfaces, or system process elements. Specify Yes (the default) to save detailed data for the element; otherwise, specify No. This field corresponds to the Record detail data (may use additional poller license) option in the Add Element, Modify Element, and Modify Elements dialog boxes.

66 66 Chapter 3 Configuring Cisco VPNSC Elements in ehealth Table 8. Router Element File fields (Page 5 of 8) Area Field Description Elements (continued) iftype Specifies the type for an interface element. You can specify any text. This field is for display purposes only. The default is an empty string (" "). uniquedevid index1 Specifies a value that identifies the hardware, such as its chassis ID or media access control (MAC) address. This field is equivalent to the Hardware ID field in the Modify Element dialog box. The default is an empty string (" "). The value for this field might not be the MAC address of the specified port. NOTE: You cannot modify this field on a child element; however, you can modify this field on a parent element to change its value on all associated children. Specifies values that help to create unique definitions for multiple elements on the same device. You can use the MIB index values to make elements easily identifiable in the DCI file or poller configuration. The value for index1 must be an integer. The default is 0.

67 Element Files 67 Table 8. Router Element File fields (Page 6 of 8) Area Field Description Elements (continued) possiblelatencysources This field is for ehealth internal use. It specifies whether the element supports alternate latency. This field applies only to devices that are polled using SNMP. The value for this field is a comma-separated list enclosed in quotation marks (" ") that contains one or both of the following values: "concord" (the default); "concord, ciscoping". By default, an element supports poller-to-device latency, which is latency between the element and the ehealth system. If the element supports device-to-partner latency, which is latency between itself and another device in your network, this field is set to concord, ciscoping. Do not change the value of this field to enable or disable the alternate latency source feature. Use the latencysource field to enable or disable the alternate latency source feature, and use the latencypartner field to specify the IP address of the latency partner. You can also set the values of these fields through the Poller Configuration dialog box. For more information about managing alternate latency, refer to the Network Health Administration Guide. 1 3

68 68 Chapter 3 Configuring Cisco VPNSC Elements in ehealth Table 8. Router Element File fields (Page 7 of 8) Area Field Description Elements (continued) enterpriseid Specifies the enterprise number that identifies the vendor of the SNMP agent running on the device to which the element belongs. The Internet Assigned Numbers Authority (IANA) maintains the enterprise numbers. You can obtain the latest list of enterprise numbers at the following address: ftp://ftp.isi.edu/in-notes/iana/assignments /enterprise-numbers NOTE: You cannot modify this field on a child element; however, you can modify this field on a parent element to change its value on all associated children. Also, you cannot use the merge operation to change this field. aggregateavailability argsrequired ifphysaddress Specifies whether you want to include an application process in availability calculations for a process set. This field corresponds to the Mandatory Process field in the New Process dialog box. Specifies whether you need to include arguments to uniquely identify a process. Specifies the physical address of an interface. This field is for ehealth internal use. Parents objid Assigns a unique identifier to the object (element) in this file. ehealth uses the objid as an intersection reference. Each definition in the DCI file must begin with a unique object ID (without spaces). The objid value does not appear in the ehealth Poller Configuration dialog box. ehealth uses this value in this file only. elementobjid Specifies the object identifier of the element that you are adding to a group. This value must correspond to the element s object ID specified in the objid field of the Elements section.

69 Element Files 69 Table 8. Router Element File fields (Page 8 of 8) Area Field Description 1 DiscoverAddrs addr Address used to discover this element Operations operator DCI operator (For more information, refer to operator in Table 7 on page 61.) DiscoverPorts port Port to discover 3 Element Definition Examples The following is an example of a response element definition file. (The header is omitted.) DS,,GlobalInfo, VPNSolutionCenter DE DS,,Elements, 1,Src-peso,,Src-peso,No,,,,,,,,,generic-respSrc.mtf,\ ,,,,,,0,Src-peso,,,,,,VPNSolutionCenter,,,,,\ Src-peso,,,,,,,,,,,, 2,Dest ,,,No,,,,,,,,,generic-respDest.mtf,\ ,,,,,,0, ,,,,,,VPNSolutionCenter,,,,,\ Dest ,,,,,,,,,,,, 3,peso icmp-slal,,1,Yes,,,,,,,,,\ vpnsc-imp-icmp-resppath.mft, ,,,,0,,0,icmp-1\,,,,,,vpnsolutioncenter,,,,vpnsc-icmp-resppath.mtf, \ peso icmp-slal,,,genericresponsepath,20,20,\,,,,,,,public, ,20 4,Dest ,,,No,,,,,,,,,generic-respDest.mtf,\ ,,,,,,0, ,,,,,,VPNSolutionCenter,,,,,\ Dest ,,,,,,,,,,,, DE DS,,Associations, a1,3,1,1 a2,3,1,3 a3,3,2,2 DE DS,,ElementGroups, g1,mygroup,1 g2,mygroup,2 g3,mygroup,3 g4,mygroup,4

70 70 Chapter 3 Configuring Cisco VPNSC Elements in ehealth DE DS,,Operations merge DE The following is an example of a router element definition file. (The header is omitted.) DS,,Elements 1-1,1on-3620-ce-d,,,Yes,, Cisco Internetwork Operating System \ Software IOS (tm) 3600 Software (C3620-JS-M), Version 12.0(7)T, \ RELEASE SOFTWARE (fc2)copyright (c) by Cisco Systems, \ Inc.Compiled Wed 08-Dec-99 09:34 by phanguye, \ 1on-3620-ce-d.nsm.cisco.com,, Core Router Stats,0.0.. \ cisco-rh-rtr.mtf, , public,,yes, Router, ,0,,,, \ concord,ciscoping,,,,,,,,,,,,,,,9,,,no,no,,,, \ 00:02:16:51:E2:C0, 1-3,1on-3620-ce-d-RH-Cpu-1,, \ 1on-3620-ce-d.nsm.cisco.com Cpu-0,Yes,, Cisco Internetwork \ Operating SystemSoftware IOS (tm) 3600 Software (C3620-JS-M), \ Version 12.0 (7)T, RELEASE SOFTWARE (fc2)copyright (c) by \ Cisco Systems, Inc.Compiles Wed 08-Dec-99 09:34 by phanguye, \ 1on-3620-ce-d.nsm.cisco.com,, Router CPU Stats,0,0,, \ cisco-rh-cpu.mtf, , public,,yes, Router PUR, ,1, \,,, concord,,,,,,,,,,,,,,,9,,,no,no,,,,, 1-5,1on-3620-ce-d-A1/0-RH-ATMPort-1,, 1on-3620-ce-d.nsm.cisco.com \ link ATM1/0,Yes,, Cisco Internetwork Operating System Software \ IOS (tm) 3600 Software (C3620-JS-M), Version 12.0(7)T, RELEASE \ Software (fc2)copyright (c) by Cisco Systems, Inc.Compiled \ Wed 08-Dec-99 09:34 by phanguye, 1on-3620-ce-d.nsm.cisco.com,, \ ATM1/0,0,0,,mib2-atm.mtf, , public,,no, ATM Port, \ ,1,,,, concord,ciscoping,,,,,,,,,,,, , , \,9,,,No,No,,,,, DE DS,,Parents, 1-1-1,1-1, ,1-3, ,1-5,1-1 DE DS,,DiscoverAddrs, DE

71 Element Files 71 DS,,DiscoverPorts, 161 DE DS,GlobalInfo VPNSolutionCenter, uknsm009,, \ /opt/nethealth/tmp/vpnscrouters.6617.dci,, public, No, Yes, \ interactive, Yes, router DE DS,,Operations, merge,,, DE 1 3 Sample Rules Files The following is an example of a rules file that would cause all CE routers to be ignored. name matches "CE.*": { exclude () ; } This example adds all elements with the IP subnet of to the group mysubnetgroup1 : ipaddr matches " " { setgroup("mysubnetgroup1"); } For more information about rules files, refer to the ehealth Integration Guide

72

73 4 Importing ehealth Cisco VPNSC Statistics This chapter describes the ways in which ehealth imports response statistics from the Cisco VPNSC database and performance statistics data for routers in your Cisco VPNSC-managed network. It also provides the following: Procedures to verify statistics data collection and to stop the import polling process Information about the ehealth reports that you can run to monitor the data that ehealth Cisco VPNSC collects Importing Statistics Data The Import Polling Status window on the ehealth console displays the number of records imported and the time of the next poll. When the configuration process completes, the ehealth import poller initializes and connects to Cisco VPNSC. SA Agents in your VPN collect response statistics data and store this information in the Cisco VPNSC database. The ehealth import poller obtains statistics from the Cisco VPNSC database for the response elements in your ehealth poller configuration. These statistics are added to the ehealth database as shown in Figure 3 on page

74 74 Chapter 4 Importing ehealth Cisco VPNSC Statistics ehealth Database ehealth System Importing Response Statistics Cisco VPNSC System Cisco VPNSC Database SA Agent Response Statistics Cisco Routers SA Agent Cisco Routers Figure 3. Importing Response Statistics Data

75 Importing Statistics Data 75 To gather the router performance statistics data that ehealth requires for reports, the statistics poller (SNMP poller) polls the routers in your VPN directly. ehealth Cisco VPNSC obtains performance statistics data for the router elements in your ehealth poller configuration. These statistics are then added to the ehealth database. Verifying Statistics Data Collection When you set up the ehealth Cisco VPNSC integration module, you specified the intervals by which ehealth automatically and continuously polls for data. To verify that ehealth Cisco VPNSC is collecting this data, use the following procedure. 1 4 To verify statistics data collection: 1. Log in to the ehealth system as the ehealth administrator. 2. Select Console Statistics Polling Status. The Statistics Polling Status dialog box appears. 3. Select Console Import Polling Status. The Import Polling Status dialog box appears. Verify that these dialog boxes are reporting the time for the next poll, and that good polls and imported records are being collected as indicated by green-colored bars. NOTE The Statistics Polling Status dialog box displays all elements available in the poller configuration, including good and bad elements, elements that are off (ports, CPU elements), and elements that are not applicable (RD and RS elements, and so on). It can take some time for the Polling Status dialog box to display good polls and imported records. The amount of time depends upon the polling interval values that you specified during the integration module set up. However, Cisco VPNSC collects data only once per hour regardless of the polling interval setting. Therefore, after VPN objects are defined by

76 76 Chapter 4 Importing ehealth Cisco VPNSC Statistics Cisco VPNSC, ehealth Cisco VPNSC requires at least one hour to report meaningful data. For more information about the Statistics Polling Status and Import Polling Status dialog boxes, refer to the ehealth Administration Guide. If ehealth does not import all of the data that you want to monitor, you can modify the import process settings. For more information, refer to Modifying Data Import on page 77. Stopping the Import Process You use the Poller Controls on the ehealth console to stop the data import process. When you stop the poller, you stop both the data import and SNMP polling processes on your ehealth system. You can stop the import process altogether for a period of time, or you can stop the import process for one or more elements. To stop the import process for a period of time: 1. Select Setup Poller Controls. The Poller Controls dialog box appears. 2. Select Off next to Poller. 3. Click OK or Apply. To stop importing data for one or more elements: 1. Select Setup Poller Configuration. The Poller Configuration dialog box appears. 2. In the Poller Configuration dialog box, select one or more elements for which you want to stop importing data. 3. Click Modify. The Modify Elements dialog box appears. 4. Do one of the following: If you selected one element, select Off under Poll and click OK. If you selected more than one element, select Off next to Change Poll To and click OK. 5. Click OK or Apply in the Poller Configuration dialog box.

77 Importing Statistics Data 77 For more information about using the Poller Controls or Poller Configuration dialog boxes, refer to the online Help or the ehealth Administration Guide. You cannot use the Poller Configuration dialog box while the import poller is running, or to change the import polling interval. To change this interval, you must run the ehealth Cisco VPNSC setup program and select the option to modify ehealth settings. (For instructions, refer to Modifying ehealth Cisco VPNSC Settings on page 37.) Modifying Data Import You can modify the settings for the import process if you find that ehealth is not importing all of the data that you want to monitor. To do so, access the setup program as described in Running the Setup Program on page 35 and specify new values for one or both of the following: The ehealth polling interval The maximum time to allow a data extraction to complete When you modify the polling interval, you should specify an interval that corresponds to the collection interval setting of the Cisco VPNSC system. For example, if Cisco VPNSC collects data once every hour, you should set the ehealth polling interval to one hour or more. However, if you specify a large value for the polling interval, the poller might not poll raw statistics files. 1 4 Modifying the Poller Configuration You can use the Poller Configuration dialog box to change the the speed and name of your Cisco response and router elements. If you change any other attributes, ehealth overwrites the changes the next time it imports configuration information. For more information, refer to the ehealth Administration Guide.

78 78 Chapter 4 Importing ehealth Cisco VPNSC Statistics Poller Configuration Changes. When the nhconfig command runs, either from the command line or as a scheduled job, it updates the poller configuration with information from the Cisco VPNSC database. If you make changes to the Poller Configuration or changes occur in the Cisco VPNSC database, note the following: If the information in the ehealth poller configuration does not match the information in the Cisco VPNSC database, the changes that you made in the Poller Configuration dialog box could be lost. If elements are deleted from the Cisco VPNSC database, you must delete those elements from ehealth using the Poller Configuration dialog box on the ehealth console. When you disable polling for a Cisco response or router element, ehealth will stop adding imported data for that element to the database. NOTE Do not change the agent type for Cisco response or router elements. Running ehealth Reports ehealth Cisco VPNSC enables you to run LAN/WAN reports on your Cisco router elements and Response and Router reports on the data that ehealth Cisco VPNSC collects. You must have the appropriate ehealth licenses to run reports on these elements. For licensing information, refer to the ehealth Installation Guide. For information about how to run these reports from the console or Web interface, refer to the ehealth Reports Guide and the ehealth Web Help.

79 Index A adding elements 41 C Cisco VPNSC administrator, granting permissions 29 licenses 29 middleware 29 network traffic 32 processing load 32 system requirements 28 time zones 29 commands nhconfig 41 nhschedule 50 nhvpnscsetup 36 configuring elements preparing to configure 40 running nhconfig command 40, 41 scheduling jobs 50 setting maximum extraction time 26 CORBA interface 28 D data files, definition 52 DataSetServer, granting permissions to 30 DCI file 53 disabling polling for an element 76 E ehealth changing polling interval 38 licenses 27 multiple systems 27 running reports 78 starting 32 system clocks 28 system requirements 26 time zones 29 user permissions 29 ehealth Cisco VPNSC licensing 33 running reports 78 setting up 34 element files about 53 definition 52 79

80 80 Index elements adding 41 configuring 41 disabling polling 76 grouping 42, 43, 46, 52 importing 41 modifying 43, 46 elements groups, creating 43 extraction process, setting maximum time 26 G gathering performance statistics 19 group lists customer 44, 47 domain 44, 47 response, creating 44 router, creating 47 grouping elements 42, 43, 46, 52 groups creating 43 response elements 43 router elements 46 types 43, 46 I import polling about 20 interval, changing 38 stopping 76 importing elements 41 statistics data 73 installing ehealth Cisco VPNSC 35 installvpnscn.log file 37 L License Request form 12 licenses Cisco VPNSC system 29 ehealth 27 request information 12 licensing ehealth Cisco VPNSC 33 log file, installvpnscn.log 37 M modifying elements 43, 46 N network traffic, impact on 32 nhconfig command about 41 scheduling 50 nhschedule command 50 O Orbix CORBA middleware 29 P performance considerations Cisco VPNSC 32 network traffic 32 performance statistics, gathering 19 poller configuration, managing 43, 46 Poller Controls dialog box 76 polling import 20 SNMP 20 polling interval, changing 38

81 Index 81 R reports, running 78 response adding information to ehealth 40 element groups, creating 43 group lists, creating 44 router adding information to ehealth 41 element groups, creating 46 group lists, creating 47 rules files, definition 52 S scheduling configuration jobs 50 setup program, running 35 SNMP polling 20 starting ehealth 32 statistics data collecting 75 importing 73 system requirements Cisco VPNSC 28 ehealth 26 T Telnet access 27 time zones 29 troubleshooting, log file 37 U user permissions, ehealth 29 V values, group types 43, 46 VpnInvServer, granting permissions to 30

82

83

84 CONTACT CONCORD COMMUNICATIONS AT: CONCORD COMMUNICATIONS, INC. NORTH AMERICA 600 NICKERSON ROAD MARLBORO, MASSACHUSETTS P F CONCORD COMMUNICATIONS EUROPE DELFTECHPARK XH DELFT THE NETHERLANDS P +31 (0) F +31 (0) CONCORD COMMUNICATIONS ASIA PACIFIC LEVEL 7, 53 WALKER STREET NORTH SYDNEY NSW 2060 AUSTRALIA P F FRANCE: +33 (0) GERMANY +49 (0) UK: JAPAN SINGAPORE: CONCORD.COM