ExtremeXOS Automation

Transcription

1 ExtremeXOS Automation Abstract: This paper will introduce the Extreme Networks automation framework. Extreme Networks has developed several product components to enable businesses to gain a competitive advantage by using automation tools to help run, administer, and maintain their critical network infrastructure while reducing staff and operational expense Extreme Networks, Inc. All rights reserved. Do not reproduce.

2 The Need for Automation Automation can enhance network deployments in critical ways that improve business capability and keep the network running smoothly while allowing management much more visibility into the health and wellness of the network a critical business asset today. Businesses, whether they are service providers, enterprises or any other type of organization, depend on their networks more every day. Automation can increase network uptime by automatically responding to and provisioning around events that occur in the network; this in turn can effectively create a more proactive network that can sense and respond to events in a completely dynamic manner. In addition, administrators can be much more heavily leveraged because they can enact many more significant changes quickly and with fewer errors. The Yankee Group has reported that human error caused 31 percent of North American enterprise network outages. Automation allows administrators to lower the humanmachine interaction levels to reduce mistakes often made during device configuration for deployment, or when making changes to the running network. This in turn can dramatically reduce the operational expense involved in running a network; administrators can do much more with less, and can do the work with fewer errors with the help of the automation framework. In addition, many capabilities that exist in networking equipment are not easily configured or used because they require administrators intervention to enable or disable advanced features. Automation can enable these advanced features in a simple and automated way, increasing the overall capabilities and sophistication of networks. Some of these methods are shown in this paper, such as iscsi auto provisioning based on traffic appearing on a port. Businesses benefit greatly from being able to understand what is happening in their network quickly and clearly by being able to see the network s status. Just like a weather report, CIOs and their network teams can use automation to gather key statistics about their network and the devices that run that network. This in turn can reduce remediation time for network outages and alert staff to issues before they become critical in nature. This keeps networks running and allows administrators to sleep at night. The benefits of automation from a business perspective are very clear and make a strong case for looking at automation as a competitive advantage. Technical Benefits of Automation Increased Network Awareness Through the use of automation it is possible for network engineering staff to increase network awareness. A primary area of deficiency in modern networks is direct knowledge of what exists on the wire. Through the use of Extreme Networks CLEAR-Flow, Command Line Interface (CLI) and dynamic scripting, ExtremeXOS API and dynamically loadable modules, network staff can increase the level of understanding about the network. This increased understanding can assist operators in issue resolution, risk mitigation and network control. With increased awareness also comes increased capability. Automated Responses to Common Issues Extreme Networks unique automation tools allow automated responses to common network issues. A primary example of this can be seen through the advanced use of CLEAR-Flow. Access control lists count, identify and classify traffic in real-time (e.g. utilizing hardware ASICs). CLEAR-Flow, through the use of regression analysis algorithms, can examine patterns and traffic behaviors. When a condition state becomes true, CLEAR-Flow can take automated action to mitigate, alert or react to the identified state. One example is the broadcast storm. On most networks this condition can bring services to a crawl or in some cases a complete halt. CLEAR-Flow allows for the dynamic classification of broadcast traffic and, through the use of regression analysis, measures the level of broadcast traffic within a broadcast domain. When the configured level reaches a threshold set within the rule, CLEAR-Flow takes the specified action. Such an action might be to send a syslog message to a receiver. This action could easily be modified to automatically apply Quality of Service, block and/or mirror, or any action allowed on the ExtremeXOS CLI. Rapid Remediation to Network Abuse In the case of a network that uses Server Message Block file sharing, a series of well-known User Datagram Protocol ports are used. Most commonly these are ports 135, 139 and 445. Through the previously discussed technologies you can identify and sample traffic state in near real time. At any given moment very high levels of SMB packets should not be observed on a user port, as this could easily be an infected endpoint device. Through increased automation awareness the network operator can differentiate between uplink and user ports. When an abnormal level of traffic is observed, this state can be automatically remediated. With Dynamic Scripting (e.g. Universal Port Profiles) Dynamic Access Control lists can be applied, Quality of Service profiles can be added and the port itself, in drastic cases, can be shut down. The traffic state can be remediated and services, other than the out-of-policy protocol, can continue to function Extreme Networks, Inc. All rights reserved. ExtremeXOS Automation 2

3 Automatic Provisioning and Protecting Critical Protocols Extreme Networks has developed a simple yet powerful approach to data center network convergence without compromising protection or performance guarantees. The iscsi feature consists of a dynamic policy that automatically identifies iscsi traffic on the network. Once identified, the switches prioritize the traffic and ensure that it is protected from other non-iscsi traffic on the network. The implementation of dynamic iscsi provisioning on the network switches is accomplished in two steps. The first step is to implement the policy at a network level by installing a global policy file on each switch in the network, which then uses CLEAR-Flow to identify iscsi traffic. The second step is to dynamically apply a group of parameters in an automated fashion at the port level once iscsi traffic is detected.. Many networks today rely on QoS alone to resolve congestion issues and prioritize different traffic types on a per port basis. Extreme Networks augments the benefits of QoS with its CLEAR-Flow engine to process iscsi traffic identified on the network. CLEAR-Flow is a feature which allows Extreme Networks switches to make forwarding decisions based on traffic type. Instead of simply looking at the source and destination of the traffic and forwarding it along the appropriate Layer 2 or Layer 3 path, CLEAR-Flow takes things a step further. It allows network administrators to specify certain types of traffic that require more attention. In this case the switch identifies traffic on source and destination TCP ports Once certain criteria for this traffic are met (100 iscsi frames per second), the switch immediately performs the following three actions: 1. Leverages QoS to assign the iscsi traffic to a high priority queue 2. Enables jumbo frames on the identified ports 3. Submits a log entry indicating that iscsi traffic has been identified and protected Once the iscsi traffic has been identified and prioritized it is protected against other types of traffic on the network, including broadcast storms and other traffic flow types that might compromise the performance of iscsi. This is made possible by placing all lower priority traffic into lower priority queues where they can be prioritized effectively under congested network conditions. In extreme situations, lower priority packets may be completely discarded in favor of iscsi traffic. This CLEAR-Flow enabled policy is configured as an access control list on the switch, which in this case permits all traffic and places iscsi traffic into a higher priority queue. control list, allowing hands-off administration. This allows for iscsi targets and initiators to be moved anywhere throughout the network infrastructure without the need for any further administration of the switch. This simple yet effective CLEAR-Flow policy provides powerful dynamic prioritization and protection for iscsi traffic on the network; further, the policy can be deployed across any number of connected devices where the traffic will be identified on all ports, including edge, uplink, and core. This ensures that the traffic is protected and prioritized along the entire path that the packets take through the network. Components of Extreme Networks Automation There are three main components of the Extreme Networks automation framework: CLI scripting, ExtremeXOS API, and ExtremeXOS Loadable Modules. Each of these components is powerful in its own right. We explain the different components and how they can be used. ExtremeXOS CLI Scripting CLI-based scripting allows you to create a list of commands that you can execute manually with a single command or automatically when a special event occurs. CLI-based scripting supports variables and functions, so you can write scripts that operate unmodified on multiple switches and in different environments. CLI-based scripting allows you to significantly automate switch management. Static Scripting Static scripting can be defined as user interaction required. For a static script to run, the operator will need to run at least one command (e.g. load script <script name>). Static scripting can have a series of inputs at launch or during run time. The $READ function, which allows for scripting questions, gives a script the ability to take input at the CLI during runtime. This allows in-depth scripting with interactive questions to enhance functionality. Dynamic Scripting Dynamic scripting enables automatic switch configuration in response to special events such as: User login and logoff Device connection to or disconnection from a port Time of day Event Management System event messages If the iscsi traffic were to stop at any time, the switch s CLEAR-Flow engine dynamically identifies that the traffic has completed, and removes the associated dynamic access 2010 Extreme Networks, Inc. All rights reserved. ExtremeXOS Automation 3

4 User Login and Logoff Triggers User login and logoff is achieved through the ExtremeXOS Network Login feature. The two types of user authentication triggers are labeled user-authenticate and userunauthenticated in the software. Profiles that respond to these triggers are called user-authenticate profiles or user-unauthenticated profiles. Typically, a user-authenticate profile is used to configure a port for a user and device that has just connected. Likewise, a user-unauthenticated profile is used to return the port to a default configuration after a user or device disconnects. Successful Network Login triggers the user-authenticate profile, and either an explicit logout, a session time-out, or a disconnect triggers the user-unauthenticated profile x Network Login 802.1x Network Login requires 802.1x client software on the device to be authenticated. At login, the user supplies a user name and password, which the switch passes to the RADIUS server for authentication. When the user passes authentication, the RADIUS server notifies the switch, and the user-authenticate profile is triggered. One advantage of 802.1x Network Login is that it can uniquely identify a user. A disadvantage is that not all client devices support 802.1x authentication. MAC-Based Network Login MAC-based Network Login requires no additional software, and it does not require any interaction with the user. When Network Login detects a device with a MAC address that is configured on the switch, the switch passes the MAC address and an optional password to the RADIUS server for authentication. When the device passes authentication, the RADIUS server notifies the switch, and the userauthenticate profile is triggered. One advantage of MAC-based Network Login is that it requires no special software. A disadvantage is that security is based on the MAC address of the client, so the network is more vulnerable to spoofing attacks. Device Connect or Disconnect Triggers Device triggers launch a profile when a device connects to or disconnects from a port. The two types of device triggers are labeled device-detect and device-undetect in the Network Login software. Profiles that respond to these triggers are called device-detect profiles or device-undetect profiles. Typically, a device-detect profile is used to configure a port for the device that has just connected. Likewise, a deviceundetect profile is used to return the port to a default configuration after a device disconnects. A variety of different devices can be connected to a port. When devices connect to the network, Extreme Networks Universal Port helps provide the right configuration at the port. Device triggers respond to the discovery protocols IEEE 802.1ab LLDP and ANSI/TIA-1057 LLDP-MED for Voice-over-IP (VoIP) phone extensions. A device-detect trigger occurs when an LLDP packet reaches a port that is assigned to a device-detect profile. A device-undetect trigger occurs when periodically transmitted LLDP packets are not received anymore. LLDP age-out occurs when a device has disconnected or an age-out time has been reached. LLDP must be enabled on ports that are configured for device-detect or device-undetect profiles. The combination of device triggers and LLDP enables the custom configuration of devices that connect to switch ports. For example, VoIP phones can send and receive information in addition to normal device identification information. The information sent through LLDP can be used to identify the maximum power draw of the device. The switch can then set the maximum allocated power for that port. There can only be one device-detect profile and one device-undetect profile per port. To distinguish between different connecting devices, you can use if-then-else statements in a profile along with detailed information provided through LLDP. Time-of-Day Based Triggers Time triggers launch a profile at a specific time of day or after a specified period of time. For example, you can use time triggers to launch profiles at the following times: Every 30 seconds One time after 20 minutes Three-hour intervals Midnight You might use a time trigger to launch a profile to disable guest VLAN access, shut down a wireless service, or power down a port after business hours. Time triggers enable profiles to perform timed backups for configurations, policies, statistics, and so forth. Events that need to happen on a regular basis or at a specific time can be incorporated into a time-of-day profile. A profile that uses a time trigger is called a time-of-day profile. Time-of-day profiles are not limited to non-persistence-capable CLI commands and can use any command in the ExtremeXOS CLI. Unlike the device-detect and user-authenticate triggers, time triggers do not have an equivalent function to the deviceundetect or user-unauthenticated triggers. If you need the ability to unconfigure changes made in a time-of-day profile, just create another time-of-day profile to make those changes Extreme Networks, Inc. All rights reserved. ExtremeXOS Automation 4

5 Event Management System Event-Message-Based Triggers Event Management System (EMS)-event triggers launch a profile when EMS produces a message that conforms to a predefined definition that is configured on the switch. Profiles that respond to EMS-event triggers are called EMS-event profiles. Typically, an EMS-event profile is used to change the switch configuration in response to a switch or network event. The EMS events that trigger Universal Port profiles are defined in EMS filters and can be specified in more detail with additional CLI commands. You can create EMS filters that specify events as follows: Component.subcomponent Component.condition Component.subcomponent.condition You can use the show log components command to display all the components and subcomponents for which you can filter events. If you specify a filter to take action on a component or subcomponent, any event related to that component triggers the profile. You can use the show log events all command to display all the conditions or events for which you can filter events. If you decide that you want to configure a profile to take action on an ACL policy change, you can add a filter for the ACL.Policy.Change event. Unlike the device-detect and user-authenticate triggers, EMS event triggers do not have an equivalent function to the device-undetect or user-unauthenticated triggers. If you need the ability to unconfigure changes made in an EMSevent profile, just create another static or dynamic profile to make those changes. ExtremeXOS API Extreme Networks XML APIs enable reliable and secure external device-to-device management communication. The API interface provides a mechanism to communicate with Extreme Networks switches using XML messages. Its standards-based SOAP/XML architecture makes it easy to integrate the network infrastructure with higher-level application and business software. The configuration and monitoring capabilities provided by the APIs let you create Service Oriented Architecture (SOA) solutions that bridge the gap between application and business logic with network configuration and events. You can further define an event that triggers a Universal Port profile by specifying an event severity level and text that must be present in an event message. When a specified event occurs, event information is passed to the Universal Port profile in the form of variables, which can be used to modify the switch configuration. EMS-triggered profiles allow you to configure responses for any EMS event listed in the show log components and show log events all commands. However, you must be careful to select the correct event and corresponding response for each profile. For example, if you attempt to create a Universal Port log target for a specific event (component.subcomponent.condition) and you accidentally specify a component (component), the profile is applied to all events related to that component. Using EMS-triggered profiles is similar to switch programming. They provide more control and therefore more opportunity for misconfiguration Extreme Networks, Inc. All rights reserved. ExtremeXOS Automation 5

6 Client Machine ExtremeXOS Switch XML API Client SOAP Interface Telnet/SSH HTTP/HTTPS CLI Master Web Server SOAP Interface XML Server (XMLD) Switch Modules Figure 1 The XML server (XMLD) shown in Figure 1 above is responsible for providing a gateway between the external interface and the switch modules. It enforces security; wraps, unwraps and validates messages; and performs the mechanical translations of results from the modules to the client machine. The XML APIs use the SOAP protocol over telnet/ssh or HTTP/HTTPS to exchange XML configuration messages between the client machine and the ExtremeXOS switch modules. By describing the XML API in WSDL and the interface through SOAP, developers can leverage existing public WSDL tools. For example, Apache Axis, Perl SOAP::Lite modules or Microsoft C# can be used to generate code automatically to build management applications. WSDL documents describe the Web services used. A WSDL binding describes how the service is bound to a messaging protocol, particularly the SOAP messaging protocol. A WSDL SOAP binding can be either a Remote Procedure Call (RPC) style binding or a document-style binding. A SOAP binding can also have an encoded use or a literal use. These style/use models are RPC/encoded, RPC/literal, document/ encoded, and document/literal. There is one additional pattern called the document/literal wrapped pattern. WSDLs for ExtremeXOS XML APIs use the document/literal and the document/literal wrapped pattern models. ExtremeXOS Loadable Modules ExtremeXOS has been designed from the ground up as an extensible operating system. This architecture is arranged in a manner that allows for third-party modules (e.g. applications) to be securely run within a predefined user space. A loadable module consists of a series of functions or add-ons that extend the capability of ExtremeXOS. An example is the Extreme Networks loadable Secure Shell module. This function, as well as any other extensible Loadable Module (XLM or XMOD) can be added to ExtremeXOS without the need for a system reboot. The co-developed Avaya Converted Network Analyzer (CNA) module is another example of the power that lies within the XLM architecture. This module loads onto a switch no system reboot required and feeds jitter and latency information at the switch level to Avaya CNA collector systems. Extreme Networks is also currently in development, in conjunction with several universities and other educational institutions, on the Openflow XLM. This module will directly interface with ExtremeXOS to allow Openflow controllers access to management and routing decisions. Automation Use Case Examples In the following section we show some examples of automation s use in today s networks. The power of automation becomes much clearer as you see real-world examples of how to use this technology. Power Over Ethernet Administrative Control In this case we will examine changing the behavior of a switch to add administrative control and additional security layers. Through dynamic scripting, Extreme Networks, in partnership with the customer (deployed in production today) was able to automatically identify Power over Ethernet Servicing. This examination occurs dynamically when an Ethernet port becomes active or changes state to inactive Extreme Networks, Inc. All rights reserved. ExtremeXOS Automation 6

7 Through this series of functions the customer is able to deny access on specific ports to devices that do not ask for Power over Ethernet. As a device comes active on a link, the switch dynamically examines the Power over Ethernet state. If power is not being supplied, the port is administratively disabled and a message is sent to network operations staff. This configuration is primarily for administrative control but does add another layer of security to the network. Although no security solution is perfect, this is an example of how to build in security as well as increase network awareness. create upm profile port_disable set var cli.out show inline-power stat port $EVENT.LOG_PARAM_0 set var poe_state $TCL(split ${CLI.OUT}) This field is for your first uplink port set var uplink_1 1 This field is for your second uplink port set var uplink_2 3 set var poe_control $TCL(regexp -nocase {searching} $poe_state) if (($poe_control!= 0) && ($EVENT.LOG_PARAM_0!= $uplink_1) && ($EVENT.LOG_PARAM_0!= $uplink_2)) then create log entry non_poe_port_activity_detected_$event.log_param_0 disable port $EVENT.LOG_PARAM_0 endif. create upm profile port_recover set var cli.out show inline-power stat port $EVENT.LOG_PARAM_0 set var poe_state $TCL(split ${CLI.OUT}) This field is for your first uplink port set var uplink_1 1 This field is for your second uplink port set var uplink_2 3 set var poe_control $TCL(regexp -nocase {delivering} $poe_state) if (($poe_control!= 0) && ($EVENT.LOG_PARAM_0!= $uplink_1) && ($EVENT.LOG_PARAM_0!= $uplink_2) create log entry POE_PORT_Activity_DETECTED_Enabling_$EVENT.LOG_PARAM_0 enable port $EVENT.LOG_PARAM_0 endif. create log filter poe_control create log filter poe_recover configure log filter poe_control add event vlan.msgs.portlinkstateup configure log filter poe_recover add event POE.port_delivering create log target upm port_disable create log target upm port_recover enable log target upm port_disable enable log target upm port_recover configure log target upm port_disable filter poe_control configure log target upm port_recover filter poe_recover enable log target upm port_disable enable log target upm port_recover enable upm profile port_disable enable upm profile port_recover 2010 Extreme Networks, Inc. All rights reserved. ExtremeXOS Automation 7

8 Extreme Networks etoggle iphone Application Through the use of the Extreme Networks switch-based API, an iphone application was developed. This software serves as an example of how the API can be used to increase control and simplify actions taken for network configuration. etoggle, the Extreme Networks iphone application for conference rooms, allows you to easily enable and disable ports on your Extreme Networks Ethernet switches, making public conference rooms more secure. You can set a personal identification number (PIN) to prevent unauthorized access to the application. The etoggle (version 1.0) source code is freely available to use as a template for creating your own iphone apps to control and monitor Extreme Networks Ethernet switches. NOTE This application only works with Ethernet switches from Extreme Networks. ExtremeXOS CLEAR-Flow Based iscsi Provisioning In this example using CLEAR-Flow and ExtremeXOS dynamic scripting, an iscsi policy was created with powerful dynamic prioritization and protection for iscsi traffic. This policy can be deployed across any number of connected devices and iscsi traffic will be identified on all ports, including edge, uplink, and core. This ensures that iscsi traffic is protected and prioritized along the entire path the packets take through the network. The results of deploying this dynamic policy are dramatic. During testing in Extreme Networks labs, a 10 Gigabit Ethernet link was completely saturated with traffic from a traffic generator. This provided a 100% congested link. When iscsi traffic was started without the dynamic policy, throughput was severely impeded and performance was dramatically degraded on the iscsi target, achieving less than 1% of its potential IOPS. Once the dynamic policy was deployed on the devices connecting the congested link, the iscsi IOPS achieved performance levels as if there were no other traffic on the link. IXIA Traffic Generator iscsi Targets iscsi Initiator Figure 2 iscsi Targets Summit X650 10G Switch (A) Congested Link Summit X650 10G Switch (B) Extreme Networks, Inc. All rights reserved. ExtremeXOS Automation 8

9 ExtremeXOS Loadable Module (XLM or XMOD) You can add functionality to your switch by installing modular software packages. Modular software packages are contained in files named with the file extension.xmod, while the core images use the file extension.xos. Modular software packages are built at the same time as core images and are designed to work in concert with the core image, so the version number of a modular software package must match the version number of the core image that it will be running with. For example, the modular software package for Secure Shell: (SSH) named as follows: bd10k ssh.xmod Can run only with the core image named: bd10k xos You can install a modular software package on the active partition or on the inactive partition. You would install on the active partition if you want to add the package functionality to the currently running core image without having to reboot the switch. You would install on the inactive partition if you want to have the functionality available after a switch reboot. Conclusion In this paper we described the components of Extreme Networks automation framework, how those components can be used, and demonstrated some realworld examples of applying this framework to enable businesses to increase their competitive advantage with their network. Open Standards, References, and Resources Extreme Networks References and Links Self Paced Extreme Networks Scripting Basics Self Paced Extreme Networks Scripting Advanced Implementing InSite SDK in C# Extreme Networks Concepts Guide for ExtremeXOS version ExtremeXOSConceptsGuideSoftwareVersion12_4_rev1.zip External Links Note These links do not represent the opinions of Extreme Networks nor are they the property of Extreme Networks. Use at your own risk. W3C Schools online tutorials (e.g. XML, SOAP, CSS, SQL) The XML Standards body Microsoft Visual C# MSDN perl.org for PERL Sun Java Documents Corporate and North America Extreme Networks, Inc Monroe Street Santa Clara, CA USA Phone Europe, Middle East, Africa and South America Phone Asia Pacific Phone Japan Phone Extreme Networks, Inc. All rights reserved. Extreme Networks, the Extreme Networks Logo, etoggle, ExtremeXOS and Summit are either registered trademarks or trademarks of Extreme Networks, Inc. in the United States and/or other countries. Apple, the Apple logo and iphone are trademarks of Apple Inc. All other trademarks or service marks are the property of their respective owners. Specifications are subject to change without notice. 1696_01 07/10