
Cisco Configuration Assurance Solution

Cisco Configuration Assurance Solution Version 1.0

Q&A

OVERVIEW

Q. What is Cisco® Configuration Assurance Solution (CAS)?
A. Cisco CAS is a vital software tool for improving network availability as well as application and service continuity. Cisco CAS automatically performs regular, systematic audits of the production IP network configuration to diagnose device misconfigurations, policy violations, inefficiencies, and security gaps. It uses a high-fidelity software model of the IT infrastructure, accurately simulating the behavior of routers, switches, and protocols, to enable a broad scope of analyses.
Q. What types of users will benefit from Cisco CAS?
A. Cisco CAS is suitable for any medium-sized or large enterprise that operates an IP-based network to support critical business applications. It provides operational decision support to network operations and engineering staff responsible for ensuring the integrity and security of the production IP network. Cisco CAS is unique in its ability to quickly and systematically analyze the configuration of the entire IP network from the level of the individual devices to the level of networkwide operations, and to predict the ability of the network to maintain integrity and security under failure conditions.
Q. Is Cisco CAS suitable for service provider networks?
A. Cisco CAS 1.0 does not incorporate support for service provider-centric technologies such as Multiprotocol Label Switching (MPLS) or Intermediate System-to-Intermediate System (IS-IS). Additionally, networks that have a large number of internal Border Gateway Protocol (I-BGP) speakers, like those of network service providers, are considered to be service provider class, and are not supported by Cisco CAS 1.0.
Q. Is Cisco CAS a combination of integrated software applications?
A. Yes. Cisco CAS comprises three components: a Virtual Network Data Server that collects configuration, topology, and traffic information and enables the creation of a high-fidelity network model; the Audit and Analysis engine that builds that model, performs the analyses, and provides visualization and reporting; and an integrated Web-based Report Server. The Report Server is a central repository for documents, charts, tables, and images.
Q. Does Cisco CAS perform policy checks against the source configuration file?
A. Yes. Cisco CAS performs template checking against the source configuration file. Cisco CAS is unique because it also performs checks of the detailed configuration instantiated in the high-fidelity software model. This enables analysis of connectivity and protocols-related issues. Cisco CAS also performs simulation-based configuration audits. For example, you can determine if application flows would be affected by node, link, or resource group failures.
Q. What technologies and protocols does Cisco CAS support?
A. The high-fidelity network model in Cisco CAS supports hundreds of technologies and protocols. The following is a partial list, featuring primary examples:

• Interior Gateway Routing Protocol (IGRP), Enhanced IGRP (EIGRP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Routing Information Protocol (RIP), RIP Next Generation (RIPng)

• Ethernet, Gigabit Ethernet, Spanning Tree Protocol, Token Ring, SONET, Fiber Distributed Data Interface (FDDI), VLAN, and more

• IPv4, IP Multicast, Internetwork Packet Exchange (IPX), Hot Standby Router Protocol (HSRP)

• QoS: committed access rate (CAR)/policing; Custom Queuing; Distributed Weighted Fair Queuing (DWFQ); Class-Based Weighted Fair Queuing (CBWFQ); Deficit Weighted Round Robin (DWRR); Modified Deficit Round Robin (MDRR); Modified Weighted Round Robin (MWRR); First-In, First-Out (FIFO); Low Latency Queuing (LLQ) with Rate Limit; Marking; Priority Queuing; Random Early Detection (RED); and Weighted RED (WRED)

• Voice over IP (VoIP), HTTP, FTP, Telnet, e-mail, video, others

Q. What kinds of configuration rules are provided with Cisco CAS?
A. Cisco CAS includes more than 400 configurable rules that address the following:

• Authentication, authorization, and accounting (AAA)

• Device administration (for example, blocking specified incoming services), Simple Network Management Protocol (SNMP), system logging

• IGRP, EIGRP, OSPF, BGP, RIP

• IP Multicast, HSRP, remote source-route bridging (RSRB), IP Security (IPSec), IPX, Data-Link Switching (DLSw), tunnel interfaces

• IP addressing and routing, Route Maps, access control lists (ACLs)

• Cisco PIX® Security Appliance, Network Address Translation (NAT), TACACS+, RADIUS, Kerberos Protocol, other security rules

• Quality of service (QoS)

• VLANs, VoIP

• Spanning Tree Protocol, link aggregation

• Others
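The template checks described above (rules applied to the source configuration file, supplied as source code so they can be edited or extended) can be illustrated with a small rule engine. This is an added example written for this page, not Cisco CAS code or its rule syntax; the configuration text, rule names and severities are constructed, and the parser handles only the IOS-style layout of top-level commands with space-indented sub-commands.

```python
"""Added example: a minimal template-style policy audit over an IOS-style
configuration text. Rules are plain Python functions so they can be modified
or new ones added, in the spirit of the source-provided rules described above.
Not Cisco CAS code; rule names, severities and the sample config are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


# Constructed sample configuration (not taken from the page or any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
no aaa new-model
snmp-server community public RO
snmp-server community s3cret-RW RW
logging 10.0.0.5
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 transport input telnet ssh
!
"""


def parse_config(text):
    """Split IOS-style text into top-level commands and their indented sub-blocks."""
    lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # skip blank lines and comment separators
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            lines.append(current)
            blocks[current] = []
    return lines, blocks


# Each rule receives the parsed config and returns a list of findings.
def rule_aaa(lines, blocks):
    if "aaa new-model" not in lines:
        return [Finding("aaa-new-model", "high", "AAA is not enabled (no 'aaa new-model')")]
    return []


def rule_snmp(lines, blocks):
    out = []
    for line in lines:
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)", line)
        if not m:
            continue
        name, mode = m.groups()
        if name.lower() in {"public", "private"}:
            out.append(Finding("snmp-default-community", "high", f"default community '{name}'"))
        if mode == "RW":
            out.append(Finding("snmp-rw-community", "medium", f"read-write community '{name}'"))
    return out


def rule_logging(lines, blocks):
    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", l) for l in lines):
        return [Finding("syslog-host", "medium", "no remote syslog host configured")]
    return []


def rule_vty_transport(lines, blocks):
    out = []
    for top, sub in blocks.items():
        if not top.startswith("line vty"):
            continue
        for cmd in sub:
            if cmd.startswith("transport input") and "telnet" in cmd.split():
                out.append(Finding("vty-telnet", "high", f"{top}: '{cmd}' permits Telnet"))
    return out


RULES = [rule_aaa, rule_snmp, rule_logging, rule_vty_transport]


def audit(text, rules=RULES):
    """Run every rule over one configuration file and collect the findings."""
    lines, blocks = parse_config(text)
    findings = []
    for rule in rules:
        findings.extend(rule(lines, blocks))
    return findings


def report(findings):
    """Render findings as plain text, one per line, for a report page."""
    return "\n".join(f"[{f.severity:6}] {f.rule}: {f.detail}" for f in findings) or "no findings"


if __name__ == "__main__":
    print(report(audit(SAMPLE_CONFIG)))
```

Each rule is independent of the others, so adding a check for another category in the list above (an ACL, HSRP or NAT rule) means writing one more function and appending it to `RULES`; the sample configuration trips the AAA, SNMP and VTY rules and passes the syslog rule.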

Q. What is the typical workflow when using Cisco CAS?
A. Users configure Cisco CAS to support their local configuration management practices. The following represents a high-level description of a possible scenario for a daily configuration audit. There may also be a weekly or monthly process that differs in terms of the scope of the target network(s), the analyses to be performed, etc., depending on the user's operational characteristics and practices.

Create a daily baseline network model: Cisco CAS Audit and Analysis is scheduled to import the updated network data from the Virtual Network Data Server to create a daily baseline model of the production network. The network model may comprise the entire network, or a subset based on groups defined in the Virtual Network Data Server by the system administrator (for example, "core" and "access"). This may depend on local operating parameters and practices, such as the scope of daily changes (for example, "branch" devices may be reconfigured less frequently than "core" devices and are consequently not subject to a daily audit process).

Perform configuration audit: Cisco CAS is configured to perform a series of analyses after the network model has been created. The objective of many of these is to identify configuration problems. However, some are produced for reference purposes. For example, if a failure occurs in the network, it is useful to refer to a previously executed failure study to quickly assess the potential impact.

Publish results and notify users: Cisco CAS is configured to automatically publish the results of its analyses to the integrated Web-based Report Server. Users can check the daily audit results to identify issues requiring attention. Optionally, users can be notified about critical errors through e-mail or pager.

Repeat the workflow: In some cases, such as environments with a high rate of unplanned changes, the audit process may be repeated one or more times prior to the beginning of that night's change window. Alternatively, the user may have configured Cisco CAS to perform a series of audits of different network views over the course of the day, for more granular management and reporting.
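The simulation-based audit mentioned in the overview (determining whether application flows would be affected by node, link, or resource group failures) and the failure study referenced in the audit step above both come down to a reachability question over the modelled topology. The following is an added example, not Cisco CAS code: it uses a constructed topology of named devices and links, a constructed list of application flows, and a simple path-exists test, whereas the product's model simulates the actual routing protocols.

```python
"""Added example: a failure study over a constructed topology. For each single
node failure, single link failure, and resource-group failure, report which
application flows lose connectivity. Not Cisco CAS code; the product's model
simulates routing protocol behaviour, this example only tests for a surviving path."""
from collections import deque

# Constructed topology: undirected links between device names (not from the page).
LINKS = [
    ("core1", "core2"),
    ("core1", "dist1"),
    ("core2", "dist1"),
    ("core2", "dist2"),
    ("dist1", "access1"),
    ("dist2", "access2"),
    ("dist1", "dc-sw"),
    ("core2", "dc-sw"),
]

# Constructed application flows to protect: (name, source device, destination device).
FLOWS = [
    ("erp", "access1", "dc-sw"),
    ("voip", "access2", "dc-sw"),
]


def build_adjacency(links, failed_nodes=(), failed_links=()):
    """Adjacency sets for the topology with the failed nodes and links removed."""
    failed_nodes = set(failed_nodes)
    failed_links = {frozenset(link) for link in failed_links}
    adj = {}
    for a, b in links:
        if a in failed_nodes or b in failed_nodes or frozenset((a, b)) in failed_links:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, src, dst):
    """Breadth-first search: is there any surviving path from src to dst?"""
    if src == dst:
        return True
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        for nb in adj.get(node, ()):
            if nb == dst:
                return True
            if nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return False


def affected_flows(links, flows, failed_nodes=(), failed_links=()):
    """Names of flows whose endpoint failed or that have no remaining path."""
    adj = build_adjacency(links, failed_nodes, failed_links)
    return [name for name, src, dst in flows
            if src in failed_nodes or dst in failed_nodes or not reachable(adj, src, dst)]


def failure_study(links, flows, resource_groups=None):
    """Fail each node, each link and each resource group once; keep only the
    failures that affect at least one flow, keyed by (kind, name)."""
    results = {}
    nodes = sorted({n for link in links for n in link})
    for node in nodes:
        results[("node", node)] = affected_flows(links, flows, failed_nodes=[node])
    for link in links:
        results[("link", "-".join(link))] = affected_flows(links, flows, failed_links=[link])
    for gname, members in (resource_groups or {}).items():
        results[("group", gname)] = affected_flows(links, flows, failed_nodes=members)
    return {key: val for key, val in results.items() if val}


if __name__ == "__main__":
    # Constructed resource group: both core routers failing together (for example, one power feed).
    for (kind, name), flows in failure_study(LINKS, FLOWS, {"core": ["core1", "core2"]}).items():
        print(f"{kind:5} {name:15} affects: {', '.join(flows)}")
```

Run against the constructed topology, the study shows that the `voip` flow depends on a single path through `dist2` and `core2`, while `erp` survives any single core failure; that is the kind of reference result the audit step keeps on hand so that the impact of a real failure can be read off rather than worked out under pressure.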

Q. Is Cisco CAS customizable?
A. Yes, Cisco CAS is customizable in several respects:

• The rules that comprise its extensive portfolio of standard checks are provided in source code. They can be modified or new rules developed with the integrated authoring environment.

• The scope of an audit is defined by the user in terms of target devices and analyses, as well as frequency.

• The appearance of output reports can be customized with style sheets.

Q. Is Cisco CAS based on solutions from OPNET Technologies?
A. Yes, Cisco CAS is based on OPNET applications to provide comprehensive network operations support.

PRODUCT INTEGRATIONS

Q. With what other Cisco products does Cisco CAS integrate?
A. Cisco CAS Virtual Network Data Server obtains network data automatically through Telnet or Secure Shell (SSH) Protocol and SNMP from Cisco routers (running Cisco IOS® Software), Cisco Catalyst® switches (with Catalyst OS, Cisco IOS Software), and the Cisco PIX Security Appliance (with Cisco PIX OS). Data can be imported from CiscoWorks LAN Management Solution for supported devices (including Resource Manager Essentials and Campus Manager). Topology data can be imported from Cisco Network Connectivity Center. Traffic data can be imported from Cisco NetFlow FlowCollector.
The Virtual Network Data Server can be configured to integrate with Cisco Info Center to obtain real-time awareness of network events that may indicate a configuration change, and automatically update its data for the affected devices.
For topology and configuration information, the Virtual Network Data Server automatically reconciles conflicting or overlapping data based on user-configurable priorities.
Q. Does Cisco CAS provide multiple-vendor device support? How does support for these differ from support for Cisco devices?
A. Cisco CAS supports Check Point, Extreme, Foundry, Juniper, Nokia, and Nortel devices. In every case, support is more robust for Cisco devices. That is, the scope of supported configuration commands and device attributes is significantly broader for Cisco solutions.

INSTALLATION AND IMPLEMENTATION

Q. Does installation require multiple platforms?
A. Yes. As noted previously, Cisco CAS contains an Audit and Analysis engine, Virtual Network Data Server, as well as a Report Server, each on separate installation CDs. The Audit and Analysis engine as well as a library of technology, protocol, and device models are typically implemented on a single server. The Virtual Network Data Server is generally implemented on a dual-processor platform with the prerequisite database environment.
Q. Can the Virtual Network Data Server and prerequisite Oracle data systems be implemented on separate platforms?
A. Yes, these components can be implemented on separate platforms. However, the platforms should feature a fast FSB (~800 MHz) and be connected through a high-speed link (not over a WAN) that is unimpeded by a firewall. Implementing the database at a site remote from the Virtual Network Data Server is not supported.
Q. Can other network-management applications be implemented on any of the platforms for Cisco CAS?
A. The Virtual Network Data Server and Audit and Analysis engine are each quite memory- and compute-intensive when performing scheduled operations (for example, updating the daily configuration baseline, or performing an audit). Consequently it is not advisable to implement them on the same platform with another application. The Report Server can be implemented on a server with other intranet applications.
Q. What Web browsers does the Web-based Report Server support?
A. The Web-based Report Server supports Microsoft Internet Explorer Version 6.
Q. What are the various licensing options?
A. All the components of Cisco CAS obtain a license from a License Server at the time of startup. It is recommended that a License Server be implemented for each component of Cisco CAS and on the same platform, to help ensure high availability.
Q. What skill level is required to implement and use Cisco CAS?
A. There are two types of Cisco CAS users: administrators who configure its operation, and users who are "consumers" of its analyses. To configure its operation and to interpret and respond to its results, a basic working understanding is required of the network technologies, protocols, and devices, and of the configuration commands and variables that are to be analyzed in Cisco CAS. In addition, the administrator will need to learn how to configure the solution components.
Q. How much time and effort is required to implement Cisco CAS? Are professional services required for implementation?
A. The Virtual Network Data Server component of Cisco CAS is integrated with the production network and management environment, and requires thoughtful planning, some assessment and configuration of target data sources to enable integration, custom configuration of the Virtual Network Data Server, and subsequent validation of the end-to-end workflow. Troubleshooting is often required to resolve unanticipated issues that result from target devices or network-management platforms not being configured properly, device credentials being inaccurate, source data being unreliable, etc.
Configuring the Audit and Analysis engine requires a working understanding of the organization's operating objectives for Cisco CAS as well as its current network-management practices. For example, the scope and frequency of the various audits must be defined and reflected in the setup (for example, audit core devices daily and branch devices weekly). The configuration of the Audit and Analysis engine is menu-driven and relatively straightforward.
Cisco CAS requires professional services to accelerate solution deployment. Engagements vary depending on the scope and complexity of the target network and data sources, but are typically two to four weeks long. These services are priced, contracted, and delivered separately.

For more information about the Cisco Configuration Assurance Solution, visit http://www.cisco.com/en/US/products/ps6364/index.html or contact your local account representative or netwrk-ap-mktg@cisco.com.

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA, www.cisco.com, Tel: 408 526-4000 / 800 553-NETS (6387), Fax: 408 526-4100
European Headquarters: Cisco Systems International BV, Haarlerbergpark, Haarlerbergweg 13-19, 1101 CH Amsterdam, The Netherlands, www-europe.cisco.com, Tel: 31 0 20 357 1000, Fax: 31 0 20 357 1100
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA, www.cisco.com, Tel: 408 526-7660, Fax: 408 527-0883
Asia Pacific Headquarters: Cisco Systems, Inc., 168 Robinson Road, #28-01 Capital Tower, Singapore 068912, www.cisco.com, Tel: +65 6317 7777, Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Argentina · Australia · Austria · Belgium · Brazil · Bulgaria · Canada · Chile · China PRC · Colombia · Costa Rica · Croatia · Cyprus · Czech Republic · Denmark · Dubai, UAE · Finland · France · Germany · Greece · Hong Kong SAR · Hungary · India · Indonesia · Ireland · Israel · Italy · Japan · Korea · Luxembourg · Malaysia · Mexico · The Netherlands · New Zealand · Norway · Peru · Philippines · Poland · Portugal · Puerto Rico · Romania · Russia · Saudi Arabia · Scotland · Singapore · Slovakia · Slovenia · South Africa · Spain · Sweden · Switzerland · Taiwan · Thailand · Turkey · Ukraine · United Kingdom · United States · Venezuela · Vietnam · Zimbabwe

Copyright © 2005 Cisco Systems, Inc. All rights reserved.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
(0502R)   205314.BJ_ETMG_LF_6.05   Printed in the USA