Q. What are Cisco® Configuration Assurance Solution (CAS) and Cisco Configuration Assurance Solution-Service Provider (CAS-SP)?
A. Cisco CAS and Cisco CAS-SP are vital software tools for improving network availability as well as application and service continuity for enterprises and network service providers, respectively. Cisco CAS and Cisco CAS-SP automatically perform regular, systematic audits of the production IP network configuration to diagnose device misconfigurations, policy violations, inefficiencies, and security gaps. They use a high-fidelity software model of the network infrastructure, accurately simulating the behavior of routers, switches, and protocols, to enable a broad scope of analyses.
Cisco CAS-SP incorporates the same functionality as Cisco CAS and extends support to encompass service provider protocols and technologies, including Multiprotocol Label Switching (MPLS) and Intermediate System-to-Intermediate System (IS-IS).
Q. What types of users will benefit from Cisco CAS and Cisco CAS-SP?
A. Cisco CAS is suitable for any medium-sized or large enterprise that operates an IP-based network to support critical business applications. Cisco CAS-SP is suitable for network service providers that operate IP and IP/MPLS-based networks. They provide operational decision support to network operations and engineering staff responsible for ensuring the integrity and security of the production IP network. Cisco CAS and Cisco CAS-SP are unique in their ability to quickly and systematically analyze the configuration of the entire IP network from the level of the individual devices to the level of network-wide operations and to predict the ability of the network to maintain integrity and security under failure conditions.
Q. Are Cisco CAS and Cisco CAS-SP combinations of integrated software applications?
A. Yes. Cisco CAS and Cisco CAS-SP each comprises three components: the Audit and Analysis engine that actually builds the high-fidelity network model, performs analysis, and provides visualization and reporting; the Cisco Virtual Network Data Server (VNDS) that automatically maintains a detailed data model of the production network to enable the creation of this network model; and an integrated Web-based Cisco Report Server. The Cisco Report Server is a central repository for documents, charts, tables, and images. The optional Cisco CAS-Flow Analysis Module (CAS-FAM) for both Cisco CAS and Cisco CAS-SP enables simulation-based analyses. Cisco CAS-SP provides additional support for MPLS, IS-IS, IPv6, and Cisco IOS® Software XR-based devices such as Cisco 12000 XR and Cisco CRS-1.
Q. What role do Cisco CAS and Cisco CAS-SP play in the Cisco Proactive Automation of Change Execution (PACE) solution?
A. Cisco PACE combines products and services that accelerate operational success by helping IT organizations securely automate and control network changes and configurations. Cisco CAS and Cisco CAS-SP enable network configuration and topology baselining, providing vital information for change management. Cisco CAS and Cisco CAS-SP also assess and test for network security compliance and enforcement as well as perform post-deployment, network-aware configuration audit and analysis. For more information about Cisco PACE, please visit http://www.cisco.com/go/pace.
Q. Do Cisco CAS and Cisco CAS-SP perform policy checks against the source configuration file?
A. Yes. Cisco CAS and Cisco CAS-SP perform template checking against the source configuration file. Cisco CAS and Cisco CAS-SP are unique because they also perform checks of the detailed configuration instantiated in the high-fidelity software model. This enables analysis of connectivity- and protocol-related issues to detect problems related to routing and addressing. With the optional Cisco CAS-Flow Analysis Module, Cisco CAS and Cisco CAS-SP also perform simulation-based configuration audits. For example, you can determine whether application flows would be affected by node, link, or resource group failures.
Q. What technologies and protocols do Cisco CAS and Cisco CAS-SP support?
A. The high-fidelity network model in Cisco CAS supports hundreds of technologies and protocols. The following is a partial list, featuring primary examples:
• Interior Gateway Routing Protocol (IGRP), Enhanced IGRP (EIGRP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Routing Information Protocol (RIP), RIP Next Generation (RIPng).
• Ethernet, Gigabit Ethernet, Spanning Tree Protocol, Token Ring, SONET, Fiber Distributed Data Interface (FDDI), VLAN, and more.
• IPv4, IP Multicast, Internetwork Packet Exchange (IPX), Hot Standby Router Protocol (HSRP).
• Quality of service (QoS): committed access rate (CAR)/Policing; Custom Queuing; Distributed Weighted Fair Queuing (DWFQ); Class-Based Weighted Fair Queuing (CBWFQ); Deficit Weighted Round Robin (DWRR); Modified Deficit Round Robin (MDRR); Modified Weighted Round Robin (MWRR); First-In, First-Out (FIFO); Low Latency Queuing (LLQ) with Rate Limit; Marking; Priority Queuing; Random Early Detection (RED); and Weighted RED (WRED).
• Voice over IP (VoIP), HTTP, FTP, Telnet, e-mail, video, others.
In addition to the preceding, Cisco CAS-SP provides support for MPLS, IS-IS, and IPv6.
Q. Is Cisco IOS XR supported by Cisco CAS or Cisco CAS-SP?
A. Cisco IOS XR (including Cisco 12000 XR and Cisco Carrier Routing System 1 devices) is supported only in Cisco CAS-SP.
Q. What kinds of configuration rules are provided with Cisco CAS and Cisco CAS-SP?
A. Cisco CAS and Cisco CAS-SP include more than 450 configurable rules that address the following:
• Network security
• Authentication, authorization, and accounting (AAA)
• Device administration (for example, blocking specified incoming services), Simple Network Management Protocol (SNMP), system logging
• IGRP, EIGRP, OSPF, BGP, RIP
• IP Multicast, HSRP, remote source-route bridging (RSRB), IP Security (IPsec), IPX, data-link switching (DLSw), tunnel interfaces
• IP addressing and routing, route maps, access control lists (ACLs)
• MPLS, IS-IS, and IPv6 (supported through Cisco CAS-SP).
Q. What is the typical workflow when using Cisco CAS or Cisco CAS-SP?
A. Users configure Cisco CAS or Cisco CAS-SP to support their local configuration management practices. The following represents a high-level description of a possible scenario for a daily configuration audit. There may also be a weekly or monthly process that differs in terms of the scope of the target networks, the analyses to be performed, and so on, depending on the user's operational characteristics and practices.
• Create a daily baseline network model: Cisco CAS or Cisco CAS-SP Audit and Analysis can be scheduled to import updated network data from Cisco VNDS to create a daily baseline model of the production network. The network model may comprise the entire network or a subset based on groups defined in Cisco VNDS by the system administrator (for example, "core" and "access"). This may depend on local operating parameters and practices, such as the scope of daily changes (for example, "branch" devices may be reconfigured less frequently than "core" devices and are consequently not subject to a daily audit process).
• Perform configuration audit: Cisco CAS or Cisco CAS-SP is configured to perform a series of analyses after the network model has been created. The objective of many of these is to identify configuration problems. However, some are produced for reference purposes. For example, if a failure occurs in the network, it is useful to refer to a previously executed failure study to quickly assess the potential impact.
• Publish results and notify users: Cisco CAS or Cisco CAS-SP is configured to automatically publish the results of its analyses to the integrated Web-based Cisco Report Server. Users can check the daily audit results to identify issues requiring attention. Optionally, users can be notified about critical errors through e-mail or pager.
• Repeat the workflow: In some cases, such as environments with a high rate of unplanned changes, the audit process may be repeated one or more times prior to the beginning of that night's change window. Alternatively, the user may have configured Cisco CAS or Cisco CAS-SP to perform a series of audits of different network views over the course of the day for more granular management and reporting.
Q. Are Cisco CAS and Cisco CAS-SP customizable?
A. Yes, Cisco CAS and Cisco CAS-SP are customizable in several respects:
• The rules that compose the extensive portfolio of standard checks are provided in source code. Existing rules can be modified, and new rules can be developed, with the integrated authoring environment.
• The scope of an audit is defined by the user in terms of target devices and analyses, as well as frequency.
• The appearance of output reports can be customized with style sheets.
Q. Are Cisco CAS and Cisco CAS-SP priced according to the number of supported nodes?
A. Cisco CAS-SP is priced/licensed per instance; a single instance can support up to 5000 nodes.
Cisco CAS is priced in various node increments, starting with a base configuration of 50 managed nodes (without Cisco VNDS) or 100 nodes (includes Cisco VNDS). A base configuration of 100 nodes that includes Cisco VNDS can be upgraded with the addition of 300, 500, 1000, 2500, or 5000 nodes. A single instance of Cisco CAS can support up to 5100 nodes. Multiple-node upgrades can be combined on a single instance of Cisco CAS, as long as the maximum number of supported nodes is not exceeded.
Q. Are Cisco CAS and Cisco CAS-SP based on solutions from OPNET Technologies?
A. Yes, Cisco CAS and Cisco CAS-SP are based on OPNET applications to provide comprehensive network operations support.
Cisco VNDS and Cisco Report Server
Q. Is the Cisco VNDS installed with Cisco CAS functionally different from the one that is provided with Cisco CAS-SP?
A. No, there are no functional differences between the Cisco VNDS installed with Cisco CAS and Cisco CAS-SP.
Q. Is the Cisco VNDS installed with Cisco CAS or Cisco CAS-SP functionally different from the one that can be purchased as a standalone product for use with Cisco Network Planning Solution (NPS) or Cisco Network Planning Solution-Service Provider (NPS-SP)?
A. No, there are no functional differences between the Cisco VNDS installed with Cisco CAS and Cisco CAS-SP and the one that can be purchased as a standalone product for use with Cisco NPS or Cisco NPS-SP.
Q. Why would a user implement multiple instances of Cisco VNDS with a single instance of Cisco CAS or Cisco CAS-SP?
A. Depending on operational considerations such as network size, network operations center (NOC) location, and frequency of data update, a user might decide to implement multiple instances of the Cisco VNDS to improve performance, reachability, and scalability.
Q. Can a single instance of Cisco VNDS support Cisco CAS or Cisco CAS-SP and also support Cisco NPS or Cisco NPS-SP?
A. Yes, a single instance of Cisco VNDS can support multiple clients.
Q. Is the Cisco Report Server installed with Cisco CAS and Cisco CAS-SP functionally different?
A. No, there are no functional differences between the Cisco Report Server installed with Cisco CAS and Cisco CAS-SP.
Product Integrations
Q. With what other Cisco products do Cisco CAS and Cisco CAS-SP integrate?
A. Cisco VNDS obtains network data automatically through Telnet or Secure Shell (SSH) Protocol and SNMP from Cisco routers (running Cisco IOS Software), Cisco CRS-1 Carrier Routing System devices, Cisco Catalyst® switches (with Catalyst OS, Cisco IOS Software), and the Cisco PIX Security Appliance (with Cisco PIX OS). Data can be imported from CiscoWorks LAN Management Solution (LMS), including CiscoWorks Resource Manager Essentials and CiscoWorks Campus Manager, or CiscoWorks Network Compliance Manager for supported devices. Traffic data can be imported from Cisco CNS NetFlow Collection Engine.
Cisco VNDS can be configured to integrate with CiscoWorks Resource Manager Essentials, CiscoWorks Network Compliance Manager, or Cisco Info Center to obtain real-time awareness of network events that may indicate a configuration change and automatically update the data for the affected devices.
For topology and configuration information, the Cisco VNDS automatically reconciles conflicting or overlapping data based on user-configurable priorities.
Q. Do Cisco CAS and Cisco CAS-SP provide multiple-vendor device support? How does support for these differ from support for Cisco devices?
A. Through Cisco VNDS, Cisco CAS and Cisco CAS-SP support Check Point, Extreme, Foundry, Juniper, Nokia, Nortel, and Riverstone devices. In every case, support is more robust for Cisco devices. That is, the scope of supported configuration commands and device attributes is significantly broader for Cisco devices.
Installation and Implementation
Q. Does installation require multiple platforms?
A. Yes. As noted previously, Cisco CAS and Cisco CAS-SP contain an Audit and Analysis engine and Cisco VNDS, as well as Cisco Report Server, each on separate installation CDs. The Audit and Analysis engine and also a library of technology, protocol, and device models are typically implemented on a single server. The Cisco VNDS is generally implemented on a dual-processor platform with the prerequisite database environment.
Q. Can the Cisco VNDS and prerequisite Oracle data systems be implemented on separate platforms?
A. Yes, these components can be implemented on separate platforms. However, it is highly recommended that they be installed on the same dual-processor server. If they are implemented on separate platforms, then these should feature a fast (approximately 800 MHz) front-side bus (FSB) and be connected through a high-speed link (not over a WAN) that is unimpeded by a firewall. Implementing the database at a location remote from the Cisco VNDS is not supported.
Q. Can other network-management applications be implemented on any of the platforms for Cisco CAS or Cisco CAS-SP?
A. The Cisco VNDS and the Audit and Analysis engine are both memory- and computation-intensive when performing scheduled operations (for example, updating the daily configuration baseline, or performing an audit). Consequently, it is not advisable to implement them on the same platform with another application. The Cisco Report Server can be implemented on a server with other intranet applications.
Q. What Web browsers does the Web-based Cisco Report Server support?
A. The Web-based Cisco Report Server supports Microsoft Internet Explorer Version 6 and Mozilla Firefox.
Q. How are Cisco CAS and Cisco CAS-SP licensed?
A. All the components of Cisco CAS or Cisco CAS-SP obtain a license from a license server at the time of startup. It is recommended that a license server be implemented for each component of Cisco CAS or Cisco CAS-SP and on the same platform to help ensure high availability.
Q. Is a separate license required for the optional Cisco CAS-Flow Analysis Module for Cisco CAS and Cisco CAS-SP?
A. Yes. Installation requires a separate license for the optional Cisco CAS-FAM, as well as a license for the underlying Cisco CAS or Cisco CAS-SP.
Q. What skill level is required to implement and use Cisco CAS or Cisco CAS-SP?
A. There are two types of users of Cisco CAS or Cisco CAS-SP: administrators who configure its operation and users who are "consumers" of its analyses. Configuring its operation, and interpreting and responding to its results, requires a basic working understanding of the network technologies, protocols, and devices, and of the configuration commands and variables, that are to be analyzed in Cisco CAS. In addition, the administrator will need to learn how to configure the solution components.
Q. How much time and effort is required to implement Cisco CAS or Cisco CAS-SP? Are professional services required for implementation?
A. The Cisco VNDS component of Cisco CAS and Cisco CAS-SP is integrated with the production network and management environment and requires thoughtful planning, some assessment and configuration of target data sources to enable integration, custom configuration of the Cisco VNDS, and subsequent validation of the end-to-end workflow. Troubleshooting is often required to resolve unanticipated issues that result from target devices or network-management platforms not being configured properly, device credentials being inaccurate, source data being unreliable, and so on.
Configuring the Audit and Analysis engine requires a working understanding of the organization's operating objectives for Cisco CAS/Cisco CAS-SP and current network-management practices. For example, the scope and frequency of various audits must be defined and reflected in the setup (for example, audit core devices daily and branch devices weekly). The configuration of the Audit and Analysis engine is menu driven and relatively straightforward.
Cisco CAS and Cisco CAS-SP require professional services to accelerate solution deployment. Engagements vary depending on the scope and complexity of the target network and data sources but are typically two to four weeks long. These services are priced, contracted, and delivered separately.
For more information about Cisco Configuration Assurance Solution and Cisco Configuration Assurance Solution-Service Provider, visit http://www.cisco.com/en/US/products/ps6364/index.html, contact your local account representative, or send an e-mail to the product marketing group at netwrk-ap-mktg@cisco.com.