Introduction

This chapter provides general information on operations and maintenance. It is assumed that all of the components of this solution have been correctly installed, configured, and provisioned, and that a basic solution network is in service.

For an overview of the topics in each chapter, refer to Document Organization, page Document Organization.

Operation and Maintenance Tasks
Using IP Solution Center Version 3.0 for Operations and Maintenance
Using Cisco IOS Software for Operations and Maintenance

Note This guide is meant to provide a high-level view only, and does not attempt to cover all the features and details of the related applications. Always rely on the standard documentation for those applications for the details of installing, using, and troubleshooting. Links to the latest documentation are provided in the appropriate chapters of this guide. While this document has tried to be as current as possible, the documentation for applications is subject to revision. Information is subject to reorganization, section headings are subject to renaming, and hyperlinks are subject to change.

To properly operate and maintain the Cisco network-based IPSec VPN solution Release 1.5, make sure you have read the following documents:

These are available at the Network-Based IPSec VPN website, at the following URL:

Operation and Maintenance Tasks

There are a variety of tasks that we recommend you attend to on a routine basis. Other tasks can be performed as needed, although you may want to schedule certain critical tasks depending on the needs of your network. This section presents the following topics:

Routine Tasks

Table 1-1 identifies, at a high level, the tasks that service providers must perform on a daily, weekly, monthly, and annual basis to operate and maintain the health of their Cisco network-based IPSec VPN solution Release 1.5 network.

Table 1-1 Routine Operations and Maintenance Tasks

Frequency	Task	Notes
Daily	Monitor alarms from all platforms in network	View alarms on the platform directly, or use ISC Version 3.0.
Daily	Review system logs	View alarms on the platform directly.
Weekly	Back up all relevant data and configuration information for all network platforms.	The service provider must develop a process for determining relevant data and platforms.
Weekly	Visit Cisco websites regularly to see if solution release notes have been updated to recommend new software releases.	As new releases become available and caveats are added or resolved, the solution release notes are updated.
Monthly	In a maintenance window, test the ability of the solution components to failover from active to standby.	If failover is not tested regularly, redundant equipment is of little value.
Annually	Plan for the possibility of a major network upgrade of Cisco software.	Besides Cisco IOS software, changes in hardware, particularly in memory, may be required.
Annually	Review overall network traffic requirements to ensure that traffic is being served properly by existing network.	—

General Operations and Maintenance Guidelines

Develop a general strategy for monitoring the Cisco 7204 router and Cisco 7206 router using the ISC Version 3.0.
Use the software tools available on each platform to monitor and report critical data such as fault alarms.
Check equipment status.
Regularly monitor system log entries.
Regularly issue status queries, using either a variety of GUI element-management tools, or Cisco IOS software (see "Using Cisco IOS Software for Operations and Maintenance") or MML (Man Machine Language) commands entered at the CLI.
When you remove or add any solution components, read the most recent applicable hardware and software documents.
Be sure that you provide for redundancy before upgrading any solution components.

Table 1-2 lists general operations and maintenance guideline links for the hardware components of the Cisco network-based IPSec VPN solution Release 1.5.

Table 1-2 General Operations and Maintenance Guidelines for Solution Components

Component	Maintenance Guideline Links
Cisco 7204 router	http://www.cisco.com/univercd/cc/td/doc/product/core/7204/7204ig/main4icg.htm
Cisco 7206 router	http://www.cisco.com/univercd/cc/td/doc/product/core/7206/7206ig/addpr6ug.htm
AAA server	Any RADIUS server (such as Cisco Access Registrar) that understands Cisco AV pairs can be used. See http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfrad.htm#79543

Using IP Solution Center Version 3.0 for Operations and Maintenance

The Cisco IP Solution Center (ISC) Version 3.0 provides management of IPSec VPN services throughout the service life cycle including service provisioning and activation on customer-edge and provider-edge routers, service auditing and service-level agreement (SLA).

For service providers using the IPSec or MPLS transport framework, the Cisco ISC Version 3.0 provides a full complement of provisioning, monitoring, and administration tools that simplify the inherent complexities of managing a VPN infrastructure.

You can use ISC Version 3.0 to direct the operations of the following components of the Cisco network-based IPSec VPN solution Release 1.5:

You can also us the Cisco ISC Version 3.0 application to direct the operations of the following customer premise equipment:

For information on using the Cisco ISC Version 3.0, refer to Cisco ISC Version 3.0 documentation at the following URL: http://www.cisco.com/univercd/cc/td/doc/ .

Routine Maintenance

Defining IPSec Networks and Customers

Define the IPSec network elements

Defining target routers
Defining targets by importing device configuration files
Specifying the transport mechanism for multiple edge devices
Setting passwords for multiple edge devices
Specifying the IP address for the router's loopback interface
Setting SNMPv3 parameters for VPNSC target routers

Adding a new edge device to the network

Specifying device passwords, and SNMP and Telnet parameters
Specifying IP addresses for the new target
Specifying SNMPv3 parameters
Populating IP address information to the repository
Deleting targets from a network

Creating default policies
Defining a new IPSec VPN customer

Defining customer sites
Assigning an edge device to a site
Assigning the management interface
Defining devices as managed and SA agent enabled
Defining a device's secured, nonsecured, and tunnel endpoint interfaces
Creating customer-specific policies
Deleting a customer

Defining VPNs and Provisioning Service Requests

Creating a new IPSec VPN and provisioning a service request

Defining a service request for the VPN
Specifying edge devices in the service request
Assigning secondary edge devices

Deploying service requests

Redeploying after changing a deployed service request

Opening an existing service request
Getting detailed information on service requests
Decommissioning a VPN service

Creating a request to decommission a VPN service
Deploying and auditing the decommissioned VPN service request
Removing a VPN service from the repository

Editing a device's configuration file
Auditing IPSec VPN service requests

Provisioning the Cisco VPN 3002

Specifying a transport mechanism for configuration files
Setting passwords for multiple VPN 3000 devices
Performing additional setup tasks
Assigning VPN 3000 devices to their sites
Specifying a management interface
Defining the device's public and private interfaces
Specifying address pools for remote access service
Creating default policies
Defining VPN groups for remote access service
Configuring AA servers
Creating a new VPN
Creating a remote-access service request
Creating a LAN-to-LAN service request

Monitoring IPSec VPN Performance

Using Cisco IOS Software for Operations and Maintenance

Monitoring Network Performance Using Cisco IOS Commands

It is critical to monitor the operating environments of network devices, such as voltage, temperature, and airflow, and ensure that they are operating within specifications. Software components such as buffers and memory can have a significant impact on the protocols running on the device.

CPU utilization is a useful performance indicator on the Cisco devices. By measuring CPU use over time, a trend can be established to determine traffic patterns. Devices running constantly at high utilization levels can affect the overall performance of forwarding and processing packets. CLI commands on the Cisco devices can display the CPU utilization and information on running processes. You can access information returned on the CPU load by means of objects defined in MIB files.

Target Platforms

The Cisco IOS software CLI manages the following components of the Cisco network-based IPSec VPN solution Release 1.5:

Cisco IOS Software References

The following paragraphs provide references to URLs for Cisco IOS, system error messages, and debug commands.

Cisco IOS Software

System Error Messages

The system software sends these error messages to the console (and, optionally, to a logging server on another system) during operation. Not all system error messages indicate problems with your system. Some are purely informational, and others may help diagnose problems with communications lines, internal hardware, or the system software.

Debug Command Reference

For details on debugging commands, refer to Cisco IOS Debug Command Reference, Cisco IOS Release 12.2, at the following URL:

Table of Contents