Policy Management Tools

A policy management tool helps you manage your SLAs, policies, and rules to ensure that your network is configured properly to best meet these requirements. In addition, it needs to verify that your network is meeting these requirements and alert you when it is not, or when the network can reasonably be expected to not meet your user's needs in the area of bandwidth, for example.

Policy management tools provide many of the same capabilities that were covered in the earlier sections of this chapter and shown in Figure 9-1. The difference is the focus of the tool. Similar to the shift from the structured programming techniques to object-oriented programming, policy management tools make your agreements with the users of your network and the goals you have for your network the focus, instead of configuring and monitoring individual devices.

Currently, policy-based management tools are highly specific and implement their own forms of policy definition. There are efforts to standardize the specifications of policies. Until such a point of standardization, the policies in one application cannot be combined with those of another. After these standards are in place, you will be able to define policies in your knowledge base and apply them using one set of tools and check for compliance using another set of tools.

So, your tool should be able to take policies and turn them into the configurations required to implement these policies in your network. You also want a tool that can monitor a deployed set of policies and ensure that the intended policies are not being violated.

Policy-based configuration changes are the first set of applications to implement network-wide configuration changes. This means that the submission of a single policy presents the chance to misconfigure many devices in a network and threatens the reliability of the network. Therefore, it is important that the software developer do extensive testing in environments similar to yours. A bug in the policy software has the potential to destroy an entire network.

Because policy-based configuration requires that the software make configuration changes to devices, be sure that the software implement appropriate security measures that are applicable for your shop. Depending on how you run your network operations, different people may have different roles that necessitate varying access levels for devices.

Part of policy-based software is the grouping of devices into logical groups. A policy can then be applied to one or more groups rather than to a list of devices. There must be a way to exchange group membership information among other apps in order to keep the groups from getting out of sync. Your policy software should be able to either use groups of devices defined in your knowledge base or provide the definition of the groups it is used to your knowledge base so that other tools can share these definitions.

The criteria you need to use in choosing a policy management tool include the following:

• Takes policies and configures your network to implement them.

• Monitors compliance to your policies.

• The software is fully tested to ensure that it is low risk to use the tool in your environment.

• Can configure your devices using the security policies you have in place for your network devices.

• Defines and/or uses logical groupings of network devices.

The policy management tools are still evolving. Expect rapid change in these tools. Many of them today are able to do only part of the whole task of policy management. The following is a list of some of the current tools for policy management:

• Cisco Access List Manager

• Cisco QoS Policy Manager

• Cisco Service Level Agreement Manager

• Concord Network Health Modules Service Level Management

• Ganymede Pegasus

• InfoVista VistaViews

• Intellops ForeSight

• Jyra Service Level Monitor

• NextPoint S³ Service Level Manager