Cisco OL-27172-01 User Manual

Cisco Broadband Access Center 3.8 Administrator Guide

April 02, 2013

Americas Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

Text Part Number: OL-27172-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco Broadband Access Center 3.8 Administrator Guide

CONTENTS

Preface xv

Audience xv

Organization xvi

Conventions xvii

Product Documentation xviii

Related Documentation xviii

Obtaining Documentation and Submitting a Service Request xviii

xviii

CHAPTER

1 Broadband Access Center Overview 1-1

Features and Benefits 1-1

Supported Technology 1-3

CWMP Technology 1-3

TR-196 1-3

2 Broadband Access Center Architecture 2-1

Cisco BAC Deployment 2-1

Architecture 2-2

Regional Distribution Unit 2-4 Device Provisioning Engines 2-4

DPE Extension 2-5 DPE Licensing 2-5

Provisioning Groups 2-6

Discovery of ACS URL 2-6

Provisioning Group Scalability 2-7 Cisco BAC Process Watchdog 2-7 SNMP Agent 2-7 Logging 2-7 Access Registrar 2-8 RADIUS 2-8 Cisco Network Registrar 2-8 DHCP 2-8 LeaseQuery 2-9

OL-27172-01

Cisco Broadband Access Center 3.8 Administrator Guide

iii

Contents

CHAPTER

3 Configuration Workflows and Checklists 3-1

Component Workflows 3-1

RDU Checklist 3-1 DPE Checklist 3-2

Technology Workflows 3-3

RDU Configuration Workflow 3-3

Preregistering Device Data in Cisco BAC 3-4

DPE Configuration Workflow 3-5

Configuring CWMP Service on the DPE 3-6 Configuring HTTP File Service on the DPE 3-7 Configuring HTTP Auth Service on the DPE 3-8

Provisioning Group Configuration Workflow 3-8

Configuring Home Provisioning Group Redirection Service on the DPE 3-9

4 CPE Management Overview 4-1

CWMP Overview 4-1

Cisco BAC Device Object Model 4-2

Property Hierarchy 4-4 Custom Properties 4-4

Discovering CPE Parameters 4-4

Multi-Instance Object Support 4-5

Configuration Template 4-6 Firmware Rules Template 4-10 Parameter Discovery 4-13 Display Live Data Operation 4-13 Instance Sorting 4-13

Instruction Generation and Processing 4-14

Device Configuration Synchronization 4-15

Device Deployment in Cisco BAC 4-16

Preregistered Devices 4-17 Unregistered Devices 4-17

Initial Provisioning Flows 4-18

For Preregistered Devices 4-18 For Unregistered Devices 4-19

Assigning Devices to Provisioning Groups 4-20

Explicit Assignment 4-20 Automatic Membership 4-20 Combined Approach 4-20

Cisco Broadband Access Center 3.8 Administrator Guide

OL-27172-01

Device Diagnostics 4-21

Configuring SNMP Trap for CPEs 4-21

Contents

CHAPTER

5 Configuration Templates Management 5-1

Overview 5-1

Features of Cisco BAC Templates 5-4

Parameters 5-6

Parameter List for Single Instance Object 5-7

Parameter List for Multiple Instance Objects 5-7 Notification 5-8

Configuring Notification 5-8 Access Control 5-9

Configuring Access Control 5-9 Prerequisites 5-9

Expressions 5-11

MaintenanceWindow 5-11

Configuring Prerequisites 5-13

Authoring Configuration Templates 5-14

Custom Properties 5-15 Using Parameter Substitution 5-16 Using Includes 5-17 Using Conditionals 5-19

CHAPTER

OL-27172-01

Using the Configuration Utility 5-22

Running the Configuration Utility 5-23 Adding a Template to Cisco BAC 5-23 Validating XML Syntax for a Local Template File 5-24 Validating XML Syntax for a Template Stored in Cisco BAC 5-24 Testing Template Processing for a Local Template File 5-25 Testing Template Processing for a Template Stored in Cisco BAC 5-26 Testing Template Processing for a Cisco BAC Template File and a Device 5-27

6 Firmware Management 6-1

Overview 6-1

Firmware Management Mechanisms 6-2

Firmware Rule Templates 6-2 Direct Firmware Management 6-4

Managing Firmware Files 6-5

Authoring Firmware Rules Templates 6-6

Cisco Broadband Access Center 3.8 Administrator Guide

Contents

Expression and Regular Expression 6-7 Internal Firmware File vs. External Firmware File 6-10

InternalFirmwareFile 6-10 ExternalFirmwareFile 6-11

Sample Firmware Rules Template 6-11

Using Template Constructs with Firmware Rule Templates 6-13

Using Parameter Substitution 6-14 Using Includes 6-14 Using Conditionals 6-15

CHAPTER

7 Parameter Dictionaries 7-1

Overview 7-1

Using Default Dictionaries 7-2

Custom Dictionaries 7-3

Parameter Dictionary Syntax 7-3

Sample Parameter Dictionary 7-4

Managing Parameter Dictionaries through User Interface 7-5

Adding Parameter Dictionaries 7-5 Viewing Parameter Dictionaries 7-6 Deleting Parameter Dictionaries 7-6 Replacing Parameter Dictionaries 7-6

8 CPE History and Troubleshooting 8-1

Device History 8-1

Configuring Device History 8-4

Enabling Device History 8-4 Viewing Device History 8-4 Configuring Device History Size 8-5

Device History Records 8-5

Device Faults 8-6

Retrieving Device Faults 8-7 Managing Chatty Clients 8-9

Device Troubleshooting 8-9

Configuring Device Troubleshooting 8-10

Enabling Troubleshooting for a Device 8-10 Disabling Troubleshooting for a Device 8-11 Viewing List of Devices in Troubleshooting Mode 8-11 Viewing Device Troubleshooting Log 8-12

Cisco Broadband Access Center 3.8 Administrator Guide

OL-27172-01

Contents

CHAPTER

9 Managing Cisco Broadband Access Center 9-1

Cisco BAC Process Watchdog 9-1

Using Cisco BAC Process Watchdog from the Command Line 9-2

Enabling SNMP Trap for Cisco BAC Process Watchdog 9-3

Administrator User Interface 9-4

Command Line Interface 9-5

Accessing the DPE CLI from a Local Host 9-6 Accessing the DPE CLI from a Remote Host 9-6

SNMP Agent 9-6

Cisco BAC Tools 9-7

10 Database Management 10-1

Understanding Failure Resiliency 10-1

Database Files 10-2

Database Storage File 10-2 Database Transaction Log Files 10-2 Automatic Log Management 10-3 Miscellaneous Database Files 10-3

CHAPTER

Disk Space Requirements 10-3

Handling Out of Disk Space Conditions 10-4

Backup and Recovery 10-4

Database Backup 10-4 Database Recovery 10-5 Database Restore 10-6

Changing Database Location 10-7

11 Monitoring Cisco Broadband Access Center 11-1

Syslog Alert Messages 11-1

Message Format 11-1 RDU Alerts 11-2 DPE Alerts 11-2 Watchdog Agent Alerts 11-4 Access Registrar Extension Point Alerts 11-5

Monitoring Servers by Using SNMP 11-5

SNMP Agent 11-6

MIB Support 11-6 Using the snmpAgentCfgUtil.sh Tool 11-6

Adding a Host 11-7

OL-27172-01

Cisco Broadband Access Center 3.8 Administrator Guide

vii

Contents

Deleting a Host 11-7 Adding an SNMP Agent Community 11-8 Deleting an SNMP Agent Community 11-9 Starting the SNMP Agent 11-9 Stopping the SNMP Agent 11-9 Configuring an SNMP Agent Listening Port 11-10 Changing the SNMP Agent Location 11-10 Setting Up SNMP Contacts 11-10 Displaying SNMP Agent Settings 11-11 Specifying SNMP Notification Types 11-11

Monitoring Server Status 11-12

Using the Administrator User Interface 11-12 Using the DPE CLI 11-12

Monitoring Performance Statistics 11-14

Understanding perfstat.log 11-15 Using runStatAnalyzer.sh 11-15

CHAPTER

Monitoring STUN Statistics 11-17

Understanding stunstatistics.log 11-17

STUN Binding Information 11-18 Using dumpStunBindingInfo.sh 11-18

Traffic Profiling 11-18

12 Configuring CWMP Service 12-1

CWMP Service Configuration 12-1

Configuring Service Ports on the DPE 12-2

Connection Request Service 12-2

Configuring Connection Request Options 12-3

Configuring Authentication 12-3 Autogenerating Connection Request Passwords 12-4 Configuring Connection Request Methods 12-5 Configuring External URLs on DPE 12-10 Disabling Connection Requests 12-10 Configuring Reachability 12-11

Discovering Data from Devices 12-11

Configuring Data Discovery 12-12 Troubleshooting Data Discovery 12-13 Automatic IMEI Update 12-15

viii

Provisioning Group Scalability and Failover 12-16

Redundancy in Cisco BAC 12-16

Cisco Broadband Access Center 3.8 Administrator Guide

OL-27172-01

Local Redundancy 12-16

Regional Redundancy 12-16 DPE Load-Balancing 12-17

Using DNS Round Robin 12-17

Using a Hardware Load Balancer 12-17 Adding DPE to a Provisioning Group 12-18

Contents

CHAPTER

13 Configuring CWMP Service Security 13-1

Overview 13-1

Key and Certificate Management in Cisco BAC 13-2

Configuring SSL Service 13-3

Configuring DPE Keystore by Using the Keytool 13-3

Using the Keytool Commands 13-5

Generating Server Certificate Keystore and Private Key for a New Certificate 13-6

Displaying Self-Signed Certificate 13-7

Generating a Certificate-Signing Request 13-7

Importing Signing Authority Certificate into Cacerts Keystore 13-8

Importing the Signed Certificate into Server Certificate Keystore 13-9

Importing Certificates for Client Authentication 13-10

Configuring Security for DPE Services 13-11

Configuring SSL on a DPE 13-11

Enabling SSL for the CWMP Service 13-11

Enabling SSL for the HTTP File Service 13-12 Configuring CPE Authentication 13-13

Shared Secret Authentication 13-13

Client Certificate Authentication 13-16

External Client Certificate Authentication 13-16 Authentication Options in Cisco BAC 13-17

OL-27172-01

Configuring Security for RDU Services 13-18

RDU Authentication Mode Settings 13-19

TACACS+ Authentication and Authorization in RDU 13-19

Signed Configuration for Devices 13-20

Signature Expiration 13-20 Signature Regeneration 13-20 Configuration Interfaces 13-20 Monitoring the Signed Configuration Feature 13-21

Troubleshooting Signed Configuration Feature 13-22

Cisco Broadband Access Center 3.8 Administrator Guide

Contents

CHAPTER

14 CWMP Device Operations 14-1

Overview 14-1

Connection Modes for Device Operations 14-2

Immediate Mode 14-2 On-Connect Mode 14-3 Asynchronous Mode 14-5 Conditional Execution 14-6

Managing a Device’s Provisioning Group 14-6

Redirecting CPE to Home Provisioning Group 14-7 Correcting a Device’s Provisioning Group 14-8

15 Understanding the Administrator User Interface 15-1

Configuring the Administrator User Interface 15-1

Accessing the Administrator User Interface 15-2

Logging In 15-2 Logging Out 15-4

Understanding the Administrator User Interface Icons 15-4

CHAPTER

16 Using the Administrator User Interface 16-1

User Management 16-1

Administrator 16-1 Read/Write User 16-2 Read-Only User 16-2 Adding a New User 16-2 Modifying Users 16-3 Deleting Users 16-4

Device Management 16-4

Manage Devices Page 16-4 Searching for Devices 16-5 Device Management Controls 16-7

Viewing Device Details 16-7

Managing Devices 16-10

Adding Device Records 16-11 Modifying Device Records 16-11 Deleting Device Records 16-11 Viewing Device History 16-12 Regenerating Device Instructions 16-12 Relating and Unrelating Devices 16-13

Cisco Broadband Access Center 3.8 Administrator Guide

OL-27172-01

Performing Operations on Devices 16-14

Group Management 16-18

Managing Group Types 16-18

Adding a Group Type 16-19

Modifying Group Types 16-20

Deleting Group Types 16-20 Managing Groups 16-20

Adding a New Group 16-20

Modifying a Group 16-21

Deleting Groups 16-21

Relating/Unrelating Groups to Groups 16-22

Viewing Group Details 16-22

Viewing Servers 16-22

Viewing Device Provisioning Engines 16-22 Viewing Network Registrar Extension Point Details 16-25 Viewing Provisioning Groups 16-26 Viewing Regional Distribution Unit Details 16-27

Contents

CHAPTER

17 Configuring Broadband Access Center 17-1

Configuring the Class of Service 17-1

Adding a Class of Service 17-3 Modifying a Class of Service 17-3 Deleting a Class of Service 17-4

Configuring Custom Properties 17-5

Configuring Defaults 17-6

Selecting Configuration Options 17-6 CWMP Defaults 17-7 RDU Defaults 17-10 System Defaults 17-11 TACACS+ Defaults 17-13

Managing Files 17-15

Adding Files 17-17 Viewing Files 17-18 Replacing Files 17-18 Exporting Files 17-19 Deleting Files 17-19

OL-27172-01

Managing License Keys 17-20

Adding and Modifying a License 17-21

Managing DPE Feature Pack Extensions 17-21

Cisco Broadband Access Center 3.8 Administrator Guide

Contents

Writing a New Class for DPE Feature Pack Extensions 17-22 Managing RDU Extensions 17-23 Writing a New Class for RDU 17-24 Installing RDU Custom Extensions 17-25 Viewing RDU Extensions 17-26

Publishing Provisioning Data 17-26

Publishing Datastore Changes 17-26 Modifying Publishing Plug-In Settings 17-26

Configuring Lease Query 17-27

CHAPTER

18 Scripting Framework 18-1

Overview 18-1

Script’s Shared Scope 18-1

Extension Script 18-2

Integrating Extension Scripts in BAC 18-3

Adding Extension Points to the Device Property 18-3

Configuring Extensions for Unknown Devices 18-4

Verifying Extension Scripts Availability in DPE Cache 18-5

Verifying Status of the Extensions in DPE 18-5

19 RDU and DPE Connection Management 19-1

TCP Connection Management 19-1

Heart Beat 19-1

RDU Batch Concurrency 19-2

Non-concurrent Commands 19-2

Long-Running Batch 19-3

DPE-RDU Synchronization 19-3

CHAPTER

xii

20 Cisco BAC Support Tools and Advanced Concepts 20-1

Using the deviceExport.sh Tool 20-1

Using the disk_monitor.sh Tool 20-4

Using the resetAdminPassword.sh Tool 20-5

Using the runEventMonitor.sh Tool 20-5

Using the changeARProperties.sh Tool 20-8

Using the changeNRProperties.sh Tool 20-9

Cisco Broadband Access Center 3.8 Administrator Guide

OL-27172-01

Contents

CHAPTER

LOSSARY

NDEX

21 Troubleshooting Broadband Access Center 21-1

Troubleshooting Checklist 21-1

Logging 21-2

Log Levels and Structures 21-3 Configuring Log Levels 21-4 Rotating Log Files 21-4 RDU Logs 21-5

Viewing the rdu.log File 21-5

Viewing the audit.log File 21-5

The RDU Log Level Tool 21-5 DPE Logs 21-8

Viewing the dpe.log File 21-8 Access Registrar Logs 21-8

OL-27172-01

Cisco Broadband Access Center 3.8 Administrator Guide

xiii

Contents

xiv

Cisco Broadband Access Center 3.8 Administrator Guide

OL-27172-01

Preface

The Cisco Broadband Access Center 3.8 Administrator Guide describes concepts and configurations related to Cisco Broadband Access Center, which is called Cisco BAC throughout this guide.

This chapter provides an outline of the other chapters in this guide, detailed information about related documents that support this Cisco BAC release, and demonstrates the styles and conventions used in the guide.

Note This document is to be used in conjunction with the documentation listed in Product Documentation,

page xviii.

Audience

This chapter contains the following information:

• Audience, page xv

• Organization, page xvi

• Conventions, page xvii

• Product Documentation, page xviii

• Related Documentation, page xviii

• Obtaining Documentation and Submitting a Service Request, page xviii

The Cisco Broadband Access Center 3.8 Administrator Guide is written for system administrators involved in automating large-scale provisioning for broadband access. The network administrator should be familiar with these topics:

• Basic networking concepts and terminology.

• Network administration.

OL-27172-01

Cisco Broadband Access Center 3.8 Administrator Guide

Organization

This guide includes the following chapters:

Chapter Title Description

Chapter 1 Broadband Access Center Overview Describes Cisco BAC, its features and benefits.

Chapter 2 Broadband Access Center

Chapter 3 Configuration Workflows and

Chapter 4 CPE Management Overview Provides an overview of CPE management and

Chapter 5 Configuration Templates

Chapter 6 Firmware Management Describes the firmware management feature that

Chapter 7 Parameter Dictionaries Describes the use of Parameter Dictionaries.

Chapter 8 CPE History and Troubleshooting Describes how to troubleshoot CPE, using device

Chapter 9 Managing Cisco Broadband Access

Chapter 10 Database Management Describes how to manage and maintain the RDU

Chapter 11 Monitoring Cisco Broadband Access

Chapter 12 Configuring CWMP Service Describes how to configure the CWMP service for

Chapter 13 Configuring CWMP Service Security Describes how to enhance security options using

Chapter 14 CWMP Device Operations Describes the operations that you can perform on

Chapter 15 Understanding the Administrator

Chapter 16 Using the Administrator User

Chapter 17 Configuring Broadband Access

Chapter 18 Scripting Framework Describes DPE scriptable extension framework

Architecture

Checklists

Management

Center

User Interface

Interface

Center

Preface

Describes the systems architecture implemented in this Cisco BAC release.

Provides checklists to follow when configuring Cisco BAC for use.

describes key concepts supported within Cisco BAC.

Describes the configuration templates that Cisco BAC supports, and how to author custom configuration templates.

Cisco BAC supports.

information, made available through Cisco BAC.

Describes the various options that help manage Cisco BAC.

database.

Describes how to monitor the Cisco BAC servers.

use with Cisco BAC.

Cisco BAC.

the device using Cisco BAC.

Describes how to access Cisco BAC using the administrator user interface.

Describes administration activities, including searching for and viewing device information.

Describes the configuration activities that are performed using the Cisco BAC administrator application.

which facilitates creating extension scripts, adding extension scripts in Cisco BAC, and verifying the script status in the DPE.

xvi

Cisco Broadband Access Center 3.8 Administrator Guide

OL-27172-01

Preface

Conventions

This document uses the following conventions:

Chapter Title Description

Chapter 19 RDU and DPE Connection

Management

Chapter 20 Cisco BAC Support Tools and

Advanced Concepts

Chapter 21 Troubleshooting Broadband Access

Center

Glossary Defines terminology used in this guide and

Describes the RDU TCP connection management, RDU batch concurrency and RDU DPE synchronization.

Describes Cisco BAC tools intended to help configure, maintain speed, and improve the installation, deployment, and use of Cisco BAC.

Describes how to troubleshoot Cisco BAC servers.

generally applicable to the technologies being discussed.

Convention Indication

bold font Commands and keywords and user-entered text appear in bold font.

italic font Document titles, new or emphasized terms, and arguments for which you supply

[ ] Elements in square brackets are optional.

{x | y | z } Required alternative keywords are grouped in braces and separated by

[ x | y | z ] Optional alternative keywords are grouped in brackets and separated by

string A nonquoted set of characters. Do not use quotation marks around the string or

courier font Terminal sessions and information the system displays appear in courier font.

< > Nonprinting characters such as passwords are in angle brackets.

[ ] Default responses to system prompts are in square brackets.

!, # An exclamation point (!) or a pound sign (#) at the beginning of a line of code

Note Means reader take note.

values are in italic font.

vertical bars.

the string will include the quotation marks.

indicates a comment line.

OL-27172-01

Caution Means reader be careful. In this situation, you might perform an action that could result in equipment

damage or loss of data.

Cisco Broadband Access Center 3.8 Administrator Guide

xvii

Product Documentation

Note We sometimes update the printed and electronic documentation after original publication. Therefore,

you should also review the documentation on Cisco.com for any updates.

You can view the marketing and user documents for Cisco Broadband Access Center at:

http://www.cisco.com/en/US/products/sw/netmgtsw/ps529/tsd_products_support_series_home.html

The following document gives you the list of user documents for Cisco Broadband Access Center 3.8:

http://www.cisco.com/en/US/docs/net_mgmt/broadband_access_center/3.8/documentation/overview/ Cisco_BAC38_DocOverview.html

Broadband Access Center Overview

This chapter provides an overview of Cisco Broadband Access Center (Cisco BAC).

Cisco BAC automates the tasks of provisioning and managing customer premises equipment (CPE) in a broadband service provider network.

With the high-performance capabilities of Cisco BAC, you can scale the product to suit networks of virtually any size, even those with millions of CPE. It also offers high availability, made possible by the product’s distributed architecture and centralized management.

Cisco BAC supports provisioning and managing of CPE by using the Broadband Forum’s CPE WAN Management Protocol (CWMP), a standard defined in the TR-069 specification. Cisco BAC integrates the capabilities defined in TR-069 to increase operator efficiency and reduce network-management problems.

Cisco BAC supports devices based on the TR-069, TR-098, TR-104, TR-106, TR-181, and TR-196 standards. These devices include Ethernet and ADSL gateway devices, wireless gateways, VoIP ATAs, and other devices compliant with CWMP. Cisco BAC also provides for runtime-extensible data models to support any upcoming data-model standards or any vendor-specific data models based on CWMP.

Cisco BAC provides such critical features as redundancy and failover. Cisco BAC can be integrated into new or existing environments through the use of a provisioning application programming interface (API) that lets you control how Cisco BAC operates.

You can use the provisioning API to register devices in Cisco BAC, assign device configuration policies, execute any CWMP operations on the CPE, and configure the entire Cisco BAC provisioning system.

This chapter includes the following sections:

• Features and Benefits, page 1-1

• Supported Technology, page 1-3

Features and Benefits

Cisco BAC helps service providers provision and manage the rapidly expanding number of home networking devices.

Cisco BAC supports mass-scale provisioning and managing of Femtocell Access Point (FAP) devices that function as mini 3G cell tower in customer premises and backhaul call using the customer’s internet connection. Apart from supporting the FAP devices, Cisco BAC also supports provisioning and managing of Digital Life Controller (DLC) devices based on TR-069 protocol.

This section describes the basic features and benefits that the Cisco BAC architecture offers:

OL-27172-01

Cisco Broadband Access Center 3.8 Administrator Guide

1-1

Features and Benefits

Chapter 1 Broadband Access Center Overview

• Configuration management: Vastly simplified in Cisco BAC through configuration templates, which

provide an easy, yet flexible mechanism to assign configurations for CPE. You can use the template-processing mechanism to customize configurations for millions of devices by using a small number of templates.

By using these XML-based templates, you can set configuration parameters and values, and notification and access controls on a device. Configuration templates allow:

–

Conditionals, to include or exclude sections of a template based on, among others, Cisco BAC property values.

–

Includes, to include template content from other files.

–

Parameter substitution, to substitute Cisco BAC property values into template parameters.

–

Prerequisites, to evaluate whether the template is applicable to a device at given time.

• Firmware management: Maintaining and distributing sets of firmware image files to corresponding

CPE through the Cisco BAC system. A firmware rules template, associates the firmware image files to groups of devices. Cisco BAC uses the rules in the associated firmware rules template to evaluate the firmware that is downloaded to the device.

Using the firmware management feature, you can view firmware information on devices, add firmware images to the database, and apply the image files to specific CPE.

• Massive scalability: Enhanced by partitioning CPE into provisioning groups; each provisioning

group is responsible for only a subset of the CPE. A provisioning group is designed to be a logical (typically geographic) grouping of servers, usually consisting of one or more Device Provisioning Engines (DPEs).

A single provisioning group can handle the provisioning needs of up to 500,000 devices. As the number of devices grows past 500,000, you can add additional provisioning groups to the deployment.

• Standards-based security: Cisco BAC is designed to provide a high degree of security by using

CWMP, outlined in the TR-069 standard. The CWMP security model is also designed to be scalable. It is intended to allow basic security to accommodate less robust CPE implementations, while allowing greater security for those that can support more advanced security mechanisms.

Cisco BAC integrates the Secure Sockets Layer (SSL) version 3.0 and the Transport Layer Security (TLS) version 1.0 protocols into its CWMP ACS implementation. By using HTTP over SSL/TLS (also known as HTTPS), Cisco BAC provides confidentiality and data integrity, and allows certificate-based authentication between the various components.

• Easy integration with back-end systems, using Cisco BAC mechanisms such as:

–

The Cisco BAC Java API, which can be used to perform all provisioning and management operations.

–

The Cisco BAC publishing extensions, which are useful in writing RDU data into another database.

–

The Cisco BAC Data Export tool, with which you can write device information from the Cisco BAC system to a file.

1-2

–

The SNMP agent, which simplifies integration for monitoring Cisco BAC.

–

The DPE command line interface, which simplifies local configuration when you use it to copy and paste commands.

• Extensive server management: Cisco BAC provides extensive server performance statistics, thereby

enabling monitoring and troubleshooting.

Cisco Broadband Access Center 3.8 Administrator Guide

OL-27172-01

Chapter 1 Broadband Access Center Overview

• Device diagnostics and troubleshooting: You use this feature to focus on a single device and collect

diagnostics information for further analysis. Cisco BAC provides several features to assist diagnosis:

–

Device history—Provides a detailed history of significant events that occur in a device provisioning lifecycle.

–

Device faults—Detects devices with recurring faults, which can cause bottlenecks and affect network performance.

–

Device troubleshooting—Provides detailed records of device interactions with Cisco BAC servers for a set of devices that are designated for such troubleshooting.

–

Direct device operations—Operations such as IP Ping and Get Live Data can be run on the device for more insight.

• Multi-instance object support: This feature introduces support for discovering and updating the CPE

parameters associated with multiple object instances, without specifying the actual instance number. The multi-instance object support in the template, adds the flexibility to apply the configuration on selective object instances.

• Scriptable framework: This feature introduces the scriptable extension service which facilitates

running the Java scripts based DPE extensions. This feature also provides the support to load and unload the extensions dynamically without restarting the DPE.

Supported Technology

This Cisco BAC release supports the provisioning and managing of CPE only through CWMP, outlined in the TR-069 specification. However, virtually any data models based on TR-069, TR-098, TR-104, TR-106, TR-181, and TR-196 extensions are supported.

CWMP Technology

TR-069 is a standard for remote management of CPE. This standard defines CWMP, which enables communication between CPE and an autoconfiguration server (ACS).

CWMP details a mechanism that increases operator efficiency and reduces network management problems through its primary capabilities. These capabilities include:

• Autoconfiguration

• Firmware Management

• Status and Performance Monitoring

• Device Diagnostics and Troubleshooting

In addition to CWMP, the TR-069 specification defined a version 1.0 of the data model for Internet Gateway Device (IGD), which has since been expanded by TR-098. CWMP, as defined in TR-069, works with any data model extended from CWMP, including those defined in TR-098, TR-104, TR-106, TR-181, and TR-196, upcoming new ones, or those that are vendor specific.

TR-196

OL-27172-01

TR-196 standard provides the data model for the Femto Access Point (FAP) for remote management purposes using the TR-069 CWMP.

Cisco Broadband Access Center 3.8 Administrator Guide

1-3

Supported Technology

Chapter 1 Broadband Access Center Overview

The Cisco BAC template-based mechanism to assign configurations for devices is enhanced to support the TR-196 devices in the service provider's network. Cisco BAC provides two additional parameter dictionary files to support the following TR-196 data models:

• TR-196 Amendment 1

• TR-196 Issue 2 and TR-181 Issue 2 Amendment 2

Cisco BAC also provides a Generally Available (GA) scriptable extensions targeting residential 3G features of above TR-196 data models. You can use the corresponding properties to configure the extension and the TR-196 data model to be used for any device.

The support for discovering multiple objects instances associated with a parameter, is also available for TR-196 devices.

1-4

Cisco Broadband Access Center 3.8 Administrator Guide

OL-27172-01

Broadband Access Center Architecture

This chapter describes the system architecture implemented in this Cisco Broadband Access Center (Cisco BAC) release.

This chapter includes the following sections:

• Cisco BAC Deployment, page 2-1

• Architecture, page 2-2

Cisco BAC Deployment

Cisco BAC provisions devices are based on the TR-069, TR-098, TR-104, TR-106, TR-181, and TR-196 standards. This includes Ethernet and ADSL gateway devices, wireless gateways, VoIP ATAs, and other devices compliant with the CPE WAN Management Protocol (CWMP).

Figure 2-1 represents a typical, fully redundant, CWMP deployment in a Cisco BAC network.

CHAP T ER

OL-27172-01

Cisco Broadband Access Center 3.8 Administrator Guide

2-1

Architecture

Operations

Support

Systems

Redundant

BAC RDU

Server

Central Location

Access

Network

284384

Target

Subscriber

Provisioning Group 1

BAC DPE

Servers

CAR RADIUS

Servers

CNR DHCP

Servers

Load

Balancer

STUN

Server

Provisioning Group [n]

BAC DPE

Servers

CAR RADIUS

Servers

CNR DHCP

Servers

Load

Balancer

CHMS Server

Chapter 2 Broadband Access Center Architecture

Figure 2-1 CWMP Deployment in Cisco BAC

Architecture

This section describes the basic Cisco BAC architecture including:

Cisco Broadband Access Center 3.8 Administrator Guide

2-2

• Regional Distribution Unit (RDU) that provides:

–

The authoritative data store of the Cisco BAC system.

–

Support for processing application programming interface (API) requests.

–

Monitoring of the system’s overall status and health.

See Regional Distribution Unit, page 2-4, for additional information.

• Device Provisioning Engines (DPEs) that provide:

–

Interface with customer premises equipment (CPE).

–

Configuration and firmware policy instructions cache.

–

Autonomous operation from the RDU and other DPEs.

–

CPE WAN Management Protocol (CWMP) service.

–

IOS-like command line interface (CLI) for configuration.

–

Hypertext Transfer Protocol (HTTP) file service.

See Device Provisioning Engines, page 2-4, for additional information.

OL-27172-01

Chapter 2 Broadband Access Center Architecture

• STUN server:

–

Supports a UDP based connection request mechanism defined in TR069 Annex G to allow Cisco BAC to initiate a session with a CPE that is operating behind a NAT Gateway.

• Cisco Management Heartbeat Server (CMHS) server:

–

A new connection request method that allows Cisco BAC to send connection requests to DLC devices through the CMHS server, using BAC north bound API interfaces or BAC Admin UI.

• Client API that provides total client control over the system’s capabilities.

• Provisioning Groups that provide:

–

Logical grouping of DPE servers, CAR-RADIUS servers and CNR-DHCP servers in a redundant cluster.

–

Redundancy and scalability

See Provisioning Groups, page 2-6, for additional information.

• The Cisco BAC process watchdog that provides:

–

Administrative monitoring of all critical Cisco BAC processes.

–

Automated process restart capability.

–

Ability to start and stop Cisco BAC component processes.

–

Ability to send the SNMP trap if any BAC process fails to start or stop, or stops unexpectedly. SNMP trap is a mechanism that the trap receiver uses to get the information about the process or component failure. A SNMP trap is also sent if Cisco BAC process watchdog fails to start on any of the servers that run Cisco BAC components. Cisco BAC process watchdog reports all the critical conditions of BAC components through SNMP trap.

Architecture

See Cisco BAC Process Watchdog, page 2-7, for additional information.

OL-27172-01

Cisco Broadband Access Center 3.8 Administrator Guide

2-3

Architecture

Chapter 2 Broadband Access Center Architecture

• An administrator user interface that provides:

–

Support for adding, deleting, and modifying CWMP devices; searching for devices, retrieving device details, and running device operations.

–

Support for configuring global defaults and defining custom properties.

–

Ability to view additional performance statistics.

–

Management of firmware rules and configuration templates.

See Administrator User Interface, page 9-4, for additional information.

• An SNMP agent that supports:

–

Third-party management systems.

–

SNMP version v2.

–

SNMP Notification.

See SNMP Agent, page 2-7, for additional information.

• Cisco Network Registrar servers that provide:

–

Dynamic Host Configuration Protocol (DHCP).

See Cisco Network Registrar, page 2-8, for additional information.

Regional Distribution Unit

The Regional Distribution Unit (RDU) is the primary server in the Cisco BAC provisioning system. It is installed on a server running the Solaris 10 or Linux 5.x operating system.

The functions of the RDU include:

• Managing preprovisioned and discovered data from devices.

• Generating instructions for DPEs and distributing them to DPE servers for caching.

• Cooperating with DPEs to keep them up to date.

• Processing API requests for all Cisco BAC functions.

• Managing the Cisco BAC system.

The RDU supports the addition of new technologies and services through an extensible architecture.

Cisco BAC currently supports one RDU per installation. Use of clustering software from Veritas or Sun is recommended for providing RDU failover. Use of RAID (Redundant Array of Independent Disks) shared storage is recommended in such a setup.

Device Provisioning Engines

The Device Provisioning Engine (DPE) communicates with the CPE on behalf of the RDU to perform provisioning or management functions.

The RDU generates instructions that the DPE must perform on the device. These instructions are distributed to the relevant DPE servers, where they are cached. These instructions are then used during interactions with the CPE to perform tasks, such as configuration of devices, firmware upgrades, and data retrieval.

Each DPE caches information for up to 500,000 devices, and multiple DPEs can be used to ensure redundancy and scalability.

2-4

Cisco Broadband Access Center 3.8 Administrator Guide

OL-27172-01

Chapter 2 Broadband Access Center Architecture

The DPE manages these activities:

• Synchronization with RDU to retrieve the latest set of instructions for caching.

• Communication with CPE using HTTP and HTTPS for file download service.

• Authentication and encryption of communication with CPE.

• Authenticate and Authorize CPE by processing the request from RADIUS server.

The DPE is installed on a server that is running the Solaris 10 or Linux 5.x operating system. The DPE is configured and managed by using the CLI, which you can access locally or remotely using Telnet. See the Cisco Broadband Access Center 3.8 DPE CLI Reference, for specific information on the CLI commands that a DPE supports.

See these sections for other important information:

• DPE Licensing, page 2-5

• DPE-RDU Synchronization, page 19-3

Also, familiarize yourself with the concept of instruction generation, which is described in Instruction

Generation and Processing, page 4-14.

Architecture

DPE Extension

DPE Licensing

Note For licensing purposes, a registered DPE is considered to be one node.

The DPE extension interface provides several levels of extensibility that range from ability to make minor changes to existing behavior via an extension to a complete overhaul of DPE behavior that allows it to perform any logic with HTTP or CWMP. It can even function independent of the RDU. The DPE extension simply augments the existing CWMP behavior.

However, when DPE is extended in such a way that RDU is either not required or is not used to store all device records, alternative licensing is needed. The Feature Pack licensing feature, described in DPE

Licensing, page 2-5, provides the alternative licenses.

Licensing controls the number of DPEs (nodes) that you can use. If you attempt to install more DPEs than you are licensed to have, those new DPEs will not be able to register with the RDU, and will be rejected. Existing licensed DPEs remain online.

Whenever you change licenses, by adding a license, extending an evaluation license, or through the expiration of an evaluation license, the changes take immediate effect.

When you delete a registered DPE from the RDU database, a license is freed. Since the DPEs automatically register with the RDU, you must take the DPE offline if the intention is to free-up the license. Then, delete the DPE from the RDU database by using the RDU administrator user interface.

OL-27172-01

Note The functions enabled using a specific license, continue to operate even when the corresponding license

is deleted from the system.

Cisco Broadband Access Center 3.8 Administrator Guide

2-5

Architecture

Cisco BAC now provides a mechanism to license DPE extension feature packs. The feature pack licenses indicate the count of the devices that can be processed by the feature pack extension. The feature pack licenses can be added to the RDU through Cisco BAC admin UI or API independently with or without CWMP / DPE licenses.

DPEs that are rejected during registration because of licensing constraints, do not appear in the administrator user interface. To determine the license state, you need to examine the log files of the RDU and the DPE.

Provisioning Groups

A provisioning group is designed to be a logical (typically geographic) grouping of servers that usually consist of one or more DPEs, CNR-DHCP servers and CAR-RADIUS servers. Each DPE in a given provisioning group, caches identical sets of instructions from the RDU; thus enabling redundancy and load balancing.

A single provisioning group can handle the provisioning needs of up to 500,000 devices. As the number of devices grows past 500,000, you can add additional provisioning groups to the deployment.

Chapter 2 Broadband Access Center Architecture

Note The servers for a provisioning group are not required to reside at a regional location, they can just as

easily be deployed in the central network operations center.

For more information, see:

• Discovery of ACS URL, page 2-6

• Provisioning Group Scalability, page 2-7

Discovery of ACS URL

In the distributed architecture that Cisco BAC provides, the RDU is the centralized aggregation point that never directly interacts with a CPE. Any required interactions with the CPE are delegated to the provisioning group.

Each device identifies the provisioning group to which it connects by the URL of a single autoconfiguration server (ACS); in other words, the DPE. Until the URL is updated, the device contacts the DPE at the same URL.

All redundant DPEs in a given provisioning group, must share a single ACS URL. The RDU has to be aware of the URL that is associated with each provisioning group and, by extension, of all DPEs in that provisioning group. The RDU uses its knowledge of the provisioning group’s ACS URL to redirect devices to a new provisioning group, when required.

The RDU automatically learns the provisioning group’s ACS URL from DPE registrations; or the ACS URL is configured on the provisioning group object, using the API or the administrator user interface. For information on configuring the ACS URL, see Provisioning Group Configuration Workflow,

page 3-8.

The CPE can determine the ACS (DPE) URL in one of two ways:

• By preconfiguring the URL on the device. This ACS URL is the configured URL of the Cisco BAC

server that is associated with each provisioning group. The URL is preconfigured on the device before it is shipped to the customer, and is also known as the assigned URL.

2-6

Cisco Broadband Access Center 3.8 Administrator Guide

OL-27172-01

Chapter 2 Broadband Access Center Architecture

• By discovering the URL via DHCP. This ACS URL is returned in response to a DHCP Discover, a

DHCP Request, or a DHCP Inform. This mechanism is limited to deployments of primary Internet gateway devices, because it requires the ability to make DHCP requests to the WAN side.

Note Assigning a URL using preconfiguration is a more secure mechanism than one discovered

using DHCP.

Provisioning Group Scalability

Provisioning groups enhance the scalability of the Cisco BAC network by making each provisioning group responsible for only a subset of devices. This partitioning of devices can be along regional groupings or any other policy that the service provider defines. When the size of the provisioning group is restricted, the DPEs can be more effective in caching the necessary information.

To scale a deployment, the service provider can:

• Upgrade existing DPE server hardware.

• Add DPE servers to a provisioning group.

Architecture

• Add provisioning groups.

Cisco BAC Process Watchdog

The Cisco BAC process watchdog is an administrative agent that monitors the runtime health of all Cisco BAC processes. This watchdog process ensures that if a process stops unexpectedly, it is automatically restarted.

The Cisco BAC process watchdog can be used as a command line tool to start, stop, restart, and determine the status of any monitored processes.

See Cisco BAC Process Watchdog, page 9-1, for additional information on how to manage the monitored processes.

SNMP Agent

Cisco BAC provides basic SNMP v2-based monitoring of the RDU and the DPE servers. The Cisco BAC SNMP agents support SNMP informs and traps. You can configure the SNMP agent on the DPE by using snmp-server CLI commands, and on the RDU by using the SNMP configuration command-line tool.

See Monitoring Servers by Using SNMP, page 11-5, for additional information on the SNMP configuration command line tool, and the Cisco Broadband Access Center 3.8 DPE CLI Reference, for additional information on the DPE CLI.

Logging

OL-27172-01

Logging of events is performed at the DPE and the RDU. In some unique situations, DPE events are additionally logged at the RDU to give them higher visibility. Log files are located in their own log directories and can be examined by using any text processor.

Cisco Broadband Access Center 3.8 Administrator Guide

2-7

Architecture

You can compress the files for easier e-mailing to the Cisco Technical Assistance Center or system integrators for troubleshooting and fault resolution. You can also access the RDU and the DPE logs from the administrator user interface.

For detailed information on log levels and structures, and how log files are numbered and rotated, see

Logging, page 21-2.

Access Registrar

CAR is a RADIUS (Remote Authentication Dial-In User Service) server that enables multiple dial-in Network Access Server (NAS) devices to share a common authentication, authorization, and accounting database.

For additional information on Access Registrar, see the User Guide for Cisco Access Registrar 5.0 and

Installation Guide for Cisco Access Registrar 5.0.

RADIUS

Chapter 2 Broadband Access Center Architecture

CAR is based on a client/server model, which supports AAA (authentication, authorization, and accounting). The client is the Network Access Server (NAS) and the server is CAR. The client passes user information onto the RADIUS server and acts on the response it receives.

The server, on the other hand, is responsible for receiving user access requests, authenticating and authorizing users, and returning all necessary configuration information that the client can then pass on to the user.

Cisco BAC now supports RADIUS for device authentication. CAR provides an extension mechanism to allow customization of RADIUS requests and responses. Cisco BAC handles the Authentication and Authorization request through this extension.

Cisco Network Registrar

Cisco Network Registrar provides the DHCP functionality in Cisco BAC. The DHCP extension points on Network Registrar integrate Cisco BAC with Network Registrar. Using these extensions, the CNR registers itself with Cisco BAC.

Note Cisco Network Registrar (CNR) is re-branded to Cisco Prime Network Registrar starting with the 8.0

release.

For additional information on Cisco Prime Network Registrar, see the Cisco Prime Network Registrar

8.1 User Guide, Cisco Prime Network Registrar 8.1 CLI Reference Guide, and Cisco Prime Network Registrar 8.1 Installation Guide.

DHCP

2-8

The DHCP server automates the process of configuring IP addresses on IP networks. The protocol performs many of the functions that a system administrator carries out when connecting a device to a network. DHCP automatically manages network-policy decisions and eliminates the need for manual configuration. This feature adds flexibility, mobility, and control to networked device configurations.

Cisco Broadband Access Center 3.8 Administrator Guide

OL-27172-01

+ 292 hidden pages