Computer networks have become ubiquitous in the home, office, and industrial environment. As computer networks have grown ever more complex, automated mechanisms for organizing and managing the networks have emerged. These mechanisms are generally implemented in the form of one or more computer programs, and are generically known as network management systems or applications.
FIG. 1 is a simplified diagram of a network 100 that is managed by a network management station 10. The network 100 comprises one or more network devices 102, such as switches, routers, bridges, gateways, and other devices. Each network device 102 is coupled to another network device 102, or to one or more end stations 120. Each end station 120 is a terminal node of the network 100 at which some type of work is carried out. For example, an end station 120 is a workstation, a printer, a server, or similar device.
Each network device 102 executes an operating system 110. An example of such an operating system is the Internetworking Operating System (IOS) commercially available from Cisco Systems, Inc. Each network device 102 also executes one or more applications 112 under control of or embedded within the operating system 110. The operating system 110 supervises operation of the applications 112 and communicates over network connections 104 using an agreed-upon network communication protocol, such as Simple Network Management Protocol (SNMP).
Each device 102 stores information about its current configuration, and other information, in one or more information bases (IBs) such as one or more Management Information Bases (MIBs) 114. Information in a MIB 114 is organized in a manner appropriate for that IB, for example, in one or more MIB variables. The network management station 10 can use means appropriate to each kind of network device 102 and send it appropriate commands to read or alter information in its information bases. For example, network management station 10 can send "fetch" and "set" commands to the device 102 in order to retrieve or set values of MIB variables. Examples of MIB variables include sysObjectID and sysDescr.
Preferably the network management station 10 is a general-purpose computer system of the type shown and described further herein in connection with FIG. 3. The network management station 10 executes one or more software components that carry out the functions shown in block diagram form in FIG. 1. For example, the network management station 10 executes a basic input/output system (BIOS) 20 that controls and governs interaction of upper logical layers of the software components with hardware of the network management station. An example of a suitable BIOS is the Phoenix ROM BIOS. The network management station 10 also executes an operating system 30 that supervises and controls operation of upper-level application programs. An example of a suitable operating system is the Microsoft Windows NT® operating system. The network management station 10 may also execute other operating systems that may not require a BIOS 20, such as UNIX-type operating systems, microkernel-based operating systems, etc.
The network management station 10 executes an asynchronous network interface (ANI) program 50 under control of the operating system 30. The ANI 50 provides an interface to the network 100 and communicates with the network using SNMP or another agreed-upon protocol. The ANI 50 provides numerous low-level services and functions for use by higher-level applications.
The network management station 10 executes a network management system 40 that interacts with an information base 60 containing information about the managed network 100. This information base may be one or more databases, one or more directories, one or more flat files, or any other convenient storage mechanism or mechanisms. The network management system 40 is an example of a network management application. Using a network management application, a manager can monitor and control network components. For example, a network management application enables a manager to interrogate devices such as host computers, routers, switches, and bridges to determine their status, and to obtain statistics about the networks to which they attach. The network management application also enables a manager to control such devices by changing routes and configuring network interfaces. Examples of network management applications are CiscoWorks, CiscoWorks 2000, and CiscoView, each of which is commercially available from Cisco Systems, Inc.
The ANI 50 and network management system 40 need not execute or reside on the same physical computer. They may execute on different machines.
The behavior of some network management applications or network devices 102 may be governed by one or more abstract policies. A network management policy expresses a business goal for use of the network; the network management application can convert the policy into instructions to network devices, such as switches, routers, firewalls, and other hardware and software, to implement the policy. An example of a policy is: "All administrative assistants may use the World Wide Web only between 11 a.m. and 3 p.m., Monday through Friday." A system that can receive and act on such policies is sometimes called a policy-based network management system.
Policy-based management is used in other, specific contexts within the broad field of network management. For example, Cisco Centri Firewall software product, commercially available from Cisco Systems, Inc. of San Jose, Calif., is a policy-driven product. The use of policies to control a firewall is disclosed in co-pending U.S. patent application Ser. No. 60/074945, filed Feb. 17, 1998, entitled "Graphical Network Security Policy Management," and naming Scott L. Wiegel as inventor.
Other information about policy-based networking is described in CiscoAssure Policy Networking: Enabling Business Applications through Intelligent Networking, http://www.cisco.com/warp/public/734/capn/assur_sd.htm (posted Jun. 13, 1998); CiscoAssure Policy Networking End-to-End Quality of Service, http://www.cisco.com/warp/public/734/capn/caqos_wp.htm (posted Jun. 24, 1998); Delivering End-to-End Security in Policy-Based Networks, http://www.cisco.com/warp/public/734/capn/deesp_wp.htm (posted Sep. 11, 1998); User Registration and Address Management Services for Policy Networking, http://www.cisco.com/warp/public/734/capn/polnt_wp.htm (posted Sep. 11, 1998); CiscoAssure User Registration Tool, http://www.cisco.com/warp/public/734/capn/caurt_ai.htm (posted Oct. 8, 1998).
The ease with which policy-based network management systems permit a user or administrator to create network management policies is also a disadvantage of such systems. When a large number of policies is developed, a risk of damaging the network, through conflicting policies or non-conflicting policies that achieve different goals, is created. There is a need for a system, mechanism or process for preventing conflicting policies from damaging a network.
For example, conflicting policies may leave a network or other policy-based system in an inconsistent state, or may make it difficult or impossible to understand the effects of the set of policies. A set of policies may be difficult or impossible to understand even if it is possible to understand the effect of each individual policy in isolation. These problems exist, in part, because past systems have provided no formal way to define the structure of a policy or a policy conflict. Past systems may provide a grammar in which a policy must be expressed, but in past approaches there is no formal definition of a policy, or of a conflict, or of how to resolve a conflict.
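As an added illustration of what a formal policy structure and conflict check can look like (constructed example code, not a definition taken from this application), a policy is modeled as a role, a service, a weekday/hour window and a permit-or-deny effect; two policies conflict when they address the same role and service, their windows overlap, and their effects differ. The sample set reuses the administrative-assistant web policy quoted above and adds a hypothetical second policy that contradicts it on two afternoons.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Window = Tuple[FrozenSet[int], int, int]  # (weekdays, start hour, end hour)

# Hypothetical formal policy structure (added example, not the application's own).
@dataclass(frozen=True)
class Policy:
    name: str
    role: str                 # who the policy applies to
    service: str              # what it governs, e.g. "web"
    days: FrozenSet[int]      # 0=Monday .. 6=Sunday
    start_hour: int           # inclusive, 24h clock
    end_hour: int             # exclusive
    permit: bool              # True = permit inside the window, False = deny

def overlap(a: Policy, b: Policy) -> Optional[Window]:
    """Window where both policies apply to the same role and service, or None."""
    if a.role != b.role or a.service != b.service:
        return None
    days = a.days & b.days
    start = max(a.start_hour, b.start_hour)
    end = min(a.end_hour, b.end_hour)
    if not days or start >= end:
        return None
    return days, start, end

def find_conflicts(policies: List[Policy]) -> List[Tuple[str, str, Window]]:
    """Each pair that overlaps with opposite effects is reported with the overlap."""
    conflicts = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            window = overlap(a, b)
            if window is not None and a.permit != b.permit:
                conflicts.append((a.name, b.name, window))
    return conflicts

WEEKDAYS = frozenset(range(5))  # Monday through Friday

# Constructed sample: the page's example policy, a contradicting one, and an unrelated one.
SAMPLE = [
    Policy("web-hours", "administrative assistant", "web", WEEKDAYS, 11, 15, True),
    Policy("web-lockdown", "administrative assistant", "web", frozenset({2, 3}), 13, 17, False),
    Policy("web-ops", "network operator", "web", WEEKDAYS, 0, 24, True),
]

if __name__ == "__main__":
    for a, b, (days, start, end) in find_conflicts(SAMPLE):
        print(f"{a} conflicts with {b} on days {sorted(days)} {start:02d}:00-{end:02d}:00")
```

Reporting the exact overlap window is what lets an administrator resolve the conflict before either policy is pushed to devices.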
Based on the foregoing, there is a clear need in this field for a formal way to define a policy.
There is also a need to formally define and determine when one policy conflicts with another policy.
There is a further need to recognize a policy conflict and provide a way for an administrator or other user of the system to resolve the policy conflict before the conflicting policies damage the system under management.
There is a particular need for such a system, mechanism or process that can be used in the context of a network management application that manages a network of data communication devices or computer devices.