Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners.
The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. Administration of Cisco Prime LAN Management Solution 4.1 1998 - 2011 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface
Audience
CHAPTER 1
Understanding the System Dashboard
Cisco Prime Product Updates
Critical Message Window
Device Credentials and AAA Information
Log Space Usage
Process Status
System Backup Status
User Login Information
Job Information Status
Audit Trail Information
Job Approval
Syslog Collectors Information
Supported Device Finder Portlet
VRF Collector Summary
Collection Summary Portlet
CHAPTER 2
Setting up Security
Managing Security in Single-Server Mode
Setting up Browser-Server Security
Enabling Browser-Server Security From the LMS Server
Disabling Browser-Server Security From the LMS Server
Setting up Local User Policy
Setting up Local Users
About User Accounts
Understanding Security Levels
Importing and Exporting Local Users
Importing Local Users Using CLI
Importing Users From ACS
Adding and Modifying a Local User
Adding Local Users Using CLI
Assigning Roles on NDG Basis
Modifying Your Profile
Creating Self Signed Certificates
Creating a Self Signed Certificate From the User Interface
Working With Third Party Security Certificates
Managing Security in Multi-Server Mode
Setting up Peer Server Account
Setting up System Identity Account
Setting up Peer Server Certificate
Enabling Single Sign-On
Single Sign-On Setup
Navigating Through the Single Sign-On Domain
Changing the Single Sign-On Mode
Setting up the Authentication Mode
Authentication Using Login Modules - Overview
Setting the Login Module to Pluggable Authentication Modules
Managing Roles
Managing Cisco.com Connection
Setting up Cisco.com User Account
Setting Up the Proxy Server
CHAPTER 3
Managing Processes
LMS Back-end Processes
Server Back-end Processes
Inventory, Config and Image Management Processes
Network Topology, Layer 2 Services and User Tracking Processes
IPSLA Performance Management Processes and Dependency Processes
OL-20721-01
Backing Up Data
Scheduling a Backup
Restoring Data
Changing the Database Password
Effects of Backup-Restore on DCR
Master-Slave Configuration Prerequisites and Restore Operations
Effects of Backup-Restore on Groups
Licensing Cisco Prime LMS
Collecting Server Information
Collecting Self Test Information
Messaging Online Users
Managing Resources
CHAPTER 4
Administering Discovery Settings and Device and Credential Repository
Scheduling Device Discovery
Configuring Device Selector
Selecting Devices for Device Management Tasks
Searching Devices
Performing Simple Search
Performing Advanced Search
Device Selector Settings
Understanding Device Groups
Customizing Device Grouping
Customizing Display Order of Device Groups
Administering Device and Credential Repository
Changing DCR Mode
Configuring Device Polling
Configuring Device Polling Settings
Deleting Unreachable Devices from DCR
Configuring User Defined Fields
Adding User Defined Fields
Renaming User Defined Fields
Deleting User Defined Fields
Configuring Default Credentials
Using Default Credentials
Important Notes on Default Credentials
Default Credentials Behavior in Multi-Server Setup
Configuring Default Credential Sets
Configuring Default Credential Set Policy
CHAPTER 5
Managing Groups
Groups in Single-Server and Multi-Server Setup
Groups in Single Server Scenario
Groups in Multi-Server Scenario
Device Group Administration
Creating Groups
Specifying Group Properties
Defining Group Rules
System Defined Attributes
Assigning Group Membership
Viewing Group Details
Modifying Group Details
Refreshing Groups
Deleting Groups
Exporting Groups
Sample Export Groups Output File
Exporting Groups From User Interface
Importing Groups
Important Notes on Importing Groups
Importing Groups From User Interface
Overview of Subnet Based Groups
Accessing Subnet Based Groups
Understanding Subnet Based Groups
Creating Groups Based on Subnet
DCR Mode Changes and Group Behavior
Unregistering a Slave
Behavior of IP Address Range Based Device Groups in Multi-Server Setup
Port and Module Group Administration
Creating Port and Module Groups
Entering the Port and Module Group Properties Details
Selecting Group Source
Defining Rule Expression for Port or Module Groups
Understanding the Summary
Viewing Port and Module Group Details
Editing Port and Module Groups
Deleting Port and Module Groups
Working with Fault System-defined Groups
LMS System-defined Groups
Fault System Defined Groups
Working with Customizable Groups
Managing Fault Groups
Editing and Creating Fault Groups
Editing a Fault Group
Creating a Fault Group
Understanding Rules
Finalizing Fault Group Membership
Viewing the Fault Group Summary
Viewing Fault Group Details
Viewing Fault Membership Details
Refreshing Fault Membership
Deleting Fault Groups
Understanding Collector Group Rules
IPSLA Collector Group Administration Process
Understanding IPSLA Collector Group Administration
Working with User-Defined Collector Groups
Creating and Modifying User-Defined Collector Groups
Setting Collector Group Properties
Defining Collector Group Rules
Assigning Collector Group Membership
Viewing the Collector Group Summary
Deleting User-Defined Collector Groups
Viewing User-Defined Collector Groups
Viewing Collector Group Details
Viewing Membership Details
Refreshing User-Defined Collector Group Membership
Operation-Based Collector Groups (System-Defined)
CHAPTER 6
CHAPTER 7
Understanding User Tracking
Using User Tracking
Accessing UT Data
Various Acquisitions in User Tracking
Using User Tracking Administration
Viewing User Tracking Acquisition Information
Configuring User Tracking Acquisition Actions
Using User and Host Acquisition
Modifying UT Acquisition Settings
Configuring Rogue MAC List
Modifying UT Acquisition Schedule
Modifying Ping Sweep Options
Configuring UT Subnet Acquisition
Deleting User Tracking Purge Policy Details
Configuring UT Acquisition in Trunk for End Host Discovery
Importing Information on End Host Users
Understanding Dynamic Updates
MAC User-Host Information Collector (MACUHIC) Process
User Tracking Manager (UTManager) Process
UTLite
Viewing Dynamic Updates Process Status
Enabling SNMP Traps on Switch Ports
SNMP MAC Notification Listener
Configuring SNMP Trap Listener
HPOV as Primary Listener
LMS Fault Monitor Module as Primary Listener
Configuring Dynamic User Tracking
Using User Tracking Utility
Understanding UTU
Hardware and Software Requirements for UTU
Downloading UTU
Installing UTU
Installing UTU in Silent Mode
Installing UTU in Normal Mode
Accessing UTU
Configuring UTU
Searching for Users, Hosts or IP Phones Using UTU
Uninstalling UTU
Upgrading to UTU 2.0
Re-installing UTU 2.0
CHAPTER 8
Using the Inventory Job Browser
Viewing Job Details
Creating and Editing an Inventory Collection or Polling Job
Stopping, Cancelling or Deleting an Inventory Collection or Polling Job
Inventory Collection Settings
Secondary Credentials
Changing the Schedule for System Inventory Collection or Polling, and PSIRT/EOX System
Changing the Schedule for System Inventory Collection or Polling
Changing the Schedule for PSIRT/EOX System
PSIRT or End-of-Sale or End-of-Life Data Administration
Changing the Data Source for PSIRT/EOS/EOL Reports
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location
Administering VRF Lite
Using VRF Lite Collector Settings
Scheduling VRF Lite Collector
Modifying VRF Lite SNMP Timeouts and Retries
Configuring Fault Management Rediscovery Schedules
Suspending and Resuming a Rediscovery Schedule
Adding and Modifying a Rediscovery Schedule
Configuring Event Forensics
Performance Management SNMP Timeouts and Retry Settings
IPSLA Application Settings
Copying IPSLA Configuration to Running-Config
Managed Source Interface Setting
Setting Up Archive Management
Preparing to Use the Archive Management
Entering Device Credentials
Modifying Device Configurations
Enabling rcp
Enabling scp
Enabling https
Configuring Devices to Send Syslogs
Modifying Device Security
Router Commands
Switches Commands
Content Networking - Content Service Switch Commands
Content Networking - Content Engine Commands
Cisco Interfaces and Modules - Network Analysis Modules
Security and VPN - PIX Devices
Moving the Configuration Archive Directory
Enabling and Disabling the Shadow Directory
Configuring Exclude Commands
Configuring Fetch Settings
Understanding Configuration Retrieval and Archival
Schedule Periodic Configuration File Archival
Schedule Periodic Configuration Polling
Manual Updates (Sync Archive function)
Using Version Summary
Timestamps of Configuration Files
How Running Configuration is Archived
Change Audit Logging
Defining the Configuration Collection Settings
Configuring Transport Protocols
Requirements to Use the Supported Protocols
Supported Protocols for Configuration Management Applications
Defining the Protocol Order
Overview: Common Syslog Collector
Viewing Status and Subscribing to a Common Syslog Collector
Viewing Common Syslog Collector Status
Subscribing to a Common Syslog Collector
Testing Syslog Collector Subscription
Understanding the Syslog Collector Properties File
Timezone List Used By Syslog Collector
CHAPTER 9
Configuring RMON
Modifying the Parameters
Enabling RMON on All Ports in Selected Devices
Enabling RMON on Selected Ports in Selected Devices
Disabling RMON
Configuring Topology Settings
Viewing Restricted Topology
CHAPTER 10
Configuring Event Sets and Notification Groups for Subscriptions
Configuring Event Sets
Configuring Fault Notification Groups
Setting Up a Fault Notification Group as Static or Dynamic
Managing Fault SNMP Trap Notifications
Adding an SNMP Trap Notification Subscription
Editing an SNMP Trap Notification Subscription
Suspending an SNMP Trap Notification Subscription
Resuming an SNMP Trap Notification Subscription
Deleting an SNMP Trap Notification Subscription
Managing Fault E-Mail Configurations
Managing Fault E-Mail Notification Subscriptions
Adding and Editing an E-Mail Notification Subscription
Managing Fault E-Mail Subject Customization
Managing Fault Syslog Notifications
Adding a Syslog Notification Subscription
Editing a Syslog Notification Subscription
Suspending a Syslog Notification Subscription
Resuming a Syslog Notification Subscription
Deleting a Syslog Notification Subscription
Configuring Fault SNMP Trap Receiving and Forwarding
Enabling Devices to Send Traps to LMS
Enabling Cisco IOS-Based Devices to Send Traps to LMS
Enabling Catalyst Devices to Send SNMP Traps to LMS
Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs
Updating the SNMP Trap Receiving Port
Configuring SNMP Trap Forwarding
Performance SNMP Trap Notification Groups
Creating a Trap Receiver Group
Editing a Trap Receiver Group
Deleting a Trap Receiver Group
Filtering Trap Receiver Groups
Performance Syslog Notification Groups
Creating a Syslog Receiver Group
Editing a Syslog Receiver Group
Deleting a Syslog Receiver Group
Filtering Syslog Receiver Groups
Defining Automated Actions
Creating an Automated Action
Editing an Automated Action
Guidelines for Writing Automated Script
Enabling or Disabling an Automated Action
Exporting or Importing an Automated Action
Deleting an Automated Action
Automated Action: An Example
Verifying the Automated Action
Defining Syslog Message Filters
Creating a Filter
Editing a Filter
Enabling or Disabling a Filter
Exporting or Importing a Filter
Deleting a Filter
Inventory and Config Collection Failure Notification
Configuring Trap Notification Messages
Examples for Collection Failure Notification
Fields in a Trap Notification Message
IPSLA Syslog Configuration
CHAPTER 11
Setting the Purge Policy
Performing a Forced Purge
Config Change Filter
Defining Exception Periods
Creating an Exception Period
Enabling and Disabling an Exception Period
Editing an Exception Period
Deleting an Exception Period
Defining Change Audit Automated Actions
Understanding the Automated Action Window
Creating an Automated Action
Editing an Automated Action
Enabling and Disabling an Automated Action
Exporting and Importing an Automated Action
Deleting an Automated Action
Software Management Administration Tasks
Viewing/Editing Preferences
Selecting and Ordering Protocol Order
How Recommendation Filters Work for an IOS Image
Setting Change Report Filters
CHAPTER 12
Managing Jobs
Configuring Default Job Policies
Defining the Default Job Policies
Configuring NetShow Job Policies
Defining Default Job Policies
Purging Configuration Management Jobs
Defining Protocol Order
Masking Credentials
Job Approval Workflow
Specifying Approver Details
Creating and Editing Approver Lists
Assigning Approver Lists
Setting Up Job Approval
Approving and Rejecting Jobs
Using Device Selector
Using Advanced Search
Using the All Tab
Using the Search Results Tab
Using the Selection Tab
Editing Device Attributes
Attribute Error Report
Device Attributes Export File Format
CHAPTER 13
Performing Software Updates
Viewing the List of Installed Applications and Packages
Selecting Software Updates
Downloading Software Updates
Performing Device Update
Viewing Package Map
Viewing Device Map
Checking for Updates
Deleting Packages
Scheduling Device Package Downloads
Scheduled Job Event Log
Using the Software Center CLI Utility
Querying Updates on the LMS Server
Installing Device Packages
Uninstalling Device Packages
Downloading Software Updates
Downloading Device Updates
Listing Dependent Device Packages
Listing Device Packages Version
CHAPTER 14
Discrepancies and Best Practices Deviations
Interpreting Discrepancies
Trunking Related Discrepancies
Trunk Negotiation Across VTP Boundary
Native VLANs Mismatch
Trunk VLANs Mismatch
Trunk VLAN Protocol Mismatch
VLAN-VTP Related Discrepancies
VTP Disconnected Domain
No VTP Server in Domain with at least One VTP Client
Link Related Discrepancies
Link Duplex Mismatch
Link Speed Mismatch
Link Trunk/NonTrunk Mismatch
Port Related Discrepancy
Port is in Error Disabled State
Device Related Discrepancy
Devices With Duplicate SysName
Spanning Tree Related Discrepancy
Port Fast Enabled on Trunk Port
Interpreting Best Practices Deviations
Channel Ports Related Best Practices Deviations
Non-channel Port in Desirable Mode
Channel Port in Auto Mode
Spanning Tree Related Best Practices Deviations
BPDU Filter Disabled on Access Ports
BPDU-Guard Disabled on Access Ports
BackboneFast Disabled in Switch
UplinkFast not Enabled
Loop Guard and Port Fast Enabled on Ports
Trunk Ports Related Best Practices Deviations
Non-trunk Ports in Desirable Mode
Trunk Ports in Auto Mode
VLAN Related Best Practices Deviations
VLAN Index Conflict
VLAN Name Conflict
Link Ports Related Best Practice Deviation
UDLD Disabled on Link Ports
Access Ports Related Best Practice Deviation
CDP Enabled on Access Ports
Cisco Catalyst 6000 Devices Related Best Practice Deviation
High Availability not Operational
Customizing Discrepancies Reporting and Syslog Generation
CHAPTER 15
Report Setting
Specifying User Tracking Report Purge Policy
Specifying Domain Name Display
Set Report Publish Location
CHAPTER 16
Purge Settings
Purging VRF Management Reports Jobs and Archived Reports
Purging Configurations from the Configuration Archive
Syslog Administrative Tasks
Setting the Syslog Backup Policy
Setting the Syslog Purge Policy
Performing a Syslog Forced Purge
Purging Configuration Management Jobs
Scheduling a Configuration Management Purge Job
Enabling a Configuration Management Purge Job
Disabling a Configuration Management Purge Job
Performing an Immediate Purge for Configuration Management Jobs
Performance Purge Jobs
Performance Purge Data
CHAPTER 17
Debugging Options
Maintaining Log Files
Maintaining Log Files on Solaris/Soft Appliance
Maintaining Log Files on Windows
About Cisco Prime Common Services Log Files
Viewing and Maintaining LMS Log File Details
Fault Management Log Files
Performance Debugging Settings
IPSLA Debugging Settings
Config and Image Management Debugging Settings
Configuring Logging
Setting Debugging Options for Topology and User Tracking
Setting up Debugging Options for Data Collection
Setting up Debugging Options for Network Reports
Setting Debugging Options for Device Groups
Setting Debugging Options for Topology
Debugging Options for User Tracking Server
Debugging Dynamic Updates
Debugging Options for User Tracking Reports
Debugging Options for Dynamic User Tracking Console
Debugging Options for CiscoView
Setting VRF Lite Debugging Options
VRF Lite Server Debugging Settings
VRF Lite Collector Debugging Settings
VRF Lite Client Debugging Settings
VRF Lite Utility Debugging Settings
CHAPTER 18
Understanding Admin Tasks
Understanding System Tasks
Understanding Trust Management Tasks
Understanding Network Tasks
Understanding Collection Tasks
Understanding Report Tasks
Understanding Fault and Event Report Tasks
Understanding Report Archives Tasks
Understanding Report Designer Tasks
Understanding Inventory Report Tasks
Understanding Audit Report Tasks
Understanding Technology Report Tasks
Understanding Performance Report Tasks
Understanding System Report Tasks
Understanding Switch Port Report Tasks
Understanding Configuration Tasks
Understanding Configuration Archive Tasks
Understanding Configuration Tools Tasks
Understanding ConfigCLI Tasks
Understanding Configuration Workflows Tasks
Understanding Configuration Job Browsers Tasks
Understanding Compliance Tasks
Understanding Monitor Tasks
Understanding Performance Settings Tasks
Understanding Fault Settings Tasks
Understanding Threshold Settings Tasks
Understanding Troubleshooting Tools Tasks
Understanding Monitoring Tools Tasks
Understanding Inventory Tasks
Understanding Group Management Tasks
Understanding Job Browsers Tasks
Understanding Device Administration Tasks
Understanding Inventory Tools Tasks
Understanding Work Center Tasks
Understanding Smart Install Tasks
Understanding Auto Smartports Tasks
Understanding Identity Tasks
Understanding EnergyWise Tasks
CHAPTER 19
Solaris Patches
CHAPTER 20
APPENDIX A
Setting Up Local Users Through CLI
Adding Local Users
Importing Local Users
Importing Users From ACS
Changing Cisco Prime User Password Through CLI
Managing Processes Through CLI
Viewing Process Details Through CLI
Viewing Brief Details of Processes
Viewing Processes Statistics
Starting a Process
Stopping a Process
Working With Third Party Security Certificates
Uploading Third Party Security Certificates to LMS Server
Using the SSL Utility Script to Upload Third Party Security Certificates
Setting up Browser-Server Security
Enabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms
Enabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms
Disabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms
Disabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms
Backing up Data Using CLI
Using LMS Server Hostname Change Scripts
Running the Hostname Change Script
Using DCR Features Through CLI
Viewing the Current DCR Mode Using CLI
Viewing Device Details
Changing DCR Mode Using CLI
Using Group Administration Features Through CLI
Exporting Groups Through CLI
Importing Groups Through CLI
Deleting Stale Groups Using CLI
User Tracking Command Line Interface
Exporting Switch Port Usage Report
Using Lookup Analyzer Utility
Understanding UTLite
Installing UTLite Script on Active Directory
Installing UTLite Script on Windows
Installing UTLite Script on NDS
Uninstalling UTLite Scripts From Windows
Uninstalling UTLite Scripts From Active Directory
Uninstalling UTLite Scripts From NDS
User Tracking Debugger Utility
Understanding Debugger Utility
Using Debugger Utility
Configuring Switches to Send MAC Notifications to LMS Server
Administration Command Line Interface
SNMP Configuration on Devices
APPENDIX B
Troubleshooting Guidelines
Troubleshooting User Tracking
Troubleshooting the Cisco Prime LMS Server
Verifying Server Status
Troubleshooting Suggestions
Frequently Asked Questions
User Tracking FAQs
VRF Lite FAQs
Cisco Prime LMS Server FAQs
General
Security
Software Center
Event Distribution Services and Event System Services
Backup and Restore
Database
Apache and Tomcat
Fault Management FAQs
Device Performance Management FAQs
IPSLA Performance Management FAQs
APPENDIX C
The cmexport Command
Running cmexport Command
cmexport Arguments and Options
Mandatory Arguments
Optional Arguments
Function-Specific Options
Displaying Help
Uses of cmexport
cmexport User Tracking
cmexport Discrepancy Command
cmexport Manpage
Command Line Syntax
Commands
Arguments and Options
Mandatory Arguments
Function-Specific Options
Accessing Help
DEE Developers Reference
Schema for User Tracking Data
User Tracking Schema for Switch Data
User Tracking Schema for Phone Data
User Tracking Schema for Subnet Data
Schema for Topology Data
Schema for Discrepancy Data
Using Servlet to Export Data from LMS
APPENDIX D
General Security
Server Security
Server-Imposed Security
Files, File Ownership, and Permissions
Runtime
Remote Connectivity
Access to Systems Other Than the Cisco Prime LMS Server
Access Control
System Administrator-Imposed Security
Connection Security
Security Certificates
Terms and Definitions
APPENDIX E
Configuring Switches With MAC Notification Commands
Device Operating System Version-Specific Commands
Preface
Administration in Cisco Prime LAN Management Solution (LMS) 4.1 groups all the activities and tasks that a user with Network or System Administrator privileges needs to perform. This preface details the related documents that support the Admin feature, and demonstrates the styles and conventions used in this guide. This preface contains:
Audience
This guide is for users who are skilled in network administration and management, and for network operators who use this guide to make configuration changes of devices using LMS. The network administrator or operator should be familiar with the following:
Basic Network Administration and Management
Basic Solaris System Administration
Basic Windows System Administration
Basic Soft Appliance System Administration
Basic LMS Administration
Document Conventions
Table 1 describes the conventions followed in the user guide.
Table 1 Conventions Used
Item: Convention
Commands and keywords: boldface font
Variables for which you supply values: italic font
Displayed session and system information: screen font
Information you enter: boldface screen font
Variables you enter: italic screen font
Menu items and button names: boldface font
Selecting a menu item in paragraphs: Option > Network Preferences
Selecting a menu item in tables: Option > Network Preferences
Note
Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Product Documentation
Note
We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates. Table 2 describes the product documentation that is available.
Table 2 Product Documentation
Document Title Administration of Cisco Prime LAN Management Solution 4.1 (this document)
Available Formats
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/us er/guide/admin/admin.html PDF version part of Cisco Prime LMS 4.1 Product DVD.
Context-sensitive online help Getting Started with Cisco Prime LAN Management Solution 4.1
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/us er/guide/getting_started/gsug.html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/us er/guide/configuration_management/cmug.ht ml PDF version part of Cisco Prime LMS 4.1 Product DVD.
xxiv
OL-20721-01
Preface
Table 2
Document Title Monitoring and Troubleshooting with Cisco Prime LAN Management Solution 4.1
Available Formats
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/us er/guide/monitoring_troubleshooting/mntug. html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/us er/guide/inventory_mgmt/inventory.html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/us er/guide/work_centers/wc.html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/us er/guide/Reports/rptmgt_ug.html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/in stall/guide/install.html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/na vigation/guide/nav_guide.html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/da tabase_schema4.1/guide/dbviews.html PDF version part of Cisco Prime LMS 4.1 Product DVD.
Open Database Schema Support in Cisco Prime LAN Management Solution 4.1
xxv
Preface
Table 2
Document Title Release Notes for Cisco Prime LAN Management Solution 4.1
Available Formats
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/re lease/notes/lms40rel.html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/de vice_support/table/lms40sdt.html PDF version part of Cisco Prime LMS 4.1 Product DVD.
Supported Devices Table for Cisco Prime LAN Management Solution 4.1
Notices
The following notices pertain to this software license.
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
OpenSSL License:
Copyright 1998-2007 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)."
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)."
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License:
Copyright 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscape's SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)". The word "cryptographic" can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)".
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].
CHAPTER 1
Overview of Administration
This guide is intended for Local Area Network (LAN) administrators and management professionals who perform LAN configurations and monitor LAN performance. The Admin menu in the LMS 4.1 groups all the activities and tasks that a user with Network or System Administrator privileges can perform. This section explains:
How the guide is organized?
Administration Tasks
Understanding the System Dashboard
Chapter: Description
Overview of Administration (This chapter): Provides information on the organization of the Administration with Cisco Prime LMS user guide, and describes the System Dashboard portlets in LMS.
Chapter 2, Setting up Security: Describes the security mechanisms that help to prevent unauthenticated access to LMS server, Cisco Prime applications, and data. LMS provides features for managing security while operating in single-server and multi-server modes.
Describes how to use administrative features to ensure that the server is performing properly. You can manage processes, set up backup parameters, update licensing information, collect server information, manage jobs and resources, and configure system-wide information on the Cisco Prime LMS Server.
Chapter 4, Administering Discovery Settings and Device and Credential Repository: Describes how to configure discovery settings, and perform administrative tasks in DCR.
Chapter 5, Managing Groups: Describes how to use the Grouping feature in LMS. LMS 4.1 has a more robust device grouping which can support 600 device groups. The other grouping services that are available in LMS are:
Chapter 6, Administering Data Collection: Describes how to use Data Collection.
Chapter 7, User Tracking and Dynamic Updates: Describes how to use User Tracking and Dynamic Updates. User Tracking allows you to track end stations. Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps.
Chapter 9, Monitoring and Troubleshooting Settings: Describes how to configure all the administrative tasks that you need to perform to monitor and troubleshoot your network using LMS.
Chapter 10, Notification and Action Settings: Describes how to configure the administrative tasks involved in setting up notification and syslog settings. You can also customize the names and event severity, create and activate notification subscriptions, and set up automated actions for Change Audit tasks and syslogs.
Chapter 11, Administering Change Audit and Software Management: Describes how to perform Change Audit tasks and set your preference to download images.
Table 1-1
Chapter: Description
Chapter 12, Managing Jobs: Describes how to manage jobs in LMS, and set up job approval for certain modules in LMS.
Chapter 13, Working With Software Center: Describes how to use the Software Center to check for software and device support updates, download them to their server file system along with the related dependent packages, and install the device updates.
Chapter 14, Discrepancies and Best Practices Deviations: Describes how to use the Discrepancies Reporting module of LMS to view the discrepancies and best practices deviations in your network.
Chapter 15, Report Setting: Describes how to configure some settings for generating reports and set a report publish location.
Chapter 16, Purge Settings: Describes how to configure the purge settings of all modules in LMS.
Chapter 17, Debugging Options: Describes how to configure the debugging settings of all modules in LMS. You can also view the details of all the log files.
Chapter 18, Understanding LMS Tasks: Describes all LMS tasks.
Appendix A, CLI Tools: Describes all the CLI utilities that are available for the administrator in LMS 4.1.
Appendix C, Data Extraction Engine: Describes how to export User Tracking, Topology, and Discrepancy application data using Data Extraction Engine.
Appendix D, Understanding Cisco Prime Security: Describes the various levels of security implemented in Cisco Prime LMS.
Administration Tasks
The System Administration tasks are grouped into:
Authentication Mode Setup Backup Cisco.com Settings Debug Settings Group Management License Management Log Rotation Server Monitoring SMTP Default Server Device Management Functions Software Center System Preferences User Management
Change Audit Settings Discovery Settings PSIRT, EOS and EOL Settings Configuration Job Settings Device Credential Settings Best Practises Deviation Settings Display Settings Monitor and Troubleshoot Notification and Action Settings Purge Settings Resource Browser Software Image Management Config Data Collection Fault Inventory Performance Syslog User Tracking VRF Lite Trust Management
Local Server Multi Server
Apart from the system administration and network administration tasks, you can also perform:
Job Management
Job Browser Job Approval
System Dashboard. For more information, see Understanding the System Dashboard Device Status Dashboard. This section is explained in the Inventory Online Help.
IPv6 Supported Features
The following features in Common Services support IPv6:
Device Discovery
Common Services Device Discovery allows you to discover devices from IPv6 networks, using the CDP and Ping Sweep On IP Range Device Discovery modules.
DCR and Grouping Services
DCR supports IPv6 and stores the expanded format of IPv6 Addresses that are discovered by the CDP and Ping Sweep On IP Range modules.
You can now create group rules based on IPv6 management addresses. LMS supports the IPv6 Addressing scheme in the following Device Discovery pages:
Seed Device Setting Page
SNMP Settings Page
Filter Settings Page
In the Device Troubleshooting home page, the existing IP Address field supports IPv6 Addresses.
Inventory, Config and Image Management
The following features/technologies in Inventory, Config and Image Management support IPv6:
Assigning an IPv6 Address to a Layer 3 device or VLAN Retrieving software files from a device Distributing different versions of software to a device Scheduling retrieval of software from a device Retrieving configuration files from a device Distributing a new configuration to a device Distributing a historical configuration file to a device Scheduling distribution of configuration files to a device Provisioning Auto Smart Ports on ASP-capable devices Medianet Provisioning Identity on Identity-capable devices Configuring Syslogs
CiscoView
CiscoView allows you to enter an IPv6 Address of a device to display the device view for configuring and remote monitoring.
IPv6 Supported Features
The following features in Network Topology, Layer 2 Services and User Tracking support IPv6:
Data Collection The following tasks related to Data Collection are supported in the IPv6 environment:
SNMP Timeout and Retry configuration for IPv6 devices Viewing Data Collection Metrics and reports for IPv4/IPv6 devices Creating group rules based on IPv6 Subnet and IPv6 Subnet Masks Device based debugging for IPv6 devices
Topology The following tasks related to Topology are supported in the IPv6 environment:
Setting an IPv6 Address as the preferred Management Address
CiscoView from Topology Services - Device Dashboard and Add to Critical Poller
Selecting IPv6 devices for Device Type Topology Filter
Network Topology, Layer 2 Services and User Tracking Reports
IP Address fields in all these reports except User Tracking reports can now display IPv6 Addresses. You can sort the reports based on IP Addresses (IPv4 and IPv6).
VLAN Configuration
The following VLAN related configurations are supported in the IPv6 environment:
Configure VLAN Delete VLAN Create Private VLAN Delete Private VLAN Configure Port Assignment Configure Promiscuous Ports Create Trunk Modify Trunk Attributes
The data in these portlets is not displayed based on any role-based authorization, whether device-level or user-level.
Cisco Prime Product Updates Critical Message Window Device Credentials and AAA Information Log Space Usage Process Status System Backup Status User Login Information Job Information Status Audit Trail Information Job Approval Syslog Collectors Information Supported Device Finder Portlet VRF Collector Summary Collection Summary Portlet
Authentication mode fallback: Authentication mode from which the user falls back to the Cisco Prime Local module. This message appears when the user is in fallback mode.
License expiration
Single Sign On (SSO) master unreachability, which is applicable only for a slave server.
Delete the unwanted log files from the NMSROOT directory.
Use the log rotate functionality to rotate the logs to other drives.
Remove unwanted files from the NMSROOT drive.
Note
The Authentication modes appear in the Critical Message Window portlet (in red) if you do not have full privileges in the Device Credential and AAA Information portlet.
Table 1-2
Description Displays the utilization of the drive for Windows, Solaris and Soft Appliance. For Windows: Drive is where the product is installed. For example, 'C' drive in case of "C/Program Files/CSCOpx" For Solaris/Soft Appliance: The portlet displays the File System utilization of the following: /opt - Product Installed location /var - Log file details location.
Processes xyz are down. For example: ESS, EssMonitor, Proxy and so on.
Displays the processes that are down. All the processes that are down are displayed in red in the portlet. However, when Fault processes such as DFMCTMStartup and Data Purge are down, they are not displayed in the Critical Message Window portlet.
Description Mode selected to authenticate the LMS server when logging into the LMS application. For example, TACACS+, MS Active Directory.
If the status is displayed in green, authentication is successful in the local or external server. The status is in red when you log into the Cisco Prime application in fallback mode.
Authorization Mode
Mode used to authorize the user after authentication. From LMS 4.1, only the Cisco Prime Local mode is used to authenticate users, and authorize them to access Cisco Prime LMS. ACS mode is not available. SSO mode, such as Stand alone, Master/Slave.
Table 1-3
Description Number of devices. Click on the number to view the DCR Device Management page details. DCR mode such as Standalone, Master, Slave. For more information about DCR mode, see DCR Architecture in Inventory Management Online Help. For more information on changing the DCR mode, see Changing DCR Mode.
Status of the device polling. The status can be either enabled or disabled. If the status is enabled, then it displays the scheduled jobs along with the Job ID. For example Job ID: 1034.
Total number of devices that are not reachable. Click the unreachable device link to view the report. Time at which the next polling is scheduled.
Description Name of the log file such as syslog.log, EDS.log, upm_base.log, and so on. The asterisk (*) displayed along with some log file names denotes that there are multiple files available.
Displays the location of the log file. For instance, var/adm/CSCOpx/log. Current size of the log file in kilobytes.
You can click the portlet name in the title bar of the portlet to navigate to Log File status report page (Reports > System > Status > Log File). For more information on the list of log files, see Maintaining Log Files.
Process Status
In Process Status portlet, you can manage all the activities or jobs. Table 1-5 lists the Process Status portlet details.
Table 1-5 Process Status Portlet
Description Status of the process, such as Failed to start, Running normally and Shutdown. Number of processes in each state. You can click the portlet name in the title bar of the portlet to navigate to the Process Status report page (Reports > System > Status > Process). You can click the link displayed in the portlet to start or stop the process.
Description Date and time at which the backup was scheduled. You can click the link corresponding to the Backup Schedule to view/schedule the respective Backup Job details in LMS 4.1.
Date and time when the last backup was completed. Status of the last backup. Location of the last backup.
You can click on the portlet name in the title bar of the portlet to navigate to the Backup Job page.
Table 1-7
Description Number of users who have logged in. You can click the number of logged-in users to view the Who is Logged on Report page (also available from Reports > System > Users > Who is Logged On).
Users
Log-in details of all users and the number of sessions opened by each user.
Note
You can send broadcast messages to logged-in users by clicking the Send Message to all users link displayed in the User Login Information portlet. The users receive the message within 60 seconds by default.
You can click the portlet name in the title bar of the portlet to navigate to the Who is Logged on Report page. For more information on setting up local users, see Setting up Local Users.
Field Job ID
Description Unique ID assigned to the job by the system, when the job is created. The Job IDs are displayed in ID.No.of.Instances format in periodic jobs. For example, the Job ID 1002.11 indicates that this is the eleventh instance of the job whose ID is 1002. When you click the Job ID, the job details, if available, are displayed.
Job Type
Type of the job. For example, Inventory Collection, SyslogDefaultPurge, and Net Config Job.
Table 1-8
Field Status
Description Status of the scheduled jobs that are completed. The Job states include Succeeded, Failed, Crashed, Cancelled, and Rejected. Succeeded jobs are displayed in green, and Failed, Crashed, Cancelled, and Rejected jobs are displayed in red.
Description of the job provided by the job creator. It can contain alphanumeric characters. Name of the user who created the job. Date and time at which the job is scheduled to run.
Description Name of the person who performed the change. This is the name entered when the person logged in. It can be the name under which the LMS application is running, or the name under which the Telnet connection is established.
Name of the LMS component involved in the network change. For example, Change Audit, Device Management, ICServer, NetConfig, and NetShow. Date and the time at which the changes were performed on the LMS server. Brief summary of the change that occurred on the LMS server. You can click the portlet name in the title bar to navigate directly to the Report Generator page.
Job Approval
In Job Approval portlet, you can view the list of all jobs. To configure Job Approval portlet, see Configuring the Job Approval portlet. Table 1-10 lists the Job Approval portlet details.
Table 1-10 Job Approval Portlet
Field Job ID
Description ID of the job that has been given for approval. The unique number assigned to the job. For periodic jobs such as Daily, Weekly, and so on, the job IDs are in the number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that this is the third instance of the job ID 1001. Click the Job ID hyperlink to view the job details.
Description of the job. Date and time for which the job is scheduled. The Job Approval portlet allows you to approve or reject a job for which you are an approver. A job will run only if it is approved. If the job is not approved by its scheduled runtime, or if an approver rejects it, the job is moved to its rejected state and will not run. For periodic jobs, only one instance of the job needs to be approved. If one instance is approved, all other instances are also considered as approved. You are notified by e-mail, when a job approved by you is created. This portlet enforces the approval process by sending job requests through e-mail to people on the approved list. You can click the portlet name in the title bar to navigate directly to the Jobs Pending Approval details page in LMS. In the Job Approval portlet, you can view the list of Job details. You can configure the Job Approval portlet to set the number of records to be displayed in the portlet, and refresh time both manually and automatically.
Configuring the Job Approval portlet
Click the Configuration icon. You can: Select the minute and hour from the Refresh Every drop-down list to change the refresh time. The items in the portlet get refreshed at the changed Refresh frequency. Select the number of records to be displayed in the portlet from the Show Last Records drop-down list. Click Save to view the portlet with the configured settings.
Description Host name or the IP address on which the collector is installed. Status of the Remote Syslog Collector. For example, whether it is connected. Number of packets received. To configure Syslog Collectors Information:
Step 1 Move the mouse over the title bar of the Syslog Collector
Step 2 Click the configuration icon. You can:
Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The items in the portlet get refreshed at the changed Refresh frequency.
Select the check box against the type of syslog message (Filtered, Invalid, Dropped, Forwarded) to view the respective columns in the Syslog Collector portlet.
Filtered: Number of filtered messages. Filters are defined with the option Message Filters
Locate the supported devices in the LMS applications
Get the latest updates on devices that are supported and those that will be supported in the upcoming releases.
Raise a request through mail to support a new device that is not supported.
You can search the support of devices added to the DCR using the following search options:
IP Address
Host Name
Display Name
Model Name
SysObjectID
If the device is not supported in the current installation the following message appears:
The device is not supported, click here for more information.
If the requested device is supported in later releases, and not available with your present installation, the following message appears:
Not supported in Installed version <<version number>>. Support available in version << version number>>
Note
If the device is not currently supported with your existing package, you can install the latest IDU from Cisco.com to get the device support. If the requested device is not supported in any releases, the following message appears:
The device is not supported, click here for more information.
Step 2 Click the click here link and a popup box appears. The popup box has the following information:
OK button to raise a request for the unsupported device.
Disclaimer: Please note that all efforts will be made to provide support to this request, however we are unable to commit to a time-line at this moment.
Links to the latest device updates
Link to the Supported Devices Table
Step 3 Click OK button to raise a request for the SysObject ID or Model Name. For example, sysobjectId or Model name. The SysobjectID or the Model Name appears based on the entries made in the portlet.
The default mail client is launched. The To field and Subject field have the following address and entries:
To field: lms-dev-supreq@external.cisco.com
Subject field: Request for new Device Support. For example, <<Model name /SysObjectId>>
Enter Yes against the respective application names for which device support is required. Click Send to send a request.
IP Address
You can use the IP Address option to search the devices that are supported in the LMS application. To search using the IP Address:
Step 1 Select the IP Address from the drop-down list.
Step 2 Enter an IP Address in the IP Address field and click Submit. All applications are displayed, regardless of whether they are installed or not. The supported servers are also displayed.
If the requested device is supported in the later releases and you have not installed it, the following support details are displayed:
Supported in LMS 3.2. Click here to download
If the requested device is on the roadmap for upcoming releases, the following support details are displayed:
Support expected by Sept 08.
If the requested device is not supported in any release, the following supported details are displayed.
Click here to send a request to support team.
Host Name
You can use the Host Name option to search the devices that are supported in the LMS applications. To search using the Host Name:
Step 1 Select the Host Name from the drop-down list.
Step 2 Enter a Host Name in the Host Name field and click Submit. All LMS functions are displayed. The supported servers are also displayed. The LMS applications are:
Inventory, Config and Image Management Network Topology, Layer 2 Services and User Tracking Fault Management IPSLA Performance Management Device Performance Management
For more information on the server supported details, see Step 2 of IP Address.
Display Name
You can use the Display Name option to search the devices that are supported in the LMS applications. To search using the Display Name:
Step 1 Select the Display Name from the drop-down list.
Step 2 Enter a Display Name in the Display Name field and click Submit. All LMS functions are displayed. The supported servers are also displayed. For more information on the server supported details, see Step 2 of IP Address.
SysObjectID
You can use the SysObjectID option to search the devices that are supported in the LMS application. To search using the SysObjectID:
Step 1 Select the SysObjectID from the drop-down list.
Step 2 Enter a SysObjectID in the SysObjectID field and click Submit. All LMS functions are displayed, regardless of whether they are installed or not. The supported servers are also displayed. For more information on the server supported details, see Step 2 of IP Address.
Model Name
You can use the Model Name option to search the devices that are supported in the LMS application. To search using the Model Name:
Step 1 Select the Model Name from the drop-down list.
Step 2 Enter a Model Name in the Model Name field and click Submit. All LMS functions are displayed. The supported servers are also displayed. For more information on the server supported details, see Step 2 of IP Address.
Note
You can also use a wildcard search, (*), to search for the model name.
Running: Indicates that the VRF collector is running.
Idle: Indicates that the VRF collector is not running.
VRF Collector Last Completion Time: Indicates the time when the VRF collection is completed.
Total VRFs Discovered: Total number of VRFs discovered. Click the number to launch the Virtual Network Manager Report.
VRF Supported Devices [H/W and S/W Supported]: Number of VRF-supported devices. These devices have both VRF-supported hardware and software. Click the number to launch the VRF Readiness report.
VRF Capable Devices [H/W Supported, S/W Update Required]: Number of VRF-capable devices. These devices have VRF-supported hardware but these devices do not have the supported IOS image for VRF. Click the number to launch the VRF Readiness report.
Table 1-13
Inventory Collection, Config Archive, EnergyWise Collection, Device Discovery, Fault Discovery, Topology Data Collection, UT Major Acquisition, VRF Collection
In Inventory Collection, Succeeded gives the count of devices for which inventory was collected successfully at least once. In Config Archive, devices in the partial success state are not shown in the Succeeded or Failed columns. In Inventory Collection, Failed gives the count of devices that failed recently. A device that was previously collected successfully and recently failed has an entry in both columns. Do not compare this count with the DCR device count.
Succeeded
Failed
Indicates the time when the collection is completed. Status of the Collector. The two states are:
Running: Indicates that the collector is running.
Idle: Indicates that the collector is not running.
Schedule
Click the Schedule link next to the respective collector to launch the corresponding page. You can now schedule the collector.
Move the mouse over the title bar of the Collection Summary Portlet. Click the configuration icon. Select the Auto Refresh check box. Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The items in the portlet get refreshed at the changed Refresh frequency. Click Save to view the portlet with the configured settings.
Note
The data in the above portlets is not populated based on device-level or user-level authorization. Role-based access control is not applicable to the portlets.
CHAPTER 2
Setting up Security
LMS 4.1 provides security mechanisms that help to prevent unauthenticated access to LMS server, LMS applications, and data. LMS provides features for managing security while operating in single-server and multi-server modes. You can specify the user authentication mode using the Authentication Mode Setup. This section explains the following:
Managing Security in Single-Server Mode Managing Security in Multi-Server Mode Setting up the Authentication Mode Managing Roles Managing Cisco.com Connection
Browser-Server Security Mode Setup: LMS 4.1 Server uses Secure Socket Layer encryption to provide secure access between the client browser and management server and also among the management server and the devices. You can enable or disable SSL depending on your need to use secure access between the client browser and management server.
Local User Policy Setup: Set up username and password policies for local users using this option.
Local User Setup: Edit user settings, add users and assign roles, modify your profile and delete a user, or view a user's settings using this option.
Self Signed Certificate Setup: Create self-signed certificates that can enable SSL connections between the client browser and the management server.
You can set up browser-server security, add and modify users, and create a self signed certificate using the features that come under Single-Server Management in the Security Settings user interface. The Single-Server Management page displays the mode of server security and the information on the self signed certificate.
Step 1
Select Admin > Trust Management > Local Server. The Browser-Server Security Mode Setup page appears.
Step 2
Click Single-Server Management in TOC. The Single-Server Management page displays the mode of server security and the information on self signed certificate.
Setting up Browser-Server Security
Setting up Local User Policy
Setting up Local Users
Creating Self Signed Certificates
Enabling Browser-Server Security From the LMS Server
Disabling Browser-Server Security From the LMS Server
Step 1
Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup. The Browser-Server Security Mode Setup dialog box appears.
Step 2
Select the Enable option to enable SSL.
Step 3
Click Apply.
Step 4
Log out from your Cisco Prime session, and close all browser sessions.
Step 5
Restart the Daemon Manager from the LMS Server CLI:
On Windows:
a. Enter net stop crmdmgtd
b. Enter net start crmdmgtd
On Solaris/Soft Appliance:
a. Enter /etc/init.d/dmgtd stop
b. Enter /etc/init.d/dmgtd start
Step 6
Restart the browser, and the Cisco Prime session. When you restart the Cisco Prime session after enabling SSL, you must enter the URL with the following changes:
The URL should begin with https instead of http to indicate secure connection. Cisco Prime will automatically redirect you to HTTPS mode if SSL is enabled.
Change the port number suffix from 1741 to 443.
If you do not make the above changes, LMS Server will automatically redirect you to https mode with port number 443. The port numbers mentioned above are applicable for LMS Server running on Windows. On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a different port during LMS Server installation.
Step 1
Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup. The Browser-Server Security Mode Setup dialog box appears.
Step 2
Select the Disable option to disable SSL.
Step 3
Click Apply.
Step 4
Log out from your Cisco Prime session, and close all browser sessions.
Step 5
Restart the Daemon Manager from the LMS Server CLI:
On Windows:
a. Enter net stop crmdmgtd
b. Enter net start crmdmgtd
On Solaris/Soft Appliance:
a. Enter /etc/init.d/dmgtd stop
b. Enter /etc/init.d/dmgtd start
Step 6
Restart the browser, and the Cisco Prime session. When you restart the Cisco Prime session after disabling SSL, you must enter the URL with the following changes:
The URL should begin with http instead of https to indicate that connection is not secure.
Change the port number suffix from 443 to 1741.
The port numbers mentioned above are applicable for LMS Server running on Windows. On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a different port during LMS Server installation.
Start the local username with a number
Include special characters in local username
Specify the length of local username
Specify the length of local user password
Include at least characters from lowercase, uppercase, digits and special characters in password.
Same as the username, or the username in reverse
Have the same character repeated three times, in sequence
A variant of the word Cisco
You can apply only one local user policy at a time. You cannot define policies for each local user. The local user policy you set up applies to all users including the administrative users. The local usernames that begin with numbers and contain special characters are not subject to the security limitations of authentication and authorization in LMS Servers integrated with pluggable authentication modules such as Active Directory.
Step 1
Select Admin > System > User Management > Local User Policy Setup. The Local User Policy Setup page appears.
Step 2
Select Allow Special Characters in username to allow special characters in the username. You can include the following special characters in the username:
Special Character    Description
~                    Tilde
@                    Commercial At character
#                    Number sign
_                    Underscore
'                    Apostrophe
-                    Hyphen
/                    Solidus or Leading slash
\                    Trailing slash
.                    Period
space                Non-breaking space
Note
You can add the special characters including hyphen and period in local username only when you have selected this check box. You cannot start a local username with special characters except _ (Underscore).
Step 3
Select Allow Username to start with numbers to allow the first character of a local username to be a numeral. You can enter any number between 0 and 9 in the username as the first character if you have enabled this option.
Step 4
Enter the minimum and maximum length of username of local users. The default minimum length is 5 characters and the default maximum length is 256 characters. You can enter any number between 1 and 256 in the minimum and maximum fields. Ensure that you do not enter a number in minimum username length field that is greater than the number in maximum username length field.
Step 5
Enter the minimum and maximum length of password of local users. The default minimum length is 5 characters and the default maximum length is 256 characters. You can enter any number between 1 and 256 in the minimum and maximum fields. Ensure that you do not enter a number in minimum password length field that is greater than the number in maximum password length field.
Step 6
Import users
Export users
Modify your profile
Add a local user
Edit user profiles
Delete local users
You can also set up local users and reset Cisco Prime password through CLI. This section explains:
About User Accounts
Understanding Security Levels
Importing and Exporting Local Users
Importing Local Users Using CLI
Importing Users From ACS
Adding and Modifying a Local User
Adding Local Users Using CLI
Assigning Roles on NDG Basis
Modifying Your Profile
guest: After authentication and authorization, user will have the default role. After a fresh installation, the default role is Help Desk. You can change the default roles, see Managing Roles for more information.
admin: This login provides the user access to all CiscoWorks tasks.
However, as an administrator, you can create additional unique login IDs for users in your company.
Note
The LMS Server Administrator can set the passwords for admin and guest users during installation. Contact the LMS Server Administrator if you do not know the password for admin.
Note
When you import local users, if there are no roles associated with the users, the default role will be associated with them. You can also export the local users to an output file. You can import local users from the client through CLI. See Importing Local Users Using CLI for more information. You can import local users from ACS through CLI. See Importing Users From ACS for more information. Before you import users from the client, you must install the peer certificate of the remote server in the local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate for more information.
Step 1
Select Admin > System > User Management > Local User Setup. The Local User Setup page appears.
Step 2
You can do one of the following:
Import:
Click Import Users. You can import only files in the XML format. Click Browse and select a file from the client. Click Submit. To return to the Local User Setup page, click Cancel.
Export:
Select the users for whom you want to export information. If you want to select all the users, you can check the check box next to the User field.
Click Export. The files exported are in XML format.
A message appears prompting you to open or save the LMSuserExport.xml file. This file is saved in the client. Click Cancel to return to the Local User Setup page.
NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -import Protocol Hostname Portnumber Username Password (on Solaris/Soft Appliance)
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import Protocol Hostname Portnumber Username Password (on Windows)
where,
Protocol: Protocol of the remote LMS Server. The supported values are HTTP or HTTPS.
Hostname: Hostname or IP address of the remote LMS Server.
Portnumber: Port number of the remote LMS Server.
Username: Remote LMS Server login username.
Password: Remote LMS Server login password.
For example, enter the following command to import the local users from the remote LMS Server lmsdocpc:
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import HTTP lmsdocpc 1741 admin admin
NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -importFromAcs Filename Password (on Solaris/Soft Appliance)
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -importFromAcs Filename Password (on Windows)
where,
Filename: Output of executing CSUtil.exe.
Password: Default password assigned to all the importing users.
Go to Start > Run in the ACS server.
Enter services.msc in the Run command and click OK. It will list all the services registered.
Select CSAuth and right-click to get the Stop option.
Click Stop to stop the CSAuth service.
Execute the command <ACS install directory>/bin/CSUtil.exe -q -d <output file> from CLI.
The output file which we got by running the CSUtil.exe should be given as the input while importing users.
Log Files
The information on the users added or imported into the LMS Server is stored in the following files, when you use the import local user CLI commands:
The AddUser.log file registers the information on the number of users added or imported into LMS Server, number of duplicate users, error messages, and other information that you can use for troubleshooting.
Step 1
Select Admin > System > User Management > Local User Setup. The Local User Setup page appears.
Step 2
Click Add or Edit.
The User Information dialog box appears with the following fields:
Field: Description
Username: Enter the username. The value is case-insensitive. You can control the length of the username, start the username with a number, or include special characters in the local username. To do this, you must set up the username and password policy in the Local User Policy Setup page. See Setting up Local User Policy for information.
Password: Enter the password. You can control the length of the password when you set up policies for local users. See Setting up Local User Policy for information.
Verify Password: Re-enter the password.
E-mail: Enter the e-mail ID. This is mandatory if you assign the approver role to the local user. Otherwise, this is optional.
Authorization Type: Select the radio button corresponding to the authorization type. You can choose from:
Full Authorization: Select this radio button to enable full authorization to the user.
Enable Task Authorization: Select this radio button to enable a role, and the privileges and tasks associated with the roles, to the user. After you select this option, you have to select the desired role from the list of Roles. This is applicable for all devices.
Enable Device Authorization: Select this radio button to enable authorization to device groups. After you select this option, you have to:
Select the device group from the Device Group.
Select the role you want to associate with the device group. The user group can perform the tasks that are assigned to the chosen roles on the chosen device groups.
Roles: Select the check box corresponding to the role to specify the roles to be assigned to the user from the Roles pane. The user group can perform the tasks that are assigned to the chosen role on all devices and device groups. The following roles are available:
Help Desk
Approver
Network Operator
Network Administrator
System Administrator
Super Admin
Enter the network device login credentials for LMS to communicate with the network devices. Enter the username.
Description Enter the password. Re-enter the password. Enter the enable password. Re-enter the enable password.
Click OK. To return to the Local User Setup page, click Cancel.
Note
You can use this CLI command for both system and user-defined roles. Each local user information should be represented in the following format in the text file:
Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword
where,
Username: Local username. The local username is case-insensitive.
Password: Password for the local user account name. You can leave this field blank in the text file and enter the password in the command line when you run the CLI utility. Note that you should enter the password either in the command line or in the input text file. If you mention the password in both the places, the local user will be added with the password specified in the command line. On adding the user by giving password in the command line prompt, default role will be assigned to the user if the role is missing in the input file.
E-mail: E-mail address of the local user. This is mandatory if you assign the approver role to the local user. Otherwise, this is optional.
Roles: Roles to be assigned to the local user. You should assign one or more of the following roles to the user separated by comma.
Help Desk
Approver
System Administrator
Network Administrator
Network Operator
Super Admin
DeviceUname: Device login username.
DevicePassword: Device login password.
DeviceEnPassword: Device enable password.
The following is an example of local user information to be represented in the input text file:
admin123:admin123:admin123@cisco.com:Help Desk,System Administrator:admin:roZes123:roZes
NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -add Filename Password (on Solaris/Soft Appliance)
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -add Filename Password (on Windows)
where,
Filename: Absolute path of the filename containing local users information.
Password: Common password for all user accounts specified in the input text file. This command line parameter is optional if you have specified the passwords for local users in the input text file. Note that you should enter the password either in the command line or in the input text file. If you specify this parameter, the local users are added to Cisco Prime only with this password irrespective of the password entries specified in the input text file.
For example, enter the following command to add local users mentioned in the input file localuser.txt with the password admin:
C:\progra~1\CSCOpx\bin\perl C:\progra~1\CSCOpx\bin\AddUserCli.pl -add C:\files\localuser.txt admin
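A pre-flight check for the AddUserCli.pl -add input file, given here as an added Python example (it is not Cisco's code): it parses the seven-field format described above and applies the local user policy rules this guide lists, including the case where the command-line password overrides the file. Assumptions: the three password restrictions are the ones listed under the local user policy, the two policy check boxes default to off, the "variant of the word Cisco" test is a simple substitution check, and every function and class name is hypothetical.

```python
import re
from dataclasses import dataclass

# Predefined roles and username special characters, as listed in this guide.
SYSTEM_ROLES = {"Help Desk", "Approver", "Network Operator",
                "Network Administrator", "System Administrator", "Super Admin"}
USERNAME_SPECIALS = set("~@#_'-/\\. ")
FIELD_COUNT = 7  # Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword


@dataclass
class Policy:
    """Local User Policy Setup values. Lengths are the guide's defaults;
    the two check boxes are assumed to be off unless enabled."""
    allow_special: bool = False
    allow_leading_digit: bool = False
    user_min: int = 5
    user_max: int = 256
    pass_min: int = 5
    pass_max: int = 256


def check_username(name, policy):
    problems = []
    if not policy.user_min <= len(name) <= policy.user_max:
        problems.append(f"username length {len(name)} outside "
                        f"{policy.user_min}-{policy.user_max}")
    specials = [c for c in name if not (c.isascii() and c.isalnum())]
    if specials and not policy.allow_special:
        problems.append("username has special characters but the policy does not allow them")
    elif any(c not in USERNAME_SPECIALS for c in specials):
        problems.append("username has a character outside the allowed special set")
    if name[:1].isdigit() and not policy.allow_leading_digit:
        problems.append("username starts with a number but the policy does not allow it")
    if policy.allow_special and name[:1] in USERNAME_SPECIALS - {"_"}:
        problems.append("username starts with a special character other than '_'")
    return problems


def check_password(password, username, policy):
    problems = []
    if not policy.pass_min <= len(password) <= policy.pass_max:
        problems.append(f"password length {len(password)} outside "
                        f"{policy.pass_min}-{policy.pass_max}")
    # Usernames are case-insensitive, so the comparison ignores case (assumption).
    if password.lower() in (username.lower(), username[::-1].lower()):
        problems.append("password equals the username or its reverse")
    if re.search(r"(.)\1\1", password):
        problems.append("password repeats one character three times in sequence")
    # Assumption: "variant of the word Cisco" is approximated by undoing common
    # digit/symbol substitutions; the guide does not define the exact test.
    plain = password.lower().translate(str.maketrans("1!|5$0", "iiisso"))
    if "cisco" in plain:
        problems.append("password is a variant of the word Cisco")
    return problems


def lint_user_file(text, policy=None, cli_password=None, extra_roles=()):
    """Return (line_number, message) findings for an AddUserCli.pl -add input file.
    cli_password models the optional command-line password, which wins over the file.
    extra_roles names user-defined roles that should be accepted."""
    policy = policy or Policy()
    findings, seen = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != FIELD_COUNT:  # also catches a ':' inside a password
            findings.append((no, f"expected {FIELD_COUNT} ':'-separated fields, got {len(parts)}"))
            continue
        user, file_pw, email, roles = parts[:4]
        key = user.lower()
        if key in seen:
            findings.append((no, f"duplicate of the username on line {seen[key]}"))
        seen.setdefault(key, no)
        findings += [(no, m) for m in check_username(user, policy)]
        password = cli_password if cli_password is not None else file_pw
        if not password:
            findings.append((no, "no password in the file or on the command line"))
        else:
            findings += [(no, m) for m in check_password(password, user, policy)]
        role_list = [r.strip() for r in roles.split(",") if r.strip()]
        if not role_list:
            findings.append((no, "no role given: the default role will be assigned"))
        for role in role_list:
            if role not in SYSTEM_ROLES and role not in extra_roles:
                findings.append((no, f"unknown role {role!r}"))
        if "Approver" in role_list and not email:
            findings.append((no, "E-mail is mandatory for the Approver role"))
    return findings


# Line 1 is the guide's own sample entry; lines 2-4 are constructed for this example.
SAMPLE = """\
admin123:admin123:admin123@cisco.com:Help Desk,System Administrator:admin:roZes123:roZes
jsmith:C1sc0!admin::Approver:::
9netops:Blue-Harbor-42:ops@example.com:Network Operator:::
Admin123:xxxLongerPass:a@example.com:Help Desk:::
"""

if __name__ == "__main__":
    for line_no, message in lint_user_file(SAMPLE):
        print(f"line {line_no}: {message}")
```

The input file carries login, device and enable passwords in clear text, so keep it readable only by the account that runs the import and remove it afterwards.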
Log Files
The user information added or imported into the LMS Server is stored in the following files, when you use the import local user CLI command:
The AddUser.log file registers the information on the number of users added or imported into LMS Server, number of duplicate users, error messages and other information that you can use for troubleshooting.
Deleting Stale Users From LMS Portal
This section describes how to delete stale users from LMS Portal. When you delete the user names from Cisco Prime Common Services application, they are deleted only from the Common Services database and not from LMS Portal database. The usernames remain in LMS Portal as stale users.
Go to the following link: http://server-name:portno/cwportal/c/portal/StaleUserDeletion. In the URL, enter a server name and launch the URL in the browser window. The Portal Stale User Deletion page is displayed. Click the Delete Stale Users button. The stale users are deleted from the Portal database.
Step 2
Step 3
If you have assigned a Network Device Group to your AAA client (LMS Server and network devices), you must assign that device group to a role. You cannot have role and device group combinations assigned to a user without assigning the Network Device Group to your AAA client.
You can assign only one role to a user, to operate on an NDG. If a user requires privileges other than those associated with the current role, to operate on an NDG, a custom role should be created. All necessary privileges to enable the user to operate on the NDG should be given to this role. For example, if a user needs to have Approver and Network Operator privileges to operate on NDG1, you can create a new custom role with Network Operator and Approver privileges, and assign the role to the user to operate on NDG1.
You cannot assign roles to the DEFAULT device group. When the DEFAULT (unassigned device group) is selected, you can perform only the Help Desk role, irrespective of the roles chosen. To assign the proper role, the network access server (NAS) should be added to device groups other than DEFAULT.
Select Admin > System > User Management > Local User Setup. The Local User Setup page appears. Click Modify My Profile to modify the credentials of the logged in user and the network device login credentials. Enter the user login details like username, password, and e-mail address. The E-mail field is mandatory if you assign the approver role to the local user, otherwise, this is optional.
Step 2 Step 3
Step 4
Enter the network device login credentials for LMS to communicate with the network devices. Enter the values for username, password, and enable password. Click OK. To return to the Local User Setup page without saving the modifications, click Cancel.
Step 5
Note
If you regenerate the certificate, when you are in multi-server mode, existing peer relations might break. The peers need to re-import the certificate in this scenario. This section explains the following:
Creating a Self Signed Certificate From the User Interface
Working With Third Party Security Certificates
Step 1
Select Admin > Trust Management > Local Server > Certificate Setup. The Certificate Setup page appears.
Step 2
Enter the values required for the fields described in the following table:
Field: Usage Notes
Country Name: Two character country code.
State or Province: Two character state or province code or the complete name of the state or province.
City: Two character city or town code or the complete name of the city or town.
Organization Name: Complete name of your organization or an abbreviation.
Organization Unit Name: Complete name of your department or an abbreviation.
Server Name: DNS name, IP Address, or hostname of the computer. Enter the server name with a proper and resolvable domain name. This is displayed on your certificate (whether self-signed or third party issued). Local host or 127.0.0.1 should not be given.
Email Address: E-mail address to which the mail has to be sent.
Step 3
Click Apply to create the certificate. The process generates the following files:
server.key: Private key of the server.
server.crt: Self-signed certificate of the server.
server.pk8: Private key of the server in PKCS#8 format.
server.csr: Certificate Signing Request (CSR) file.
You can use the CSR file to request a security certificate, if you want to use a third party security certificate. If the certificate is not a Self signed certificate, you cannot modify it. To return to the CiscoWorks home page, click Cancel.
Peer Server Account Setup: Helps you create users who can log into LMS Servers and perform certain tasks. These users should be set up to enable communication among multiple LMS Servers.
System Identity Setup: Enables communication among multiple LMS Servers based on a trust model addressed by Certificates and shared secrets. System Identity setup should be used to create a trust user on slave or regular servers for communication to happen in multi-server scenarios.
Peer Server Certificate Setup: Adds the certificate of another LMS Server into its trusted store. This allows LMS Servers to communicate with one another using SSL.
Single Sign-On Setup: Enables you to use your browser session to transparently navigate to multiple LMS Servers without authenticating to each server.
The Current Multi-Server Settings page displays the mode of server security and the information on self signed certificate. To open the Current Multi-Server Settings page:
Step 1
Select Admin > Trust Management > Multi Server.
Step 2
Click Current Multi-Server Setting in TOC. The Current Multi-Server Settings page displays the Single Sign-On details.
This section describes the features that enable secure communication between peer servers in a multi-server domain. It contains:
Setting up Peer Server Account
Setting up System Identity Account
Setting up Peer Server Certificate
Enabling Single Sign-On
Select Admin > Trust Management > Multi Server > Peer Server Account Setup. The Peer Server Account Setup page appears. Click Add. The Peer Server Account Setup page appears. Enter the username in the Username field. Enter the password in the Password field. Re-enter the password in the Verify field. Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.
Step 2
Select Admin > Trust Management > Multi Server > Peer Server Account Setup. Click Edit. The Peer Server Account Setup page appears. Enter the password in the Password field. Re-enter the password in the Verify field. Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.
Select Admin > Trust Management > Multi Server > Peer Server Account Setup. The Peer Server Account Setup page appears. Select the check box corresponding to the user you want to delete. Click Delete. The confirmation dialog box appears. Click OK to confirm. To return to the Peer Server Account Setup page without saving the changes, click Cancel.
Step 2 Step 3
Step 4
The user is a Local User with all privileges. If the user is not present, or if the user does not have all privileges, an error message appears. The System Identity User is also a Peer Server User. If not, the user will be made a Peer Server User.
For peer to peer communication to work in a multi-server domain, you have to configure the same System Identity User on all the machines that are part of the domain. For example, if S1, S2, S3, S4 are part of a domain, and you configure a new System Identity User, say Joe, on S1, you have to configure the same user, Joe, with the same password you specified on S1, on all the other servers, S2, S3, and S4, to enable communication between them. See Master-Slave Configuration Prerequisites and Enabling Single Sign-On to learn more about the usage of these features.
Select Admin > Trust Management > Multi Server > System Identity Setup Enter the username in the Username field. Enter the password in the Password field. Re-enter the password in the Verify field. Click Apply. Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and authenticity between Master and Slave. The System Identity User password you specify in Master and Slave should be the same. We recommend that you have the same user name and password across Master and Slave.
Select Admin > Trust Management > Multi Server > Peer Server Certificate Setup. The Peer Server Certificate page appears with a list of certificates imported from other servers. Click Add. Enter the IP address/hostname of peer LMS Server in the corresponding fields. If you specify a server name, it must be entered in DNS. Otherwise specify the IP Address. Enter the value of the SSL (HTTPS) Port of the peer LMS Server. The default SSL(HTTPS) Port of the peer LMS Server is 443. Click OK. To return to the Peer Server Certificate page, click Cancel.
Step 2 Step 3
Step 4 Step 5
Select the check box corresponding to the certificate you want to delete. Click Delete. The confirmation dialog box appears. Click OK to confirm. To return to the Peer Server Certificate page, click Cancel.
Step 3
You can also view the details of the client certificates. For this, select the check box corresponding to the certificate and click View.
Single Sign-On Setup
Navigating Through the Single Sign-On Domain
Changing the Single Sign-On Mode
One of the LMS Servers should be set up as the Authentication Server (AS).
Trust should be built between the LMS Servers, using self signed certificates. A trusted certificate is created by adding it in the trust key store of the server. Cisco Prime TrustStore or KeyStore is maintained by the certificate management framework in LMS.
Each LMS Server should set up a shared secret with the authentication server. The System Identity user password acts as a secret key for Single Sign-On.
The Single Sign-On Authentication Server is called the Master, and the Single Sign-On Regular Server (RS) is called the Slave. You must perform the following tasks if the server is configured either as Master or as Slave:
Configure the System Identity User and password in both Master and Slave. The System Identity User name and password you specify in Master and Slave should be the same. Configure the Master Self Signed Certificate in Slave.
Single Sign-On uses System Identity user password as the secret key to provide confidentiality and authenticity between Master and Slave. We recommend that you have the same user name and password for both Master and Slave. The Common Name (CN) in the certificate should match with that of the Master server name. Otherwise it would not be considered as a valid certificate.
Single Sign-On is used only for authentication and not for authorization. In Single Sign-On, authentication always takes place from the Single Sign-On Master server (Authentication Server-AS). Hence, you need to provide the username and password as configured in Single Sign-On AS. Authorization happens at the respective servers. If Regular Server (RS) is configured for any Pluggable Authentication Module (PAM), say Active Directory (AD), and AS is configured for Cisco Prime Local, then authentication happens as per the credentials in Cisco Prime Local (AS) and vice versa. For example, if server A is configured as Single Sign-On Master (AS) and the AAA mode setup is Active Directory (AD) and Server B is configured as Single Sign-On Slave (RS) and the AAA mode setup is Cisco Prime Local: When you login to server B (http://B:1741), your authentication request is forwarded to server A (AS) and you get authenticated according to the username and password configured in AD. However, authorization happens only in server B. The privileges for the logged in user in any server within the Single Sign-On domain will depend upon the user roles configured in that server. If the user is present only in the Single Sign-On Authentication Server and not in the Regular Server, then that user gets authenticated according to the credentials in the authentication server, but has only HelpDesk privileges in the Regular Server. We recommend that you:
Add the user across all servers within the Single Sign-On domain. Assign appropriate roles to the user, in each of the LMS Servers.
See Setting up System Identity Account for more information on how to set up System Identity User. Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and authenticity between Master and Slave. The System Identity User password you specify in Master and Slave should be the same. We recommend that you have the same user name and password across Master and Slave. To configure the Master Self Signed Certificate in the Slave, select Admin > Trust Management > Multi Server > Peer Server Certificate Setup. The Common Name (CN) in the certificate should match with the Master server name. Otherwise, it would not be considered as a valid certificate.
You can register the links of the servers that are part of the Single Sign-On domain, in any of the servers, using the Link registration feature. The registered links will appear either under Third Party or Custom tools, depending on what you specify during registration. If you click on the registered link, it launches the page corresponding to the registered link.
You must specify the URL, with the context while registering the server link. For example, let ABC and XYZ be part of the same Single Sign-On domain. You can register the link for ABC on XYZ. While registering server ABC in XYZ, you have to specify the URL as:
http://ABC:1741/cwhp/cwhp.applications.do
If ABC is running in HTTPS mode, you have to specify the URL as:
https://ABC:443/cwhp/cwhp.applications.do
In the above example, clicking on the registered link will launch the CiscoWorks home page of server ABC.
Launching a New Browser Instance
After logging into any of the servers that are part of the Single Sign-On domain, you can open a new browser instance from that server, and provide the URL of any other server of the Single Sign-On domain, to which you need to navigate.
Note
We recommend that you do not use the IP address of the servers that are part of Single Sign-On or localhost, while specifying the URL. For example, suppose ABC and XYZ are part of a Single Sign-On domain.
Log in to ABC.
Launch a new browser instance (File > New > Window, in Internet Explorer) from the same browser window.
Enter the URL, with the context (http://XYZ:1741/cwhp/cwhp.applications.do) of XYZ in the new browser instance. This launches the CiscoWorks home page of XYZ, directly.
Master mode: The Single Sign-On Authentication Server does the authentication and sends the result to the Regular Server. Change the Single Sign-On mode to Master, if login is required for all Single Sign-On regular servers. Login requests for all the Single Sign-On regular servers will be served from the Master.
Slave mode: Single Sign-On Regular server for which authentication is done at the Master. While logging into regular server, if the authentication server is not reachable, the following message appears:
SSO unreachable
Only one server is configured to be in the Master mode. All other servers are configured as Slaves. If the server is configured as a Single Sign-On Regular server (Slave), you should provide the following details:
Master server name The Master server name must be DNS resolvable. If you change the name of the Single Sign-On Master server, in the /etc/hosts file, you must restart the Daemon Manager for the name resolution to reflect in the Slave. If you have configured more than one Single Sign-On Slave servers for a Single Sign-On Master server, you must ensure that you enter either the fully qualified domain name or hostname of the Master consistently in all the Slave servers. Authentication will not occur if you enter a domain name of the Master in a Single Sign-On Slave and hostname of the Master in another Single Sign-On Slave of the same Master server.
Select Admin > Trust Management > Multi Server > Single Sign-On Setup. The Single Sign-On Setup page shows the current Single Sign-On mode. Select Standalone (Normal) radio button. Click Apply. To return to the CiscoWorks home page, click Cancel.
Step 2 Step 3
Select Admin > Trust Management > Multi Server > Single Sign-On Setup. The Single Sign-On Setup page shows the current Single Sign On mode. Select the Master (SSO Authentication Server) radio button. Click Apply. To return to the CiscoWorks home page, click Cancel.
Step 2 Step 3
Step 1
Select Admin > Trust Management > Multi Server > Single Sign-On Setup. The Single Sign-On Setup page shows the current Single Sign-On mode.
Step 2
Select the Slave (SSO Regular Server) radio button.
Step 3
Enter the Master server name and port number. If you select the Slave mode, ensure that you specify the Master server name and port. The default port is 443. The server configured as Master (or Authentication Server) should be DNS resolvable.
Setting up Security
Step 4
The System Identity user password of the Slave matches that of the Master.
The Self Signed Certificate of the Master is added as the peer certificate in the Slave.
The Common Name (CN) in the certificate matches the Master server name.
The Master is up and running on the specified port.
In case any of these checks fail, you are prompted to perform these steps before proceeding. To return to the CiscoWorks home page, click Cancel.
Authentication Using Login Modules - Overview Setting the Login Module to Pluggable Authentication Modules
After you select and configure a login module, all authentication transactions are performed by that module. To assign a user to a different role, such as the System Admin role, you must configure the user locally. Such users must have the same user ID locally, as they have in the alternative authentication source. Users log in with the user ID and password associated with the current login module.
By default, Cisco Prime LMS uses LMS Server authentication (Cisco Prime Local) to authenticate users and authorize them to access Cisco Prime LMS. After authentication, your authorization is based on the privileges that have been assigned to you. A privilege is a task or an operation defined within the application. The set of privileges assigned to you defines your role. It dictates how much, and what type of, system access you have. The LMS Server authorization scheme has the following default or predefined roles. You can also create user-defined roles and assign users a set of privileges that suits your needs. See Managing Roles for more information. The predefined roles are listed here in order from the least privileged to most privileged:
Help Desk: Can access network status information only. Can access persisted data on the system and cannot perform any action on a device, or schedule a job that will reach the network.
Approver: Can approve all LMS tasks.
Network Operator: Can perform all Help Desk tasks. Can perform tasks related to network data collection. Cannot perform any task that requires write access on the network.
Network Administrator: Can perform all Network Operators tasks. Can perform tasks that result in a network configuration change.
System Administrator: Can perform all Cisco Prime system administration tasks.
Super Admin: Can perform all Cisco Prime operations including administration and approval tasks. By default, this role has full privileges.
The LMS Server determines user roles. Therefore, all users must be in the local database of user IDs and passwords. Users who are authenticated by an alternative service and who are not in the local database are assigned to the same role as the guest user (by default, the Help Desk role).
Understanding Fallback Options
Fallback options allow you to access the software if the login module fails, or if you accidentally lock yourself or others out. There are three login module fallback options. These are available on all platforms. The following table gives you the details:
Option | Description
Allow all Cisco Prime Local users to fallback to the Cisco Prime Local login. | All users can access Cisco Prime using the Local login if the current login module fails.
Only allow the following user to fallback to the Cisco Prime Local login if preceding login fails: username. | Specified users can access Cisco Prime using the Local login if the current login module fails. Use commas between user names.
Allow no fallbacks to the Cisco Prime Local login. | No access is allowed if the current login module fails.
Debugging
Cisco Prime allows you to enable debugging on the current login module so that you have additional information in the log files that you can use for troubleshooting. Turn debugging on only when requested to do so by your customer service representative. Enabling debugging does not alter the behavior of the modules. Debugging information is not exposed in the user interface, but is stored in the stdout.log file in the following locations:
Changing Login Module to Cisco Prime Local
Changing Login Module to KerberosLogin
Changing Login Module to Local Unix System
Changing Login Module to Local NT System
Changing Login Module to MS Active Directory
Changing Login Module to RADIUS
Changing Login Module to TACACS+
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. The Authentication Mode Setup page displays the current login module, and the available login modules. The available login modules are:
Step 2
Cisco Prime Local
IBM SecureWay Directory
KerberosLogin
Local Unix System
Local NT System
MS Active Directory
Netscape Directory
RADIUS
TACACS+
The login username is case sensitive when you use the following login modules:
Step 3 Step 4
KerberosLogin
Local Unix System
Netscape Directory
RADIUS (only on Solaris)
TACACS+ (only on Solaris)
Select a login module. Click Change. The Login Module Options popup window appears. Enter the corresponding login module information. See the respective login module section for login module options. Click OK. To return to the Authentication Mode Setup page, click Cancel.
Step 5
Step 6
Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears.
Step 2
Select the Cisco Prime Local radio button.
Step 3
Click Change. The Login Module Options popup window appears.
Step 4
Set the Debug option to False. Set it to True for debugging purposes, when requested by your customer service representative.
Step 5
Click OK. To return to the Authentication Mode Setup page, click Cancel.
Kerberos provides strong authentication for client-server applications by using secret-key cryptography. To change the Login Module to KerberosLogin:
Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears.
Step 2
Select the KerberosLogin radio button.
Step 3
Click Change. The Login Module Options popup window appears with the following details:
Description KerberosLogin Kerberos login module. Kerberos login module. Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative.
Realm
The Kerberos realm name. Although the realm can be any ASCII string, the convention is to make it the same as your domain name, in upper-case letters. For example, SERVER.COM. The Kerberos Key Distribution Center. For example, my_kdc.server.com. Set the option for fallback to the Cisco Prime Local module if the alternative service fails.
Step 4
Click OK. To return to the Authentication Mode Setup page, click Cancel.
This option is available only on Unix systems. To change the login module to Local Unix System:
Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears.
Step 2
Select the Local Unix System radio button.
Step 3
Click Change. The Login Module Options popup window appears with the following details:
Field | Description
Selected Login Module | Local UNIX System.
Description | Cisco Prime native Solaris module.
Debug | Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative.
Login fallback options | Set the option for fallback to the Cisco Prime Local module if the alternative service fails.
Step 4
Click OK. To return to the Authentication Mode Setup page, click Cancel.
This option is available only on Windows. To change the login module to Local NT System:
Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears.
Step 2
Select the Local NT System radio button.
Step 3
Click Change. The Login Module Options popup window appears with the following details:
Field | Description
Selected Login Module | Local NT System.
Description | Cisco Prime native NT login module.
Debug | Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative.
Domain | Set to localhost.
Login fallback options | Set the option for fallback to the Cisco Prime Local module if the alternative service fails.
Step 4
Click OK. To return to the Authentication Mode Setup page, click Cancel.
The MS Active Directory login module implements Lightweight Directory Access Protocol (LDAP). Before a user logs in, the user account should be set up in the LDAP server. When you change the login module to MS Active Directory, you should configure any one of the following options to integrate LMS Server with Active Directory server for authentication services:
Distinguished Name (DN): A distinguished name is made up of three parts: Relative Distinguished Name Prefix (RDN-Prefix), User login, and Usersroot. You have to configure RDN-Prefix and Usersroot in Cisco Prime. The login name is appended to RDN-Prefix when the user logs into Cisco Prime. For example, a distinguished name could be represented as: cn=User_Name, ou=org1, dc=embu, dc=cisco. The RDN-Prefix is cn=, User login is User_Name, and Usersroot is ou=org1, dc=embu, dc=cisco. A Distinguished Name is composed of any number of cn, ou and dc components.
You can specify more than one usersroot value. Each usersroot value should be separated by a semicolon.
User Principal Name (UPN): A user principal name is composed of two parts, User login and User Principal Name Suffix (UPN-Suffix). The User Principal Name suffix configured in Cisco Prime is appended to the login name when the user logs into Cisco Prime. The second part of the UPN, the UPN suffix, identifies the domain in which the user account is located. This UPN suffix can be the DNS name of any domain, or it can be an alternative name created by an administrator and used just for login purposes. For example, a User Principal Name could be represented as user1@mydept.mycompany.com, where user1 is the login name and @mydept.mycompany.com represents the UPN-Suffix.
Domain name: For domain-based authentication, you should configure in Cisco Prime the Active Directory domain name that contains the set of users to be integrated. For example, if you want the users of the MyDomain domain in the MS Active Directory server to be authenticated in LMS Server, you should specify MyDomain in this field. Each domain also has a pre-Windows 2000 domain name for use by computers running operating systems released earlier than Windows 2000. Similarly, each user account has a pre-Windows 2000 user login name. The user account in the DomainName\UserName format, used to log into operating systems released earlier than Windows 2000, is called the Security Account Manager (SAM) account. You can also configure the SAM account in the LDAP server and enter the same name in Cisco Prime when you change the login module to Microsoft Active Directory.
When the Distinguished Name based authentication to the Active Directory server fails, Cisco Prime attempts to authenticate to the Active Directory server using the User Principal Name string. When both the Distinguished Name based authentication and the User Principal Name based authentication fail, LMS Server tries to authenticate using the Domain name. To change login module to MS Active Directory:
Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears.
Step 2
Select the MS Active Directory radio button.
Step 3
Click Change. The Login Module Options popup window appears with the following details:
Field | Description
Selected Login Module | Name of the login module (MS Active Directory) you have selected in the Authentication Mode setup page.
Description | Brief description about the login module you have selected. For the MS Active Directory login module, the description displayed is Cisco Prime MS Active Directory module.
Server | Name of the LDAP server. Default set to ldap://ldap.company.com.
Usersroot | User objects in MS Active Directory. Default set to cn=users, dc=servername, dc=company, dc=com. For example, if users in the Active Directory have ou=myDept, dc=myCompany, dc=com in their Distinguished Name (DN) strings, you should specify the same in this field to integrate the LMS Server with the MS Active Directory server. You can also enter multiple usersroot values separated by semicolon. For example, you can enter ou=myDept, dc=myCompany, dc=com; ou=Dept1, ou=Dept2, dc=myCompany, dc=com. When you integrate your LMS Server with the MS Active Directory server, you should configure this field for a Distinguished Name based authentication. If you are using Windows 2008 Active Directory, you have to provide the complete Usersroot information (including cn=Username). This is because the Windows 2008 Active Directory implementation has disabled anonymous search requests. Otherwise, if your Active Directory Server allows anonymous binds, you need to specify only dc=servername, dc=company, dc=com.
RDN-Prefix | String prefixed to the login username to form a Relative Distinguished Name (RDN). Default is set to cn=. For example, when you have configured this field as cn= and log into the server as MyUser, the RDN formed is cn=MyUser. When you integrate your LMS Server with the MS Active Directory server, you must configure this field for a Distinguished Name based authentication.
UPN-Suffix | String suffixed to the login username, usually the domain in which the user account is located, to form a User Principal Name. You should configure this field for a UPN based authentication. For example, if the UPNs of Active Directory users who need to be integrated with Cisco Prime are user1@mydept.mycompany.com, user2@mydept.mycompany.com, and user3@mydept.mycompany.com, you should mention @mydept.mycompany.com in this field.
AD-Domain | Active Directory domain. You should configure this field for a domain based authentication. Users of the specified domain in MS Active Directory server are authenticated when you integrate the LMS Server with MS Active Directory server.
Debug | Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative.
Login fallback options | Set the option for fallback to the Cisco Prime Local module if the alternative service fails. You can set any of the following options:
Allow all Cisco Prime local users to fallback to the Cisco Prime Local login.
Allow only the specified users to fallback to the Cisco Prime Local login. When you select this option, you should enter one or more Cisco Prime local usernames separated by commas. This is the default login fallback option.
Do not allow any fallback to the Cisco Prime Local login.
Note
You must enter a value for at least one of the fields: Usersroot, UPN-Suffix, and AD-Domain. You cannot leave all the three fields blank.
Step 4
Click OK. To return to the Authentication Mode Setup page, click Cancel.
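The following Python sketch is an added example, not Cisco's code. It derives the identities described above from the Usersroot, RDN-Prefix, UPN-Suffix and AD-Domain fields, in the order the text says they are tried. The function names, the RFC 4514 escaping of the login name, the listed-order handling of multiple Usersroot values and the digest_md5 switch (which applies this section's statement that DIGEST-MD5 supports only UPN and SAM accounts) are assumptions of the example.

```python
"""Added example: login identities derived from the MS Active Directory fields."""

# Characters that RFC 4514 requires to be escaped inside an RDN value.
RFC4514_SPECIALS = '"+,;<>\\'


def escape_rdn_value(value):
    """Escape a login name so it stays a single RDN value.

    Assumption of this example: the page does not say how LMS treats
    special characters in the login name.
    """
    pieces = []
    for ch in value:
        if ch in RFC4514_SPECIALS:
            pieces.append("\\" + ch)
        elif ch == "\x00":
            pieces.append("\\00")
        else:
            pieces.append(ch)
    if value and value[0] in "# ":          # leading '#' or space
        pieces[0] = "\\" + value[0]
    if len(value) > 1 and value[-1] == " ":  # trailing space
        pieces[-1] = "\\ "
    return "".join(pieces)


def candidate_identities(login, usersroot="", rdn_prefix="cn=",
                         upn_suffix="", ad_domain="", digest_md5=False):
    """Return (kind, identity) pairs in the order DN, UPN, Domain."""
    if not login:
        raise ValueError("login name is empty")
    # Usersroot may hold several values separated by semicolons.
    roots = [r.strip() for r in usersroot.split(";") if r.strip()]
    if not (roots or upn_suffix or ad_domain):
        # Mirrors the Note: the three fields cannot all be blank.
        raise ValueError("set at least one of Usersroot, UPN-Suffix, AD-Domain")

    identities = []
    if not digest_md5:
        # RDN-Prefix + login forms the RDN; each Usersroot value completes a DN.
        # The Usersroot text is passed through unchanged.
        for root in roots:
            identities.append(("DN", f"{rdn_prefix}{escape_rdn_value(login)},{root}"))
    if upn_suffix:
        identities.append(("UPN", login + upn_suffix))
    if ad_domain:
        # Pre-Windows 2000 (SAM) form: DomainName\UserName.
        identities.append(("Domain", f"{ad_domain}\\{login}"))
    return identities


if __name__ == "__main__":
    # Field values below are the examples used in this section.
    for kind, identity in candidate_identities(
            "MyUser",
            usersroot="ou=myDept, dc=myCompany, dc=com; "
                      "ou=Dept1, ou=Dept2, dc=myCompany, dc=com",
            upn_suffix="@mydept.mycompany.com",
            ad_domain="MyDomain"):
        print(f"{kind:7} {identity}")
```

The escaping step is what keeps a login name that contains a comma or plus sign from being read as additional DN components.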
After the integration of LMS Server with MS Active Directory server, you can log into LMS Server with an Active Directory username and the corresponding password. MS Active Directory server provides authentication services to LMS Server by the default simple authentication mechanism. To provide a secure authentication mechanism with DIGEST-MD5 to LMS Server, you should:
Step 1
Edit the Account Options of a user in the MS Active Directory Server and enable the Store password using reversible encryption option.
Step 2
Reset the password of the user to authenticate properly.
Step 3
Configure the cam.properties file in LMS Server located at NMSRoot/lib/classpath, where NMSRoot is your Cisco Prime Installation directory. You must change the following line in the cam.properties file from:
#LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
to
LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
If you want the secure authentication mechanism to fallback to simple authentication mechanism, you must configure the LDAP_FALLBACK_AUTHENTICATION_NEED property. You must change the following line in the cam.properties file from:
#LDAP_FALLBACK_AUTHENTICATION_NEED=True
to
LDAP_FALLBACK_AUTHENTICATION_NEED=True
Step 4
Note
Digest-MD5 authentication supports only User Principal Name and Security Account Manager user accounts. You cannot log into LMS Server with the User login name. Active Directory users who are logged into Cisco Prime, have the privileges of a Help Desk role. To assign other privileges to Active Directory users, you must set up a user in Cisco Prime with the same name. For example, to assign the System Administrator privileges to a MS Active Directory users User1 and User2 in Cisco Prime, you must set up User1 and User2 in Cisco Prime and assign System Administrator role to them. When the users log into Cisco Prime, they also have the System Administrator privileges.
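The following Python check is an added example, not part of the Cisco documentation or product. It reads the text of a cam.properties file and reports which LDAP authentication mechanism the two properties above select. The sample file contents are constructed, and the function names, the case-insensitive value comparison and the server_url parameter (the value of the Server field) are assumptions of the example.

```python
"""Added example: report the LDAP bind mechanism selected in cam.properties."""

# Constructed file contents. Only the two property names and their
# commented / uncommented forms are taken from this section.
COMMENTED_OUT = """\
#LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
#LDAP_FALLBACK_AUTHENTICATION_NEED=True
"""
DIGEST_ONLY = """\
LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
#LDAP_FALLBACK_AUTHENTICATION_NEED=True
"""
DIGEST_WITH_FALLBACK = """\
LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
LDAP_FALLBACK_AUTHENTICATION_NEED=True
"""


def parse_properties(text):
    """Parse key=value lines; lines starting with '#' or '!' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def ldap_bind_policy(properties_text, server_url="ldap://ldap.company.com"):
    """Summarise the effective mechanism and whether a simple bind can occur."""
    props = parse_properties(properties_text)
    # Assumption: values are compared case-insensitively.
    digest = props.get("LDAP_AUTHENTICATION_MECHANISM", "").upper() == "DIGEST-MD5"
    fallback = props.get("LDAP_FALLBACK_AUTHENTICATION_NEED", "").lower() == "true"
    # The fallback property only matters once DIGEST-MD5 is the mechanism.
    simple_possible = (not digest) or fallback

    findings = []
    if digest:
        findings.append("DIGEST-MD5 enabled: AD accounts need 'Store password "
                        "using reversible encryption' and a password reset")
        findings.append("DIGEST-MD5 accepts only UPN and SAM account logins")
        if fallback:
            findings.append("fallback to simple authentication is enabled")
    else:
        findings.append("simple authentication is in effect (the default)")
    if simple_possible and server_url.lower().startswith("ldap://"):
        findings.append("a simple bind to an ldap:// URL is not protected by LDAPS")
    return {
        "mechanism": "DIGEST-MD5" if digest else "simple",
        "simple_bind_possible": simple_possible,
        "findings": findings,
    }


if __name__ == "__main__":
    samples = (("commented out", COMMENTED_OUT),
               ("digest only", DIGEST_ONLY),
               ("digest with fallback", DIGEST_WITH_FALLBACK))
    for name, text in samples:
        result = ldap_bind_policy(text)
        print(name, "->", result["mechanism"],
              "| simple bind possible:", result["simple_bind_possible"])
        for finding in result["findings"]:
            print("   -", finding)
```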
Changing Login Module to RADIUS
Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears.
Step 2
Select the RADIUS radio button.
Step 3
Click Change. The Login Module Options popup window appears with the following details:
Field | Description
Selected Login Module | RADIUS.
Description | Cisco Prime RADIUS module.
Server | Set to module type servername, radius.company.com.
Port | Set to 1645. Attempt to override it only if your authentication server was configured with a non-default port.
Key | Enter the secret key.
Debug | Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative.
Login fallback options | Set the option for fallback to the Cisco Prime Local module if the alternative service fails.
Step 4
Click OK. To return to the Authentication Mode Setup page, click Cancel.
Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears.
Step 2
Select the TACACS+ radio button.
Step 3
Click Change. The Login Module Options popup window appears with the following details:
Field | Description
Selected Login Module | TACACS+.
Description | Cisco Prime TACACS+ login module.
Server | Set to module type tacacs.company.com.
Port | Set to 49. The listed port number is the default for this protocol. Attempt to override it only if your authentication server was configured with a non-default port.
Secondary Server | Set to module type tacacs.company.com. This is the secondary fallback server.
Secondary Port | Set to 49. The listed port number is the default for this protocol. Attempt to override it only if your authentication server was configured with a non-default port.
Tertiary Server | Set to module type tacacs.company.com. This is the tertiary fallback server.
Tertiary Port | Set to 49. The listed port number is the default for this protocol. Attempt to override it only if your authentication server was configured with a non-default port.
Key | Enter the secret key.
Debug | Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative.
Login fallback options | Set the option for fallback to the Cisco Prime Local module if the alternative service fails.
Note
The values True or False should not be entered in the Server, Secondary Server and Tertiary Server fields, the corresponding Port fields or the Key field.
Step 4
Click OK. To return to the Authentication Mode Setup page, click Cancel.
After you change the login module, you do not have to restart Cisco Prime. The user who logs in after the change, automatically uses the new module. Changes to the login module are logged in the following files:
or
Step 2
/etc/init.d/dmgtd stop
Step 3
or
/etc/init.d/dmgtd start
Enter a username in the User ID field. Enter the corresponding password in the Password field. Click Login or press Enter. You are now logged into LMS Server.
Managing Roles
After authentication, your authorization is based on the privileges that have been assigned to you. A privilege is a task or an operation defined within the application. The set of privileges assigned to you defines your role. The LMS authorization scheme provides you with the following system-defined roles.
Help Desk: Can access network status information only. Can access persisted data on the system and cannot perform any action on a device or schedule a job which will reach the network.
Approver: Can approve all tasks.
Network Operator: Can perform all Help Desk tasks. Can perform tasks related to network data collection. Cannot perform any task that requires write access on the network.
Network Administrator: Can perform all Network Operators tasks. Can perform tasks that result in a network configuration change.
System Administrator: Can perform all Cisco Prime system administration tasks.
Super Admin: Can perform all Cisco Prime operations including the administration and approval tasks. This role has full privileges.
You can select a role and set it as the default role. After installing LMS 4.1, Help Desk will be the default role. If you do not want to use the system-defined roles, you can create custom roles and associate tasks to them. You can also remove all the custom roles and retain only the predefined roles using a CLI tool; see Removing Custom Roles Using CLI. To manage roles:
Step 1
Select Admin > System > User Management > Role Management Setup. The Role Management Setup Page appears with the available roles, their descriptions, and the default role.
Note
Step 2
You can do the following:
Button: Add
Description: Click Add to add user-defined roles. The Role Management Page appears. To add a role:
1. Enter the role name and description.
2. Select the tasks that have to be assigned to the new role. The task can be identified using the search option. The search uses the task name and the task description to perform a complete search. The search results and All tab contents are synchronized. Any selections made on search results will be reflected in the All tab. For more details see Searching LMS Tasks.
3. Click OK to add the new role or click Cancel to return to the Role Management Setup Page.
For more information on the various tasks in LMS 4.1, see Understanding LMS Tasks.
Button: Edit
Description: Select a user-defined role and click Edit to edit the role. The Role Management Page appears. To edit a role:
1. Modify the role description if required.
2. Select or deselect the check box corresponding to the required tasks.
3. Click OK to save the changes, or click Cancel to return to the Role Management Setup Page.
Button: Delete
Description: To delete a role:
1. Select one or more user-defined roles and click Delete to delete the roles.
2. Click OK to confirm or Cancel to return to the Role Management Setup Page.
If the deleted role is assigned to any user, then it will remove the association of this role with the user.
Button: Copy
Description: You can use this option to modify a system-defined role. To copy a role:
1. Select a role from the roles and click Copy. The Role Management Page appears.
2. Enter the role name and description.
3. Select or deselect the check box corresponding to the tasks.
4. Click OK to add the new role, or click Cancel to return to the Role Management Setup Page.
Button: Export
Description: You can export roles only in the XML format. The file will be saved in the client. To export roles: Select the user-defined roles that you want to export and click Export. A message appears prompting you to open or save the LMSRoleExport.xml file.
Button: Import
Description: You can import roles only in the XML format. To import roles:
1. Click Import.
2. Click Browse and select a file from the client.
3. Specify if you want to overwrite, merge or backup the existing roles when you import roles:
Overwrite: Roles with the same names will be overwritten.
Merge: Roles with the same names will be updated with details of the existing role and details of the imported role.
Backup: Roles with the same names will be overwritten. The existing role will be renamed as CopyOf<Role name>.
4. Click Submit to import the roles or Cancel to return to the Role Management Setup Page.
Button: Set as Default
Description: When multiple roles are set as default role, the user will be assigned with all the roles selected as default roles. If there is no default role configured, then authorization will fail for users who:
Do not have any role assigned to them.
Have logged in using an external authentication server, like PAM, and are not available in the local database.
Select a role from the roles listed in the Role Management Setup Page. Click Set as Default. The selected roles will be the default roles.
Button: Clear Default
Description: Click Clear Default to clear the default role. After you clear the default role, authorization will fail for any user assigned without this role.
Note
After adding roles, you must assign one or more roles to your users. To do this, select Admin > System > User Management > Local User Setup.
Specify the exact task name or the first few characters of the task name in the search text box and click the search icon. The task name is case-insensitive. For example enter admin or *admin or admin* or *change* in the search text box.
admin will search for the task and task description that contains the exact term admin.
*admin will search for the task and task description that ends with the term admin either in task name or description.
admin* will search for the task and task description that begins with the term admin either in task name or description.
*change* will search for the task and task description that contains the term change.
Note
You are not allowed to use any other wildcard character apart from *.
Step 2
Click the Search Results tab to see the corresponding search result. In the All tab, the task tree will be in a collapsed state, whereas in the Search Results tab, the task tree will be in the expanded state. You will note that when you select or unselect a particular set of tasks in the Search Results tab, the same set of tasks will be automatically selected or unselected in the All tab.
You can use a CLI tool to remove all the user-defined roles and retain only the system-defined roles. To do this:
On Windows, run: NMSRoot\bin\ResetToFactoryRole.pl
On Solaris/Soft Appliance, run: NMSRoot/bin/ResetToFactoryRole.pl
To view the Cisco.com Connection Details, select Admin > System > Cisco.com Settings > Connection Management. The Cisco.com Connection Management page displays the current Proxy Server settings.
Select Admin > System > Cisco.com Settings. Click User Account Setup in the TOC list. The User Account Setup page appears. Enter your Cisco.com Username, and Cisco.com Password. Re-enter the password in the Verify Password field. Click Apply.
Select Admin > System > Cisco.com Settings. Click Proxy Server Setup in the TOC list. The Proxy Server Setup page appears. Enter the Proxy Server host name or IP address, and the port number. Optionally, you can enter the Username and Password for accessing the proxy server. If you have entered your password, re-enter the same password in the Verify Password field. Click Apply.
Step 3
Step 4
CHAPTER
Using Daemon Manager
Managing Processes
Backing Up Data
Licensing Cisco Prime LMS
Configuring a Default SMTP Server
Collecting Server Information
Collecting Self Test Information
Messaging Online Users
Managing Resources
Modifying System Preferences
Configuring Log Files Rotation
Configuring Disk Space Threshold Limit
Effects of Third Party Backup Utility and Virus Scanner
Configuring TFTP
Maintains the startup dependencies among processes.
Starts and stops processes based on their dependency relationships.
Restarts processes if an abnormal termination is detected.
Monitors the status of processes.
The Daemon Manager is useful to applications that have long-running processes that must be monitored and restarted, if necessary. It is also used to start processes in a dependency sequence, and to start transient jobs. Do not start the Daemon Manager immediately after you stop it. The ports used by the Daemon Manager will be in use for some time after the Daemon Manager is stopped. Wait for at least a minute before you start the Daemon Manager. If the System resources are less than the resources required to install the application, the Daemon Manager restart displays warning messages that are logged into dmgtd.log. You cannot start the Daemon Manager if there are non-SSL compliant applications installed on the server when SSL is enabled in LMS.
Restarting Daemon Manager on Solaris/Soft Appliance
Log in as root. Enter /etc/init.d/dmgtd stop to stop the Daemon Manager. Enter /etc/init.d/dmgtd start to start the Daemon Manager.
Go to the command prompt. Enter net stop crmdmgtd to stop the Daemon Manager. Enter net start crmdmgtd to start the Daemon Manager.
Do not start the Daemon Manager immediately after you stop it. The ports used by Daemon Manager will be in use for some more time even after the Daemon Manager is stopped. Wait for at least one minute before you start the Daemon Manager. If the System resources are less than the required resources to install the application, Daemon Manager restart displays warning messages that are logged into syslog.log.
Chapter 3
Managing Processes
Cisco Prime applications use back-end processes to manage application-specific activities or jobs. The process management tools enable you to manage these backend processes to optimize or troubleshoot the LMS Server. You can do the following activities:
View the details of all processes
Filter and show only processes of a specific state
Start the processes
Stop the processes
All mandatory processes are started when you start the system. See LMS Back-end Processes for a list of Cisco Prime back-end processes used by LMS. You can manage the Cisco Prime processes through CLI. See Managing Processes Through CLI for more information.
Note
Your role and privileges determine whether you can use this option. This section contains the following:
Process States
Viewing Process Details
Viewing Processes of a Specific State
Starting a Process
Stopping a Process
Process States
The state of the Cisco Prime backend processes falls under one of the following categories:
State | Description
Running normally | Processes are started and are running normally. Sometimes, you find the state of a few processes as follows: Program started - No mgt msgs received. This indicates that the processes are started automatically at boot and are running normally.
Never started | Processes that cannot start automatically and are to be started by operator or administrator.
Failed to run | Processes that failed to start because of an error in the system.
Administratively shutdown | Processes that are stopped by the system or by the administrator.
Transient terminated | Terminated transient processes. Processes that are created or started by Daemon Manager whenever required are called transient processes.
Waiting to Initialize | Processes that are yet to run normally and are in initialization phase.
Viewing Process Details
Select Admin > System > Server Monitoring > Processes. The Process Management page appears with all Cisco Prime processes listed. You can see the following information of a Cisco Prime process in the Process Management window: Column ProcessName Description Name of the process. Describes how the process is registered. See LMS Back-end Processes for more information on process description. For information on suite-specific processes, see the relevant Online help. You cannot view the details of Apache and Tomcat processes or restart them from the user interface. But you can view the details of these processes in Process Status report (Reports > System > Status > Process). ProcessState ProcessId ProcessRC ProcessSigNo ProcessStartTime ProcessStopTime Process status and a summary of the log file entries for the process. If the process fails, this column is highlighted in red. Unique number by which the operating system identifies each running program. Return code. 0 represents normal program operation. Any other number represents an error. See the error log for details. Signal number. 0 represents normal program operation. Any other number is the last signal delivered to the program before it terminated. Time and date on which the process was started. Time and date on which the process was stopped.
OL-20721-01
Chapter 3
Step 2
Click the ProcessName link of a process to view its details. The Process Details popup window appears with the following information:
Process: Name of the process.
Path: File Location.
Flags: Flags used to register the process with the Daemon Manager.
Startup: Method used to start the process (manual or automatic).
Dependencies: Other processes that are running, and that are required for this process to run.
Step 3
Click OK.
You can click the Refresh icon on the top-right corner of the page to initiate a page refresh and view the updated information of the processes.
Viewing Processes of a Specific State
Step 1
Select Admin > System > Server Monitoring > Processes. The Process Management page appears.
Step 2
Select a process state from the Show Only process state. You can select any one of the following process states:
Never started
Waiting to initialize
Running normally
Failed to run
Transient terminated
Administrator has shut down this server
Program started - No mgt msgs received
See Process States for a description of each of these process states. The details of processes of the selected state appear.
Starting a Process
To start a process:
Step 1
Select Admin > System > Server Monitoring > Processes. The Process Management page appears.
Step 2
Select the check box corresponding to the process.
Step 3
Click Start.
Stopping a Process
To stop a process:
Step 1
Select Admin > System > Server Monitoring > Processes. The Process Management page appears.
Step 2
Select the check box corresponding to the process.
Step 3
Click Stop.
EnergyWise
ConfigUtilityService
Log files for most of the processes are located in the following locations:
On Solaris/Soft Appliance: /var/adm/CSCOpx/log
On Windows: NMSROOT\log, where NMSROOT is your Cisco Prime default installation directory.
You can also manage the Cisco Prime processes through CLI. You can perform the following activities through CLI:
Viewing Process Details Through CLI
Viewing Brief Details of Processes
Viewing Processes Statistics
Starting a Process
Stopping a Process
Server Back-end Processes Inventory, Config and Image Management Processes Network Topology, Layer 2 Services and User Tracking Processes IPSLA Performance Management Processes and Dependency Processes Device Performance Management Module Processes Fault Management Processes
Description Apache web server used on both UNIX and Windows systems. This hosts the base CiscoWorks home page and all major applications. You cannot view the details of this process or restart this process from the user interface (from Process Management page).
Dependent Process
Log Files
NMSRoot\MDC\Apache\logs (On Windows)
/opt/CSCOpx/MDC/Apache/logs (On Solaris/Soft Appliance)
CmfDbEngine
NMSRoot/MDC/log/daemons.log (On Solaris/Soft Appliance only)
NMSRoot\log\CmfDbMonitor.log (On Windows)
/var/adm/CSCOpx/log/CmfDbMonitor.log (On Solaris/Soft Appliance)
CmfDbMonitor
Monitors the CmfDbEngine process and periodically checks for connectivity and SQL errors.
Running normally
CMFOGSServer
Device grouping service in CS that provides grouping capability based on device attributes stored in DCRServer.
Table 3-1
Cisco Prime LMS 4.1 Server Back-end Processes and their Descriptions
Description Transient process created by Daemon Manager. This process initiates Device Discovery.
Dependent Process
Log Files
NMSRoot\log\CSDiscovery.log (On Windows)
/var/adm/CSCOpx/log/CSDiscovery.log (On Solaris/Soft Appliance)
CSRegistryServer
Registry Server for other CS processes such as DCRServer and CMFOGSServer and provides the backbone for inter-process communication for DCRServer and CMFOGSServer.
Running normally
Sometimes, the Tomcat process may start this process. In such cases, the process status is displayed as follows:
Administrator has shut down this server
You can ignore this error message.
DCRServer
Device List and Credential Repository Server that provides the repository for shared device list and credentials to be used across applications.
Running normally
TomcatMonitor, CmfDbMonitor, EssMonitor
NMSRoot\log\DCRServer.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
DCRDevicePoll
Transient process created by Daemon Manager. This process initiates Device Polling.
Transient Terminated
NMSRoot\log\DCRDevicePoll.log (On Windows)
/var/adm/CSCOpx/log/DCRDevicePoll.log (On Solaris/Soft Appliance)
diskWatcher
Monitors disk space availability on the LMS Server. See Configuring Disk Space Threshold Limit for more information.
Running normally
NMSRoot\log\diskWatcher.log (On Windows)
/var/adm/CSCOpx/log/diskWatcher.log (On Solaris/Soft Appliance)
Description
Log Files
NMSRoot\log\EDS.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
Legacy Event Distribution engine. This is currently used by some applications to send and receive event messages.
Running normally
EDS-GCF
EDS - Generic Consumer Framework process. It is an extension to EDS that allows Generic Event Consumers to provide a pluggable event interface.
Running normally
EDS, CmfDbMonitor
NMSRoot\log\EDS-GCF.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
NMSRoot\log\ESS.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
NMSRoot\log\EssMonitor.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
No log files
ESS
Event Services Software. The new engine that handles distribution of events between processes. This is slated to eventually replace EDS.
Program started - No mgt msgs received
EssMonitor
Monitors ESS process to check if events related functionality works properly. This process shuts down automatically when the ESS process fails or does not function properly.
Running normally
ESS
EventFramework
Event management bus, LMS uses this to facilitate event transmissions between daemons.
Program started - No mgt msgs received
EssMonitor
Enables the rotation of log files functionality using logrot.
Never started
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
NMSRoot\log\jrm.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
Job and Resource Manager. This allows scheduling of jobs to be run at specific times. It also allows locking and unlocking of resources.
Description
Dependent Process
Log Files
NMSRoot\log\LicenseServer.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
Provides Licensing functionality for evaluation and file based licensing mechanisms.
Program started - No mgt msgs received
NameServiceMonitor
Name Service agent that monitors objects and messages and acts as a gateway between the JacORB clients and the Name Server.
Running Normally
NameServer
NameServer
Object Request Broker for the JacORB framework used in Cisco Prime.
Tomcat
Java servlet engine used on Windows, Solaris and Soft Appliance systems hosting applications based on the Cisco Prime desktop. You cannot view the details of this process or restart this process from the user interface (from Process Management page).
TomcatMonitor
Monitors the health of the Tomcat process and shuts down automatically when Tomcat fails or does not function properly.
Running normally
Tomcat
Log Information NA
Description System service: the database engine for Inventory, Config and Image Management applications. Configuration Management service performs the following tasks,
ConfigMgmtServer
EssentialsDM
dcmaservice.log
Collects the configuration for the LMS managed devices on request from jobs or user Interface.
Archives new version if there is a difference between the fetched configuration and the latest configuration in archive.
Parses the configuration based on configlet rules and generates differences between the configurations.
Logs change record for every new version of archived running configuration.
Detects config changes on the device and triggers configuration collection.
Caches the device and NetConfig template mapping information.
Populates the database with NetShow system-defined command sets and NetShow commands by retaining them from device packages.
ConfigUtilityService EssentialsDM
cfgutilservice.log
ConfigUtilityService parses the archived configurations of the devices for assessing the technology readiness of the devices. It does config and CLI parsing. ConfigUtilService also performs OGS grouping attributes updates at the end of Inventory collection.
SyslogCollector
ESS
SyslogCollector.log
Filters and sends the syslog objects to various SyslogAnalyzer services subscribed to it.
Table 3-2
Inventory, Config and Image Management Processes and Dependency Processes (continued)
Log Information
Description
EssentialsDM_Server.log
It publishes a dummy Common Services Transport Mechanism (CSTM) service name to synchronize publishing of service names with CSTM. All other LMS services that publish service names with CSTM are made dependent on this service either directly or indirectly. After adding devices to LMS, this service triggers Inventory and Configuration collection.
System service that monitors the accessibility of the LMS database engine that helps to ensure that the system is not started until the database engine is ready.
EnergyWise
EssentialsDM ICServer
EnergyWise.log
EnergyWiseUI.log
EnergyWiseConfiguration.log
EnergyWiseMonitoring.log
EnergyWiseCollection.log
EnergyWiseNative.log
EnergyWiseComplianceCheck.log
EnergyWiseNativeCompliance.log
EnergyWise_Purge.log
EnergyWiseNativePolicy.log
EnergyWise endpoint and device collection
EnergyWise monitoring
EnergyWise compliance check
Auto-push of EnergyWise policies on the devices.
CTMJrmServer
CTMJrmServer.log
This service is a proxy to the JRM service. This is used by LMS to connect to the JRM service. It hides all the direct interaction with JRM.
Change Audit program that provides back-end database services for applications that want to log network changes and for Change Audit reports and Automated actions.
ChangeAudit
ChangeAudit.log
Description This is a service that collects and stores Inventory information from the device using SNMP. It also detects changes that occurred between the last time Inventory was collected for a device, and the current Inventory collection.
SyslogAnalyzer
It takes the filter definition from the user and sends it to the various Syslog Collectors it is subscribed to. Receives the syslogs from the Syslog collector and inserts them into the database and also takes automated actions from the user.
Port and Module group administration service. This is used for managing Port and Module groups.
System service: Database engine for Topology and Identity Services.
System service: Collects device information for Topology and Identity Services.
System service: Receives and processes SNMP traps for Dynamic UT.
System service: Receives and processes the UTLITE data.
UTMajor Acquisition is a transient process. System service: Collects end hosts information.
System service: Queries external system for Dynamic UT.
PMCOGSServer
LMSOGSServer
PMCOGSServer.log
If you stop or restart any of these processes you must stop and restart their dependency processes. See Table 3-2 for the list of dependent processes. You can stop and restart the process using Admin > System > Server Monitoring > Processes.
Dependency (Sequential) None EDS ANIDbEngine EssMonitor ANIDbEngine EssMonitor ANIDbEngine ANIServer
Description
System service: Database engine for Topology and Identity Services.
System service: Collects device information for Topology and Identity Services.
System service: Receives and processes SNMP traps for Dynamic UT.
System service: Receives and processes the UTLITE data.
UTMajor Acquisition is a transient process. System service: Collects end hosts information.
System service: Queries external system for Dynamic UT.
UTManager
utm.log
VNMServer
ANIDbEngine
Vnmserver.log
System service: Handles VRF Lite Services like configuration, VRF Lite collector job scheduling.
System service: Collects information from Wlse Device.
WlseUHIC
ANIDbEngine
wlseuhic.log
Description Provides core function of managing IPSLA Performance Management Devices, Collectors and Operations in LMS.
IPMOGSServer
IPSLA Performance Management group administration service. This is used for managing IPSLA Performance Management collector groups. It is also used for IPSLA Performance Management Collector selector.
IpmDbEngine
IPSLA Performance Management Database Engine service. It is used for managing and storing IPSLA Performance Management related information on the database.
Program Started
IPMOGSServer.log, IPMOGSClient.log
Program Started
dmgtd.log
Description
Dependent Process
None
This is the Device Performance Management database engine process. If this process is down, you will not be able to access Device Performance Management module of LMS, and polling, threshold monitoring, and trendwatch monitoring will fail.
Table 3-5
Process Name
Description
Responsible for the Polling engine, Threshold monitoring and Poller Management features of LMS. If this process is down, poller management, threshold management, trendwatch management will fail.
DCRServer, UPMDbMonitor
Started
Dependency None
Data Purge: Starts as scheduled in the GUI and jrm purges the Fault History database.
Table 3-6
Name DfmBroker
Description
Dependency
Fault Management Broker maintains a registry about Fault Management domain managers, that register the following information with the broker when its initialization is complete:
Application name of the domain manager
Hostname on which the domain manager is running
TCP port at which the HTTP server is listening
None
When a client needs to connect to the domain manager, it first connects to the broker to determine the hostname and TCP port on which the HTTP service of that server is listening. It then disconnects from the broker and establishes a connection to the domain manager. The DfmBroker log file is located at NMSROOT/objects/smarts/local/logs/brstart.log.
DFMLogServer
Controls Fault Management logs.
None None
Program Started Program Started
DfmLogService.log, daemons.log
MultiProcLogger.log, daemons.log
DFMOGSServer.log
DFM.log, DFM1.log
DFMMultiProcLogger
Handles processes with multiple threads.
DFMOGSServer
Fault Grouping Service Server evaluates group membership.
DfmServer/DfmServer 1
Infrastructure device domain manager, a program that provides backend services for Fault Management. Services include SNMP data retrieval and event analysis. The DfmServer log is NMSROOT/objects/smarts/logs/DFM.log. If there are two instances of the DfmServer running, each will have a log file, DFM.log and DFM1.log.
DFMCTMStartup
Handles interprocess communication.
None
Administrator has shut down this server
DFMCTMStartup.log, daemons.log
Program Started
Running Normally
Program Started
EPM.log
EPM.log
daemons.log
Event Promulgation Module (EPM) database engine: Repository for the EPM module.
Sends events to notification services.
Fault History database engine: Repository for alerts and events.
Description
Fault History purge task.
Fault History server, a program that runs backend services for Fault History.
Provides inventory and device information to the Detailed Device View (DDV); updates the DDV with events.
Provides inventory and device information to the Detailed Device View (DDV); updates the DDV with events.
Synchronizes voice device inventory with infrastructure device inventory. Handles all inventory events, such as adding and deleting devices.
Inventory database engine: Repository for devices.
Notification Server monitors alerts and sends notifications based on subscriptions.
Dependency None EPMServer, EPMDbEngine, FHDBEngine InventoryCollect or Inventory Collector 1 ESS, TISServer, DFMOGSServer
Default State Log Files Transient terminated Running Normally Program Started Program Started Running Normally/Program Started Program Started Running Normally FHCollector.log, FHUI.log FHServer.log
Interactor
Interactor.log
Interactor 1
Interactor1.log
PTMServer PMServer
Polling and thresholds server.
PMServer is used for the Partition Manager functionality for the Fault Management module of LMS. When you add a device to the Fault Management module, it is always added to the default partition 0. All the debug logs related to PMServer can be found at NMSROOT/log/dfmLogs/PM.
TISServer
Inventory server.
EssMonitor, INVDbEngine
Program Started
TISServer.log
Backing Up Data
You should back up the database regularly so that you have a safe copy of the database. You can schedule immediate, daily, weekly, or monthly automatic database backups. You should have the necessary privileges to use this option. You cannot back up the database while restoring the database. LMS uses multiple databases to store client application data. These databases are backed up whenever you perform a backup. Backup requires enough storage space on the target location for the backup to start. If your current license count is lower than your earlier license count, and you restore the data now, devices that exceed the current license count will be moved to Suspended state.
Caution
You should never back up data to the Cisco Prime Installation directory NMSROOT/backup. Sometimes, storing the backup data in this location may corrupt the Cisco Prime installation.
This section explains:
Scheduling a Backup
Restoring Data
Changing the Database Password
Effects of Backup-Restore on DCR
Master-Slave Configuration Prerequisites and Restore Operations
Effects of Backup-Restore on Groups
Scheduling a Backup
You can schedule a backup using the LMS UI or use the backup utility through CLI. See Backing up Data Using CLI for more information. To schedule a backup:
Step 1
Select Admin > System > Backup. The Backup Job page appears.
Step 2
Enter the appropriate information in the following fields:
Backup Directory: Location of the backup directory. We recommend that your target location be on a different partition than the Cisco Prime installation location. The backup directory should not contain any special character.
Maximum number of backups to be stored in the backup directory.
From the lists, select the time period between which you want the backup to occur. Use a 24-hour format.
Enter a valid e-mail ID in this field. You can enter multiple e-mail IDs separated by commas. The system uses the e-mail ID or e-mail IDs to notify you of the following:
New backup schedules.
Status of immediate or scheduled backup jobs upon their completion.
Cancelled backup schedules.
Warning
There may be a problem in sending e-mails when a virus scanner is enabled on the Cisco Prime LMS Server.
Frequency
Immediately - The database is backed up immediately.
Daily - The database is backed up every day at the time specified.
Weekly - The database is backed up once a week on the day and time specified. Select a day from the Day of week list.
Monthly - The database is backed up once a month on the day and time specified. Select a day from the Day of month list.
You cannot schedule more than one backup at a time. The new schedule overwrites the previous schedule, if any.
Step 3
Click Apply. The Schedule Backup message verifies your schedule and provides the location of backup log files. Examine the log file at the following location to verify backup status:
On Solaris/Soft Appliance: /var/adm/CSCOpx/log/dbbackup.log
On Windows: NMSROOT\log\dbbackup.log
You can remove the scheduled backup at any time. Click Remove to delete the scheduled backup job. The Remove button appears only if you have scheduled any backup.
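The directory rules given in this section (no special characters, never NMSROOT/backup, preferably a different partition from the installation) can be checked before the path is entered on the Backup Job page. The shell function below is an added example, not part of the Cisco guide or product; the function names, the return codes and the reading of "special character" as anything outside letters, digits, underscore, dot, slash and hyphen are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Cisco code): pre-flight check for an LMS backup directory.
# Return codes (assumed convention): 0 = acceptable, 1 = rejected,
# 2 = acceptable, but on the same filesystem as the installation.

# Print the physical absolute path of a directory, following symlinks.
resolve_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# Print the filesystem (first df column) that holds a path.
filesystem_of() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { print $1 }'
}

# usage: check_backup_dir NMSROOT BACKUP_DIR
check_backup_dir() {
    nmsroot=$1
    target=$2

    # Assumption: a "special character" is anything outside this set.
    case $target in
        '' | *[!A-Za-z0-9_./-]*)
            echo "REJECT: empty path or special character in '$target'" >&2
            return 1 ;;
    esac

    real_root=$(resolve_dir "$nmsroot") || {
        echo "REJECT: installation directory '$nmsroot' not found" >&2
        return 1
    }
    real_target=$(resolve_dir "$target") || {
        echo "REJECT: '$target' is not an existing directory" >&2
        return 1
    }

    # Compare resolved paths so a symlink into NMSROOT/backup is caught too.
    case $real_target/ in
        "$real_root"/backup/*)
            echo "REJECT: '$target' is inside NMSROOT/backup" >&2
            return 1 ;;
    esac

    if [ ! -w "$real_target" ]; then
        echo "REJECT: '$target' is not writable by this user" >&2
        return 1
    fi

    # Same filesystem (or one that cannot be determined) is only a warning,
    # because the guide recommends, but does not require, a separate partition.
    root_fs=$(filesystem_of "$real_root")
    target_fs=$(filesystem_of "$real_target")
    if [ -z "$target_fs" ] || [ "$root_fs" = "$target_fs" ]; then
        echo "WARN: '$target' shares a filesystem with the installation" >&2
        return 2
    fi
    echo "OK: $real_target"
}

# Example call (paths are placeholders): check_backup_dir /opt/CSCOpx /var/backup
```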
Restoring Data
The new restore framework supports restore across versions. This enables you to restore data from versions 3.1, 3.2. The restore framework checks the version of the archive.
If the archive is of the current version, then the restore from current version is run.
If the backup archive is of an older version, the backup data is converted to LMS format, if needed, and applied to the machine.
You can restore your database by running a script from the command line. You have to shut down and restart Cisco Prime while restoring data. In all backup-restore scenarios, a backup is taken from a machine A, and the backed up data, say Ab, is restored on the same machine A, or on a different machine B. Ensure that you do not run any critical tasks during data restoration. Otherwise, you may lose the data of such tasks. For details on the effect of the restore operation on DCR modes and Groups, see Effects of Backup-Restore on DCR and Effects of Backup-Restore on Groups.
Caution
Restoring the database from a backup permanently replaces your database with the backed up version. The list of applications in a backup archive should match the list of applications installed on the LMS Server where you want to restore the data. You should not continue the restore when there is a mismatch, as it may cause problems in the functionality of Cisco Prime applications. This section explains the following:
Step 1
Log in as the superuser, and enter the root password.
Step 2
Stop all processes by entering:
/etc/init.d/dmgtd stop
Step 3
Restore the database by entering:
/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/restorebackup.pl [-t temporary directory] [-gen generationNumber] [-d backup directory] [-h]
[-t temporary directory]: The restore framework uses a temporary directory to extract the content of backup archive. By default the temporary directory is created under NMSROOT as NMSROOT/tempBackupData. You can customize this by using the -t option, where you can specify your own temp directory. This is to avoid overloading NMSROOT.
[-gen generationNumber]: Optional. By default, it is the latest generation. If generations 1 through 5 exist, then 5 will be the latest.
[-d backup directory]: Required. Which backup directory to use.
[-h]: Provides help. When used with -d <backup directory> syntax, shows correct syntax along with available suites and generations.
To restore the most recent version, enter:
/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/restorebackup.pl -d backup directory
For example, -d /var/backup
Step 4
Examine the log file in the following location to verify that the database was restored by entering:
/var/adm/CSCOpx/log/restorebackup.log
Step 5
To restore the data on Windows, make sure you have the correct permissions, and do the following:
Step 1
Step 2
Restore the database by entering:
NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl [-t temporary directory] [-gen generationNumber] [-d backup directory] [-h]
where NMSROOT is the Cisco Prime installation directory. See the previous section for command option descriptions.
To restore the most recent version, enter the following command:
NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl -d backup directory
Step 3
Examine the log file in the following location to verify that the database was restored by entering:
NMSROOT\log\restorebackup.log
Step 4
Restart the system by entering:
net start crmdmgtd
Note
For more details on restoring data, see Migrating Data to Cisco Prime LAN Management Solution 4.1 in Installing and Migrating to Cisco Prime LAN Management Solution 4.1.
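The Solaris/Soft Appliance restore steps in this section (stop the daemons, run restorebackup.pl, examine restorebackup.log, start the daemons) are chained below into one guarded function. This is an added example, not a Cisco-supplied script; the function names, the DRY_RUN switch, the overridable variables and the decision to leave the daemons stopped when the restore command fails are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Cisco code): guarded wrapper for the restore steps on
# Solaris/Soft Appliance. Run it as the superuser.
# DRY_RUN=1 prints each command instead of running it.

NMSROOT=${NMSROOT:-/opt/CSCOpx}
DMGTD=${DMGTD:-/etc/init.d/dmgtd}
PERL=${PERL:-$NMSROOT/bin/perl}
RESTORE_PL=${RESTORE_PL:-$NMSROOT/bin/restorebackup.pl}
RESTORE_LOG=${RESTORE_LOG:-/var/adm/CSCOpx/log/restorebackup.log}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Number of lines currently in the restore log (0 if it does not exist yet).
log_length() {
    if [ -f "$RESTORE_LOG" ]; then
        wc -l < "$RESTORE_LOG"
    else
        echo 0
    fi
}

# usage: restore_lms BACKUP_DIR [GENERATION] [TEMP_DIR]
restore_lms() {
    backup_dir=$1
    generation=$2
    temp_dir=$3

    # Validate the arguments before any daemon is stopped.
    if [ ! -d "$backup_dir" ]; then
        echo "backup directory '$backup_dir' not found (-d is required)" >&2
        return 2
    fi
    case $generation in
        *[!0-9]*) echo "generation must be a number" >&2; return 2 ;;
    esac

    # Build the argument list in the order shown in the guide.
    set -- "$PERL" "$RESTORE_PL"
    if [ -n "$temp_dir" ]; then set -- "$@" -t "$temp_dir"; fi
    if [ -n "$generation" ]; then set -- "$@" -gen "$generation"; fi
    set -- "$@" -d "$backup_dir"

    # Remember where the log ends now, so only this run's lines are shown.
    start_line=$(( $(log_length) + 1 ))

    run "$DMGTD" stop || return 1

    restore_rc=0
    run "$@" || restore_rc=$?

    if [ -f "$RESTORE_LOG" ]; then
        tail -n "+$start_line" "$RESTORE_LOG" >&2
    fi

    # A failed restore may leave the databases half written: do not start
    # the daemons on top of it, let the operator read the log first.
    if [ "$restore_rc" -ne 0 ]; then
        echo "restore exited with $restore_rc; daemons left stopped" >&2
        return "$restore_rc"
    fi
    run "$DMGTD" start
}

# Example call: DRY_RUN=1 restore_lms /var/backup
```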
Caution
You need to shut down Cisco Prime, change the password and then restart Cisco Prime, for the changes to take effect. Make sure you are not running any critical tasks. Otherwise, you might lose data.
This section explains the following:
Changing Password on Solaris/Soft Appliance
Changing Password on Windows
Formats Available for Changing the Database Password
Step 1
Log in as the superuser, and enter the root password.
Step 2
Stop all processes by entering:
/etc/init.d/dmgtd stop
Step 3
NMSROOT/bin
Step 4
Enter the following command to list the different formats available for changing the database password:
NMSROOT/bin/perl dbpasswd.pl
Step 5
When prompted, enter the new password and verify it by re-entering it. The password can contain a maximum of 30 characters.
Step 6
Start all processes by entering:
/etc/init.d/dmgtd start
Step 1
At the command line, make sure you have the correct permissions.
Step 2
Stop all processes by entering:
net stop crmdmgtd
Step 3
NMSROOT\bin
Step 4
Enter the following command to list the different formats available for changing the database password:
NMSROOT\bin\perl dbpasswd.pl
Step 5
When prompted, enter the new password and verify it by re-entering it. The password can contain a maximum of 30 characters.
Step 6
Start all processes by entering:
net start crmdmgtd
The different formats available and the commands for changing the database passwords on Windows, Solaris and Soft Appliance platforms are listed below:
Format 1 detects the available datasource names and databases and prompts you to enter and confirm the passwords for each of them. It also allows you to encrypt the password.
On Solaris/Soft Appliance: NMSROOT/bin/perl dbpasswd.pl all
On Windows: NMSROOT\bin\perl dbpasswd.pl all
Format 2 allows you to list all the databases and datasource names (DSNs) available in the server.
On Solaris/Soft Appliance: NMSROOT/bin/perl dbpasswd.pl listdsn
On Windows: NMSROOT\bin\perl dbpasswd.pl listdsn
Format 3 allows you to change the database password.
On Solaris/Soft Appliance: NMSROOT/bin/perl dbpasswd.pl dsn=odbc_datasource
On Windows: NMSROOT\bin\perl dbpasswd.pl dsn=odbc_datasource
Format 4 allows you to change the database password for a specific DSN. It also allows you to enter a new password in the command line using the npwd option.
On Solaris/Soft Appliance: NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name npwd=new-password
On Windows: NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name npwd=new-password
Command
On Solaris/Soft Appliance: NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name encryption=yes
On Windows: NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name encryption=yes
Format 6 allows you to change the database password for a specific DSN. Format 6.0 also:
Allows you to enter a new password in the command line using the npwd option.
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name npwd=new-password
Allows you to encrypt the password using the encryption=yes encryption option.
Change modes. For example, a Standalone DCR can be set after a backup to act as a Slave. When the restore is performed, it will be reset to the Standalone mode. It depends on the DCR mode of the machine from which the backup was taken (source machine), and the machine on which the data was restored (target machine).
Change Master/Slave relationships. For example, a DCR Slave may be using Master A at the time a backup is taken. Later, the domain may be changed to use Master B, and the Slave reset to use Master B. When the restore is performed, the Slave will attempt to use Master A.
For detailed information on DCR, see Managing Device and Credentials in Inventory Management with CiscoWorks LAN Management Solution 4.1. The following scenarios help you understand the implications of Restore operations on DCR.
Restoring Data From a DCR Standalone
Restoring Data From S1 on S1
Restoring Data From S1 to M1
Restoring Data From S1 on M2
Restoring Data From M1 on M1
Restoring Data From M1 to M2
If you restore the data backed up from a machine in the Standalone mode, on any machine whose working mode is either Standalone, Master, or Slave, the end mode will be Standalone. Let X be a machine in Standalone mode. If you restore the data backed up from X, say Xb, on another Standalone machine Y, or a Slave S, or a Master M, the end mode of Y, S, and M will be Standalone. Also, any slave of M will switch to Standalone mode. Further scenarios can be better explained based on the following DCR set up. Let us assume there are two DCR domains.
For Domain 1, you have M1 as Master, and S1 and S2 as Slaves.
For Domain 2, you have M2 as Master, and S3 and S4 as Slaves.
Suppose you take a backup from S1. After some time, you restore the backed up data, say S1b, on S1. S1 will look for its Master M1, and the Master-Slave relation between S1 and M1 will be intact, since M1 is available. However, note that the restore on S1 will practically be of no effect since S1 and M1 will synchronize after the restore on S1. The changes that have taken place after the backup was taken from S1 will be reflected in S1, even if S1b is restored on S1. In the above example, if the restore on S1 is performed when Master M1 is down, or has crashed, the end mode of S1 will be Standalone. This is because S1 will try to contact M1, and will fail because M1 is down.
Restoring Data From S1 to M1
Suppose you take a backup from S1 and restore the backed up data, say S1b, on M1. M1 will switch to Standalone mode because, after backup, it will not be able to find a Master. S1 will also switch to Standalone mode. At the time of backup, if there were 1000 devices in M1, the Slave S1 would also have 1000 devices. Assume more devices are added to M1 after the Backup. S1 will have the up-to-date device list. However, after restore on M1, M1 will have only 1000 devices. In other words, the data on S1 will be more recent than the data on M1.
Restoring Data From S1 on M2
Suppose you take a backup from S1 and restore the backed up data, say S1b, on M2, which is the Master in the DCR Domain 2 in our example. After the restore, the end mode of M2 will be Slave. That is, M2 will become a Slave of M1. Also, S3, and S4, which were Slaves of M2, will switch to the Standalone mode.
Restoring Data From M1 on M1
Suppose you take a backup from M1. After the backup you would be performing several operations that would bring about changes in the Master and the corresponding Slaves; M1, S1, and S2 in our example. Now, if you restore the backed up data, M1b, on M1 itself, the Master M1 will have data that is older than the data in the Slaves, S1 and S2. In other words, the Slaves will have more recent data than that on the Master.
To avoid this, you must perform the Restore operation in the following sequence:
Step 1
Back up data from the slaves, S1 and S2.
Step 2
Back up data from the Master, M1. This is to ensure that the data backed up from M1 is more recent than the data backed up from S1 and S2.
Step 3
Stop Daemon Manager on all three machines.
Step 4
Restore data on the Master, M1.
Step 5
Restart Daemon Manager on M1.
Step 6
Restore data on S1 and S2 after the Master is up and stable.
Step 7
Restart Daemon Manager on S1 and S2.
This ensures that Master has more recent data than the Slaves.
Note
To avoid disturbances to the Master-Slave relationship, and to maintain consistency, it is better to take a backup of all machines at the same time.
Restoring Data From M1 to M2
Suppose you take a backup from M1, and restore the backed up data, say M1b, on M2. S3, and S4 which were Slaves of M2, will switch to Standalone mode.
Now if you restore the backed up data, say S1b, the system Identity User would not be Bob anymore. This will upset the Master-Slave relationship.
During restore you are prompted to confirm whether you need to overwrite the SSL certificate. SSL certificates are tied to individual machines. So if you take a backup on one machine and restore it on another, you should be careful not to overwrite the SSL certificate. However, if you back up data from a machine and restore it to the same machine, you may overwrite the SSL certificate.
Restoring Data From a DCR Standalone
Restoring Data From S1 on S1
Restoring Data From S1 on M1
Restoring Data From S1 on M2
Restoring Data From M1 on M2
Restore data from a Standalone machine A to another Standalone machine B: The provider group name will change accordingly. That is, the provider group CS@A will become CS@B.
Restore data from a Standalone machine A to a Master M: The Master will switch to Standalone mode. The provider group name will be updated accordingly. The Slave groups will be removed from the Master. Only the groups pertaining to LMS and the applications installed in the Standalone machine will be visible. All dependent Slaves of M will become Standalone.
Restore data from a Standalone machine A to a Slave S: The Slave will switch to Standalone mode. The provider group name is updated accordingly. The groups pertaining to other Slaves in the domain, and the Master of S, will be removed from S. The groups UI will be enabled.
The subsequent sections are based on the scenarios discussed in the Effects of Backup-Restore on DCR.
No impact on CS groups. There may be applications installed on S1. Say you create 10 groups in the Applications before you back up data from S1. After backup, assume you create 10 more groups in the Applications. After restore, the 10 groups you created after backup will not be present. This loss of newly added groups also propagates to other Slaves in the domain.
Restoring Data From S1 on M1
After restore, both S1 and M1 will switch to Standalone mode. Both will have only those groups pertaining to LMS installed on the individual machines. Groups UI is enabled on S1. Also, the other Slaves of M1 will switch to Standalone mode.
Restoring Data From S1 on M2
After restore, M2 will become a Slave of M1. The Groups UI in M2 will be disabled. M2 will pick up all the groups from M1. Groups in M2 will be propagated to other Slaves in the domain. All the Slaves of M2 (before restore) will now switch to Standalone mode.
Restoring Data From M1 on M2
Slaves of M2, that is S3 and S4, will switch to Standalone mode. Groups pertaining to S3 and S4 will be deleted from M2. In all the cases the System-defined Groups, and the User-defined Groups, are carried over and updated in the target machine.
Obtaining a License for Cisco Prime LMS
Licensing the Application
Viewing License Information
Updating Licenses
Transferring Files to Soft Appliance Server
Licensing Incremental SKUs
To obtain a product license for your Cisco Prime applications, register your software at one of the following websites. You will need to provide the Product Authorization Key (PAK), which is printed on a label affixed to the Bundle sub-box.
If you are a registered user of Cisco.com, use this website: http://www.cisco.com/go/license
If you are not a registered user of Cisco.com, use this website: http://www.cisco.com/go/license/public
The product license will be sent to the e-mail address you provide during registration. Retain this license with your Cisco Prime software records.
Licensing the Application
After you obtain the product license, perform these steps to license your software:
Step 1
Copy the new license file to the LMS Server, with read permission for casuser/casusers.
Step 2
Select Admin > System > License Management. The License Information page appears. The License Information page displays the name, version, size, status and expiration date of the license.
Step 3
Click Update.
Step 4
Enter the path to the new license file in the License field, or click Browse to locate the new file.
Step 5
Click OK. The system verifies whether the license file is valid, and updates the license. The updated licensing information appears in the License Information page. Otherwise an error message is displayed. To return to the License Information page, click Cancel.
To view details of your current software license, select Admin > System > License Management to open the License Information page. The license name, license version, size (device limit for the licensed application), status of the license, and the expiration date of the license appear under License Information. The license version shows the major version of the application.
Updating Licenses
You can view details of your current software license, or update to a new license from the License page. To update to a new license from the Licensing page:
Step 1
Select Admin > System > License Management. The License Information page displays the license name, license version, status of the license, and the expiration date of the license.
Step 2
Click Update.
Step 3
Enter the path to the new license file in the License field, or click Browse to locate the new file.
Step 4
Click OK. The system verifies whether the license file is valid, and updates the license. The updated licensing information appears in the License Information page. Otherwise, an error message is displayed. To return to the License Information page, click Cancel.
Log into the Soft Appliance server through the command line, using an SSH client/console access. To log into the server, you have to use the sysadmin account that was created at the time of installation. To log into the shell:
a. b.
Note
By default, shell will be enabled with sysadmin password. If you want to change the shell password, use the command shell_enable in sysadmin mode.
Step 3
Transfer the files using the following FTP, SFTP or SCP commands:
FTP command
To log into the FTP server, use the below command:
ftp -i -n FTP_SERVER_IP_ADDRESS
ftp> user USER_NAME PASSWORD
Ensure that the file to be retrieved is available in the FTP server. To retrieve the file, use the below command:
ftp> get FILE_NAME
Note
Ensure that you provide the appropriate path to navigate to the folder where the file is located.
SFTP command
To log into the SFTP server, use the below command:
sftp user@SFTP_IP_ADDRESS:PATH
Ensure that the file to be retrieved is available in the SFTP server. To retrieve the file, use the below command:
sftp> get FILE_NAME
Note
Ensure that you provide the appropriate path to navigate to the folder where the file is located.
SCP command
Ensure that the file to be retrieved is available in the SCP server.
scp [[user@]from-host:]source-file [[user@]to-host:][destination-file]
Step 4
Change the owner and group name of the transferred file by using the below command:
chown casuser:casusers FILE_NAME
Incremental SKUs are introduced in LMS 4.1. You must have the LMS 4.1 base media kit to order the incremental licenses. The following are the available incremental licenses (SKUs) for LMS 4.1 users, who have opted to order the physical Product DVD kit (Physical software and Software claim certificate paper with PAK):
Available Licenses (SKU) in LMS 4.1      Permitted number of Devices in LMS 4.1
L-LMS-4.1-50-ADD (only for Windows)      Incremental license for 50 devices
L-LMS-4.1-200-ADD                        Incremental license for 200 devices
L-LMS-4.1-500-ADD                        Incremental license for 500 devices
L-LMS-4.1-1K-ADD                         Incremental license for 1000 devices
L-LMS-4.1-2.5K-ADD                       Incremental license for 2,500 devices
L-LMS-4.1-5K-ADD                         Incremental license for 5,000 devices
Select Admin > System > SMTP Default Server. Enter a fully qualified SMTP server name. Click Apply.
For example, when you have chosen to collect the grouping services information about the server, the following details will be collected and stored:
Status of LMS grouping server. The status values are Running, and Not Running.
List of groups created in the LMS grouping server.
Content of the registry and properties files associated with LMS.
Status of the grouping server installed on same Cisco Prime Server. The status values are Running, and Not Running.
List of groups created in the LMS grouping server.
Content of the properties files associated with other applications.
Error encountered if the grouping servers are not running or if they are not reachable.
You can look into this collected information to find out the errors with grouping servers and debug them. You can also collect server information using CLI. See Collecting Server Information Using CLI.
To collect the server information:
Step 1
Select Admin > System > Server Monitoring > Collect Server Information. The Collect Server Information page appears.
Step 2
Click Create to collect the current server information. The Collect Server Information popup dialog box appears with a list of options. The available options are:
System Information: Displays the server type, operating system version, installation date of operating system, and other system information.
Event Logs: Displays the logs of events in the LMS Server.
Cisco Prime Registry: Displays the registry entries of Cisco Prime components installed in the server.
Tomcat Log Files: Displays the log files corresponding to the application server.
Grouping Service: Displays the information of grouping servers and the groups created in the grouping server.
Application Registry Details: Displays the information of applications registered with CiscoWorks home page.
Device Credentials Admin Information: Displays the details of DCR mode, status of DCR Master, number of devices in DCR and the contents of DCR configuration files.
ODBC Configuration: Displays the information about the configuration of database connection in the LMS Server.
Product Log Files: Displays the contents of log files of all Cisco Prime components.
Environment Variables: Displays the list of environmental variables set up in the LMS Server.
Process Status: Displays the name of processes, current state of the process, process ID, start and finish time of the process, and other information.
Network Configuration: Displays information about the various configurations in a network.
Memory and Harddrive Status: Displays details of free space and total space of memory and hard disk drives in the LMS Server.
JRE Registry: Displays information about the Java Runtime Environment registry files.
Step 3
Select the check boxes corresponding to the options you need. You can use the All check box to select or deselect all the available options. By default all the check boxes are selected.
Step 4
Click OK. The server information for the selected components is collected. Collecting server information may take longer if more components are selected. To return to the Collect Server Information page, click Cancel. You can click Refresh in the Collect Server Information page to see the latest status.
Step 1
Select Admin > System > Server Monitoring > Collect Server Information. The Collect Server Information page appears.
Step 2
Click Server Information at the date time link to view the collected server information. The popup window displays the server information collected.
Step 3
View server information by clicking the corresponding link in the Table of Contents.

Step 1
Select Admin > System > Server Monitoring > Collect Server Information. The Collect Server Information page appears.
Step 2
Select the corresponding check box of the server information you want to delete.
Step 3
Click Delete.
You can also collect server information using CLI. Enter the following command:
or
Select Admin > System > Server Monitoring > Selftest. Click Create to perform a self test and to view the report. Click the Self Test Information at date time link. A popup window displays the selftest information report.
To delete a Self Test Information report, select the check box and click Delete.
Step 1
Select Admin > System > User Management > Notify Users. The Notify Users page lists all the users currently logged in.
Step 2
Enter the message in the Message field and click Send. The Status field displays the status of the message.
Note
If you are using Microsoft Internet Explorer, make sure your browser is set to check for updates on every visit to the page.
Managing Resources
LMS provides a Resource Browser for managing resources. You can free locked resources, when necessary, if you have appropriate privileges. All users (including those with Help Desk role alone) can access the Resource browser page. The Refresh icon in the Resource browser is available for all users.
Note
The System Identity user must configure all the Resource management related tasks. The Browse Resources and Free Resources tasks should be enabled.
Select Admin > Network > Resource Browser. The Resource Browser page displays the following details:
Item              Description
Resource          Name of the resource currently locked.
Job ID / Owner    Number assigned to this task at creation time. Identifies all related locked resources, and user who locked the resource.
Time Locked       Time this lock was established.
Expire Time       Lock expiration time.
Step 1
Select Admin > Network > Resource Browser. The Resource Browser page appears.
Step 2
Check the check box corresponding to the Job ID.
Step 3
Click Free Resources. All users (except those with Help Desk and Approver role) can perform the Free Resource operation in the Resource browser. To view updated resources, click Refresh.
Description
Maximum size of the e-mail attachments that are allowed to be sent from LMS Server. You can specify the attachment size in KB or MB.
Name used by network device when it connects to LMS Server to run rcp. User account must exist on UNIX systems, and should also be configured on devices as local user in the ip rcmd configuration command. The default RCP username is cwuser.
SCP User
Name used by network device when it connects to LMS Server to run SCP. The username you have entered here is used for authorization while transferring software images using SCP protocol. You must specify a user name that has SSH authorization on a Solaris system. SCP uses this authorization for transferring the software images. This field is available only if Cisco Prime LMS applications are installed on the LMS Server.
SCP Password
Enter the password for SCP User in this field. The password you have entered here is used for authentication while transferring software images using SCP protocol. You must specify a user name that has SSH authentication on a Solaris system. SCP uses this authentication for transferring the software images. This field is available only if Cisco Prime LMS applications are installed on the LMS Server.
SCP Verify Password
Re-enter the SCP password in this field. This field is available only if Cisco Prime LMS applications are installed on the LMS Server.
Enable crmlogger DNS resolution
Enable the Domain Name Service Resolution for the crmlog service using this field. Note that enabling the DNS Resolution for the crmlog service will slow down the Syslog performance. The crmlog service will stop and start when you enable or disable the Domain Name Service Resolution for crmlog service. If the crmlog registry does not contain the CrmDnsResolution parameter, it will be created automatically when you enable the service. This field is available only on Windows systems.
Select Admin > System > System Preferences. The System Preferences page appears. Enter the following information:
Step 2
Set this information carefully. If you introduce errors, users may not be able to log in. Check the Enable crmlogger DNS Resolution check box to enable the Domain Name Service Resolution for the crmlog service, on a Windows system. Enter the following fields, which are available only if Cisco Prime LMS applications are installed on the LMS Server:
Step 5
Click Apply after making the changes. To cancel the changes, click Cancel.
Rotate log files while Cisco Prime is running. Optionally archive and compress rotated logs. Rotate log files only when they have reached a particular size.
Logrot helps you easily add new files. You can configure Logrot either from the UI or from the CLI. The following log files are maintained by the log rotation program:
Daemon Manager
Web server log files

Configuring Log Files Rotation Settings From the User Interface
Configuring Log Files For Rotation From the User Interface
Scheduling Log Files Rotation
Configuring Logrot Utility
Running Logrot Script
Viewing the Scheduled Logrot Job
Step 1
Select Admin > System > Log Rotation. The Log Rotation page appears.
Step 2
Set your backup directory in the Backup Directory field. This backup directory stores the rotated log files. You can also use the Browse button to select a directory from the file browser. The default directory is:
If you do not set a backup directory, each log file will be rotated in its current directory.
Step 3
Select Restart Daemon Manager check box to stop and start the Daemon Manager before the log rotation starts. This is optional.
Step 1
Select Admin > System > Log Rotation. The Log Rotation page appears.
Step 2
Click Add to add the log files you wish to rotate. The Configure Logrot page appears.
Step 3
Enter the name of the log file in the Select Log File field. You can enter only one log file at a time. You should specify the log file using its fully-qualified path. If the log file does not exist in the path you have specified, it will not be considered for rotation. You can also click Browse to select a log file name from the file system.
Step 4
Enter the maximum file size in the Maximum Logrot Size field. The log file will not be rotated until this size is reached. You can enter the file size in KB or MB. The default file size is 1024 KB. The maximum file size for log rotation is 4096 MB.
Step 5
Select a file compression type from Compression Format. The supported formats are:
Z: UNIX compression (on Solaris/Soft Appliance only)
gz: GNU gzip
bz2: bzip2 (on Solaris/Soft Appliance only)
Step 6
Specify the number of backups in the No of Backups field. If you do not want to keep any archives, enter 0 (the default) for this option.
Step 7
Click Apply to save the changes. To return to the Log Rotation page, click Cancel.
To edit the log files that you have configured for rotation:
Step 1
Select Admin > System > Log Rotation. The Log Rotation page appears.
Step 2
Select a record from the list of log files displayed.
Step 3
Click Edit. The Edit Logrot page appears.
Step 4
Edit the name of the log file. The rotated log files will be stored with the new name you have edited.
Step 5
Edit the log file size, compression type or number of archive revisions.
Step 6
Click Apply to save the changes. To return to the Log Rotation page, click Cancel.
Step 1
Select Admin > System > Log Rotation. The Log Rotation page appears.
Step 2
Click Schedule. The Schedule Logrot page appears.
Step 3
Select a value in the Hour and Min drop-down lists to specify the time at which the log rotation should start. You should specify the time in 24-hour format.
Step 4
Select a periodic or immediate backup schedule in the Frequency field. The available schedule frequencies are:
Immediate: Log rotation job runs immediately.
Daily: Log rotation job runs every day at the time specified.
Weekly: Log rotation job runs once a week on the day and time specified. Select a day from the Day of Week list.
Monthly: Log rotation job runs once a month on the day and time specified. Select a day from the Day of Month list.
Step 5
Click Apply to save the changes. You can remove a schedule at any time. Click Remove to delete the scheduled job. The Remove button is enabled only if you have scheduled a log rotation. To return to the Log Rotation page, click Cancel.
Logrot should be installed on the same machine where you have installed LMS. To configure the Logrot script:
Step 1
Enter:
NMSROOT\bin\perl.exe NMSROOT\bin\logrot.pl -c (on Windows)
Run /opt/CSCOpx/bin/logrot.pl -c (on Solaris/Soft Appliance)
The Logrot configuration menu appears. You have the following options:
Edit variables.
Edit log files.
Quit and save changes.
Quit without saving changes.
Step 2
Select Edit variables to set your Backup Directory. If you do not set a backup directory, each log will be rotated in its current directory. Select Edit log files to add log files you wish Logrot to rotate. You can specify log files using fully-qualified or relative paths. If a relative path is specified, and the log file does not exist in that path, the default log file path for your operating system will be added during rotation (for example, /var/adm/CSCOpx/log on Solaris/Soft Appliance).
Step 3
Specify the number of archive revisions. If you do not want to keep any archives, enter 0 (the default) for this option. Specify the maximum file size. The log will not be rotated until this size is reached. The unit is in kilobytes (KB). The default is 1024 KB or 1 MB. Specify the file compression type to be used. It can be:
Z: UNIX compression (on Solaris/Soft Appliance only)
gz: GNU gzip
bz2: bzip2 (on Solaris/Soft Appliance only)
When deleting logfiles, you can choose to delete an individual file, a list of files, or all files matching a certain pattern.
For example, 1-3 means delete files numbered 1 through 3. A list of comma-separated file numbers, for example, 1,21, means delete files numbered 1 and 21. A pattern string *.log means delete all files that match the pattern *.log. You can also specify the special pattern, *, which means delete all logfiles in the configuration.
You can schedule log rotation so that the utility works on a specified time and day. The following command line flags are accepted:
-v option to get verbose messages.
-s option shuts down dmgtd before rotating logs.
Caution
The Restart Delay variable controls the waiting duration (in seconds) before proceeding, after dmgtd is shut down. This option is only used if the -s argument is given to logrot. The default delay is 60 seconds.
-c -h
You can view the scheduled jobs log file to troubleshoot the logrot utility. To look at the scheduled logrot job:
Example: To view the job scheduled to run as root user, use the command:
crontab -l root
Example: To view the job scheduled to run as root user, use the command:
crontab -lu root
Cisco Prime Installation directory (on both platforms)
/var directory (on Solaris/Soft Appliance platform only)
/tmp directory (on Solaris/Soft Appliance platform only)
The process calculates the disk space availability of the LMS Server directories at a regular interval of approximately one hour. On Solaris machines, the disk space of the /opt file system is calculated in the first 30 minutes of every hour. The disk space of the /var file system and the /tmp file system is calculated in the next 15 minutes and in the last 15 minutes of the approximately one-hour interval.
This process also alerts you when the disk space is less than the threshold level you have configured in the User Interface. Alerts are sent as urgent messages to logged in users. You can also receive the alert messages through e-mail if you have configured your e-mail ID along with the threshold level.
This process records the alert information in the system log files. On Windows machines, the alert information is recorded in the diskWatcher.log and syslog.log files. On Solaris machines, it is stored in the diskWatcher.log and daemons.log files.
To configure the disk space threshold limit:
Step 1
Select Admin > System > Server Monitoring > DiskWatcher Configuration. The DiskWatcher Configuration page appears.
Step 2
Enter a threshold value in the Threshold for Cisco Prime Installation Directory field to monitor the disk space in the Cisco Prime Installation directory. This is mandatory. You should enter the threshold value in units of MB or GB.
Step 3
Enter a threshold value in the Threshold for /var and /tmp Directories field to monitor the disk space in Solaris file systems. This is mandatory. You should enter the threshold value in units of MB or GB.
Step 4
Enter a valid e-mail in the E-mail ID field. You can enter multiple e-mail addresses separated by commas. The system uses the e-mail addresses to notify about the disk space availability when the disk space is less than the threshold limit you have configured.
Note
There may be a problem in sending e-mails if you have enabled virus scanner in the LMS Server.
Step 5
Click Apply to save the changes or click Cancel to reset the values.
Effects of Third Party Backup Utility and Virus Scanner
The following are the scenarios where Assertion Error might appear:
If you use any third-party backup software to back up a live, running database, the Assertion Error might be thrown. This is because some of the database pages that have been modified will be in the database server cache, so the database file will be in an inconsistent state.
If you use any anti-virus software, the Assertion Error might appear. This is because Adaptive Server Anywhere performs many reads and writes other than the normal I/O operations, which contribute to the good performance of Adaptive Server Anywhere. However, anti-virus software might detect this as a potential problem and quarantine the file. This becomes hazardous if the .log or temporary files are quarantined, and it may cause corruption by interfering with the normal functions of the database. Poor performance can also occur if the anti-virus software is checking all I/O operations performed by the database server.
We recommend that you do not use third-party backup software for backing up a running database. We also recommend that you configure your anti-virus software so that it does not scan the NMSROOT/databases directory. NMSROOT is the directory where you have installed Cisco Prime.
Configuring TFTP
This applies only to Solaris. The TFTP (Trivial File Transfer Protocol) daemon shipped by Cisco Prime LMS supports TCP (Transmission Control Protocol) Wrappers. If the TCP Wrapper support is not configured properly in the server where Cisco Prime is installed, the jobs requiring TFTP may fail. To ensure that TFTP works properly, check the following configuration files:
If /etc/hosts.allow file is present, ensure that the command in.tftpd is given as in.tftpd:ALL. If the command is not there in the file at all, add it as in.tftpd:ALL.
If /etc/hosts.deny file is present, ensure that the command in.tftpd is not there in the file.
If both the files are not present (/etc/hosts.allow and /etc/hosts.deny), you do not need to make any changes.
Note
The TCP Wrapper software extends the abilities of inetd to provide support for every server daemon under its control. It provides logging support, returns messages to connections, and permits a daemon to accept only internal connections.
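One way to audit the two TCP Wrappers files against the checks listed above, as an added example that is not part of the Cisco guide. The function names are hypothetical, the sample files are constructed, and the check for an ALL daemon rule in hosts.deny goes beyond what the guide lists.

```shell
#!/bin/sh
# Added example: audit TCP Wrappers files for the in.tftpd rules in this guide.

# Print the client list of every rule in FILE whose daemon list names DAEMON.
# Rule syntax: daemon_list : client_list [ : option ... ]
wrapper_clients() {
    wc_file=$1
    wc_daemon=$2
    [ -f "$wc_file" ] || return 0
    awk -v d="$wc_daemon" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        {
            if (split($0, part, ":") < 2) next  # not a daemon:client rule
            m = split(part[1], names, /[ \t,]+/)
            for (i = 1; i <= m; i++)
                if (names[i] == d) {
                    c = part[2]
                    gsub(/^[ \t]+|[ \t]+$/, "", c)
                    print c
                    break
                }
        }' "$wc_file"
}

# Print one finding per line; print nothing when the files match the guide.
# Usage: tftp_wrappers_findings /etc/hosts.allow /etc/hosts.deny
tftp_wrappers_findings() {
    allow=$1
    deny=$2
    granted=no
    # Neither file present: the guide says no change is needed.
    if [ ! -f "$allow" ] && [ ! -f "$deny" ]; then
        return 0
    fi
    if [ -f "$allow" ]; then
        clients=$(wrapper_clients "$allow" in.tftpd)
        if [ -z "$clients" ]; then
            echo "hosts.allow: no in.tftpd entry; add in.tftpd:ALL"
        elif printf '%s\n' "$clients" | grep -qx 'ALL'; then
            granted=yes
        else
            echo "hosts.allow: in.tftpd entry is not in.tftpd:ALL"
        fi
    fi
    if [ -f "$deny" ]; then
        if [ -n "$(wrapper_clients "$deny" in.tftpd)" ]; then
            echo "hosts.deny: in.tftpd is listed; remove it"
        fi
        # Beyond the guide: hosts.allow is consulted first, so an ALL rule in
        # hosts.deny blocks TFTP only when hosts.allow does not grant it.
        if [ "$granted" = no ] && [ -n "$(wrapper_clients "$deny" ALL)" ]; then
            echo "hosts.deny: an ALL daemon rule also blocks in.tftpd"
        fi
    fi
}

# Constructed sample files (not taken from a real server).
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'sshd : 192.0.2.0/255.255.255.0' > "$demo_dir/hosts.allow"
printf '%s\n' 'ALL : ALL' > "$demo_dir/hosts.deny"
tftp_wrappers_findings "$demo_dir/hosts.allow" "$demo_dir/hosts.deny"
rm -rf "$demo_dir"
```

On the LMS Server, call the function with /etc/hosts.allow and /etc/hosts.deny; empty output means the files satisfy the checks.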
Displaying the LMS Server name with the browser title helps you to identify the server from which the application window is launched, especially in a multi-server setup and Single Sign-On based setup. You can enable or disable the option of displaying the LMS Server name along with the browser title. When you choose to display the server name in the browser title, the browser window displays the title in the following format:
Hostname - ApplicationWindowTitle
where,
Hostname is the name of the LMS Server.
ApplicationWindowTitle is the title of the application window launched from LMS Server.
Note
By default, the option of displaying the LMS Server name with the application window title in the browser is enabled. For example, if the name of your LMS Server is lmsdocultra, then the title of the CiscoWorks home page is displayed as lmsdocultra - CiscoWorks. If you launch LMS from the Cisco Prime LMS, the title of the LMS window is displayed as lmsdocultra - LMS Home. You can also enable or disable the display of server name with the browser title by changing the configurations in a properties file. Configure the uii-windows.properties file located at NMSROOT/lib/classpath to:
Enable or disable the option of displaying server name with browser title. Change the format of display from Hostname - ApplicationWindowTitle to ApplicationWindowTitle - Hostname and vice versa. Replace hyphen (-) with any other delimiter except empty spaces. Trim the spaces between the Hostname, delimiter and Application window title.
CHAPTER 4
Scheduling Device Discovery
Configuring Device Selector
Administering Device and Credential Repository
Only one Device Discovery job can run at a time. When you schedule Device Discovery jobs, ensure that the scheduled times do not overlap. Otherwise, one of the Device Discovery jobs may fail. You should configure the Device Discovery settings before you schedule a Device Discovery job. Otherwise, the system displays an error message when you try to add a schedule. However, you can edit the Device Discovery settings for the scheduled job later.
Add a Device Discovery schedule. See Adding Device Discovery Schedule for details.
Modify a Device Discovery schedule. See Editing Device Discovery Schedule for details.
Delete a Device Discovery schedule. See Deleting Device Discovery Schedule for details.
Navigate to LMS Job Browser page. See Viewing the Status of Device Discovery Schedules for details.
Start device discovery. See Starting Device Discovery for details.
Maintain multiple Device Discovery Settings for multiple schedules. See Maintaining Multiple Discovery Settings for Multiple Scheduled Jobs for details.
View the Discovery Settings configured for the selected Device Discovery Schedule. See Viewing Discovery Settings for Selected Discovery Schedule for details.
Edit the Discovery Settings for the selected Device Discovery Schedule. See Viewing Discovery Settings for Selected Discovery Schedule for details.
Step 1
Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears.
Step 2
Click Add. The Add Discovery Schedule popup window appears. The Device Discovery schedules are dependent on Device Discovery Settings. You cannot click the Add button if you have not configured Device Discovery Settings. The Add button is disabled on a fresh installation of LMS in LMS Server.
Step 3
Select a value in the Hour and Min drop-down lists to specify the time when the Device Discovery should start. You should specify the time in 24-hour format.
Step 4
Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern field.
Step 5
Enter a description in the Job Description field. This is optional. You cannot edit the description entered in this field later.
Step 6
Click Schedule. The Device Discovery schedule is created and assigned with a job ID. Email notification is sent to the email address you have configured in the Discovery Settings wizard.
Chapter 4
Administering Discovery Settings and Device and Credential Repository Scheduling Device Discovery
Step 1
Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears.
Step 2
Select a Device Discovery schedule from the list.
Step 3
Click Edit. The Edit Discovery Schedule popup window appears.
Step 4
Edit the values in the Hour and Min drop-down list, if required.
Step 5
Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern field.
Step 6
Click Schedule to save the changes.
Step 1
Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears.
Step 2
Select a Device Discovery schedule from the list.
Step 3
Click Delete. The Delete Confirmation dialog box appears.
Step 4
Click OK. The selected Device Discovery schedule is deleted from the list of schedules.
Caution
Before you remove a Device Discovery schedule, ensure it is completed. Otherwise, if the Device Discovery job is running, deleting the schedule will stop the job first and then will remove it.
Step 1
Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears.
Step 2
Select a job from the list.
Step 3
Click Start Discovery. A popup window appears with the information on the immediate jobID. The Start Discovery button will be disabled before setting any jobs or if a discovery is already running.
Step 4
Click OK. The Device Discovery summary screen appears. You can view the status of the job in Job Browser page (Admin > Jobs > Browser).
You can navigate to LMS Job Browser page from the Discovery Schedule page to view the latest status of Device Discovery jobs. To do so:
Step 1 Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears.
Step 2 Click the link provided at the bottom of the page. The Job Browser page displays the Device Discovery jobs.
Before creating a scheduled job, you must configure the Device Discovery settings. You can edit the settings for scheduled jobs later and maintain different settings for different jobs. To view the existing Device Discovery settings for a selected job, see Viewing Discovery Settings for Selected Discovery Schedule. To edit the Device Discovery settings for a selected job, see Editing Discovery Settings for Selected Discovery Schedule.
You can view the Discovery settings used to create the selected Discovery Schedule job. To do so:
Step 1 Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears.
Step 2 Select a Discovery schedule from the list.
Step 3 Click View Settings. The View Discovery Settings dialog box appears.
Step 4 Click OK to return to the Discovery Schedule page after you have viewed the schedule.
You can edit the Discovery Settings used to create the selected Discovery Schedule job. To do so:
Step 1 Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears.
Step 2 Select a Discovery schedule from the list.
Step 3 Click Edit Settings. The Module Settings page of Discovery Settings wizard appears.
Step 4 Edit the required module settings and click Next. The Seed Devices Settings page appears.
Step 5 Edit the required seed devices settings and click Next. If you do not want to proceed further, click Finish. The SNMP Settings page appears.
Step 6 Edit the SNMP settings and click Next. If you do not want to proceed further, click Finish. The Filter Settings page appears.
Step 7 Edit the Filter settings and click Next. If you do not want to proceed further, click Finish. The Global Settings page appears.
Step 8 Edit the Global settings and click Next. If you do not want to proceed further, click Finish. The Discovery Settings Summary page appears.
Step 9 Click Finish to return to Discovery Schedule page.
You can define the settings of the Device Selector pane to customize the display of devices and the order of display.
You can customize the top level groups, sub-groups and the list of devices displayed under each group using the Group Customization option. The Group Ordering option allows you to specify the order of display in which the groups are seen in the Device Selector pane. See Device Selector Settings for more information. The Device Selector Settings are specific to each user.
You can search for devices using a Simple search or an Advanced search. See Searching Devices for more information.
Tool tips are also provided for devices that contain long names so that you do not have to scroll horizontally to see the complete device name.
The Device Selector is used to select devices to perform various device management tasks. The device selector lists all devices in a group. The Display Name of the devices entered when you have added the devices in DCR is displayed as the device name in the Device Selector pane.
The Device Selector contains the following components:
Component Name: Description
Search Input: Enter your search expression in this text field. You can enter a single device name or multiple device names in this field. You can enter the following as search inputs for searching multiple devices:
- Comma separated list of full device names
- Device names with wildcard characters, (?) and (*), to search for multiple devices matching the text string entered in this input field. The wildcard character ? matches a single character in a device name and the wildcard character * matches multiple characters in a device name.
- Combination of comma separated list of device names, and device names with wildcard characters.
See Performing Simple Search for more information.
Search: Use this icon to perform a Simple search of devices, after you have entered your search input. See Performing Simple Search for more information.
Advanced Search: Use this icon to perform an Advanced search of devices. See Performing Advanced Search for more information.
All: This tab lists all the top-level device groups and the device names under each group in a hierarchical format (tree view). The top-level device groups include:
- All Devices
- Device Type Groups
- Subnet Groups
- User Defined Groups
See Understanding Device Groups for more information on types of device groups.
Search Results: This tab displays all the Simple or Advanced search results and you can select all devices, clear all devices, or select a few devices from the list. The Simple search results are based on the display name of the devices added to DCR. The Advanced search results are based on the grouping attributes of the grouping services server.
Selection: This tab lists all the devices that you have selected in the All or Search Results tab or through a combination of both. You can also use this tab to deselect the devices you have already selected. You can perform more than one search and can accumulate your selection of devices.
The Device Selector displays the number of devices selected by you at the bottom. When you click the link provided, it launches the Selection Tab. Tool tips are also provided for devices that contain long names so that you do not have to scroll horizontally to see the complete device name. This section contains the following information:
- Selecting Devices for Device Management Tasks
- Searching Devices
- Device Selector Settings

- Selecting Devices From All Tab
- Selecting Devices From Search Results
- Combination of Selection From All Tab and Search Results
The All tab lists the top-level device groups and the device names under each group in a hierarchical format (tree view). You can select the devices from the tree view. The Selection tab shows the flat list of selected devices from the All tab. You should expand the nodes of the top-level device groups and sub groups to see the list of devices within a group and select the devices you want. We recommend that you do not expand all and leave all the multiple group nodes open. This may affect the performance of the device selector.
You can perform a Simple Search or an Advanced Search, and the search results are displayed under the Search Results tab. You can select the devices you want from the Search Results tab. The Selection tab and the All tab display the devices you have selected from the Search Results tab.
Note
You can perform more than one search and can accumulate your selection of devices.
Combination of Selection From All Tab and Search Results
You can select the devices from the All tab and add more devices to the Selection list from the Simple or Advanced search results in the Search Results tab. The Selection tab displays the accumulated list from both All and Search Results tabs. You can enter another search criteria and select more devices. The selected devices are accumulated in the Selection tab.
Searching Devices
With the improved Device Selector, you can search for the devices by performing a Simple search or an Advanced search. In both cases, you do not need to remember the name of the devices and the groups in which the devices are grouped.
Note
The search string is not case sensitive in LMS. This section contains the following:
- You can enter a comma separated list of device names to search for multiple devices.
- You can use the wildcard characters, * and ?, to search for multiple devices that match the text string entered in this input field. Multiple wildcard characters are allowed in a search string.
- You can use the combination of comma separated list of device names and wildcard characters in the device names to search for multiple devices.
- If you are not using the wildcard characters, make sure that you enter the full device name.
For example, when you enter device2?, *.cisco1,*device10* as search input, the system displays:
- Device names starting with device2 and with only one character after device2
- Device names ending with .cisco1
- Device names containing the text string device10
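The Simple search rules above can be checked against an inventory export before a search input is used to scope a device management task. The following Python sketch is an added example, not LMS code: the function names and the sample display names are constructed, and it assumes that * also matches zero characters.

```python
import re


def compile_term(term):
    """Translate one search term into a case-insensitive, whole-name pattern.

    Only ? and * are wildcards; every other character, including [ and ],
    is matched literally.
    """
    parts = []
    for ch in term:
        if ch == "*":
            parts.append(".*")      # assumption: * may also match nothing
        elif ch == "?":
            parts.append(".")       # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def simple_search(search_input, display_names):
    """Return {display name: [terms that selected it]} for a comma separated input."""
    terms = [t.strip() for t in search_input.split(",") if t.strip()]
    patterns = [(t, compile_term(t)) for t in terms]
    hits = {}
    for name in display_names:
        for term, pattern in patterns:
            # fullmatch enforces "enter the full device name" when a term
            # carries no wildcard.
            if pattern.fullmatch(name):
                hits.setdefault(name, []).append(term)
    return hits


# Constructed display names, for illustration only.
INVENTORY = [
    "device2", "device20", "device200", "Device2A",
    "core.cisco1", "core.cisco10", "lab-device10-sw",
    "edge[1]", "edge1",
]

if __name__ == "__main__":
    for name, terms in simple_search("device2?, *.cisco1,*device10*", INVENTORY).items():
        print(f"{name:18} selected by {', '.join(terms)}")
```

With the sample inventory, device2 and device200 are not selected by device2?, and core.cisco10 is not selected by *.cisco1, which is the over- or under-selection to look for before running a task on the result.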
or
You can verify if the rule you have entered is correct using the Check Syntax button, and reset the rule you have created using the Clear button.
Using Expressions
You can use expressions to form a rule in the Advanced Search Dialog box. Each rule expression contains:
- Device Type: Object type used for forming a group. All expressions start with the string Device.
- Variables: Device attributes used to form a device group. The list of variables for advanced search are Category, DeviceIdentity, DisplayName, DomainName, HostName, ManagementIpAddress, MDFId, Model, Series, SystemObjectID, and the user-defined data, if any. The list of device attributes are different across Cisco Prime modules. The Advanced Search window in the Device Selector of Cisco Prime applications displays the respective device attributes as variables.
- Operators: Various operators to be used with the rule. The list of operators includes equals, contains, startswith, and endswith. The list of operators changes dynamically with the value of the variable selected. For the ManagementIpAddress variable, you can select the range operator in addition to the standard list of operators. The range operator enables you to search for devices of the specified range of IP Addresses. See Using IP Address Range to Form a Search Rule for more information.
- Value: Value of the variable. The value field changes dynamically with the value of the variable and operator selected, and this may be a text field or a list box.
After you define the rule settings, click Add Expression to add the rule expression. You can also enter multiple rule expressions using the logical operators. The logical operators include OR, EXCLUDE and AND.
Using IP Address Range to Form a Search Rule
The range operator enables you to search the devices of the specified range of IP Addresses. You can select the range operator only for the ManagementIpAddress and IP.Address variables. You should enter the range of IP Addresses in the Value field, to create a search rule based on IP Address ranges. When you enter the IP Address range in the text field, you should:
- Specify the range with permissible values for one or more octets in the IP Address. The minimum limit in the range is 0 and the maximum limit is 255.
- Use the hyphen character (-) as a separator between the numbers within a range.
- Specify the range of IP Addresses within the [ and ] characters to create a group rule.
For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field. You should not:
- Enter numbers less than 0 or greater than 255 in the IP Address range.
- Enter any characters other than the range separator (-).
- Enter the value of highest limit in the range as less than the value of smallest limit number. For example, you should not enter 10.10.10.[8-4].
For example, if you want to search all the devices in the network whose display name contains TestDevice or their IP Addresses within the range 10.10.210.207 to 10.10.212.247, you must perform the following:
Step 1 Click the Advanced Search icon in the Device Selector pane. The Define Advanced Search Rule dialog box appears.
Step 2 Create a search rule expression. To do so:
a. Select Variable as DisplayName
b. Select Operator as equals
c. Enter the Value as TestDevice
Step 3 Click Add Rule Expression. The rule is added into the Rule Text.
Step 4 Create another rule expression. To do this:
a. Select OR as the logical operator
b. Select Variable as ManagementIPAddress/IP.Address
c. Select Operator as range
d. Enter the Value as 10.10.[210-212].[207-247]
Step 5 Click Add Rule Expression. The rule is appended into the Rule Text.
Step 6 Click Search to display the devices that satisfy the specified rule in the Device Selection dialog box.
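The range syntax rules and the worked rule above, as an added Python example (not LMS code): it validates a Value string against the stated limits and compares what the rule selects with the dotted range named in the text. It assumes that each bracketed range constrains only its own octet; the function names and the sample addresses are constructed.

```python
import ipaddress
import re

# One octet of the Value field: a plain number or a bracketed low-high range.
OCTET = re.compile(r"(?:([0-9]{1,3})|\[([0-9]{1,3})-([0-9]{1,3})\])")


def parse_range_rule(value):
    """Return four (low, high) pairs, or raise ValueError naming the broken rule."""
    octets = value.strip().split(".")
    if len(octets) != 4:
        raise ValueError("expected four dot-separated octets")
    bounds = []
    for pos, text in enumerate(octets, start=1):
        m = OCTET.fullmatch(text)
        if m is None:
            raise ValueError(f"octet {pos}: only a number or [low-high] is accepted")
        if m.group(1) is not None:
            low = high = int(m.group(1))
        else:
            low, high = int(m.group(2)), int(m.group(3))
        if low > 255 or high > 255:
            raise ValueError(f"octet {pos}: limits must be between 0 and 255")
        if high < low:
            raise ValueError(f"octet {pos}: upper limit {high} is below lower limit {low}")
        bounds.append((low, high))
    return bounds


def rule_selects(value, address):
    """True if every octet of address falls inside the rule's range for that octet."""
    packed = ipaddress.IPv4Address(address).packed
    return all(lo <= octet <= hi for (lo, hi), octet in zip(parse_range_rule(value), packed))


def dotted_range_contains(first, last, address):
    """True if address lies between first and last when compared as whole addresses."""
    addr = ipaddress.IPv4Address(address)
    return ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last)


def missed_by_rule(value, first, last, addresses):
    """Addresses inside first..last that the per-octet rule does not select."""
    return [a for a in addresses
            if dotted_range_contains(first, last, a) and not rule_selects(value, a)]


RULE = "10.10.[210-212].[207-247]"                 # Value from the procedure above
FIRST, LAST = "10.10.210.207", "10.10.212.247"     # range named in the text
# Constructed management addresses, for illustration only.
SAMPLE_ADDRESSES = [
    "10.10.210.207", "10.10.210.100", "10.10.211.10",
    "10.10.211.255", "10.10.212.247", "10.10.212.250",
]

if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(f"{addr:15} rule={rule_selects(RULE, addr)} "
              f"dotted_range={dotted_range_contains(FIRST, LAST, addr)}")
    print("inside the dotted range but not selected:",
          missed_by_rule(RULE, FIRST, LAST, SAMPLE_ADDRESSES))
```

Under the per-octet assumption, 10.10.211.10 and 10.10.211.255 lie between the two end addresses but are not selected, so compare the search result with the inventory before treating the rule as covering the whole range.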
For example, if you want to search all the devices in the network whose display name contains or their SysObjectIDs start with 1.3.12.1.4, you must construct a rule as follows:
Note
We recommend that you use expressions to construct a complex rule instead of creating them using the Rule Text field. Use the Rule Text field to make any minor edits to the constructed rule.
Additional Notes
Read the following notes before you perform an advanced search:
- You cannot use wildcard characters in the Value field. Instead you can use the operator as startswith or contains.
- You can use Check Syntax button, when you add or modify a rule manually.
- You must delete the complete rule expression including the logical operator, when you delete a portion of your rule.
- The search string is case-insensitive.
- Understanding Device Groups
- Customizing Device Grouping
- Customizing Display Order of Device Groups

- All Devices
- Device Type Groups
- Subnet Groups
- User Defined Groups
All Devices
The All Devices Group displays all the devices in the application in the alphabetical order of their display names. The display names are defined when you have added the devices in DCR.
Subnet Groups
You can see Subnet Groups, only when Topology and Identity Services functionality is enabled. You can check the functionality settings at Admin > System Administration > Collection Settings > Functionality Settings. In a Multi Server setup, when two or more servers are installed with the Topology and Identity Services, then the Subnet Groups from all the servers will be aggregated and displayed under the Subnet Groups folder in the Device Selector pane. See Customization of Subnet Groups for information on customizing the display of devices under this group.
Tip
We recommend that you provide unique and meaningful names to User Defined Groups when you create them to avoid the display of multiple User Defined Groups with the same name. See Customization of User Defined Groups for information on customizing the display of devices under this group.
- Customization of Device Type Groups
- Customization of Subnet Groups
- Customization of User Defined Groups

- All devices in groups, based on their Device Category only
- All devices in groups and subgroups, based on their Device Category and Series
- All devices in groups and subgroups, based on their Device Category, Series and Model
By default, the Device Type Group folder displays the devices in sub groups based on their category only. To display the devices in groups based on their Device Category:
Step 1 Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears.
Step 2 Check the Show Category Groups check box from the Device Type Based Groups panel.
Step 3 Click Apply to save your changes or click Restore Defaults to restore the default values.
To display the devices in groups and subgroups based on their Device Category and Series:
Step 1 Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears.
Step 2 Check the Show Series Groups check box from the Device Types Based Groups panel. When you check the Show Series Groups check box, the Show Category Groups check box will also be checked automatically and will be disabled.
Step 3 Click Apply to save your changes or click Restore Defaults to restore the default values.
To display the devices in groups and subgroups based on their Device Category, Series and Model:
Step 1 Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears.
Step 2 Check the Show Model Groups check box from the Device Type Based Groups panel. When you check the Show Model Groups check box, the Show Category Groups and Show Series Groups check boxes will also be checked automatically and will be disabled.
Step 3 Click Apply to save your changes or click Restore Defaults to restore the default values.
To hide the display of Device Type Based Folders from the Device Selector Pane:
Step 1 Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears.
Step 2 Go to the Device Type Based Groups Panel and uncheck all the check boxes.
Step 3 Click Apply to save your changes.
Step 1 Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears.
Step 2 Check the Show Subnet Groups at the First Level check box from the Subnet Based Groups Panel.
Step 3 Click Apply to save your changes or click Restore Defaults to restore the default values.
- Only User Defined Groups created by you in the local server
- Only User Defined Groups created by you in all Peer Servers in a Multi Server setup
- All User Defined Groups created by any user in the local server
- All User Defined Groups created by any user in all Peer Servers in a Multi Server setup
By default, you can view all the User Defined Groups (irrespective of any user) created in the local server in the Device Selector pane.
Step 1 Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears.
Step 2 Select My User Defined Groups from the Show drop down list box in the User Defined Groups panel.
Step 3 Select either:
- Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups created by you in the local server.
Or
- All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined Groups created by you in all the servers in a Multi-server setup.
In a Standalone Server Setup, the From drop down list box contains only Local LMS Server list item.
Step 4 Click Apply to save your preferences or click Restore Defaults to restore the default values.
Step 1 Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears.
Step 2 Select All User Defined Groups from the Show drop down list box in the User Defined Groups panel.
Step 3 Select either:
- Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups in the local server.
Or
- All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined Groups in all the servers in a Multi-server setup.
In a Standalone Server Setup, the From drop down list box contains only Local LMS Server list item.
Step 4 Click Apply to save your preferences or click Restore Defaults to restore the default values.
You can change the order and save the configurations. To change the order of the device groups:
Step 1 Select Admin > Network > Display Settings > Group Ordering. The Group Ordering page appears.
Step 2 Select a group from the list displayed.
Step 3 Click Up to move the device group up in the displayed order or click Down to move down.
Step 4 Click Apply to save the changes to your system or click Restore Defaults to restore the default settings.
- Changing DCR Mode
- Configuring Device Polling
- Configuring User Defined Fields
- Configuring Default Credentials
To perform these tasks, select Admin > Network > Device Credential Settings. The Admin page appears with the current DCR Administration settings. You can change the Mode Settings or modify User Defined fields.
Select Admin > Network > Device Credential Settings > Mode Settings. The Mode Settings page appears. Click Change Mode to change the current mode. The DCR Mode dialog box appears. You can select the required mode from this dialog box.
- Master-Slave Configuration Prerequisites
- Changing the Mode to Standalone
- Changing the Mode to Master
- Changing the Mode to Slave
Before you set up the Master and Slave, you have to perform certain tasks to ensure that secure communication takes place between the Master and Slave.
Tip
We recommend that you configure the Master and all its Slaves in the management domain with the same version of LMS software. See the Using DCR Features in a Master-Slave Setup section in Inventory Management with Cisco Prime LAN Management Solution 4.1.
If machine M is to be the Master and S is to be the Slave:
Step 1 Add a Peer Server User and password in M. See Setting up Peer Server Account for details.
Step 2 Add a System Identity user and password in S. This should be same as the Peer Server User set up in M. See Setting up System Identity Account for details.
Step 3 Copy the Self-Signed Certificate of S to M. Also, copy the Self-Signed Certificate of M to S. See Creating Self Signed Certificates for details on creating Self-Signed Certificate and Setting up Peer Server Certificate for details on copying Peer Certificate.
Select the Standalone radio button. Click Apply to change mode. The default DCR mode is Standalone.
Before you change the mode to Master, ensure that Master-Slave Configuration Prerequisites are in place.
Step 1 Step 2
Before you change the mode to Slave, ensure that Master-Slave Configuration Prerequisites are in place. You need to perform the following tasks:
Step 1 Select the Slave radio button.
Step 2 Enter the hostname of the Master in the Master field. This hostname should exactly match the Hostname field in the Self Signed Certificate of the Master.
Step 3 Specify the SSL port of the master. Default is 443.
Step 4 Select Inform Current slave(s) of new Master Hostname only if you want to change the mode from Master to Slave. If you select this check box, all the slaves of the Master (whose mode you currently changed to Slave) will be informed of the new master hostname. That is, they will become the slaves of the new Master.
Step 5 Select the Add new devices to Master check box to add the devices in Slave to the new Master. If the devices are already available in the new Master, they will be discarded.
Step 6 Click Apply. A warning message appears when the Master server has the earlier version of LMS.
Step 7 Click OK to change the mode to Slave. To cancel the change of mode, click Cancel.
Note
You must restart the daemon manager after the mode change to Slave is complete.
Changing the hostname of a Master is equivalent to pointing Slaves to a new Master. When you point a Slave/Standalone to a new Master, DCR checks whether the new Master has the same Domain ID as the current machine. If Domain ID is the same, DCR displays an error message that Master cannot be configured since the new Master has the same Domain ID. In this case, you need to convert the Slave to Standalone, and then register the machine with the new Master. When you re-register, the applications on Slave will clean up the device list. When you change the host name of the current Master, you must change the Slave mode to Standalone, and then re-register the machine as a Slave by providing the new Master hostname. However, when the machine is re-configured as Slave, the applications will clean up the device list. For example, if you have a Master M and Slave S, and if you change the hostname of M, you should change the mode of S to standalone. Then, you have to configure S as the Slave of M. But when you re-configure S as Slave, the applications on S will clean up their device lists. Therefore, you have to be aware that while changing the hostname of a Master, application data is cleaned up on all Slaves.
- Activate Device Polling to check whether the devices can be reached
- Configure Device Polling policy
- Schedule Device Polling
- Display a list of devices that are not reachable for a certain period of time
- Delete the selected unreachable devices from DCR
You should have the required privileges to configure Device Polling policy. You should be a Network Administrator, or a System Administrator to perform this task in Cisco Prime local mode. You should have the following privileges to delete the devices:
- Privileges to perform the Delete Devices task
- Device level authorization

- Configuring Device Polling Settings
- Deleting Unreachable Devices from DCR
You can use any one or more of the following protocols to poll devices:
- ICMP (Ping)
- SNMPv3
- SNMPv2c/SNMPv1
When you select all protocols, the devices in the network are polled using ICMP (Ping) first followed by SNMPv3, and later by SNMPv2c/SNMPv1. When you select SNMPv2c/SNMPv1 protocol, SNMPv2c is used first to poll the devices. SNMPv1 is used to poll the devices only if the SNMPv2c protocol has failed to query the device. If you use more than one protocol for polling and if a device is reachable using the first protocol, the other protocols will not be used. You can configure only one job at a time to detect unreachable devices. You can modify the schedule later at any point of time. You cannot schedule an immediate Device Polling job. In a Master-Slave setup, you can configure Device Polling settings and run the Device Polling job only from Master server.
Step 1 Select Admin > Network > Device Credential Settings > Device Poll Settings. The Device Poll Settings page appears.
Step 2 Select the Activate Device Polling to Check Reachability check box to enable Device Polling. Device Polling is not enabled by default. You must select this check box to activate Device Polling.
Step 3 Configure a Polling Policy. To do so:
a. Enable one or all of the check boxes in the Poll Policy panel to select the protocols to be used for polling:
- ICMP (Ping)
- SNMPv3
- SNMPv2c/SNMPv1
b. Enter the timeout value for the selected protocols in the appropriate Timeout fields. The timeout denotes the time period after which the ICMP or SNMP query of devices times out. You must enter the timeout value in milliseconds. The minimum timeout value is 1000 milliseconds and the maximum value is 20000 milliseconds. Default value is 1000 milliseconds. You cannot leave this field blank.
c. Enter the value of retries for the selected protocols in the appropriate Retries fields. The retry denotes the number of attempts made to query the device. You can specify any value between 0 to 8 as number of retries. The default number of retry is 1 for both ICMP and SNMP protocols. You cannot leave this field blank.
d. Enter the number of instances in Notify when devices not reachable for, to receive notifications when the devices are not reachable for a specific time period. This is mandatory. For example, if you enter the number of instances as 2 and the Device Polling job frequency as Daily, you will receive notifications of devices that are not reachable for two days or more than 2 days. If you enter the number of instances as 3 and the Device Polling job frequency as 6 hours, you will receive notifications of devices not reachable for last 18 hours or more than 18 hours. See Step 4 for details on the job frequencies available.
Step 4
a. Select a job frequency from the Run Type drop-down list. You can schedule only periodic Device Polling. The scheduling can be 6-Hourly, 12-Hourly, Daily, Weekly, or Monthly.
b. Enter a date in the Date field or select a date from the date picker to start the scheduled job. The current date on the client system is displayed in the Date field by default.
You can edit the schedule at a later point of time. See Step 5 for details. If you do not want to edit the schedule, go to Step 7.
Step 5 Select the Change Schedule check box if you want to edit the schedule information (Run Type and Starting Date). This field does not appear after a fresh or upgrade installation of LMS or if a Device Polling job has not been scheduled earlier. If you opt to change the schedule, the existing job schedule is deleted from Job and Resource Manager (JRM) and a job is scheduled. The device reachability status is also reset. A warning message appears if you select this check box.
Step 6 Click OK.
Step 7 Enter the Job information. To do this:
a. Select the Report Attachment field if you want to receive the report through e-mail.
b. Select the Attachment Option as either PDF or CSV.
c. Enter a brief description about the Device Polling job in the Job Description field.
d. Enter your e-mail ID in the E-mail field to receive notifications about the status of the Device Polling job. You can enter multiple e-mail addresses separated by commas. Entering an e-mail ID is mandatory when you have selected the Report Attachment field.
Step 8 Click Apply for the Device Polling settings to take effect. The Device Polling schedule is created and assigned with a job ID. Notification is sent to the e-mail address you have configured in the Device Polling Settings page.
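The polling rules above (protocol order, timeout and retry limits, notification instances) can be modelled to review a planned policy before it is entered. This Python sketch is an added example, not LMS code: the policy dictionary layout and function names are constructed, and it assumes that a device is probed once plus the configured retries per protocol and that the number of instances must be at least 1.

```python
# Added illustration of the Device Polling rules described above; not LMS code.
POLICY_CHOICES = ("ICMP", "SNMPv3", "SNMPv2c/SNMPv1")
# Monthly is a valid Run Type but has no fixed length in hours.
RUN_TYPE_HOURS = {"6-Hourly": 6, "12-Hourly": 12, "Daily": 24, "Weekly": 168}


def validate_policy(policy):
    """Return the rule violations found in a policy dict (empty list if none)."""
    errors = []
    protocols = policy.get("protocols", {})
    if not protocols:
        errors.append("select at least one protocol")
    for name, cfg in protocols.items():
        if name not in POLICY_CHOICES:
            errors.append(f"{name}: not a Poll Policy choice")
            continue
        if not 1000 <= cfg["timeout_ms"] <= 20000:
            errors.append(f"{name}: timeout must be 1000 to 20000 ms")
        if not 0 <= cfg["retries"] <= 8:
            errors.append(f"{name}: retries must be 0 to 8")
    if policy.get("notify_instances", 0) < 1:      # assumption: at least 1
        errors.append("notify instances is mandatory")
    if policy.get("run_type") not in (*RUN_TYPE_HOURS, "Monthly"):
        errors.append("run type must be a periodic schedule")
    return errors


def probe_order(selected):
    """Order in which the selected choices are tried: ICMP, SNMPv3, SNMPv2c, SNMPv1."""
    order = [p for p in ("ICMP", "SNMPv3") if p in selected]
    if "SNMPv2c/SNMPv1" in selected:
        order += ["SNMPv2c", "SNMPv1"]   # SNMPv1 is tried only after SNMPv2c fails
    return order


def poll_device(selected, answers):
    """Return (protocol that reached the device or None, protocols tried).

    answers is the set of protocols a constructed device responds to; polling
    stops at the first protocol that reaches it.
    """
    tried = []
    for proto in probe_order(selected):
        tried.append(proto)
        if proto in answers:
            return proto, tried
    return None, tried


def notify_after_hours(policy):
    """Hours a device must stay unreachable before notification (None for Monthly)."""
    hours = RUN_TYPE_HOURS.get(policy["run_type"])
    return None if hours is None else hours * policy["notify_instances"]


def worst_case_wait_ms(policy):
    """Longest time spent on one unreachable device under the retry assumption."""
    total = 0
    for proto in probe_order(policy["protocols"]):
        key = proto if proto in policy["protocols"] else "SNMPv2c/SNMPv1"
        cfg = policy["protocols"][key]
        total += cfg["timeout_ms"] * (cfg["retries"] + 1)
    return total


# Constructed policy using the documented defaults (1000 ms, 1 retry).
DEFAULT_POLICY = {
    "protocols": {name: {"timeout_ms": 1000, "retries": 1} for name in POLICY_CHOICES},
    "notify_instances": 2,
    "run_type": "Daily",
}

if __name__ == "__main__":
    print("violations:", validate_policy(DEFAULT_POLICY))
    print("legacy-only device:", poll_device(DEFAULT_POLICY["protocols"], {"SNMPv1"}))
    print("notify after", notify_after_hours(DEFAULT_POLICY), "hours")
    print("worst case per device:", worst_case_wait_ms(DEFAULT_POLICY), "ms")
```

The protocol name returned by poll_device shows which devices in a sample answer only to SNMPv2c or SNMPv1, whose community strings are not encrypted on the wire.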
- Connectivity protocols such as SNMP or ICMP may be disabled on the device.
- Incorrect credentials may be configured for the device.
- Invalid timeout and retries may have been configured on the device.
To delete unreachable devices from DCR, select Reports > Inventory > Management Status > Unreachable Devices.
You can add six more UDFs through the user interface. You can rename or delete all the UDFs including the four default UDFs provided by the user interface. This section explains the following:
- Adding User Defined Fields
- Renaming User Defined Fields
- Deleting User Defined Fields
Select Admin > Network Administration > Device Credential Repository Settings > User Defined Fields. The User Defined Fields page appears with the current settings.
Click Add to add a UDF. Enter the field label and description in the corresponding fields. Click Apply to apply the changes. To return to the User Defined Fields page, click Cancel.
Step 1 Select Admin > Network > Device Credential Settings > User Defined Fields. The User Defined Fields dialog box appears.
Step 2 Select the radio button corresponding to the UDF you want to rename.
Step 3 Click Rename. The User Defined Field dialog box opens in a new window.
Step 4 Enter the UDF label and description in the corresponding fields.
Step 5 Click Apply. To return to the User Defined Fields page, click Cancel.
Step 1 Select Admin > Network > Device Credential Settings > User Defined Fields. The User Defined Fields dialog box appears.
Step 2 Select a UDF and click Delete. A confirmation message window appears.
Step 3 Click OK. To return to the User Defined Fields page, click Cancel.
- Using Default Credentials
- Important Notes on Default Credentials
- Default Credentials Behavior in Multi-Server Setup
- Configuring Default Credential Sets
- Configuring Default Credential Set Policy
- Manually add devices in DCR
When you manually add devices with a similar credential set in DCR, you have to enter the credentials repetitively for every device addition. Instead, you can use the default credentials defined in default credential sets or default credential set policies to populate DCR.
- Add devices into DCR through Discovery
Discovery populates only the SNMP read community string in DCR during device addition and leaves the other credentials blank. When other applications manage the newly added device, the management operations fail if they cannot retrieve the required credentials from DCR. To prevent the management operations from failing, you can use the default credentials while adding devices through Discovery.
- Import devices into DCR
Importing devices from a file, NMS or any other third party applications into DCR populates the SNMP read-only community string and the SNMP read/write community string. When other applications manage the newly imported devices, the management operations fail if they cannot retrieve the required credentials from DCR. To prevent the management operations from failing, you can use the default credentials while importing devices from NMS or any other third party application.
The default credentials you use while adding or importing devices into DCR will not be verified. You can configure multiple default credential sets and add or import a set of devices in DCR with default credentials from a default credential set. Later, you can edit the value of the credentials in a default credential set and add another set of values with the edited default credentials. The devices that are already added or imported into DCR will not be affected if you edit the values of the default credentials or remove the default credentials from DCR. Devices added with default credentials in DCR populates all the credentials you have configured for the default credential set irrespective of the device management type. For example, if you have configured the default credential set with Standard credentials, SNMP credentials, and Auto Update Server Managed Device credentials and if you add a device of Standard management type in DCR, the Auto Update Server Managed Device credentials are also populated for that device.
We recommend you to configure a default credential set with the values common for most of the devices that are to be added or imported into DCR.
Primary Credentials (Username, Password, Enable Password)
Secondary Credentials (Username, Password, Enable Password)
SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community String)
SNMPv3 Credentials (Mode, Username, Authentication Password, Authentication Algorithm, Privacy Password, Privacy Algorithm)
HTTP credentials (Primary HTTP Username and Password, Secondary HTTP Username and Password, HTTP port, HTTPS port, Current Mode)
Auto Update Server Managed Device Credentials (Username and Password)
Rx Boot Mode Credentials (Username, Password)

Configuring a Default Credential Set
Editing a Default Credential Set
Deleting a Default Credential Set
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets. The Default Credentials Sets page appears. The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Server.
Step 2
Click Next or select Credential Sets name from the Default Credentials list panel and enter the respective credential information.
Step 3
Enter a name of the credential set in the Credential Set Name field. This is mandatory. The Credential Set Name can contain lower case alphabets, upper case alphabets, and numerals (0 to 9). You can include the following special characters in the Credential Set Name:

Special Character    Description
_                    Underscore
-                    Hyphen
.                    Period

Step 4
Enter a description of the credential set in the Set Description field.
Step 5
Click Next or select a credential type from the Default Credentials list panel and enter the respective credential information. You can select any of the credential types from the panel:
  Standard Credentials
  SNMP Credentials
  HTTP Credentials
  Auto Update Server Managed Device Credentials
  Rx-Boot Mode Credential
Step 6
Standard Credentials
  Primary Credentials (Username, Password, Enable Password)
  Secondary Credentials (Username, Password, Enable Password)
SNMP Credentials
  SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community String)
  SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy Password, Privacy Algorithm)
  You must select the SNMPv3 check box to add SNMPv3 default credentials. By default, these fields are disabled. When the SNMPv3 check box is selected, the default SNMPv3 mode is AuthPriv.
HTTP Credentials
  Primary Credentials (Username, Password)
  Secondary Credentials (Username, Password)
  Other Information (HTTP Port, HTTPS Port, Current Mode)
Auto Update Server Managed Device Credentials (Username, Password)
Rx-Boot Mode Credentials (Username, Password)

Note
You must enter a value for at least one credential before applying the default credentials.

Step 7
Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also click Back to navigate to the previous page and click Remove to delete the Default Credential Set and the credentials configured in this Credential Set, but it will not affect the devices that are already added or imported with default credentials.
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets. The Default Credentials Sets page appears. The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Server.
Step 2
Click Next or select Credential Set Name from the Default Credentials list panel.
Step 3
Select a default credential set name from the Credential Set drop-down list box.
Step 4
Edit the description of the credential set in the Set Description field. You cannot edit the name of the credential set.
Step 5
Click Next or select a credential type from the Default Credentials list panel.
Step 6
Edit the following credentials as required:
Standard Credentials
  Primary Credentials (Username, Password, Enable Password)
  Secondary Credentials (Username, Password, Enable Password)
SNMP Credentials
  SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community String)
  SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy Password, Privacy Algorithm)
  You must select the SNMPv3 check box to add or edit SNMPv3 default credentials. By default, these fields are disabled. When the SNMPv3 check box is selected, the default SNMPv3 mode is AuthPriv.
HTTP Credentials
  Primary Credentials (Username, Password)
  Secondary Credentials (Username, Password)
  Other Information (HTTP Port, HTTPS Port, Current Mode)
Auto Update Server Managed Device Credentials (Username, Password)
Rx-Boot Mode Credentials (Username, Password)
Step 7
Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also click Back to navigate to the previous page and click Remove to delete the Default Credential Set and the credentials configured in this Credential Set, but it will not affect the devices that are already added or imported with default credentials.
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets. The Default Credentials Sets page appears. The Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Server.
Step 2
Select a credential set from Credential Set drop-down list box.
Step 3
Click Remove to delete a default credential set. The selected default credential set is deleted from the LMS Server. The default credential set policies that you have configured with this default credential set will also be deleted.
IP Address
Hostname
Display Name

Before Configuring a Credential Set Policy
Creating a Default Credential Set Policy
Patterns in IP Address Default Credential Set Policy Rules
Regular Expressions in Default Credential Set Policy Rules
Examples For Default Credential Set Policies
Deleting Default Credential Set Policies
Defining the Order of Default Credential Set Policies
You can include patterns when creating rules for IP Address based default credential set policies. See Patterns in IP Address Default Credential Set Policy Rules for more information. Regular expressions are supported for policies based on Hostname and Display Names. IP Address based policy types do not support regular expressions. See Regular Expressions in Default Credential Set Policy Rules for more information.
The expressions in default credential set policy rules are case insensitive. You can include the following characters in Display Name and Hostname:
Lower case alphabets
Upper case alphabets
Numerals (0 to 9)
Special characters such as hyphen (-), underscore (_), period (.) and colon (:)
When you define more than one policy for a default credential set, all these policy rules work together. The policies will be applied in the same order in which they appear on the Credentials Sets Policy Configuration page. See Defining the Order of Default Credential Set Policies for more information.
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Default Credentials Sets Policy Configuration page appears. The Default Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Servers.
Step 2
Click Add to add a default credential set policy. The Add Credentials Policy Configuration dialog box appears.
Step 3
Construct a policy rule. To do so:
a. Select a parameter from the Select a Policy Type drop-down dialog box. The listed parameters are IP Range, Hostname and Display Name. Based on the parameter that you have selected, the value field name changes dynamically.
b. Enter a value for the rule parameter. If you have selected IP Range as the rule parameter, enter a value in the IP Range field. If you have selected Hostname as the rule parameter, enter a value in the Hostname field. If you have selected Display Name as the rule parameter, enter a value in the Display Name field. See Patterns in IP Address Default Credential Set Policy Rules and Regular Expressions in Default Credential Set Policy Rules for more information. The expressions in credential set policy rules are case insensitive.
c. Select a credential set name from the Credentials Set drop-down list box to associate the rule expression with the default credential set. Select No Default if you do not want to enter a credential set name.
Step 4
Click OK to go back to Credentials Sets Policy Configuration page. The policy that you have configured is listed in the Credentials Sets Policy Configuration page.
You can edit a default credential set policy later. To do so, you must select a default credential set policy in the Credentials Sets Policy Configuration page and click Edit.
Use the standard IPv4 Address format (4 octets separated by periods) or the IPv6 Address format. Any octet can have one of the following:

Numbers between:
  Example: 10.77.240.225 (IPv4 Address), 001:DB8:0:2AA:FF:C0A8:0:640A (IPv6 Address)

Asterisk (*) as wildcard denoting all numbers from 0 to 255 in an IPv4 Address and 0 to FFFF in an IPv6 Address.
  Example: 10.*.*.240 (IPv4 Address), 001:*:0:2AA:FF:*:*:* (IPv6 Address)

Range of numbers in the [StartingNumber-EndingNumber] format (example: 10.77.[220-240].[210-220] for an IPv4 Address, 001:DB8:0:[EE-FF]:FF:C0A8:0:[100-AAF] for an IPv6 Address), where:
StartingNumber and EndingNumber should
or equal to EndingNumber
The octets in an IP Address policy type can also contain a combination of wildcard characters and ranges of numbers. Some examples of IP Address filter combinations include:

10.77.[210-230].*
10.77.*.[110-210]
001:DB8:*:*:FF:[C0A-DD8]:0:[5-D]
[10-20]:[10-20]:[A-F]:2:4:*:*:*
Consider that all devices whose IP Addresses are within the range 10.77.[210-230].* should be added or imported to DCR with the default credentials defined in a default credential set IPSet. You should create a default credential set policy based on the IP Range policy type. To do so:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears.
Step 2
Click Add to add a default credential set policy. The Add Credentials Policy Configuration dialog box appears.
Step 3
Construct the policy:
a. Select the policy type as IP Range from the Select a Policy Type drop-down list box.
b. Enter the IP Range value as 10.77.[210-230].*
c. Select the Default Credential Name as IPSet
Step 4
Click OK to go back to Default Credential Sets Policy Configuration page. The policy that you have configured will be listed in a table format.
Consider that all devices whose IP Addresses are within the range 100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15] should be added or imported to DCR with the default credentials defined in a default credential set IPv6Set. You should create a default credential set policy based on the IP Range policy type. To do so:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears.
Step 2
Click Add to add a default credential set policy. The Add Credentials Policy Configuration dialog box appears.
Step 3
Construct the policy:
a. Select the policy type as IP Range from the Select a Policy Type drop-down list box.
b. Enter the IP Range value as 100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15]
c. Select the Default Credential Name as IPv6Set
Step 4
Click OK to go back to Default Credential Sets Policy Configuration page. The policy that you have configured will be listed in a table format.
Consider that all devices whose Display Names end with or contain device should be added or imported to DCR with the default credentials defined in a default credential set SetName2. You should create a default credential set policy based on the Display Name policy type. To do so:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears.
Step 2
Click Add to add a default credential set policy. The Add Credentials Policy Configuration dialog box appears.
Step 3
Construct the policy:
a. Select the policy type as Display Name from the Select a Policy Type drop-down list box.
b. Enter the value as (.)*device
c. Select the Default Credential Name as SetName2
Step 4
Click OK to go back to Default Credential Sets Policy Configuration page. The policy that you have configured will be listed in a table format.
Consider that all devices whose Display Names contain 1.3.6.1.4.1.9.1.n should be added or imported to DCR with the default credentials defined in a default credential set SOIDset. You should create a default credential set policy based on the Display Name policy type. To do so:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears.
Step 2
Click Add to add a default credential set policy. The Add Credentials Policy Configuration dialog box appears.
Step 3
Construct the policy:
a. Select the policy type as Display Name from the Select a Policy Type drop-down list box.
b. Enter the value as (.)*\.1\.3\.6\.1\.4\.1\.9\.1\.(.)
c. Select the Default Credential Name as SOIDset
Step 4
Click OK to go back to Default Credential Sets Policy Configuration page. The policy that you have configured will be listed in a table format.
Consider that all devices whose Hostnames start with Che should be added or imported to DCR with the default credentials defined in a default credential set SetName1. You should create a default credential set policy based on the Hostname policy type. To do so:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears.
Step 2
Click Add to add a default credential set policy. The Add Credentials Policy Configuration dialog box appears.
Step 3
Construct the policy:
a. Select the policy type as Host Name from the Select a Policy Type drop-down list box.
b. Enter the value as Che(.)*
c. Select the Default Credential Name as SetName1
Step 4
Click OK to go back to Default Credential Sets Policy Configuration page. The policy that you have configured will be listed in a table format.
Consider that all devices whose Hostnames contain lab2 should be added or imported to DCR with the default credentials defined in a default credential set SetName3. You should create a default credential set policy based on the Hostname policy type. To do so:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears.
Step 2
Click Add to add a default credential set policy. The Add Credentials Policy Configuration dialog box appears.
Step 3
Construct the policy:
a. Select the policy type as Host Name from the Select a Policy Type drop-down list box.
b. Enter the value as (.)*lab2(.)*
c. Select the Default Credential Name as SetName3
Step 4
Click OK to go back to Default Credential Sets Policy Configuration page. The policy that you have configured will be listed in a table format.
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears. The Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Servers.
Step 2
Select a default credential set policy to delete. You can also select multiple default credential set policies to delete.
Step 3
Click Delete to remove the default credential set policies.
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears with a list of default credential set policies.

Click the Up Arrow icon to move the selected default credential set policy up in the displayed order.
Or
Click the Down Arrow icon to move the selected default credential set policy down in the displayed order.
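The following added example (not Cisco's code and not part of the original guide) shows how an ordered list of default credential set policies resolves to a credential set for a device, using the pattern syntax and policy values from the sections above. It assumes that the first matching policy in display order decides the result, that Hostname and Display Name expressions must match the whole value, and that IPv6 patterns are written with all eight groups; it uses Python's `re` rather than the product's regex engine, and the function names and device inventory are constructed.

```python
import ipaddress
import re

# One octet (IPv4) or group (IPv6): a literal number or [Start-End].
_FIELD = re.compile(r"\[([0-9A-Fa-f]+)-([0-9A-Fa-f]+)\]|([0-9A-Fa-f]+)")


def parse_ip_pattern(pattern):
    """Parse an IP Range policy value into (version, [(low, high), ...])."""
    if ":" in pattern:
        version, sep, base, count, top = 6, ":", 16, 8, 0xFFFF
    else:
        version, sep, base, count, top = 4, ".", 10, 4, 255
    fields = pattern.split(sep)
    if len(fields) != count:
        raise ValueError(f"{pattern!r}: expected {count} fields")
    spans = []
    for field in fields:
        if field == "*":  # wildcard: every value the field can hold
            spans.append((0, top))
            continue
        m = _FIELD.fullmatch(field)
        if m is None:
            raise ValueError(f"{pattern!r}: bad field {field!r}")
        if m.group(1) is not None:
            start, end = m.group(1), m.group(2)
        else:
            start = end = m.group(3)
        # int() raises ValueError for hex digits inside an IPv4 pattern.
        low, high = int(start, base), int(end, base)
        if not low <= high <= top:  # start must not exceed end or the field maximum
            raise ValueError(f"{pattern!r}: bad range {field!r}")
        spans.append((low, high))
    return version, spans


def pattern_size(pattern):
    """Number of addresses a pattern covers, to make broad policies visible."""
    size = 1
    for low, high in parse_ip_pattern(pattern)[1]:
        size *= high - low + 1
    return size


def ip_matches(pattern, address):
    """True if the device address falls inside every field of the pattern."""
    version, spans = parse_ip_pattern(pattern)
    ip = ipaddress.ip_address(address)
    if ip.version != version:
        return False
    if version == 4:
        values = list(ip.packed)
    else:
        values = [int(group, 16) for group in ip.exploded.split(":")]
    return all(low <= v <= high for v, (low, high) in zip(values, spans))


def resolve_credential_set(policies, device):
    """Walk policies in display order; assumption: the first match wins."""
    for policy_type, value, credential_set in policies:
        if policy_type == "IP Range":
            hit = ip_matches(value, device["ip"])
        else:
            key = "hostname" if policy_type == "Hostname" else "display_name"
            # Policy expressions are case insensitive; whole-value match is assumed.
            hit = re.fullmatch(value, device[key], re.IGNORECASE) is not None
        if hit:
            return credential_set
    return None  # no policy matched: no default credentials are applied


def audit(policies, devices):
    """Map each hostname to the credential set it would receive."""
    return {d["hostname"]: resolve_credential_set(policies, d) for d in devices}


# Policy values from the examples in this guide, in display order.
POLICIES = [
    ("IP Range", "10.77.[210-230].*", "IPSet"),
    ("Hostname", "Che(.)*", "SetName1"),
    ("Hostname", "(.)*lab2(.)*", "SetName3"),
]

# Constructed inventory for illustration.
DEVICES = [
    {"ip": "10.77.215.4", "hostname": "che-lab2-sw1", "display_name": "sw1"},
    {"ip": "10.77.231.9", "hostname": "CHE-core", "display_name": "core"},
    {"ip": "192.0.2.10", "hostname": "edge-lab2", "display_name": "edge"},
    {"ip": "192.0.2.11", "hostname": "edge1", "display_name": "edge1"},
]

if __name__ == "__main__":
    for host, cred_set in audit(POLICIES, DEVICES).items():
        print(f"{host}: {cred_set}")
    for policy_type, value, cred_set in POLICIES:
        if policy_type == "IP Range":
            print(f"{value} -> {cred_set}: covers {pattern_size(value)} addresses")
```

Running `audit` before and after reordering the list shows which devices change credential set, and `pattern_size` shows how many addresses an IP Range policy can hand a credential set to.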
CHAPTER 5
Managing Groups
LMS 4.1 combines the device grouping with a new attribute list. The other grouping services that are available in LMS are:
Fault Group - supports 50 groups
IPSLA Collector Group - supports 100 groups
Port and Module Group - supports 100 groups
The numbers of groups that LMS supports will vary according to the SKU that you use. For more details, see Application Scaling Numbers section in the Installing and Migrating to Cisco Prime LAN Management Solution 4.1 guide. This section explains the following:
Groups - Components and Basic Concepts
Groups in Single-Server and Multi-Server Setup
Device Group Administration
DCR Mode Changes and Group Behavior
Port and Module Group Administration
Working with Fault System-defined Groups
Working with Customizable Groups
Managing Fault Groups
Viewing Fault Group Details
Viewing Fault Membership Details
Refreshing Fault Membership
Deleting Fault Groups
Understanding Collector Group Rules
IPSLA Collector Group Administration Process
Understanding IPSLA Collector Group Administration
Working with User-Defined Collector Groups
Operation-Based Collector Groups (System-Defined)
Group Server: Manages groups of devices. It helps you to create, edit, delete, and refresh groups to be shared by the application. It interfaces with an application service adapter (ASA) to evaluate group rules and retrieve devices of a particular group.
Application Service Adapters (ASAs): Application-specific information repository that serves as the source of the devices and attributes that are grouped by the Groups Server. Until LMS 3.2, ASA was an interface between applications and Groups Server. In LMS 4.1, there is only a single ASA.
Group Admin: Allows you to interact with the Groups Server to create and manipulate groups using Group Admin.
Basic Concepts
Group Class: Representation of a set of devices belonging to DCR. In this context a device in Device and Credential Repository (DCR) is a single instance of a class. Each instance (device) will have a set of attributes and a unique device ID.
Group Object: Device in a group class. Each device in the group will have a set of attributes stored in DCR. Associated with every device is a unique and immutable device ID.
Group: Named aggregate entity comprising a set of devices belonging to a single class or a set of classes, with a common superclass. Groups can be shared between users or applications, subject to access-control restrictions. The membership of a group is determined by a rule.
Group Rule: Consists of one or more rule expressions combined by operators, which can be AND, OR or EXCLUDE. A rule always evaluates to objects of a particular class defined in an application schema.
CS@hostname
RME@hostname
Campus@hostname

In LMS 4.1, there are no separate applications and there are four types of groups:

Device Groups: The device group name is LMS@hostname, instead of CS@hostname, RME@hostname, and Campus@hostname. LMS supports 200 device groups.

Fault Groups: These groups are created by the Fault Management module in LMS, and consist of interface, trunk port, and access port groups. Each group has a set of properties (such as a name, description, and permission) and is defined by the rules associated with the group.

IPSLA Collector Groups: You can group IPSLA collectors based on a set of criteria such as operation name, operation type, source address, and target address.

Port and Module Groups: You can group ports and modules for easy port and module selection in various configuration workflows.
Note
You can create groups in LMS even if the server on which it is installed is in Slave mode. If you have created a subgroup under LMS@Master hostname, in S, you can see this subgroup under LMS@Slave hostname. In a cluster, if you have M as the Master, and S1 and S2 as M's slaves, and you want to evaluate S1's groups from S2, you need to import the certificate of S1 to S2 and vice versa.
The System-defined Groups shows subgroups only after Device and Credential Repository is populated. The predefined sub-groups under System-defined Groups are:
Cisco Interfaces and Modules
Network Management
Non Cisco Devices
Routers
Switches and Hubs
Subnet Based Groups: Contains sub folders representing subnets (one folder per subnet) discovered in the network. Each folder contains the devices corresponding to those subnets.
Voice and Telephony
Unknown Device Type
Universal Gateways and Access Servers
Wireless

Note
You can create subgroups only under User-defined Groups. You cannot create them under System-defined Groups. However, you can view the details of a subgroup under System-defined Groups and refresh the group.

Note
Group Administration UI will be enabled only on servers in which DCR is in Master or Standalone mode. The groups created in DCR Master will be copied to Group Administration instances on servers where DCR is in Slave mode.

The following sections provide information on how to perform group administrative tasks in LMS 4.1:
Migrating Device Groups from Previous Releases of LMS
Creating Groups
Viewing Group Details
Modifying Group Details
Refreshing Groups
Deleting Groups
Exporting Groups
Importing Groups
Overview of Subnet Based Groups
The following table explains the migration of device groups from previous releases of LMS. In this example, Group A is an application group created separately in CS, RME, and CM, in earlier versions of LMS:
Common Services UDG/SDG Group A
After migration to After migration to After migration to LMS 4.1, LMS 4.1, Group A is LMS 4.1, Group A is not Group A is not available Available available Group A After migration to LMS 4.1, Group A will not be available Group A After migration to LMS 4.1, Group A will not be available Subnet-based groups After migration to LMS 4.1, CM Subnet-based groups will not be available.
You must create new subnet-based groups after a successful Data Collection
Creating Groups
You can create device groups using this feature. To create a new device group:
Step 1
Either:
Select Admin > System > Group Management > Device. The Group Administration page appears.
Or
Select Inventory > Group Management > Device. The Group Administration page appears.
The Group Administration in the Group Administration page provides you with Group Selector.
Step 2
Select the group from the groups listed in Group Selector to create a new subgroup. The Group Info fields on the right, display details of the selected group. The group you select here is the Parent group for the new group that you are about to create. You can change the Parent group later, if required. You cannot create groups under System-defined Groups but you can view details and refresh the group. Users in admin role have read-write access to User-Defined groups based on the visibility scope (Public or Private). If you have the required permissions, you can create subgroups under groups.
Step 3
Click Create to create a new group. The Group Administration Creation wizard is launched and guides you through the process of creating a new group. Perform the following tasks using the Groups Create wizard.
a. Specify group properties. See Specifying Group Properties for information.
b. Define group rules. See Defining Group Rules for information.
c. Assign group membership. See Assigning Group Membership for information.
The first page in the wizard is the Properties:Create window. While creating a new group you must complete all of the above three tasks in this sequence to create a group. If you exit the wizard at any stage by clicking Cancel, the details you have specified will be lost and the group will not be created.
The default limit of User Defined Groups you can create is 600. If you try to create more than 600 User-Defined Groups, you will get a message that you have exceeded the limit. This section contains:
Specifying Group Properties
Defining Group Rules
System Defined Attributes
Assigning Group Membership
Step 1
Either:
Select Admin > System > Group Management > Device. The Group Administration page appears.
Or
Select Inventory > Group Management > Device. The Group Administration page appears.
Step 2
Click the Create button in the Group Administration. The Properties page appears.
Step 3
Enter a name for the group in the Group Name field in the Properties:Create dialog box. The group name should be unique within the Parent group. However, it need not be so across groups. The same group name cannot be used in the same group hierarchy. For example, if you have a group /LMS@Servername/User Defined Groups/MyView, you cannot create another group with the same name MyView under /LMS@Servername/User Defined Groups.
Step 4
Click Select Group, if you want to copy the attributes of an existing group. The Replicate Attributes dialog box appears.
Step 5
Select the group you need from the Replicate Attributes list and click OK. To return to the Properties page, click Cancel.
Step 6
Click Change Parent, to change the Parent group. The Group Selector page appears.
Step 7
Select the group you need from the Select Parent list.
Step 8
Click OK. The Group Administration wizard changes the Parent group to the one you selected. To return to the Properties page, click Cancel.
Step 9
Enter a description for the group. Typically, you can enter a detailed description of the group that identifies its characteristics in this field.
Step 10
Select the Membership Update mode for the group. The modes of membership updates available are:
Automatic: The membership of the group is updated when you add a new device to the group, and each time the group is invoked.
Only Upon User Request: The membership of the group is recomputed only when an explicit request is made, using the Refresh option.
If you select Automatic, the group will be a Dynamic group. If you select Only Upon User Request, the group will be a Static group.
Step 11
Private: The group created can be viewed only by the user who creates the group.
Public: The group created can be viewed by all users.
Step 12
Click Next to get to the Rule:Create dialog box. See Defining Group Rules to define simple and composite group rules.
If you have created the group by copying the attributes of another group, the rules specified for that group appear in the Rule Text field. You can retain these and add more rules, or delete these rules and create a new set of rules. The Rules:Create dialog box allows you to check the syntax in the Rules Text field. You can use this facility to validate the rules you have created. If you leave the rule blank, it creates a Container group. Click View Parent Rules to display the rules defined for its ancestor groups. This section explains:
Defining a Group Rule
Defining Composite Group Rules
Using IP Address Range Operator
Examples
System Defined Attributes
Before you launch the Rule:Create dialog box, ensure that you have completed all the tasks in Properties:Create dialog box. See Specifying Group Properties for more information.
Step 1
Complete all the tasks in the Properties page. See Specifying Group Properties for more information.
Step 2
Delete the rules displayed in the Rule Text field, if any.
Step 3
Select appropriate parameters for the following:
Object Type: Denotes the object type used for forming a group. All expressions start with the string Device.
Variables: Denotes the device attributes, which are used to form a device group. See System Defined Attributes for details on the variables.
Operators: Denotes the various operators to be used with the rule. The list of operators includes equals, contains, startswith and endswith. The list of operators changes dynamically with the value of the variable selected. For the ManagementIpAddress variable, you can select a range operator other than the standard list of operators. See Using IP Address Range Operator for more information.
Value: Denotes the value of the variable. The value field changes dynamically based on the value of the variable and operator selected, and the field type can be a text field or a list box.
Step 4
Click Add Rule Expression. The Group Administration wizard creates the rule based on the parameters you specified and adds the rule to the Rules Text field. For example, the rule type:
Device.DisplayName equals "joe"
will select the device with the DisplayName joe. The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type field in Rules Expression. You can form composite rules using the OR, AND, or EXCLUDE options in the Boolean operator field. See Defining Composite Group Rules for more information. You can validate rules that are entered directly into the Rules Text field, or rules formed using the Add Rules Expression option in the dialog box.
To check whether the syntax is valid, click Check Syntax.
To view the rules defined for the parent groups, click View Parent Rules.
Step 5
Click Next. The wizard takes you to the Membership:Create dialog box, where you can further refine the group definition by adding or deleting specific devices from the group. See Assigning Group Membership for more information. If you have entered an invalid IP Address range or invalid values in the Value field, an error message will be displayed. You should correct the values and then navigate to the Membership:Create dialog box.
Delete the rules displayed in the Rule Text field and click any other field. Form a simple rule. See Defining a Group Rule for details. Click Add Rule Expression. The Group Administration wizard creates the rule based on the parameters you specified and adds the rule to the Rules Text field. The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type field in Rules Expression.
Select a Boolean Operator from the drop-down list. Select the appropriate parameters for Object Type, Variables, and Operators. Enter a value in the Value field. Click Add Rule Expression. You can validate rules that are entered directly into the Rules Text field or rules formed using the Add Rules Expression option in the dialog box.
To check whether the syntax is valid, click Check Syntax. To view the rules defined for the parent groups, click View Parent Rules.
Step 8
Click Next. The wizard takes you to the Membership:Create dialog box, where you can further refine the group definition by adding or deleting specific devices from the group. See Assigning Group Membership for more information.
Specify the range with permissible values for one or more octets in the IP Address. The minimum limit in the range is 0 and the maximum limit is 255.
Use the hyphen character (-) as a separator between the numbers that indicate a range.
Specify the range of IP Addresses within the [ and ] characters to create a group rule.
For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field.
When you specify an IP Address range, you should not:
Enter numbers less than 0 or greater than 255 in the IP Address range.
Enter any characters other than the range separator (-).
Enter the value of the highest limit in the range as less than the value of the smallest limit. For example, you should not enter 10.10.10.[8-4].
See Behavior of IP Address Range Based Device Groups in Multi-Server Setup for more information on the IP Address Range based device groups in a multi-server setup.
Examples
This section contains:
Example to Create a Simple Group Rule
Example to Create a Composite Group Rule
Example to Create a Group Rule Using Range Operator
To create a group of all devices whose hostname ends with Test, you should:
Step 1
Select Variable as HostName
Select Operator as endswith
Enter the Value as Test
Step 2
Click Add Rule Expression. The rule is added into the Rule Text. You can also check the syntax of the group rule entered.
If you want to group all the devices in the network that match the following criteria:
Display name of the device should contain TestDevice
Category of the device should be equal to Routers or IP Address of the device should start with 10.77
Select Variable as DisplayName
Select Operator as contains
Enter the Value as TestDevice
Step 2
Click Add Rule Expression. The rule is added into the Rule Text.
Step 3
Select AND as the Boolean operator
Select Variable as Category
Select Operator as equals
Enter the Value as Routers
Step 4
Click Add Rule Expression. The rule is appended into the Rule Text. Create another rule expression by entering:
Step 5
a. Select OR as the Boolean operator
b. Select Variable as ManagementIPAddress/IP.Address
c. Select Operator as startswith
d. Enter the Value as 10.77
Step 6
Click Add Rule Expression. The following composite rule is formed in the Rule Text Area:
Device.DisplayName contains TestDevice AND Device.Category equals Routers OR Device.ManagementIpAddress startswith 10.77
Step 7
Edit the rule expression in the text area to adjust the priorities among the group expressions. You should place two rule expressions together within an opening and a closing parenthesis. Ensure that you leave a space between each parenthesis and the group expressions. The edited composite rule is:
Device.DisplayName contains "TestDevice" AND ( Device.Category equals "Routers" OR Device.ManagementIpAddress startswith "10.77" )
You can also check the syntax of the group rule entered.
Step 8
To group all devices whose IP Addresses are within the range 10.10.0.207 to 10.10.212.247, you should:
Step 1
Select Variable as ManagementIPAddress/IP.Address
Select Operator as range
Enter the Value as 10.10.[0-212].[207-247]
Step 2
Click Add Rule Expression. The rule is added into the Rule Text. You can also check the syntax of the group rule entered.
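The range-value rules and the range example above, as an added Python sketch (not Cisco or LMS code): it checks a Value string against the stated rules and, assuming each bracketed range is evaluated octet by octet as the syntax describes, compares what 10.10.[0-212].[207-247] selects with the interval 10.10.0.207 to 10.10.212.247. The function names and the sample device addresses are constructed for illustration.

```python
import ipaddress
import re

# One octet of a range value: a plain number, or [low-high] in square brackets.
_OCTET = re.compile(r"([0-9]{1,3})|\[([0-9]{1,3})-([0-9]{1,3})\]")


class RangeSyntaxError(ValueError):
    """The value breaks one of the range rules listed in this section."""


def parse_range(value):
    """Turn '10.10.[0-212].[207-247]' into four (low, high) octet bounds."""
    parts = value.split(".")
    if len(parts) != 4:
        raise RangeSyntaxError(f"{value!r}: expected 4 octets, got {len(parts)}")
    bounds = []
    for pos, part in enumerate(parts, start=1):
        m = _OCTET.fullmatch(part)
        if m is None:
            # Covers negative numbers and any character other than digits, [ ] and -
            raise RangeSyntaxError(f"{value!r}: octet {pos} is not N or [N-M]")
        if m.group(1) is not None:
            low = high = int(m.group(1))
        else:
            low, high = int(m.group(2)), int(m.group(3))
        if low > 255 or high > 255:
            raise RangeSyntaxError(f"{value!r}: octet {pos} exceeds 255")
        if low > high:
            raise RangeSyntaxError(f"{value!r}: octet {pos} has its limits reversed")
        bounds.append((low, high))
    return bounds


def matches(bounds, address):
    """True when every octet of an IPv4 address lies inside its bounds.

    Assumption: the range operator is applied per octet, as the syntax implies.
    """
    octets = ipaddress.IPv4Address(address).packed
    return all(low <= octet <= high for (low, high), octet in zip(bounds, octets))


def coverage(bounds):
    """Return (lowest, highest, matched, interval) for a parsed range.

    matched  = number of addresses the per-octet rule selects
    interval = number of addresses from lowest to highest, inclusive
    """
    lowest = ipaddress.IPv4Address(bytes(low for low, _ in bounds))
    highest = ipaddress.IPv4Address(bytes(high for _, high in bounds))
    matched = 1
    for low, high in bounds:
        matched *= high - low + 1
    return str(lowest), str(highest), matched, int(highest) - int(lowest) + 1


def check_value(value):
    """Return None when the value is acceptable, else the reason it is not."""
    try:
        parse_range(value)
    except RangeSyntaxError as exc:
        return str(exc)
    return None


# Constructed device addresses, not taken from any real inventory.
SAMPLE_DEVICES = ["10.10.0.207", "10.10.212.247", "10.10.100.220",
                  "10.10.5.100", "10.10.212.248", "10.11.0.207"]

if __name__ == "__main__":
    rule = parse_range("10.10.[0-212].[207-247]")
    print(coverage(rule))
    for device in SAMPLE_DEVICES:
        print(device, "member" if matches(rule, device) else "not a member")
    for bad in ["10.10.10.[8-4]", "10.10.10.[0-256]", "10.10.10.[0:255]"]:
        print(bad, "->", check_value(bad))
```

Under per-octet matching, a device such as 10.10.5.100 lies numerically between the two end addresses but is not selected, so review the resulting list in the Membership:Create dialog box before relying on the group.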
Note
In LMS 4.1, the attributes State (Device.State) and System.SystemOID (Device.System.SystemOID) are not available. If you back up and restore any group created in older versions of LMS using these attributes, the groups will not be restored.
Table 5-1
Attribute: Description
Asset.CLE_Identifier: CLE identifier of the asset.
Asset.Part_Number: Orderable part number of the asset.
Asset.User_Defined_Identifier: User-defined identifier of the asset.
Category: Category into which the device falls. The first level entries in the Device Type tree in DCR Device Management UI. For example, Routers is a category.
Chassis.Model_Name: Name of the model.
Chassis.Number_Of_Slots: Number of slots in that chassis.
Chassis.Port_Count: Total port count of the chassis.
Chassis.Serial_Number: Serial number of the chassis.
Chassis.Vendor_Type: Vendor type of the chassis.
Chassis.Version: Version number of the chassis.
DeviceIdentity: Identifies pre-provisioning devices. The value would be application specific.
DiscoveryStatus: Status of the data collection process.
DisplayName: Device name, as you want it to be represented in reports or graphical displays. This can be derived from Host Name, Management IP Address or Device Identity.
DomainName: Domain name of the device.
EnergyWise.Domain_Name: Name of the EnergyWise domain.
EnergyWise.EnergyWise Version: Version of EnergyWise.
EnergyWise.EnergyWiseState: EnergyWise status of the device, for example EnergyWise-capable devices, EnergyWise-enabled devices, EnergyWise-hardware-incapable devices and EnergyWise-software-incapable devices.
EnergyWise Importance of the device. This value prioritizes the devices in a domain based on their power usage.
A word that will help you identify a specific device or group of devices in the EnergyWise domain.
Role or function of the device in the EnergyWise domain.
Location of Flash file.
Flash file size in MB.
Model name of the Flash device.
Free space in MB.
Attribute: Description
Flash.Partition_Name: Flash partition name.
Flash.Partition_Size: Flash partition size in MB.
Flash.Size: Total Flash device size in MB.
HostName: Device Host name.
Image.ROM_Sys_Version: System ROM software version.
Image.ROM_Version: Version of ROM.
Image.Sys_Description: Image system description.
Image.Version: Running device image version.
ImageVersion: Software version running on the device.
IP.Address: Device IP address.
IP.Address_Type: Version of IP, IPv4 or IPv6.
IP.Network_Mask: Network mask address.
IPv4.Subnet: IPv4 subnet of a device.
IPv4.SubnetMask: IPv4 subnet mask of a device.
IPv6.Subnet: IPv6 subnet of a device.
IPv6.SubnetMask: IPv6 subnet mask of a device.
ManagementIpAddress: IP Address used to access the device. Both IPv4 and IPv6 address types are supported.
MDFId: Normative name for the device type as described in Cisco Meta Data Framework (MDF) database. Each device type has a unique normative name defined in MDF.
Medianet.EndPointConnected: Devices that have Medianet Endpoints connected to them.
Memory.Free: Free memory in MB.
Memory.Name: Name of the memory.
Memory.Size: Total RAM size in MB.
Memory.Type: Memory type.
Memory.Used: Used memory in MB.
Model: Model of the device. The third level entries in the Device Type tree in DCR Device Management UI.
Routers,
For example, the model Cisco 3101 Router falls under the Cisco 3100 Series which comes under the category Routers. Module hardware version.
Name of the model. Total ports on that module. Serial number of the module. Vendor type of the module. Name of the model. Size of the processor NVRAM in MB. Size of the processor NVRAM that has been utilized, in MB.
Total port count of the processor.
Size of the processor RAM in MB.
Serial number of the processor.
Vendor type of the processor.
Series to which the device belongs. The second level entries in the Device Type tree in DCR Device Management UI. For example, Cisco 3100 Series Routers, that falls under the category Routers.
Attribute: Description
System.ASP_Capability: Groups devices according to their Auto Smartport capability.
System.Contact: Device contact person name.
System.Description: Description of the system.
System.DomainName: Device domain name.
System.Identity_Capability: Groups devices according to their Identity capability.
System.Location: Device location information.
System.Name: Name of the system.
System.OSTYPE: Type of the operating system.
System.Smart_Install_Directors: Groups devices according to their Smart Install capability.
SystemObjectID: sysObjectID value. It may be UNKNOWN in the case the facility that populates the repository does not know the value.
The User-Defined Fields (UDFs) available in the variable drop-down list are taken from DCR. You can create UDFs at Admin > Network > Device Credential Settings > User Defined Fields. For details, see Adding User Defined Fields. If you create a UDF that is similar to one of the predefined System Defined attributes, an _UDF suffix is appended to the User-Defined Field you add, to distinguish these two attributes. For example, if you create a UDF called DisplayName (which is one of the predefined attributes present in the Variable drop-down list), this will be displayed as DisplayName_UDF.
Note
You should not create UDFs in the format System Defined Field_UDF, where System Defined Field stands for any attribute listed in the above table. By default, four UDFs are available. You can create an additional six UDFs in DCR. The maximum number of UDFs that can be added in the Variable drop-down list is 10.
Note
You can add devices from the list of available objects in the parent group even if they do not match membership criteria. To add devices to the group you have created:
Step 1
Select one or more devices in Available Objects From Parent Group column. To select multiple devices, hold the Ctrl or Shift keys down and click on the devices. Click Add. The selected devices are removed from the Available Objects From Parent Group and added to the Object Matching Membership Criteria column.
Step 2
Select one or more devices in Object Matching Membership Criteria column. To select multiple devices, hold the Ctrl or Shift keys down and click on the devices. Click Remove. The selected devices are removed from the Object Matching Membership Criteria column and added to Available Objects From Parent Group.
Step 2
Step 3
Click Next. The Summary:Create window appears. It displays the group name, the parent group, description, the membership update type, group rules, and the visibility scope of the group you created. If you want to change the parameters, click Back to go back to the previous windows and make changes. Click Finish to create the group based on the parameters specified.
Step 4
Either:
Select Admin > System > Group Management > Device. The Group Administration page appears.
Or
Select Inventory > Group Management > Device. The Group Administration page appears.
Step 2
Select a group from the Group Selector pane. The Group Info pane on the right side displays the high-level properties of the selected group. Click Details. The Group Administration wizard displays the details of the group in Properties:Details window.
Step 3
Click View Parent Rules to display the rules set for the parent group. The rules set for the parent group are displayed in the Show Parent Rules window. Click Membership Details to display a list of devices and their corresponding object types. The membership details are displayed in Membership:Details window. In the Membership:Details window, you can:
Click on the column headers to sort the entries in the table. Select the number of rows to be displayed in the table in the Rows per page option.
Step 4
Either:
Select Admin > System > Group Management > Device. The Group Administration page appears.
Or
Select Inventory > Group Management > Device. The Group Administration page appears.
Step 2
Select a group from the Group Selector pane. The Group Info fields on the right side display details of the selected group. Click Edit. The Group Administration wizard guides you through the process of editing a group. It displays the details of the group in Properties:Edit window.
Step 3
Step 4
Change the Group Name, Description, Membership Update, and Visibility Scope in the Properties:Edit dialog box. You cannot change the Parent group or copy attributes from a different group in Edit mode. Click Next. The wizard takes you to the Rules:Edit window. Change the rules as required. For details on creating the rules, see Defining a Group Rule. Click Next. The wizard takes you to the Membership:Edit window. Add or remove devices from the list of objects in Objects Matching Membership Criteria as required. For details on creating the rules, see System Defined Attributes. Click Next. The wizard takes you to the Summary window. If you want to change the parameters specified, click Back to go back to the previous windows and make changes to the properties or rules.
Step 5
Step 6 Step 7
Step 8 Step 9
Step 10 Step 11
Click Finish to modify the group. Click OK. The Group Administration wizard copies the attributes of the selected group and displays it in the corresponding fields in Properties:Create window. Note that the Parent group you have selected for the group does not change even if you are copying attributes from a group that belongs to a different Parent group.
Refreshing Groups
You can recompute the membership of a group by re-evaluating the group rule. The membership of Automatic groups is recomputed dynamically. The membership of Only-upon-user-request groups is recomputed only when explicitly refreshed with this option.
Note
Only users with read-write access can refresh the Only-upon-user-request groups. To refresh a group:
Step 1
Either:
Select Admin > System > Group Management > Device. The Group Administration page appears.
Or
Select Inventory > Group Management > Device. The Group Administration page appears.
Step 2
Select a group from the Group Selector pane. The Group Info fields on the right pane display details of the selected group. Click Refresh. The Group Administration popup window prompts you for confirmation. Click Yes. The selected group is recomputed and the window is refreshed.
Step 3
Step 4
Whenever you delete devices from a group, refresh the group so that group membership is recomputed.
Deleting Groups
You can delete a group from the Group Selector. When you delete a group, all the child groups under the group are also deleted. You can also delete the stale groups (groups that belong to users removed from Cisco Prime). To delete a group:
Step 1
Either:
Select Admin > System > Group Management > Device. The Group Administration page appears.
Or
Select Inventory > Group Management > Device. The Group Administration page appears.
Step 2
Select the group from the Group Selector. The Group Info fields on the right pane display details of the selected group. Click Delete. The Group Administration prompts you for confirmation. Click Yes. The selected group is deleted.
Step 3
Step 4
See Deleting Stale Groups Using CLI for more information on how to delete stale groups using CLI.
Exporting Groups
This feature helps you to export a User-defined group hierarchy into a file. You can export a selected User-defined group hierarchy or all User-defined groups in an LMS Server to an output file. Private User-defined groups created by other users will not be exported. However, the private User-defined groups created by you will be exported. You must have Network Administrator, System Administrator or Super Admin privileges to export groups. In a Multi-server setup, you can export the User-defined groups installed in all LMS Servers of the same DCR domain. You can do this from a DCR Master Server and a Slave server. Grouping Services supports exporting User-defined groups to an XML format only. CSV file formats are not supported. See Sample Export Groups Output File for a sample XML file generated by the Grouping Services export utility.
Note
We recommend that you use the file generated by the Grouping Services export utility for import operations and do not edit the XML file.
You can:
Export Groups from the User Interface. See Exporting Groups From User Interface for details.
Or
Export Groups through the CLI. See Exporting Groups Through CLI for details.
Sample Export Groups Output File
Exporting Groups From User Interface
Select Admin > System > Group Management > Device. The Group Administration page appears. Select a User-defined Group hierarchy from the Group Selector. Click Export. The Export Groups dialog box appears.
Step 2 Step 3
Step 4
Export the selected User-defined Group hierarchy: Exports the selected User-defined Group and its child groups.
Export All Applications User-defined Groups: Exports all User-defined Groups from all applications installed on all LMS Servers in the same DCR domain.
Or
The browser-specific File Download window appears prompting you to open or save the output XML OGSExport.xml file.
Step 5
Open to open the XML file
Save to store the file on the client system with the same or a different filename.
Or
Importing Groups
This feature helps you to import User-defined group hierarchies from an input XML file to the LMS Server. This feature is available from LMS 4.0 and later.
Note
You cannot import User-defined groups from older versions of LMS. You can import User-defined groups from an input file to the LMS Server. The private User-defined groups in the input XML file will be imported as your private User-defined groups in LMS Server. They will not be visible to other users. You must have Network Administrator, System Administrator or Super Admin privileges to import groups. In a Multi-server setup, you can import User-defined groups from a DCR Master Server and a Slave server.
Note
We recommend that you use the file generated by the Grouping Services export utility for import operations and do not edit the XML file.
You can:
Importing Groups From User Interface Or Importing Groups Through CLI Important Notes on Importing Groups Importing Groups From User Interface
You must have the required file permissions to select a source XML file for import groups operation. After importing groups, the group selector may take some time to refresh and display the latest groups information. You must launch the Groups Administration page again to view the newly imported groups. To launch the Groups Administration page, select Admin > System > Group Management > Device.
Either:
Select Admin > System > Group Management > Device. The Group Administration page appears.
Or
Select Inventory > Group Management > Device. The Group Administration page appears.
Step 2
Click Import. The Import Groups - File Selection dialog box appears. Enter an input XML file name in the File Name field or click Browse to select a file from the client system. The Import Groups dialog box appears with a list of import groups specified in the input XML file. Select the list of groups to be imported from the Import Groups From field.
Step 3
Step 4
Step 5
Select a server location to which the groups are to be imported in the Import Groups to Servers field. You can select multiple Grouping Server locations or All to select all the Grouping Server locations. This field is disabled on LMS Servers operating in the DCR Standalone mode. Click OK. A message appears indicating if the groups were imported or not. See Important Notes on Importing Groups for the possible causes of the import job failure.
Step 6
See Using Group Administration Features Through CLI for more information on using group administration feature using CLI.
Accessing Subnet Based Groups Understanding Subnet Based Groups Creating Groups Based on Subnet
Select Admin > System > Group Management > Device. The Group Administration page appears.
Or
Select Inventory > Group Management > Device. The Group Administration page appears.
This displays the Group Management page. The Group Selector field displays two groups, System-defined Groups and User Defined Groups. The Subnet Based Groups are created under System Defined Groups.
The rule expression for Subnet Based Groups has the following components:
Class.attribute operator "value"
For example,
Device.IP.Subnet equals "172.20.104.192" AND Device.IP.SubnetMask equals "255.255.255.240"
The rule above will select all devices of subnet 172.20.104.192 and subnet mask 255.255.255.240.
The examples provided here are simple. However, the Grouping Service allows complex rules to be arbitrarily formed by combining rule expressions with AND, OR or the EXCLUDE operators. This gives the administrator the power and flexibility to create view partitions tailored to the needs of their site.
Not applicable.
Slave will get the Master's groups, both system-defined and user-defined groups. You can also create new user-defined groups in the Slave. These groups will not be shared with the Master or other Slaves in the domain. Device Allocation Policy gets disabled (Inventory > Device Administration > Device Allocation Policy).
Slave
Device Allocation Policy gets enabled. The groups pertaining to Master and Slaves will be removed. The existing Device Allocation Policy is retained.
Not applicable.
Device Allocation Policy gets enabled. Groups pertaining to the previous Master and the associated Slaves will be removed. Local groups will behave in the same manner. The existing Device Allocation Policy is retained.
Master
All dependent Slaves will switch to Standalone mode. All groups pertaining to other machines will be removed. Device Allocation Policy will be enabled on all machines in the cluster.
If you select Inform current Slaves of new Master Hostname when you change the mode to Slave, all the Slaves in the domain switch to the new Master. In this case, the groups in the Master will be seen in the new Slave. Device Allocation Policy gets disabled. If this check box is not selected, the new Slave will pick up the groups of the new Master. Other Slaves in the domain will move to Standalone mode.
Not applicable.
Unregistering a Slave
The Unregister Slave utility helps you unregister a Slave that is no longer a part of the domain. The utility is useful in the following scenarios:
Change in Slave mode because of Backup and Restore. That is, if data is restored from Standalone or Master belonging to a different domain.
When you uninstall Cisco Prime from the Slave.
Change in Slave mode, when Master is not reachable. If the Master is down when the Slave mode changes, the Master will not be aware of the Slave mode change when it comes up.
The Master will not receive any data from the Slave, but the Slave information will still be in its registry. A redundant group (such as LMS@Slave) will still appear in the Master Groups UI. In the case of DCR, any device operation on Master will update the Slave list. However, this does not happen in the case of Groups. You can run the UnregisterSlave utility to remove any unwanted slave information. From the CLI, run:
NMSROOT/bin/perl NMSROOT/bin/UnregisterSlave.pl slave host name
You have to enter the hostname of the machine you want to unregister. For information on effects of backup-restore on data, DCR modes, and Groups, see Effects of Backup-Restore on DCR and Effects of Backup-Restore on Groups.
When the Master server is using an earlier version of LMS, you cannot create device groups based on IP Address range. When the Slave server is using an earlier version of LMS, the IP Address Range based device groups information in the Master is synchronized with the Slave. Even if you change the mode of Slave server to Standalone, the IP address range based device groups will remain as they were in the Groups Server. However, you cannot retrieve the device group information from the Standalone LMS Server to view it in the user interface. To retrieve and view the device group information, you should either:
Upgrade the LMS in Standalone LMS Server to LMS 4.1.
Or
Change the mode of the LMS Server that has the earlier version of LMS 4.1 from Standalone to Slave for a DCR Master with the latest version of the software.
Port and Module configuration depends on the data collected by LMS Inventory. For the Port and Module configuration to work properly, the inventory collection for the devices must be successful. You must trigger a fresh inventory collection to update all the port and module attributes. If the data collection is not successful, then data will not be available for some attributes. The following are the recommended number of ports in LMS:
1. 2. 3.
The maximum number of ports supported in LMS is 500,000 ports. The maximum number of ports supported in a port group is 100,000 ports. The maximum number of ports supported in an LMS job is 250,000 ports.
4. 5.
In some devices, duplicate entries are returned for the ifName MIB. In such cases, only one entry for the ifName will be considered and the duplicate entries will be dropped. The port information is fetched from the ifXtension MIB. If the ifXtension MIB is not supported in the device, then port configuration for the device will not work. For example, if a device supports only SNMPv1, then ifXtension MIB will not be supported in the device. In this case, the port configuration for the device will not work.
The LMS Port and Module Group Browser window contains these fields. (See Table 5-2)
Table 5-2 Fields on Port and Module Group Browser
Description Name of the group created. By default, the following System-defined groups are displayed:
1 Gbps Ethernet Ports: Contains all 1 Gbps Ethernet ports in the network.
10 Gbps Ethernet Ports: Contains all 10 Gbps Ethernet ports in the network.
10 Mbps Ethernet Ports: Contains all 10 Mbps Ethernet ports in the network.
100 Mbps Ethernet Ports: Contains all 100 Mbps Ethernet ports in the network.
Access Ports: Contains all the Access mode ports.
DMP Ports: Contains all ports connected to DMP.
End Hosts: Contains all ports connected to End Hosts.
IP Phones: Contains all ports connected to IP Phones.
IPVSC Ports: Contains all ports connected to IPVSC.
Link Ports: Contains all ports connected to other devices.
Description of the group created. Type of the group created. For example, Port or Module. User who created the group.
Description Time at which the group settings were last modified. This page displays the number of rows you have set for display in the Rows per page field. You can increase the rows to 500 for each page by selecting the Rows per Page drop-down list. You can navigate through the pages of the report using the navigation icons at the bottom right of this table.
Starts the Group Creation Wizard for creating a group, as described in the Creating Port and Module Groups. Starts the Group Edit Wizard for editing an existing group, as described in the Editing Port and Module Groups. Allows you to view the group details, as described in the Viewing Port and Module Group Details. Deletes the group, as described in the Deleting Port and Module Groups. You can perform the following tasks from the LMS Port and Module Group Browser window:
Creating Port and Module Groups Editing Port and Module Groups Viewing Port and Module Group Details Deleting Port and Module Groups
Entering the Port and Module Group Properties Details Selecting Group Source Defining Rule Expression for Port or Module Groups Understanding the Summary
You must complete all tasks in this sequence to create a group. If you exit the wizard at any stage using Cancel, the details you have specified will be lost and the group will not be created.
Note
Port and Module configuration depends on the data collected by the LMS Inventory. For the Port and Module configuration to work properly, the inventory collection for the devices must be successful.
Description Name of the group you are creating. Text description of the group.
To enter the values in Port and Module Group Properties dialog box:
Step 1
Either:
Select Admin > System > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
Select Inventory > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Step 2
Click Create. The Group Properties page appears. Enter a unique name for the group in the Group Name field. Enter a description for the group in the Description field (optional). Click Next. The Select Group Source page appears, displaying the Device Selection dialog box.
Table 5-4
Description Displays all LMS devices in the group. Enter the search expression in this field. You can enter single device names or multiple device names. If you are entering multiple device names, separate them with a comma. You can also enter the wildcard characters * and "?". For example: 192.168.10.1*, 192.168.20.*
Search
Use this icon to perform a simple search of devices based on the search criteria you have specified in the Search Input text field. For information on Search, see Performing Simple Search. Use this icon to perform an advanced search of devices based on the search criteria you have specified in the Search Input text field. For information on Advanced Search, see Performing Advanced Search. Lists all User-defined and System-defined groups for all applications that are installed on LMS Server. For more information, see Selecting Devices From All Tab. Displays all the search results from Search or Advanced Search. For more information, see Selecting Devices From Search Results. Lists all the devices that you have selected in the Search Results or All tab. Using this tab, you can deselect devices from the list. Displays all groups in LMS.
Advanced Search
All
Either:
Select Device Selector. Select the devices. Select Group Selector. Select the groups.
or
Step 2
Module Port
Variable: Object type attributes, based on which you can define the group. See Rule Attributes for Port and Module Creation.
Operator: Operator to be used in the rule. The list of possible operators changes, based on the variable selected. When using the equals operator the rule is case-sensitive.
Value: Value of the rule expression. The possible values depend upon the variable and operator that you select. Depending on the operator selected, the value may be free-form text or a list of values. Wildcard characters are not supported.
Add Rule Expression (Button): Adds the rule expression to the group rules.
Rule Text: Displays the rule.
Check Syntax (Button): Verifies that the rule syntax is correct. Use this button to verify the syntax of the rule that you have created before proceeding to the next step.
Include (Button): Include List popup opens and lists all the modules or ports from the selected devices that do not match the rule. You can choose to include those modules or ports for group creation. The Include List popup will also list the modules or ports that match the rule but will not be enabled for selection. Click Include to launch the Include List window. See Table 5-5 for descriptions of the fields in the Include List window. You can also include modules or ports for the selected devices, without specifying a rule, by clicking Include.
Exclude (Button): Exclude List popup opens and lists all the modules or ports from the selected devices that match the rule. You can choose to exclude those modules or ports for group creation. The Exclude List popup will also list the modules or ports that do not match the rule but will not be enabled for selection. Click Exclude to launch the Exclude List window. See Table 5-5 for descriptions of the fields in the Exclude List window.
OL-20721-01
Chapter 5
Go to the Rules Expression page. Set the parameters for Object Type, Variable and Operator. Enter the desired value for the Variable you have selected. Click Add Rule Expression. The LMS Port and Module Group Administration creates the rule based on the parameters you have specified and adds it to the rules already present in the Rules Text field. You can use the same procedure to add more rules. You can manually add or change any text in the Rule Text box. Click Include or Exclude.
Step 5
Include: A popup window appears, allowing you to include ports or modules for the group. See Table 5-5 for the descriptions of the fields in the Include List window.
Exclude: A popup window appears, allowing you to exclude ports or modules for the group. See Table 5-5 for the descriptions of the fields in the Exclude List window.
If the syntax is correct, an information box appears with a message, The rule syntax is valid.
If the syntax is incorrect, an error box appears with a message, You have entered an invalid rule. Enter a valid rule. See the Help for examples of valid rules.
Step 6
For examples on defining valid rules, see Examples for Port and Module Groups.
Step 7
Click Next. The Summary page appears, displaying the group properties. See Understanding the Summary.
Note
You can also include modules or ports for the selected devices, without specifying a rule, by clicking Include. If you include the ports or modules for the selected devices, and also exclude the same ports or modules, the exclude option will have a higher priority.
Rule Attributes for Port and Module Creation
The following table lists the available attributes that you can use to define rules to create port and module groups.
Object Type: Module
Attribute: Description
AdminStatus: Administrative status of the module. For example, Enabled/Commissioned.
FW_Version: Firmware version of the module. For example, 12.1(27b)E1
ModuleName: Name of the module. For example, Linecard
OperStatus: Operational status of the module. For example, Dormant
SlotNumber: Slot number of the module. For example, 6
SW_Version: Software version of the module. For example, 12.1(27b)E1
VendorType: Vendor type of the module. For example, cevAS53004ct1
Object Type: Port
Attribute: Description
AdminStatus: Administrative status of the port. For example, Disabled/Decommissioned
CM.AccessStatus: Whether the port is an Access port or not.
CM.Channel: Whether the port is a channel port.
CM.Duplex: The duplex mode of the port. The values could be unknown-duplex, full-duplex, half-duplex, default, disagree, auto-duplex.
CM.JumboFrameEnabled: Whether the port is JumboFrame enabled or disabled.
CM.L2L3: Whether the port is in switched or routed mode.
CM.LinkStatus: Link status of the port. Whether the link is up or down.
CM.Neighbor: Whether the port is connected to a device, IP Phone, or End Host.
CM.TrunkStatus: Whether the port is a Trunk port. If trunk is configured in the port, then it is a trunk port.
CM.VLAN_ID: The index of the VLAN configured on the port.
CM.VLAN_NAME: Name of the VLAN configured on the port.
CM.VTP_DOMAIN: Name of the VTP Domain that the port is associated with.
EnergyWise_Importance: EnergyWise Importance of the device. This value prioritizes the devices in a domain based on their power usage.
EnergyWise_Role: Role or function of the device in the EnergyWise domain.
EnergyWise_Keyword: A word that will help you identify a specific device or group of devices in the EnergyWise domain.
FlexLink: Whether the FlexLink status of the port is enabled or disabled.
IFIndex: IFIndex of the port. For example, 10
IsEnergyWisePort: Specifies if the port is EnergyWise-enabled.
Identity_Security_Mode: Specifies the security mode, based on the level of security you wish to implement in your network. The three types of security modes are:
You can enable or disable MACsec on the interface. MACsec provides secure, encrypted communication on wired LANs.
Operational Status of the port. For example, Stopped/Suspended
Description of the port. For example, FastEthernet0/1
Name of the port. For example, Fa0/1
Whether the port is Span enabled.
Speed of the port. For example, 10000000 (for 10 Mbps)
Enter the value for the port type. For example, if you want to define a rule for the port type ethernetCsmacd, you need to enter 6 as the value. For information on the port type values, see http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=iftype&translate=Translate&submitValue=SUBMIT&submitClicked=true
Administration of Cisco Prime LAN Management Solution 4.1
Note
For the port attributes whose names start with CM., the data collection for the attributes must be successful.
Examples for Port and Module Groups
This section shows examples of valid rules. The following are some examples for grouping tasks:
Rule to select all the Ports whose Port Description contains the string: Ethernet
Rule to select all the Ports that are connected to another device
Rule to select all the Modules whose Slot number is 1
Rule with OR Operator
Rule with AND Operator
Rule to select all the Ports whose Port Description contains the string: Ethernet
This rule filters all ports whose Port description contains the string Ethernet. To provide rule expression for this scenario: From the Create Rules dialog box:
Step 1 Select Port from the Object Type drop down listbox
Step 2 Select PortDescription from the Variable drop down listbox
Step 3 Select contains from the Operator drop down listbox
Step 4 Enter Ethernet in the Value textbox
Step 5 Click Add Rule Expression
The following rule gets added to the Rule Text:
Port.PortDescription contains "Ethernet"
Rule to select all the Ports that are connected to another device
This rule filters all Ports that are connected to another device. To provide rule expression for this scenario: From the Create Rules dialog box:
Step 1 Select Port from the Object Type drop down listbox
Step 2 Select CM.LinkStatus from the Variable drop down listbox
Step 3 Select = from the Operator drop down listbox
Step 4 Select Configured in the Value drop down list box.
Step 5 Click Add Rule Expression
The following rule gets added to the Rule Text:
Port.CM.LinkStatus = "Configured"
Rule to select all the Modules whose Slot number is 1
This rule filters all the modules that are placed in slot number 1. To provide rule expression for this scenario: From the Create Rules dialog box:
Step 1 Select Module from the Object Type drop down listbox
Step 2 Select SlotNumber from the Variable drop down listbox
Step 3 Select = from the Operator drop down listbox
Step 4 Enter 1 in the Value textbox
Step 5 Click Add Rule Expression
The following rule gets added to the Rule Text:
Module.SlotNumber = "1"
Rule with OR Operator
Rule to list all ports whose Port description contains the string as either Ethernet or FastEthernet. To provide rule expression for this scenario:
Step 1
Select Port from the Object Type drop down listbox
Select PortDescription from the Variable drop down listbox
Select StartsWith from the Operator drop down listbox
Enter Ethernet from the Value drop down listbox
Click Add Rule Expression
The following rule gets added to the Rule Text:
Port.PortDescription StartsWith "Ethernet"
Step 2 Select the OR option from the logical operator list box.
Step 3 From the Create Rules dialog box:
a. Select Port from the Object Type drop down listbox
b. Select PortDescription from the Variable drop down listbox
c. Select StartsWith from the Operator drop down listbox
d. Enter FastEthernet in the Value textbox
e. Click Add Rule Expression
The following rule gets appended to the Rule Text:
Port.PortDescription StartsWith "Ethernet" OR Port.PortDescription StartsWith "FastEthernet"
The OR logical operator evaluates if either or both of the conditions are satisfied. The ports are selected based on either or both of the matching criteria.
Rule with AND Operator
Rule to select all the FastEthernet Ports whose Operational status is up. To provide rule expression for this scenario:
Step 1
Select Ports from the Object Type drop down listbox
Select OperStatus from the Variable drop down listbox
Select = from the Operator drop down listbox
Select OK from the Value drop down listbox
Click Add Rule Expression
The following rule gets added to the Rule Text:
Port.OperStatus = "OK"
Step 2 Select the AND option from the logical operator list box.
Step 3 From the Create Rules dialog box:
a. Select Ports from the Object Type drop down listbox
b. Select PortDescription from the Variable drop down listbox
c. Select StartsWith from the Operator drop down listbox
d. Enter FastEthernet in the Value textbox
e. Click Add Rule Expression
The following rule gets appended to the Rule Text:
Port.OperStatus = "OK" AND Port.PortDescription StartsWith "FastEthernet"
The AND logical operator evaluates if both the parameters are satisfied. Only devices that satisfy both the criteria are selected.
Table 5-5 describes the Include and Exclude window fields in the Rule Expression page of Port and Module Group Administration.
Table 5-5 Include and Exclude Window Fields Description
Include List
Device Selector: Devices selected for group creation. For some of the devices, if ports or module names are not available in the device, the message Not Available will be shown.
Description/Vendor Type: Description of the port or module. For some of the devices, if ports description or module vendor type is not available in the device, the message Not Available will be shown.
Slot Number: Slot number of the module. This field is available only for modules.
Include (Button): The selected ports or modules are included for group creation.
Filter by Port/Module Name: Enter the filter expression and click Filter to filter the port or modules in the device.
Exclude List
Device Selector: Devices selected for group creation. For some of the devices, if ports or module names are not available in the device, the message Not Available will be shown.
Description/Vendor Type: Description of the port or module. For some of the devices, if ports description or module vendor type is not available in the device, the message Not Available will be shown.
Slot Number: Slot number of the module. This field is available only for modules.
Exclude (Button): The selected ports or modules are excluded from group creation.
Filter by Port/Module Name: Enter the filter expression and click Filter to filter the port or modules in the device.
Description Name of the group you are creating. Text description of the group. Rules used to filter the group. List of devices or groups to which the rule will be applied.
Click Finish to complete the procedure for Creating Groups. A confirmation box appears. Click OK. You can view the newly created group in the Port and Module Group Browser page. Or Click Back to change the group properties.
Step 2
Either:
Select Admin > System > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
Select Inventory > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Step 2
Select the group name and click View. The View Group Details page appears, displaying Group: Details dialog box with the following details:
Field/Button: Description
Group Name: Name of the group you are viewing.
Parent Group: Parent group of the group you are viewing.
Type: Type of the objects that belong to the group.
Description: Text description of the group.
Rule: Rules used to create the group.
Created By: User who created the group. This also displays the time at which the group was created.
Last Modified By: User who last modified the group. This also displays the time at which the group was last modified.
Devices/Groups: Devices or Device Groups that are part of the port or module group.
Membership Details (Button): Used to view the list of devices that belong to the group. See Viewing Membership Details.
Cancel (Button): Closes the page and takes you back to the Port and Module Group Browser page.
You can view a list of the objects that belong to a group by accessing the Group: Details dialog box.
Step 1
Either:
Select Admin > System > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
Select Inventory > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Step 2
Select the group name for which you want to view the membership details and click View. The Group: Details dialog box appears.
Step 3
Click Membership Details. The View Group Members dialog box appears with the following information:
Field/Button: Description
Device Selector: Devices selected for group creation.
Port Name/Module Name: Name of the port or module in the device that are part of the group.
Description: Description of the ports or modules in the device that are part of the group.
Filter by Port/Module Name: Enter the filter expression and click Filter to filter the port or modules in the device that are part of the group.
Close (Button): To close the View Group Members dialog box.
Either:
Select Admin > System > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
Select Inventory > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Step 2 Step 3
Select the group by checking the check box. Click Edit. The Group Properties page appears, displaying Port and Module Group Properties dialog box. See Entering the Port and Module Group Properties Details. You cannot:
Modify the Group Name field. Click Finish to complete the edit flow.
Step 4
Click Next. The Select Group Source page appears, displaying either Device Selector or Group Selector dialog box.
Device Selection:
If you have selected devices using Device Selector in the Create flow.
If you have created the group by including the ports or modules without specifying the rule in the Create flow. In this case, only the devices for which you selected ports or modules are displayed.
Or
Group Selection: If you have selected device groups using Group Selector in the Create flow.
You can modify the devices or groups that you have selected, based on your requirement.
Step 5
Click Next. The Rules Expression page appears, displaying the rule previously set. See Defining Rule Expression for Port or Module Groups. You can modify and define new rules. If you include the ports or modules for the selected devices, and also exclude the same ports or modules, the exclude option will have the higher priority.
Step 6
Click Next. The Summary page appears, displaying the group details. See Understanding the Summary. Either: Click Finish to complete the editing procedure for the group. Or Click Back to change the group properties.
Step 7
Note
Select Admin > System > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. Select the group to remove from the Port and Module Group Browser dialog box. Click Delete. A confirmation dialog box shows that the group will be deleted. Click OK.
Step 2 Step 3
Step 4
Broadband Cable Content Networking DSL and LRE Interfaces and Modules Network Management Optical Routers Security and VPN Server Fabric Switches Storage Networking Switches and Hubs Server Fabric Switches Universal Gateways and Access Servers Unknown Voice and Telephony Wireless
If the 10MB - 100MB group has been set to high priority when compared to 1 GB Ethernet group, then the 10GB device falls under the 10MB - 100MB group. In order to make it fall under 10 GB Ethernet Group, you must set the priority of the group to high. If the 10MB - 100MB group has been set to low priority when compared to 1 GB Ethernet group, then the 10GB device falls under 10 GB group.
For more information, see Setting Priorities in Monitoring and Troubleshooting Online Help.
Access Port Groups Trunk Port Groups Interface Groups Device Groups
Table 5-7 lists the seven customizable groups that appear in each of the four categories.
Table 5-7 Polling and Thresholds: Customizable Groups
Customizable Groups: Intended Use
A, B, C: Consider reserving customizable groups A, B, and C to troubleshoot. Add one device to any of these groups when you need to test. For example, to test a changed threshold or interval value for a polling setting.
1, 2, 3, 4: Consider using customizable groups 1, 2, 3, and 4 when you want to override polling settings and thresholds for more than one device.
You configure a customizable group to have the highest priority. To do so, see Setting Priorities section in Monitoring and Troubleshooting Online Help. You must add devices to the customizable groups before you can set polling parameters or threshold values for them. To do so, see Working with Customizable Groups. Since you cannot change the rules for system defined groups, Fault Management provides groups that you can customize so that they contain devices, ports, or interfaces. Port and interface containment is only seen and used by Polling and Thresholds (Monitor > Threshold Settings > Fault). After you edit or create a group, you can determine whether other Cisco Prime users can view the group.
Table 5-8 Fault Management Customizable Groups
Group Name | Use this group to monitor... | Settings you can configure for this group
Customizable Access Port Groups | Access ports | Thresholds
Customizable Groups | Devices | Polling and thresholds
Customizable Interface Groups | Interfaces | Thresholds
Customizable Trunk Ports Groups | Trunk ports | Thresholds
For each of the parent groups listed in Table 5-8, Fault Management provides seven configurable subgroups. Table 5-9 describes the restrictions placed on the subgroups.
Table 5-9 Fault Management Customizable Groups: Restrictions
Restrictions
Use to troubleshoot a single device (but can contain more than one device)
Cannot be deleted
Cannot have subgroups
Cannot have name changed
Restrictions
Can contain multiple devices
Cannot be deleted
Cannot have subgroups
Cannot have name changed
Note
If you are connecting to the LMS server for the first time, a Security Alert window is displayed when you select an option. Do not proceed without viewing and installing the self-signed security certificate.
See Editing and Creating Fault Groups for information on how to use Group Administration to create and edit groups. In addition to creating and editing groups, Group Management provides the following functions:
Table 5-10 describes the fields in the Group Administration and Configuration page.
Table 5-10 Fields on Group Administration and Configuration Page
Description Hierarchical display of all available groups. When you select an item from the Group Selector, the Group Info pane displays the following information:
Group Name: Name of the group you selected.
Type: Type of objects in the selected group.
Description: Text description of the group.
Created By: Person who created the group.
Last Modified By: Last person to modify the group settings.
Create: Starts the Group Creation Wizard for creating a group, as described in Editing a Fault Group.
Edit: Starts the Group Edit Wizard for editing user defined groups, as described in Editing a Fault Group. Not supported for view groups created from the Alerts and Activities Defaults page.
Opens the Properties: Details page, as described in Viewing Fault Group Details.
Refreshes a group's memberships, as described in Refreshing Fault Membership. Not supported for port and interface groups.
Deletes a group, as described in Deleting Fault Groups.
You can edit user defined customizable subgroups. For example, the subgroup Customizable Group 1 under Customizable Access Port Groups. These subgroups are listed in Working with Customizable Groups. You can create or edit user defined miscellaneous groups. These groups can be used with views in the Alerts and Activities display, or with notification groups in Notification Services. You cannot edit or view groups created from the Alerts and Activities Defaults page.
Editing a Fault Group Creating a Fault Group Understanding Rules Finalizing Fault Group Membership Viewing the Fault Group Summary
LMS uses the Group Creation Wizard to guide you through the steps required to create or edit a group. The wizard consists of four steps:
1. Setting properties (for details, see Editing a Fault Group).
2. Creating rules (for details, see Understanding Rules).
3. Modifying group membership (for details, see Finalizing Fault Group Membership).
4. Viewing the summary (for details, see Viewing the Fault Group Summary).
Either:
Select Admin > System > Group Management > Fault. The Fault Group Administration and Configuration page appears.
Or
Select Inventory > Group Management > Fault. The Fault Group Administration and Configuration page appears.
Step 2
In the Group Selector, select the group you want to edit, click Edit. The Properties: Edit page appears. You can modify the following in the Properties: Edit page:
Group Name: Will be automatically populated when editing customizable subgroups; for example, Customizable Group 1 under Customizable Access Port Groups.
Description
Membership update type (not supported for port and interface groups)
The parent group is displayed, but it cannot be modified.
Visibility Scope
Step 3
Click Next. The Rules: Edit page appears. For more information on creating rules, see Understanding Rules. To return to any of the previous pages in the wizard, click Back.
Note
Adding and Deleting Rules from the Rules:Edit Page Adding and Removing Objects from the Rules: Edit Page
From the first list, select a logical operator (applicable when there are multiple rule expressions). The list of logical operators is enabled after at least one rule expression is entered.
From the Object Type list, select an object type.
From the Variable list, select a variable.
From the Operator list, select an operator.
In the Value field, enter a value.
Click Add Rule Expression. The rule expression appears in the Rule Text box.
You can manually add or change any of the text in the Rule Text box. If you enter a single backslash (\), an error is displayed. To enter a single backslash in the Rule Text box, you must type two backslashes (\\) in place of the single backslash. You should always check the syntax after changing a rule expression. If you have added complex rules (containing both AND and OR conditions), you must manually enter parentheses, as in the following example:
(AccessPort.Mode equals OR AccessPort.Mode contains BACKUP OR AccessPort.Mode contains NORMAL) AND (AccessPort.DuplexMode contains HALFDUPLEX OR AccessPort.DuplexMode contains FULLDUPLEX)
Step 7 Verify whether the syntax of the rule is correct by clicking Check Syntax. A dialog box appears, stating that the syntax is valid. Click OK.
Step 8 If you want to view the rules for the parent group, select View Parent Rules. All rules assigned to a parent group also apply to any of its subgroups.
Step 9 Click Next. The Membership: Edit page appears.
To delete a rule:
Step 1
In the Rule Text box, select the entire rule text and press the Delete key. After deleting the rule, you must click the page so that the page can refresh, removing the list of logical operators.
Step 2
In the Available Objects from Parent Group column, select the device you want to add. Click Add. Click Next. The groups information appears in the Summary: Create page. Click Finish. A dialog box appears, stating that changes to the group have been saved. Click OK.
Step 4
Step 5
To remove an object:
Step 1 Step 2 Step 3
In the Objects Matching Membership Criteria column, select the device you want to remove. Click Remove. Click Next. The groups information appears in the Summary: Create page. Click Finish. A dialog box appears, stating that changes to the group have been saved. Click OK.
Step 4
Step 5
Note
When you create a fault group, at least one device must be in the managed state.
Procedure
Step 1
Either:
Select Admin > System > Group Management > Fault. The Fault Group Administration and Configuration page appears.
Or
Select Inventory > Group Management > Fault. The Fault Group Administration and Configuration page appears.
Step 2 Step 3
In the Group Selector, select User Defined Groups. Click Create. The Properties: Create page appears. Enter a group name for the new group. If you do not want to copy the attributes of an existing group to your new group, proceed to Step 6. If you want to copy the attributes of an existing group to the new group, do the following:
a.
Step 4
Click Select Group. The Replicate Attributes page appears. Select the group from which you want to copy the attributes. Click OK. All attributes except the group name are copied to the new group.
b. c.
If you want to change the parent group (the location where the group will reside in the Group Selector), do the following:
a.
Click Change Parent. The Select Parent page appears. Select the parent group.
b. Step 5
Click OK. Enter a description. This is optional. Choose how you want the group membership updated (this choice is not displayed for port and interface groups):
Step 6
If you want the membership for this group updated automatically, select Automatic. If you want the membership for this group updated only when the Refresh button is clicked, select Only Upon User Request.
Step 7
Step 8
Click Next. The Rules: Create page appears. (For more information on creating rules, see Understanding Rules.) Do one of the following:
Step 9
To create rules to apply to the group, go to Step 10. Click Next and select the objects on the Membership: Create page (not supported for port and interface groups). Then go to Step 10. If you need to return to any of the previous pages in the wizard, click Back.
Step 10
a. Select a logical operator (applicable when there are multiple rule expressions). The list of logical operators is enabled after at least one rule expression is entered.
b. Select an object type.
c. Select a variable.
d. Select an operator.
e. Enter a value.
f. Click Add Rule Expression. The rule expression appears in the Rule Text box.
You can manually add or change any of the text in the Rule Text box. If you enter a single backslash (\), an error is displayed. To enter a single backslash in the Rule Text box, you must type two backslashes (\\) in place of the single backslash. You should always check the syntax after changing a rule expression. If you have added complex rules (containing both AND and OR conditions), you must manually enter parentheses, as in the following example:
(AccessPort.Mode equals OR AccessPort.Mode contains BACKUP OR AccessPort.Mode contains NORMAL) AND (AccessPort.DuplexMode contains HALFDUPLEX OR AccessPort.DuplexMode contains FULLDUPLEX)
g. Verify that the rule syntax is correct by clicking Check Syntax. A dialog box appears, stating the syntax is valid. Click OK.
h. If you want to view the rules for the parent group, select View Parent Rules. All rules assigned to a parent group also apply to any of its subgroups.
i. Click Next.
In the Available Objects from Parent Group column, select the device you want to add. Click Add. Click Next. The groups information appears in the Summary: Create page. Click Finish. A dialog box appears, stating that changes to the group have been saved. Click OK.
Step 4
Step 5
To remove an object:
Step 1 Step 2 Step 3
In the Objects Matching Membership Criteria column, select the device you want to remove. Click Remove. Click Next. The groups information appears in the Summary: Create page. Click Finish. A dialog box appears, stating that changes to the group have been saved. Click OK.
Step 4
Step 5
Understanding Rules
Every group is defined by a set of rules. A rule set contains a Boolean combination of individual rule expressions. Rules are created to filter in the objects that you want to belong to the group, and to filter out those that you do not want in the group. When determining the objects that belong to a group, Group Management compares object information to the rule. If an object's information satisfies all of the rule requirements, it is placed in the group. One or more rule expressions can be applied to form a rule. Each rule expression contains the following:
Object Type.Variable Operator Value
For example:
Routers.Location equals "San Jose"
Complex rules that contain both OR and AND conditions require you to edit the rule manually. For example, all parentheses in the following rule must be added in the Rule Text field:
(AccessPort.Mode equals OR AccessPort.Mode contains BACKUP OR AccessPort.Mode contains NORMAL) AND (AccessPort.DuplexMode contains HALFDUPLEX OR AccessPort.DuplexMode contains FULLDUPLEX)
Rules are defined through the Group Creation Wizard on the Rules: Create and Rules: Edit pages. You can define the following:
Logical Operators
The logical operator field appears when you are defining multiple rules. The logical operators can be:
OR: Include devices that fulfill the requirements of either rule. For interface, access port, and trunk port groups, this operator can only be used between the variables of the same type, as in the following valid rule:
AccessPort.DuplexMode equals HALFDUPLEX OR AccessPort.DuplexMode equals FULLDUPLEX
If you used an AND operator in the previous port rule, it would be invalid.
AND: Include only objects that fulfill the requirements of both rules. For interface, access port, and trunk port groups, this operator can only be used between the variables of different types, as in the following example:
AccessPort.Mode equals AND AccessPort.DuplexMode equals FULLDUPLEX
For device groups, this operator can only be used between variables of the same type, as in the following example:
Routers.Model equals "12816" AND Routers.Model equals 12810
Object Type
The Object Type field lists the available objects that you can use to form a group. Depending upon the type of group you are creating, the Object Type field may contain the following choices:
AccessPort TrunkPort Interface Cable ContentNetworking Device DSLAndLRE Group InterfacesAndModules NetworkManagement Optical Routers SecurityAndVPN ServerFabricSwitches StorageNetworking SwitchesAndHubs UniversalGatewaysAndAccessServers Unknown VoiceAndTelephony Wireless
Variable
The Variable field lists the possible attributes for the selected object type to be used for the rule. The list of possible variables changes based on the object type that is selected. Some variables for port and interface groups are described in Table 5-11.
Operator
The Operator field defines the operator to be used in the rule. The list of possible operators changes based on the object type and the variable selected. When using the equals operator, the rule is case-sensitive.
Value
The Value field describes the value of the rule expression. The possible values depend upon the object type, variable, and operator selected. Depending on the operator selected, the value may be free-form text or a list of values.
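Added example, not part of the Cisco guide and not LMS code: a small Python model of the rule text described in this section and in Examples for Port and Module Groups, useful for checking rule text and previewing membership before entering it in the wizard. It assumes the Object Type.Variable Operator Value form with only the =, equals, contains and StartsWith operators shown in this chapter, treats AND and OR mixed at one nesting level as an error (an assumption standing in for the guide's instruction to add parentheses), and lets exclude override include; the inventory and the names check_syntax and group_members are constructed for illustration.

```python
import re

# Illustrative model of the rule text described in this guide; not LMS code.
TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|[^\s()"]+)')
OPERATORS = {  # only the operators that appear in this chapter's examples
    "=": lambda have, want: have == want,        # case-sensitive
    "equals": lambda have, want: have == want,   # case-sensitive
    "contains": lambda have, want: want in have,
    "StartsWith": lambda have, want: have.startswith(want),
}
RESERVED = {"(", ")", "AND", "OR"}

class RuleError(ValueError):
    """Raised when rule text does not fit the modelled grammar."""

def tokenize(text):
    text, tokens, pos = text.strip(), [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:  # for example an unterminated quoted value
            raise RuleError(f"unexpected character at offset {pos}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def unescape(value):
    # The guide requires two backslashes for a literal one; a lone one is an error.
    if "\\" in value.replace("\\\\", ""):
        raise RuleError("single backslash in value; type two backslashes")
    return value.replace("\\\\", "\\")

def parse(tokens):
    pos = 0

    def operand():
        nonlocal pos
        if pos < len(tokens) and tokens[pos] == "(":
            pos += 1
            node = group()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise RuleError("missing closing parenthesis")
            pos += 1
            return node
        if pos + 3 > len(tokens):
            raise RuleError("incomplete rule expression")
        name, op, value = tokens[pos:pos + 3]
        if "." not in name or op not in OPERATORS or value in RESERVED:
            raise RuleError(f"bad rule expression near {name!r}")
        pos += 3
        obj_type, variable = name.split(".", 1)
        return ("EXPR", obj_type, variable, op, unescape(value.strip('"')))

    def group():
        nonlocal pos
        nodes, joiners = [operand()], set()
        while pos < len(tokens) and tokens[pos] in ("AND", "OR"):
            joiners.add(tokens[pos])
            pos += 1
            nodes.append(operand())
        if len(joiners) > 1:  # assumption: force explicit parentheses
            raise RuleError("AND and OR mixed at one level; add parentheses")
        return (joiners.pop() if joiners else "AND", nodes)

    tree = group()
    if pos != len(tokens):
        raise RuleError(f"unexpected token {tokens[pos]!r}")
    return tree

def check_syntax(rule):
    try:
        parse(tokenize(rule))
    except RuleError as exc:
        return str(exc)  # error text when the rule is rejected
    return None          # None when the rule parses

def matches(node, obj):
    if node[0] == "EXPR":
        _, obj_type, variable, op, want = node
        if obj.get("type") != obj_type or variable not in obj:
            return False
        return OPERATORS[op](str(obj[variable]), want)
    joiner, nodes = node
    results = (matches(n, obj) for n in nodes)
    return all(results) if joiner == "AND" else any(results)

def group_members(rule, inventory, include=(), exclude=()):
    tree = parse(tokenize(rule)) if rule.strip() else None
    picked = [o["name"] for o in inventory
              if (tree and matches(tree, o)) or o["name"] in include]
    return [n for n in picked if n not in exclude]  # exclude has priority

INVENTORY = [  # constructed sample data, not output from an LMS server
    {"type": "Port", "name": "Fa0/1", "PortDescription": "FastEthernet0/1", "OperStatus": "OK"},
    {"type": "Port", "name": "Fa0/2", "PortDescription": "FastEthernet0/2", "OperStatus": "Stopped"},
    {"type": "Port", "name": "Et0/0", "PortDescription": "Ethernet0/0", "OperStatus": "OK"},
    {"type": "Port", "name": "Gi1/1", "PortDescription": "GigabitEthernet1/1", "OperStatus": "ok"},
    {"type": "Module", "name": "Linecard", "SlotNumber": 1},
]
```

Gi1/1 carries the status "ok" in lower case, so the AND example from this chapter leaves it out: the = comparison is case-sensitive, as the guide states for equals.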
OL-20721-01
Chapter 5
Most of the values that can be entered in the Value field of the Rules: Edit page are self-evident, but some of the objects in the Variables field have special meanings or restrictions on how to enter the related attribute in the Value field. Table 5-11 describes the objects that appear in the Variable field of the Rules: Edit page that might need further explanation.
Table 5-11 Explanations for the Values of Special Variables
Explanation
Interface or port description.
Duplex mode (FULLDUPLEX, HALFDUPLEX, or UNSPECIFIED).
Interface types, protocols, or encapsulations.
Maximum speed, in bits per second.
Speed of the largest datagram that can be sent or received, specified in octets. For interfaces that use transmitting network datagrams, this is the speed of the largest network datagram that can be sent.
Mib2ifType
Type of interface, distinguished according to the physical or link protocols immediately below the network layer in the protocol stack, represented as a digit.
Intended purpose (for example, for interfaces, backup, dial-on-demand, and so forth).
Name of object.
Name of the system.
Name of system containing this element.
System Object Identifier associated with vendor of system.
Name of system supplier.
Type of element (for example, interface), distinguished according to the physical or link protocols immediately below the network layer in the protocol stack.
Note
After you have defined the rule, you should verify the syntax. You can do this on the Rules: Edit page. Table 5-12 describes the remaining fields on the Rules: Edit page of the Group Creation Wizard.
Table 5-12 Fields on the Rules: Edit Page
Description Used to add the rule expression to the group rules. Displays the rule. For complex rules (which contain both OR and AND conditions), you must manually add parentheses in this field. (In Editing a Fault Group, see Step 10 and Step 6.)
Description Verifies that the rule syntax is correct. Used to view the parent group rules. All parent group rules apply to the subgroups.
Examples of Rules
You want to create a group that contains all interfaces using full duplex mode in the Dallas location. Form the following rule:
Interface.Duplex.Mode contains "FULLDUPLEX" AND Location contains Dallas
You want to create a group that contains all of the security and VPN devices in the San Jose location. Form the following rule:
SecurityAndVPN.Location contains "SanJose"
To understand the group rules, see the rules used for system defined groups. These rules appear in the Properties: Details page. For a description of the Properties: Details page, see Viewing Fault Group Details.
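The rule form described in this section (object type.variable operator value, joined by AND and OR, with parentheses required once both connectives appear in one rule) can be exercised with the following added sketch, which is not LMS code or its rule engine. The grammar, the variable names Interface.DuplexMode and Interface.Location, the case-sensitive contains operator and the inventory records are assumptions constructed for illustration.

```python
import re

# One token: a parenthesis, a double-quoted value, or a run of other characters.
TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|[^\s()"]+)')
RESERVED = {"AND", "OR", "(", ")"}
# Only the two operators used in the page's examples. The page states that
# equals is case-sensitive; treating contains the same way is an assumption.
OPERATORS = {
    "equals": lambda have, want: have == want,
    "contains": lambda have, want: want in have,
}


def tokenize(rule):
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        found = TOKEN.match(rule, pos)
        if not found:  # for example, an unterminated quote
            raise ValueError(f"cannot read rule at column {pos + 1}")
        tokens.append(found.group(1))
        pos = found.end()
    return tokens


def parse(tokens):
    """Build a nested tuple tree, raising ValueError on a syntax problem."""
    tree, used = _group(tokens, 0)
    if used != len(tokens):
        raise ValueError(f"unexpected {tokens[used]!r}")
    return tree


def _group(tokens, i):
    items, connectives = [], set()
    while True:
        node, i = _operand(tokens, i)
        items.append(node)
        if i < len(tokens) and tokens[i] in ("AND", "OR"):
            connectives.add(tokens[i])
            i += 1
            continue
        break
    if len(connectives) > 1:
        # Mirrors the manual's requirement for rules with both OR and AND.
        raise ValueError("rule mixes AND and OR at one level: add parentheses")
    if len(items) == 1:
        return items[0], i
    return (connectives.pop(), items), i


def _operand(tokens, i):
    if i < len(tokens) and tokens[i] == "(":
        node, i = _group(tokens, i + 1)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("missing closing parenthesis")
        return node, i + 1
    expression = tokens[i:i + 3]
    if len(expression) < 3 or RESERVED & set(expression):
        raise ValueError("incomplete expression: expected variable operator value")
    variable, operator, value = expression
    if operator not in OPERATORS:
        raise ValueError(f"unknown operator {operator!r}")
    return ("expr", variable, operator, value.strip('"')), i + 3


def matches(tree, record):
    if tree[0] == "expr":
        _, variable, operator, value = tree
        return variable in record and OPERATORS[operator](record[variable], value)
    results = [matches(child, record) for child in tree[1]]
    return all(results) if tree[0] == "AND" else any(results)


def check_syntax(rule):
    """Return None for a valid rule, otherwise the error text."""
    try:
        parse(tokenize(rule))
    except ValueError as error:
        return str(error)
    return None


def select_members(rule, inventory):
    tree = parse(tokenize(rule))
    return [name for name, record in inventory.items() if matches(tree, record)]


# Constructed inventory; Gi0/4 differs from Gi0/1 only in letter case.
INVENTORY = {
    "Gi0/1": {"Interface.DuplexMode": "FULLDUPLEX", "Interface.Location": "Dallas"},
    "Gi0/2": {"Interface.DuplexMode": "HALFDUPLEX", "Interface.Location": "Dallas"},
    "Gi0/3": {"Interface.DuplexMode": "FULLDUPLEX", "Interface.Location": "SanJose"},
    "Gi0/4": {"Interface.DuplexMode": "fullduplex", "Interface.Location": "Dallas"},
}

if __name__ == "__main__":
    rule = 'Interface.DuplexMode equals "FULLDUPLEX" AND Interface.Location contains Dallas'
    print(check_syntax(rule), select_members(rule, INVENTORY))
```

Because equals is case-sensitive, Gi0/4 stays out of the group even though it sits in the same location with the same duplex mode in different letter case.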
Description Name of the group you are creating. Parent group of the group you are creating. Text description of the group.
Membership Update: Automatic (updated whenever the group is accessed) or upon user request (updated only when you click the Refresh button).
Rules: Rules used to filter group membership.
Visibility Scope: Setting that determines whether all Cisco Prime users or only the user who created the group can view the group.
Polling Overriding Group preview: Click to display the Preview page. This page displays the priorities of the Polling Overriding Groups.
Threshold Overriding Group preview: Click to display the Preview page. This page displays the priorities of the Threshold Overriding Groups.
Either:
Select Admin > System > Group Management > Fault. The Fault Group Administration and Configuration page appears.
Or
Select Inventory > Group Management > Fault. The Fault Group Administration and Configuration page appears.
Step 2 In the Group Selector, select the group for which you want to view details.
Step 3 Click Details. The Properties: Details page appears.
Heading/Button: Description
Group Name: Name of the group you are viewing.
Parent Group: Parent group of the group you are viewing.
Type: Type of the objects that belong to the group.
Description: Text description of the group.
Membership Update: Automatic (updated whenever the group is accessed) or upon user request (updated only when you click the Refresh button).
Created By: Person who created the group.
Last Modified By: Last person to modify the group.
Rules: Rules used to filter group membership.
View Parent Rules: Used to view the parent group rules. All parent group rules apply to the subgroups.
Membership Details: Used to view the list of devices that belong to the group. Does not apply to port and interface groups.
Cancel: Closes the page and takes you back to the Group Administration and Configuration page.
Either:
Select Admin > System > Group Management > Fault. The Fault Group Administration and Configuration page appears.
Or
Select Inventory > Group Management > Fault. The Fault Group Administration and Configuration page appears.
Step 2 In the Group Selector, select the group for which you want to view details.
Step 3 Click Details. The Properties: Details page appears.
Step 4 Click Membership Details. The Membership: Details page appears.
Description Name of the device for which you want to view membership details. Type of object for which you want to view details. Takes you back to the Properties: Details page. Closes the page and takes you back to the Group Administration and Configuration page.
Either:
Select Admin > System > Group Management > Fault. The Fault Group Administration and Configuration page appears.
Or
Select Inventory > Group Management > Fault. The Fault Group Administration and Configuration page appears.
In the Group Selector, select the group you want to refresh. Click Refresh. In the confirmation dialog box, click Yes. In the next dialog box, click OK.
Either:
Select Admin > System > Group Management > Fault. The Fault Group Administration and Configuration page appears.
Or
Select Inventory > Group Management > Fault. The Fault Group Administration and Configuration page appears.
In the Group Selector, select the group you want to delete. Click Delete. In the confirmation dialog box, click Yes. In the next dialog box, click OK.
Edit, Refresh, and Delete cause internal processes to start. For this reason, LMS could experience a period of high CPU utilization after these processes are triggered.
Select Admin > System > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears.
Or
Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group page appears.
Rules are created to filter in the devices that you want to include in the group, and to filter out those that you do not want in the group. While determining the devices that belong to a group, Group Management compares device information to the rule. If the information on a device satisfies all the requirements of the rule, it is placed in the group. The devices are filtered based on the data present in the IPSLA Performance database. One or more rule expressions can be applied to form a rule. Each rule expression contains the following:
object type.variable operator value
IPSLA Collector Group Administration Process Understanding IPSLA Collector Group Administration
Table 5-16 lists the various operators that can be used to create rules to group Collectors.
Table 5-16 Understanding Collector Group Rules
OR: Include objects that fulfill the requirements of either rule.
AND: Include only objects that fulfill the requirements of both rules.
EXCLUDE: Do not include these objects.
INCLUDE: Include these objects.
The Rule Text field appears only after a rule expression is added.
Object Type: Type of object (collector) that is used to form a group.
Variable: Collector components, based on which you can define the group. For more information, see Collector Components.
Operator: Operator to be used in the rule. The list of possible operators changes based on the Variable selected. When using the equals operator, the rule is case-sensitive.
Field/Button: Description
Value: Value of the rule expression. The possible values depend upon the variable and operator selected. Depending on the operator selected, the value may be free-form text or a list of values. Wildcard characters are not supported. The following are the values for the corresponding operations:
1 = echo
2 = pathEcho
5 = udpEcho
6 = tcpConnect
7 = http
8 = dns
9 = jitter
10 = dlsw
11 = dhcp
12 = ftp
14 = RTP
16 = icmpjitter
18 = VoipCallSetupPostDialDelay
19 = VoipGKRegDelay
1019 = Ethernetping
1020 = Ethernetjitter
1119 = EthernetPingAutoIPSLA
1120 = EthernetJitterAutoIPSLA
Add Rule Expression: Used to add the rule expression to the group rules.
Rule Text: Displays the rule.
Check Syntax: Verifies if the rule syntax is correct. Use this button if you have entered the rules manually.
View Parent Rules: Used to view the parent group rules. All parent group rules apply to the subgroups.
Collector Components
Table 5-17 lists the available group attributes that you can use for defining the User-Defined groups.
Table 5-17 Collector Components
Component Type: Description
Source Address: Device IP address.
Target Address: Device IP address.
Operation Type: All IPSLA operations available for LMS.
Operation Name: Name of a user-defined operation.
VRF: Name of the VRF (Virtual Routing and Forwarding).
You can resolve this error by starting the IPMOGSServer process. You can start this process using Admin > System > Server Monitoring > Processes. The Process Management page appears with all Cisco Prime processes listed. In the Process Management page, select the IPMOGSServer and click Start.
If the IPMOGS Server is down, do the following:
You can start the IPMOGS Server either from the CLI, or from the LMS UI.
To start IPMOGS Server from the CLI:
Enter NMSROOT/bin/pdexec IPMOGSServer where NMSROOT is the Cisco Prime installation directory.
To start IPMOGS Server from the LMS UI:
Step 1 Select Admin > System > Server Monitoring > Processes. The Process Management page appears with all Cisco Prime processes listed.
Step 2 Select IPMOGSServer in the Process Management dialog box.
Step 3 Click Start.
You can start the CMFOGS Server either from the CLI, or from the LMS UI.
To start CMFOGS Server from the CLI:
Enter NMSROOT/bin/pdexec CMFOGSServer where NMSROOT is the Cisco Prime installation directory.
To start CMFOGS Server from the LMS UI:
Step 1 Select Admin > System > Server Monitoring > Processes.
Step 2 Select CMFOGSServer in the Process Management dialog box.
Step 3 Click Start.
Description Hierarchical display of all available groups. Displays the following collector group information:
Group Name: The name of the group you selected.
Type: The type of objects in the selected group.
Description: A text description of the group.
Created By: The person who created the group. You can also view the time at which the group was created.
Last Modified By: The last person to modify the group settings. You can also view the time at which the group was modified.
Starts the Group Creation Wizard for creating a group, as described in the Creating and Modifying User-Defined Collector Groups. Starts the Group Edit Wizard for editing an existing group, as described in the Creating and Modifying User-Defined Collector Groups. Opens the Properties: Details page, as described in the Viewing Collector Group Details and Viewing Membership Details. Refreshes a group membership, as described in the Refreshing User-Defined Collector Group Membership. Deletes a group, as described in the Deleting User-Defined Collector Groups.
Creating and Modifying User-Defined Collector Groups Deleting User-Defined Collector Groups Viewing User-Defined Collector Groups Refreshing User-Defined Collector Group Membership
Setting Collector Group Properties Defining Collector Group Rules Assigning Collector Group Membership Viewing the Collector Group Summary
You must complete all four tasks in this sequence to create collector groups. If you exit the wizard at any stage using Cancel, the details you have specified will be lost and the collector groups will not be created.
Either:
Select Admin > System > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears.
Or
Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group page appears.
Step 2
Select the required group from the Group Selector pane. For example:
If you want to create or edit a group, select the User Defined Group folder from the Group Selector pane. If you want to create or edit a subgroup, select the required collector group under the User Defined Groups folder. Click Create to create a group or subgroup. Or Click Edit to edit a group or subgroup.
Step 3
Specify the collector group name and description in the Group Name and Description fields. The Group Name must be unique within the parent group. However, you can specify the same name in some other groups. For example, if you already have a group named MyGroup in a group named Views under User-Defined Groups, you cannot use the same name for another subgroup in the group Views. However, you can use the name 'MyGroup' for the subgroup of another group in User-Defined Groups. After entering the group name and description, you can either copy the attributes of an existing group to the new group or proceed to Step 5. To copy the attributes of an existing group to the new group, do the following:
a. Click Select Group. The Replicate Attributes window appears.
b. Select the required collector group from the User Defined Groups folder.
c. Click OK. All attributes except the group name are copied to the new group. The parent group you have selected for the group does not change even if you are copying attributes from a group that belongs to a different parent group.
a. Click Change Parent. The Select Parent window appears.
b. Select the required group.
c. Click OK. The Properties page appears with the new parent group.
Step 5 Select the Membership Update and Visibility Scope for the group. For more information, see Table 5-19.
Step 6 Click Next. The Rules page appears.
Table 5-19
Field: Description
Group Name: Name of the group you are creating.
Copy Attributes from Group: Copy the attributes of an existing group to your new group using Select Group.
Parent Group: Parent group of the group you are creating. You can change the parent group using Change Parent.
Description: Text description of the group.
Membership Update: Group Membership is updated.
Automatic: Updates whenever the group is accessed.
Only Upon User Request: Click Refresh.
Visibility Scope:
Private Groups: Visible only to users who created the group.
Public: Visible to all users.
Note
All rules assigned to a parent group also apply to any of its subgroups.
In the Rules page, you can either enter the rules directly in the Rule Text field or select the components of the rule from the Rule Expression fields and define a rule. Table 5-20 lists the various Fields and Buttons available in the Rules page.
Table 5-20 Defining Collector Group Rules
OR: Include objects that fulfill the requirements of either rule.
AND: Include only objects that fulfill the requirements of both rules.
EXCLUDE: Do not include these objects.
The Rule Text field appears only after a rule expression is added.
Object Type: Type of object (Collector) that is used to form a group. All IPSLA Collector group rule expressions begin with the same Object Type, IPM:Collector Management: Collector.
Variable: Collector attributes, based on which you can define the group. For more information, see Collector Components.
Operator: Operator to be used in the rule. The list of possible operators changes based on the Variable selected. When using the Equals operator, the rule is case-sensitive.
Value: Value of the rule expression. The possible values depend upon the variable and operator selected. Depending on the operator selected, the value may be free-form text or a list of values. Wildcard characters are not supported.
Add Rule Expression: Used to add the rule expression to the group rules.
Rule Text: Displays the rule.
Check Syntax: Verifies that the rule syntax is correct. Use this button if you have entered the rules manually.
View Parent Rules: Used to view the parent group rules. All parent group rules apply to the subgroups.
For group rule restrictions and examples, see Understanding Collector Group Rules.
Either:
Select Admin > System > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears.
Or
Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears.
Step 2 Select the Object Type from the drop-down list.
Step 3 Select the required variables from the Variable drop-down list. You can select one or a combination of variables. The variables available are Operation Name, Operation Type, Source Address, VRF name, and Target Address. For more information, see Table 5-20.
Step 4 Select the Boolean operator from the Operator drop-down list. The Boolean operators change based on the variable you have selected. For more information, see Table 5-20.
Step 5 Specify the Value for the variable you have selected.
Step 6 Click Add Rule Expression. The IPSLA Collector Group Administration creates the rule based on the parameters you specified and adds it to the rules already present in the Rules Text field. You can use the same procedure to add more rules. If you want to delete a rule expression, you have to select the complete expression including the logical operator and press the Delete key on your keyboard.
Step 7 Click Check Syntax to validate the rule expression syntax. If the syntax is correct, a confirmation message appears: The rule syntax is valid. If the syntax is incorrect, an error message appears with the syntax errors along with the line and column number.
Step 8 Click View Parent Rules to view the parent and group rules.
Step 9 Click Next. The Membership page appears.
Objects From Parent Group: Lists the collectors in the parent group.
Objects Matching Membership: Lists the collectors that satisfy the rule defined by you. You can add or delete collectors from this pane. You can also add collectors from the parent group to create the collector group.
Step 1 Select the required collectors from the Objects From Parent Group pane.
Step 2 Click Add. The selected collectors are added to the Objects Matching Membership pane.
Step 3 Click Next. The Summary page appears with the User-Defined Group properties.

Step 1 Select the required collectors from Objects Matching Membership pane.
Step 2 Click Remove. The selected collectors are removed from the Objects Matching Membership pane and added to the Objects From Parent Group pane.
Step 3 Click Next. The Summary page appears with the summary of the user-defined collector group.
Description Name of the group you are creating. Text description of the group. Parent group of the group you are creating. You can change the parent group using Change Parent. You can select only IPSLA Collector User-Defined groups. You cannot edit this field in the Edit flow.
Membership Update
Updates group membership. Membership updates can be automatic (updated every time the group is accessed) or upon user request only (updated only when you click Refresh).
Rules used to filter group membership. Describes if the group is public (all users) or private (only for the group owner).
Click Finish to complete the procedure for creating collector groups. A confirmation message appears. Click OK. You can view the newly created user-defined collector group in the Group Selector pane. Or Click Back to modify the group properties.
Step 2
Select the group for which you want to view details from the Group Selector pane. Click Delete. A confirmation message appears.
Viewing Collector Group Details Viewing Membership Details Refreshing User-Defined Collector Group Membership
Either:
Select Admin > System > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears.
Or
Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears.
Step 2 Select the group for which you want to view details from the Group Selector pane.
Step 3 Click Details. The Property Details page appears. For more information, see Table 5-22.
Table 5-22
Field/Button: Description
Group Name: Name of the group you are viewing.
Parent Group: Parent group of the group you are viewing.
Type: Type of the objects that belong to the group.
Description: Text description of the group.
Membership Update: How group membership is updated.
Created By: Person who created the group. This also displays the time at which it was created.
Last Modified By: Last person to modify the group. This also displays the time at which it was modified.
Rules: Rules used to filter group membership.
Visibility Scope: Indicates whether the group is Public (visible to all users) or Private (visible only for the group owner).
View Parent Rules: Allows you to view the parent group rules. All parent group rules apply to the subgroups.
Membership Details: Allows you to view the membership details.
Cancel: Takes you back to the Group Administration page.
Either:
Select Admin > System > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears.
Or
Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears.
Step 2 Select the group for which you want to view details from the Group Selector pane.
Step 3 Click Details. The Property Details page appears.
Step 4 Click Membership Details. The Membership Details page appears. For more information, see Table 5-23.
Table 5-23 Viewing Membership Details
Description Name of the device. Type of object. Takes you back to the Property Details page. Takes you back to the Group Administration page.
Either:
Select Admin > System > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears.
Or
Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears.
Step 2 Select the group for which you want to view details from the Group Selector pane.
Step 3 Click Refresh to refresh the membership of the selected group. The Refresh Group Confirmation dialog box appears.
Step 4 Click OK. A message appears that the selected group membership has been refreshed. Or Click Cancel to return to the Group Administration page.
Either:
Select Admin > System > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears.
Or
Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears.
Step 2 Select the default operation name from the Group Selector pane for which you want to view the collector group details.
Step 3 Click Details. The system-defined collector group details appear.
Step 4 Click Membership Details to know the membership details of this system-defined collector group. The Membership Details page appears.
Select the group for which you want to view details from the Group Selector pane. Click Refresh to refresh the membership of the selected group. The Refresh Group Confirmation dialog box appears. Click OK. A message appears that the selected group membership has been refreshed. Or Click Cancel to return to the Group Administration page.
Step 3
CHAPTER
Modifying SNMP Timeouts and Retries. For details, see Modifying Data Collection SNMP Timeouts and Retries. Scheduling Data Collection. For details, see Scheduling Data Collection. Configuring Polling options. For more details, see Data Collection Critical Device Poller.
If you have configured a device with SNMP v2 or v1 settings in DCR, then the device is initially queried with SNMP v2. If the query fails, LMS will query the device with SNMP v1. If you have configured a device with SNMPv3 settings in DCR, then the device is queried with SNMP v3. However, if the query fails, the same device will not be queried with SNMP v2 or v1.
Select Admin > Collection Settings > Data Collection > Data Collection SNMP Timeouts and Retries. The SNMP Timeouts and Retries dialog box appears.
Step 2
Table 6-1
Field Description
Target
Denotes the target device. You should enter the IPv4 or IPv6 address of the target device in this field. You can also use wildcard characters or a range of numbers to specify the target device. For example, you can enter 10.[77-78].*.* or ABCD:EF12:*:*:*:*:[3A-BB] as the target device.
Timeouts
Time period after which the query times out. This also indicates the time interval between the request and the first initial response from the device. The SNMP response may be slow for remote devices. If your network has remote devices connected over a slow link, configure a higher value for the timeout. If the timeout is increased, discovery time could also increase. Enter the value in seconds. For every retry, the timeout value is doubled. For example, if the timeout is 10 seconds and retries is 4, LMS waits 10 seconds for a response on the first try, 20 seconds on the second retry, 40 seconds on the third retry, and 80 seconds on the fourth retry. The total time after which LMS stops querying the device is 150 seconds (10+20+40+80).
Retries
Number of attempts made to query the device. The allowed range is 0-8.
Step 3 Step 4
Click Edit to edit the timeouts and retries values. Click Delete to delete the timeouts and retries values.
Or
Click Apply.
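An added example (not part of the Cisco guide and not LMS code) that applies the Target, Timeouts and Retries fields described above: it matches device addresses against target patterns and computes how long one unresponsive device can hold up a query. The pattern semantics, first-match ordering, the default entry and the sample entries are assumptions; a Retries value of 0 is taken literally from the page's worked example as producing no waits.

```python
import ipaddress


def _segment_matches(pattern_part, value, base):
    """Compare one address segment with '*', '[low-high]' or a literal."""
    if pattern_part == "*":
        return True
    if pattern_part.startswith("[") and pattern_part.endswith("]"):
        low, high = pattern_part[1:-1].split("-")
        return int(low, base) <= value <= int(high, base)
    return int(pattern_part, base) == value


def target_matches(pattern, address):
    """True if address falls inside a target pattern.

    IPv4 segments are decimal and dot-separated; IPv6 segments are
    hexadecimal and colon-separated, compared on the fully expanded address.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        sep, base, parts = ".", 10, str(ip).split(".")
    else:
        sep, base, parts = ":", 16, ip.exploded.split(":")
    pattern_parts = pattern.split(sep)
    if len(pattern_parts) != len(parts):
        return False  # wrong address family or wrong number of segments
    try:
        return all(
            _segment_matches(p, int(v, base), base)
            for p, v in zip(pattern_parts, parts)
        )
    except ValueError:
        return False  # malformed segment in the pattern


def retry_waits(timeout_s, retries):
    """Per-attempt waits: the timeout doubles on every retry."""
    if not 0 <= retries <= 8:
        raise ValueError("retries must be in the range 0-8")
    return [timeout_s * 2 ** n for n in range(retries)]


def worst_case_seconds(entries, address, default):
    """Total wait before giving up on a device that never answers."""
    for pattern, timeout_s, retries in entries:
        if target_matches(pattern, address):  # assumed: first match wins
            return sum(retry_waits(timeout_s, retries))
    return sum(retry_waits(*default))


def over_budget(entries, addresses, default, budget_s):
    """Addresses whose worst-case wait exceeds a per-device time budget."""
    return [
        address for address in addresses
        if worst_case_seconds(entries, address, default) > budget_s
    ]


# Constructed sample settings: (target pattern, timeout in seconds, retries).
# The IPv6 pattern is constructed with eight groups so that it lines up with
# a fully expanded address.
ENTRIES = [
    ("10.[77-78].*.*", 10, 4),
    ("10.*.*.*", 5, 2),
    ("2001:db8:*:*:*:*:*:[3A-BB]", 8, 3),
]
DEFAULT = (2, 3)  # constructed fallback, not an LMS default
DEVICES = ["10.77.1.1", "10.5.1.1", "192.0.2.7", "2001:db8::40"]

if __name__ == "__main__":
    for device in DEVICES:
        print(device, worst_case_seconds(ENTRIES, device, DEFAULT), "seconds")
    print("over 60 s:", over_budget(ENTRIES, DEVICES, DEFAULT, 60))
```

Multiplying the worst-case figure by the number of unreachable devices in a target range gives a quick upper bound on how much a timeout increase can add to discovery time.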
Chapter 6
Step 1 Select Admin > Collection Settings > Data Collection > Data Collection Schedule. The Data Collection Schedule dialog box appears.
Step 2 Modify the data collection settings as described in Table 6-2.
Table 6-2 Data Collection Schedule Settings
Field: Schedule
Description: Days on which and the time at which data collection is scheduled.
Usage Notes: The optimum data collection schedule depends on the size of the network and the frequency of network changes. The default data collection schedule is every 4 hours, on the 4-hour mark, daily: 04.00, 08.00, 12.00, 16.00, 20.00, 24.00. Note that time is in the 24-hour format.
Step 3 Select a schedule and click Edit to edit the schedule. Select a schedule and click Delete to delete the schedule. Click Add to add a new schedule.
Best Practices
Data Collection consumes significant resources on the network management system. Use the Polling option to see the device and link status without running data collection. For more details on polling, see Data Collection Critical Device Poller.
Configure the time interval at which the network is polled. Poll only a critical set of devices. Use this option to see the device and link status without running Data Collection. Since Data Collection consumes significant system resources, you can simply poll the network and view the device and link status in Topology maps.
Launch a Topology map. Right click a device and select Add device to Critical Poller.
To add a device to the Critical Devices list from N-Hop View Portlet:
Step 1 Launch N-Hop View Portlet.
Step 2 Go to the configuration screen and select Poll devices.
Caution
If the critical set of devices is more than 30, the amount of traffic generated as part of the polling cycle will use a large amount of bandwidth.
To configure Device Poller:
Step 1 Select Admin > Collection Settings > Data Collection > Data Collection Critical Devices Poller. The Device Poller screen appears.
Step 2 Configure the device poller options as specified in Table 6-3.
Table 6-3 Device Poller Options
Field: Polling Details
Description: Specifies that all devices in the network will be polled at the specified interval.
Usage Notes: By default the whole network is polled every 2 hours.
Description: Specifies that only critical devices in the network will be polled at the specified interval.
Usage Notes: You can configure this option when you need to poll a few devices in the network more frequently. By default, the critical devices are polled every five minutes.
Description: Time interval at which the specified devices are polled. The time interval is added to the completion time of Data Collection. For example, you have configured the following:
Data Collection is scheduled to run at 07:00 hours.
Time interval is set to 4 hours.
If Data Collection completes at 08:00 hours, the next polling will happen at 12:00 hours (8 + 4).
Usage Notes: Configure this option to change the interval from the default value.
Show Devices
For Critical Devices: Displays the list of critical devices in the network. The following information about the Critical Devices is displayed:
IP Address
DeviceName
You can choose any device and click Delete to remove it from the Critical Device poller list.
For All Devices: Launches the Data Collection report. The following information about the devices in the network is displayed:
Step 3
CHAPTER
Understanding User Tracking Using User Tracking Administration Understanding Dynamic Updates Using User Tracking Utility
Recently down ports Ports that are in unused condition for the specified interval Connected ports and Free ports Percentage utilization of ports for each device
These reports give a clear picture of the switch port utilization in the network and help you with capacity planning for the network. To generate Switch Port reports, select Reports > Switch Port from the megamenu. This topic covers:
Display information about the connectivity between the devices, users, and hosts in your network. For example, you might want to identify all users connected to a particular subnet, or all hosts on a particular switch.
Display information about the IP phones registered with discovered Media Convergence Servers.
Use simple queries to limit the amount of information User Tracking displays.
Configure or limit the User Tracking acquisition by subnets.
Create and save simple and advanced queries.
Modify, add, and delete username and notes. You can configure User Tracking Acquisition settings to collect usernames during UT Major Acquisition and update the UT table. The user names are collected from the UTLite process.
Customize User Tracking table layouts. For example, you can design a layout that displays only the MAC addresses of hosts on your network.
View User Tracking reports that identify Switch Port usage, duplicate IP addresses, duplicate MAC addresses, duplicate MAC and VLAN names, and ports with multiple MAC addresses. You can also view History Reports for Switch port utilization, and the connection and disconnection of endhosts and users from your network. You can set the schedule for generating the reports, and also generate the reports for a subset of devices.
Accessing UT Data
The following are the ways to access User Tracking data:
Quick Reports
You can generate End hosts or IP Phones reports based on the given filter criteria. For example, you can generate reports on end hosts that belong to a specific VLAN. To generate these reports, select Reports > Inventory > User Tracking > Quick Report.
Chapter 7
Scheduled Reports
You can schedule reports that run at the specified date and time. You can generate immediate reports or schedule them to run once or at repetitive intervals.
Custom Reports
You can customize the layout and columns displayed in the reports to suit your needs. To generate these reports select Reports > Report Designer > User Tracking > Custom Reports.
Command Line Interface
You can generate various User Tracking reports from the Command Line Interface also. For more details, see User Tracking Command Line Interface.
Data Extraction Engine
Data Extraction Engine is an LMS utility that allows you to generate User Tracking data in XML format. For more details, see Overview of Data Extraction Engine.
User Tracking Utility
Cisco Prime User Tracking Utility 2.0 is a Windows desktop utility that provides quick access to useful information about users or hosts discovered by LMS User Tracking application. You can use UTU search band to search for the users or hosts in your network. You can search using user name, host name or IP address, or MAC address.
Discovers all the end hosts that are connected to the devices managed by LMS. For details on the various options that can be set before starting an acquisition, see Modifying UT Acquisition Settings. User Tracking Acquisition can also be initiated from the CLI prompt. To do so, enter the following command:
NMSROOT/campus/bin/ut -cli -performMajorAcquisition -u userid -p password
where NMSROOT is the directory where you have installed Cisco Prime. For more details, see User Tracking Command Line Interface.
User Tracking Minor Acquisition
Minor acquisition occurs on a device if any of the following changes take place:
A new endhost or IP phone is added to the network.
Port state changes (when the port comes up or goes down).
A new VLAN is added to the network.
There is a change in the existing VLAN.
Minor acquisition updates the LMS database with just the changes that have happened in the network. It is triggered at regular intervals. The default interval is 60 minutes. You can configure the interval at which the acquisition takes place. For details on modifying the acquisition interval, see Modifying UT Acquisition Schedule.
User Tracking IP Phone Acquisition
Discovers all phones registered in Cisco Call Managers (CCM), that are managed by LMS.
Subnet based User Tracking Major Acquisition
User Tracking subnet based acquisition runs only on those subnets that are configured in LMS. LMS discovers end hosts on all the VLANs available in the configured subnets. Use subnet based acquisition when you need details about the end hosts connected to a particular subnet or a select set of subnets. The acquisition completes faster, since it is not run on all devices managed by LMS. For details on running subnet based acquisition, see Configuring UT Subnet Acquisition.
Single device on-demand User Tracking Acquisition
This discovers the end hosts on all the VLANs available in the selected device. Hence this acquisition is useful for collecting information only on end hosts connected to the specified device. For details on initiating this type of acquisition, see Configuring User Tracking Acquisition Actions
Modify Acquisition settings. Before you start collecting information about the hosts in your network, you can set various options that control the way in which Acquisition happens. For example, you can set LMS to perform DNS lookup, while resolving the IP address of a host. For complete details, see Modifying UT Acquisition Settings.
Schedule Acquisition. You can set the day and time of the week when you want to run Major Acquisition. The time interval at which Minor Acquisition happens in the network can also be set. For more details, see Modifying UT Acquisition Schedule.
Configure Ping Sweep options for Acquisition. You can configure LMS to perform Ping Sweep on selected subnets, during Acquisition. For more details, see Modifying Ping Sweep Options.
Configure Subnet Acquisition. You can trigger acquisition on a single subnet or a select set of subnets. Subnet based acquisition collects details about the end hosts that are connected to a particular subnet or a select set of subnets. This Acquisition completes faster, since it is not run on all devices managed by LMS. For more details, see Configuring UT Subnet Acquisition.
Configure end host and IP phone data delete interval. You can modify the time interval for deleting entries from the End Host Table, IP Phone Table, or the History Table from the database. For more details, see Deleting User Tracking Purge Policy Details.
Configure UT Acquisition to discover end hosts connected to non-link trunk ports. Normally UT Acquisition only discovers end hosts that are connected to access ports. If you enable this feature, UT Acquisition also discovers end hosts that are connected to non-link trunk ports. For more details, see Configuring UT Acquisition in Trunk for End Host Discovery.
Specify Purge Policy. You can specify the intervals at which you want old reports and jobs to be purged. You can save the Purge Policy, so that the older jobs and archives are purged at the specified interval. For more details, see Specifying User Tracking Report Purge Policy.
Specify Domain Name display. You can specify the way in which domain names are to be displayed in User Tracking Reports. For more details, see Specifying Domain Name Display.
Import information on end hosts. You can import user names and notes of end hosts that are already discovered by User Tracking, from a file. For more details, see Importing Information on End Host Users.
Enable Dynamic User Tracking. Dynamic Updates are asynchronous updates that are based on SNMP MAC notification traps. LMS tracks changes about the end hosts and users on the network to provide real-time updates, based on these traps. For more details, see Understanding Dynamic Updates.
Enable Debugging options. When you face issues in running User Tracking, logging can be enabled for debugging purposes. For more details, see Debugging Options for User Tracking Server and Debugging Options for User Tracking Reports.
Either:
Select Admin > Collection Settings > User Tracking > Acquisitions Info.
Or
Select Inventory > User Tracking Settings > Acquisition Summary.
The acquisition information appears with the following information:
Field: Acquisition status
Description: Status of the User Tracking Major Acquisition process. It can be either Idle or Running.
Field: Last acquisition type
Description: Type of User Tracking acquisition that you had performed last time. Types of acquisition are:
Major: User Tracking Major Acquisition
Devices: User Tracking Acquisition for a device
Subnets: User Tracking Acquisition for subnets
IP Phones: User Tracking Acquisition for IP phones
Description: Date and time at which User Tracking started the Acquisition process. This is displayed in the format dd mon yyyy hh:mm:ss.
Description: Date and time at which User Tracking stopped the Acquisition process. This is displayed in the format dd mon yyyy, hh:mm:ss time zone.
Field: Number of acquisitions
Description: Number of major and minor acquisitions performed.
Field: Number of host entries
Description: Number of hosts found after User Tracking acquisition.
Field: Number of duplicate MAC
Description: Number of MAC addresses that have duplicate entries in the list of hosts found.
Field: Number of duplicate IP
Description: Number of IP addresses that have duplicate entries in the list of end hosts found.
Field: Number of CCM hosts
Description: Number of Cisco CallManagers in the list of devices found after Data Collection.
Field: Number of IP phone entries
Description: Number of IP phones available in the LMS managed network.
Field: Last Campus data collection completed at
Description: Date and time of the previous LMS Data Collection process. This is displayed in the following format: dd mon yyyy hh:mm:ss time zone.
Field: Data collection status
Description: Status of the LMS Data Collection process. It can be either Idle or Running.
Either:
Select Admin > Collection Settings > User Tracking > Acquisition Action.
Or
Select Inventory > User Tracking Settings > Acquisition Actions.
Table 7-1 Acquisition Actions
Type Selection
Description: You can select the type of acquisition. Type of acquisition can be:
Device
Subnet
IP Phones
Usage Notes: When you select a type of acquisition the appropriate fields are displayed.
Scope Selection
Description: Select the All hosts and users check box to acquire information about all hosts and users in your network.
Usage Notes: If you do not select the All hosts and users check box, the device selection field is enabled and you can enter the name or IP address of the device for which you require data. Click Select to select the device from the list of available devices.
Device Selection
Device Name or IP Address
Description: Enter the name or IP address of the device about which data is to be acquired.
Subnets
Subnet Selection
Description: You can choose to get data about a particular subnet or about all the configured subnets.
Usage Notes: If you choose to acquire data about a particular subnet, the subnet selection fields are enabled.
Subnet ID
Description: Select the IDs of the subnets on which you need to get data.
Usage Notes: This field is enabled only if you select the Subnet option in the Type Selection area. Click Select to select the subnet ID from the list of available subnets.
Description: Enter the subnet mask.
Usage Notes: If you select the subnet ID, the subnet mask is automatically entered.
Description: Select this check box to get data only about the VLANs specific to the subnet.
Usage Notes: If you select this check box, only the work stations associated with the VLANs that are mapped to the selected subnets will be acquired. If you do not select this check box, work stations associated with all the available VLANs in the selected subnets will be acquired.
You do not have to specify any details for the IP Phones option.
Step 3
Modifying UT Acquisition Settings
Configuring Rogue MAC List
Modifying UT Acquisition Schedule
Modifying Ping Sweep Options
Configuring UT Subnet Acquisition
Deleting User Tracking Purge Policy Details
Configuring UT Acquisition in Trunk for End Host Discovery
Specifying User Tracking Report Purge Policy
Importing Information on End Host Users
Modifying Acquisition Settings from UI
UT Behaviour in DHCP Environment for Missing IP address
Configuring Properties That Support Duplicate MAC Addresses
Configuring User Tracking Properties from the Backend
Select Admin > Collection Settings > User Tracking > Acquisition Settings. The Acquisition Settings dialog box appears. Modify the acquisition settings as specified in Table 7-2.
Usage Notes If you enable this property, it allows you to control inclusion and exclusion of Duplicate MAC addresses in the Acquisition. To understand the behavior of User Tracking in case of missing IP address, see UT Behaviour in DHCP Environment for Missing IP address. For details on properties that support Duplicate MAC addresses, see Configuring Properties That Support Duplicate MAC Addresses.
This is enabled by default and allows UT Major Acquisition process to collect Access point information. However, WlseUHIC cannot collect Wlse related end host information. If disabled, it precludes Access point acquisition. However, WlseUHIC collects Wlse related end host information.
Select this option to allow Acquisition to collect the active usernames of UNIX hosts. UNIX user names are updated at the end of major acquisitions.
Collects information only for users, who are logged into the console port of the UNIX hosts.
Get user names from hosts in NT and NDS
Description: Allows LMS to collect active user names on the Windows or Novell Directory Service (NDS) servers.
Usage Notes: This option helps you to:
Collect information only for users who are currently logged into the network.
Collect information from NDS hosts. You must use NDS 5.0 or later.
Table 7-2
Usage Notes: User Tracking performs DNS Lookup for a host to resolve its IP address. When you choose this option the Advanced button is enabled. Click this to launch the Advanced UT Acquisition Settings window. The following options are available:
DNS threads: Number of parallel threads allowed for name resolution. The default value is 1. Maximum number of threads allowed is 12.
DNS Timeout: Time duration for which UT waits for a response from the DNS server, for name resolution. The value should be entered in milliseconds. The default value is 2000 milliseconds (2 seconds).
Enter values and click OK to save changes.
User Port Number
Specify the UDP port number from where logon and logoff messages are received from hosts in Windows and NDS.
You must use the default port number unless it is already in use. This port number must match the port indicated in the login script.
Enable notification when Rogue MACs are detected in the network.
LMS sends e-mails to the specified addresses, when unauthorized end hosts are detected in the network.
Specify the E-mail IDs to be notified when Rogue MACs are detected in the network. You can enter multiple E-mail IDs separated by commas.
This field is enabled only when you check the Rogue MAC Detection field.
Specify the list of Rogue MACs in the screen that is launched.
For details, see Configuring Rogue MAC List.
Enable notification when new MACs are detected in the network.
LMS sends e-mails to the specified addresses, when new end hosts are detected in the network.
Specify the E-mail IDs to be notified when new end hosts are detected in the network. You can enter multiple E-mail IDs separated by commas.
This field is enabled only when you check the New MAC Detection field.
Step 3 Step 4
Click Apply to save the modifications in the settings. Click Start Acquisition to start User Tracking Acquisition with the modified settings.
Selecting the Enable User Tracking for DHCP Environment property allows you to control inclusion and exclusion of Duplicate MAC addresses in UT Acquisition. LMS will not get the IP address of end hosts, if the Router is not reachable or if it is excluded from DCR. In such cases, behaviour of User Tracking after enabling Enable User Tracking for DHCP Environment property, is explained in Table 7-3. The conventions used in Table 7-3 are:
MACx: MAC address of the endhost
IPx: IP address of the endhost
Device x: Device to which the end host is connected
Time in xx:xx format: Time entries in the Last seen column
NA: Not Available
Note
The explanation given for scenarios 1 and 2 holds good, irrespective of the value set for Enable User Tracking for DHCP Environment property.
Table 7-3
Each scenario lists the acquisition results in order (MAC address, IP address, device, last seen), the explanation, and what gets updated in the database.

Scenario 1: Missing IP Address
Acquisition results:
MAC1, NA, Device 1, 6:35
MAC1, IP1, Device 1, 6:40
Explanation: For an endhost, if the IP address is not available in the first UT acquisition, but is available in the next, the IP address field in the database is updated with the value that is currently discovered.

Scenario 2: Missing IP Address
Acquisition results:
MAC1, IP1, Device 1, 6:45
MAC1, NA, Device 1, 6:50
Explanation: For an endhost, if the IP address is available in the first UT acquisition, but is not available in the next, the older value for IP address is retained in the database.
What gets updated in database:
MAC1, IP1, Device 1, 6:50

Scenario 3: Single MAC, Multiple IP Addresses
Acquisition results:
MAC1, IP1, Device 1, 6:55
MAC1, IP2, Device 1, 6:55
MAC1, IP3, Device 1, 6:55
MAC1, NA, Device 1, 7:00
Explanation: For an endhost with Single MAC address but multiple IP addresses, if UT does not get the IP address in the current acquisition, it retains the older values in the database.
What gets updated in database:
MAC1, IP1, Device 1, 7:00
MAC1, IP2, Device 1, 7:00
MAC1, IP3, Device 1, 7:00

Scenario 4
Acquisition results:
MAC1, IP1, Device 1, 4:00
MAC1, IP2, Device 1, 5:00
MAC1, IP3, Device 1, 6:00
MAC1, NA, Device 1, 7:00
Explanation: For an endhost with different IP addresses at different points of time, if UT does not get the IP address in the current acquisition, it retains the value that was last discovered.
What gets updated in database:
MAC1, IP1, Device 1, 4:00
MAC1, IP2, Device 1, 5:00
MAC1, IP3, Device 1, 7:00

Scenario 5: Endhost moving between devices
Acquisition results:
MAC1, IP1, Device 1, 4:00
MAC1, IP1, Device 2, 5:00
MAC1, NA, Device 1, 6:00
Explanation: When an end host moves between devices, if UT does not find the IP address in the current acquisition, it retains the IP address value that was last discovered for that device.
What gets updated in database:
MAC1, IP1, Device 1, 6:00
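The retention behaviour in Table 7-3 can be replayed with a small model. This is an added example, not LMS code: the record layout, the function names and the rule "an NA result refreshes the most recently seen record(s) for that MAC" are assumptions inferred from the five scenarios, and the inputs are the table's own rows.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Record:
    mac: str
    ip: Optional[str]   # None stands for "NA" in Table 7-3
    device: str
    last_seen: str      # "h:mm", as in the Last seen column


def minutes(hhmm: str) -> int:
    """Convert an h:mm entry to minutes so times compare numerically."""
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def apply_acquisition(db: List[Record], mac: str, ip: Optional[str],
                      device: str, seen: str) -> None:
    """Fold one acquisition result into db (assumed rule, see lead-in)."""
    if ip is not None:
        # An IP was discovered: drop any NA placeholder, then insert or refresh.
        db[:] = [r for r in db if not (r.mac == mac and r.ip is None)]
        for r in db:
            if r.mac == mac and r.ip == ip:
                r.device, r.last_seen = device, seen
                return
        db.append(Record(mac, ip, device, seen))
        return

    mine = [r for r in db if r.mac == mac]
    known = [r for r in mine if r.ip is not None]
    if not known:
        # Nothing to retain yet: keep (or create) the NA placeholder.
        if not mine:
            db.append(Record(mac, None, device, seen))
        for r in mine:
            r.device, r.last_seen = device, seen
        return
    # IP missing now: retain the stored IP(s) seen most recently and
    # move only their device and Last seen values forward.
    newest = max(minutes(r.last_seen) for r in known)
    for r in known:
        if minutes(r.last_seen) == newest:
            r.device, r.last_seen = device, seen


def replay(observations):
    """Apply observations in order and return the resulting table rows."""
    db: List[Record] = []
    for obs in observations:
        apply_acquisition(db, *obs)
    return [(r.mac, r.ip, r.device, r.last_seen) for r in db]


# Acquisition rows copied from Table 7-3 (None = NA).
SCENARIOS = {
    1: [("MAC1", None, "Device 1", "6:35"), ("MAC1", "IP1", "Device 1", "6:40")],
    2: [("MAC1", "IP1", "Device 1", "6:45"), ("MAC1", None, "Device 1", "6:50")],
    3: [("MAC1", "IP1", "Device 1", "6:55"), ("MAC1", "IP2", "Device 1", "6:55"),
        ("MAC1", "IP3", "Device 1", "6:55"), ("MAC1", None, "Device 1", "7:00")],
    4: [("MAC1", "IP1", "Device 1", "4:00"), ("MAC1", "IP2", "Device 1", "5:00"),
        ("MAC1", "IP3", "Device 1", "6:00"), ("MAC1", None, "Device 1", "7:00")],
    5: [("MAC1", "IP1", "Device 1", "4:00"), ("MAC1", "IP1", "Device 2", "5:00"),
        ("MAC1", None, "Device 1", "6:00")],
}

if __name__ == "__main__":
    for number, rows in SCENARIOS.items():
        print(number, replay(rows))
```

In scenarios 2 to 5 the Last seen value moves forward while the IP address is the retained, older value, so the two columns of a record can come from different acquisitions.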
The following properties can be configured in the ut.properties file stored in NMSROOT/campus/etc/cwsi/, where NMSROOT is the root directory where you installed Cisco Prime. Table 7-4 lists the properties that support Duplicate MAC Addresses.
Table 7-4 Properties Supporting Duplicate MAC Addresses
Property: UT.DuplicateMac.Include_SwitchPorts
Description: List of switchports connected to endhosts, for which duplicate MAC entries need to be included in UT Major, UT Minor, UT device based, and UT subnet based Acquisition.
Property: UT.DuplicateMac.Exclude_SwitchPorts
Description: List of switchports connected to endhosts, for which duplicate MAC entries need to be excluded in UT Major, UT Minor, UT device based, and UT subnet based Acquisition.
Property: UT.DuplicateMac.Include_Switches
Description: List of switches connected to end hosts, for which duplicate MAC entries need to be included in UT Major, UT Minor, UT device based, and UT subnet based Acquisition.
Property: UT.DuplicateMac.Exclude_Switches
Description: List of switches connected to end hosts, for which duplicate MAC entries need to be excluded in UT Major, UT Minor, UT device based, and UT subnet based Acquisition.
Property: UT.DuplicateMac.Include_Vlans
Description: List of VLANs associated with endhosts, for which duplicate MAC entries need to be included in UT Major, UT Minor, UT device based, and UT subnet based Acquisition.
Property: UT.DuplicateMac.Exclude_Vlans
Description: List of VLANs associated with endhosts, for which duplicate MAC entries need to be excluded in UT Major, UT Minor, UT device based, and UT subnet based Acquisition.
Property: UT.DuplicateMac.Include_Subnets
Description: List of subnets associated with endhosts, for which duplicate MAC entries need to be included in UT Major, UT Minor, UT device based, and UT subnet based Acquisition.
Property: UT.DuplicateMac.Exclude_Subnets
Description: List of subnets associated with endhosts, for which duplicate MAC entries need to be excluded in UT Major, UT Minor, UT device based, and UT subnet based Acquisition.
Values should be separated by commas.
IP addresses of the devices should be given.
Port numbers should be given along with the device IP address as deviceip:port.
The Exclude list takes precedence over the Include list.
If you use the Include list OR the Exclude list alone, the duplicate MAC addresses will be included or excluded as specified. For example, if you set the Include list as,
UT.DuplicateMac.Include_Switches=X,Y
Duplicate MAC addresses will be allowed only for endhosts connected to Switches X and Y. Duplicate addresses will not be allowed for any other endhost.
If you set both Include and Exclude list as,
UT.DuplicateMac.Include_Switches=X,Y
UT.DuplicateMac.Exclude_Switches=A,B
Duplicate MAC addresses will not be allowed for endhosts connected only to Switches A and B. Duplicate addresses will be allowed for all other end hosts, even for those connected to switches not specified in the Include list. Thus when an Exclude list is set, the Include list is ignored.
The above examples hold good for the Include/Exclude lists of Switchports, Subnets and VLANs.
The SwitchPorts list has the highest priority, followed by Switches, VLANs and Subnets list. For example, if you set
UT.DuplicateMac.Include_SwitchPorts=10.77.211.33:3/2
UT.DuplicateMac.Exclude_Switches=10.77.211.33
Although the switch 10.77.211.33 is in the Exclude list, a switchport belonging to that switch is also present in the Include list. So Duplicate MAC addresses will be allowed for that port on the switch. Thus the SwitchPorts list has higher priority over the Switches list.
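The precedence rules above are easy to get wrong when a ut.properties file grows, so the following added example (not part of LMS or of the original guide) audits the UT.DuplicateMac.* entries for the cases this section describes: an Include list that is ignored because an Exclude list exists at the same level, entries that do not follow the stated value formats, and a switchport Include that overrides a switch Exclude. The finding codes, function names and all sample values other than 10.77.211.33:3/2 are constructed for illustration; IPv4 device addresses are assumed.

```python
import ipaddress
import re

# Priority order stated in the guide: SwitchPorts, Switches, VLANs, Subnets.
LEVELS = ("SwitchPorts", "Switches", "Vlans", "Subnets")
KEY_RE = re.compile(
    r"UT\.DuplicateMac\.(Include|Exclude)_(SwitchPorts|Switches|Vlans|Subnets)")

# Constructed sample fragment of ut.properties.
SAMPLE = """\
# duplicate MAC handling
UT.DuplicateMac.Include_SwitchPorts=10.77.211.33:3/2, 10.77.211.40
UT.DuplicateMac.Include_Switches=10.77.211.50
UT.DuplicateMac.Exclude_Switches=10.77.211.33, core-sw1
HistoryHostPurgeTime=14400
"""


def parse_lists(text):
    """Return {(mode, level): [values]} for the UT.DuplicateMac.* properties."""
    lists = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        match = KEY_RE.fullmatch(key.strip())
        if match:
            lists[match.groups()] = [v.strip() for v in value.split(",") if v.strip()]
    return lists


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def split_port(entry):
    """Split a deviceip:port entry; return None if it is not in that form."""
    device, sep, port = entry.partition(":")
    if sep and port and is_ip(device):
        return device, port
    return None


def lint(text):
    """Return a list of (code, subject) findings for the given file text."""
    lists = parse_lists(text)
    findings = []
    # When an Exclude list is set, the Include list at that level is ignored.
    for level in LEVELS:
        if lists.get(("Include", level)) and lists.get(("Exclude", level)):
            findings.append(("INCLUDE_IGNORED", level))
    # Value formats: deviceip:port for switchports, IP addresses for switches.
    for mode in ("Include", "Exclude"):
        for entry in lists.get((mode, "SwitchPorts"), []):
            if split_port(entry) is None:
                findings.append(("BAD_SWITCHPORT", entry))
        for entry in lists.get((mode, "Switches"), []):
            if not is_ip(entry):
                findings.append(("BAD_SWITCH", entry))
    # A port in Include_SwitchPorts wins over its switch in Exclude_Switches,
    # unless Include_SwitchPorts is itself ignored because of an Exclude list.
    if not lists.get(("Exclude", "SwitchPorts")):
        excluded = set(lists.get(("Exclude", "Switches"), []))
        for entry in lists.get(("Include", "SwitchPorts"), []):
            parsed = split_port(entry)
            if parsed and parsed[0] in excluded:
                findings.append(("PORT_OVERRIDES_SWITCH", entry))
    return findings


if __name__ == "__main__":
    for code, subject in lint(SAMPLE):
        print(f"{code}: {subject}")
```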
Configuring User Tracking Properties from the Backend
This section explains the new user configurable properties that have been added to UT. You can configure properties that control DNS name resolution and history reports, by editing them in the file ut.properties, stored in NMSROOT/campus/etc/cwsi/ where NMSROOT is the root directory where you installed Cisco Prime.
Property: HistoryHostPurgeTime
Description: Purges history entries that are older than the specified time. The value should be provided in minutes. For example, if you want to purge entries older than 10 days, set HistoryHostPurgeTime=14400

Property: UT.nameResolution
Value: both
Description: Name resolution for end hosts using Java APIs JNDI and InetAddress. This property can have the following values:
wins (Use only InetAddress)
dns (Use only JNDI)
wins,dns (First InetAddress then JNDI)
both (JNDI first and InetAddress next)

Property: UT.nameResolution.dnsTimeout
Value: 2000
Description: Time duration for which UT waits for response from the DNS server, for name resolution. The value should be entered in milliseconds.

Property: UT.nameResolution.winsTimeout
Value: 2000
Description: Time duration for which UT waits for response from the DNS server, for name resolution. The value should be entered in milliseconds. This property must be enabled only for windows server.

Property: UTMajorUseDNSCache
Value: false
Description: Uses cache memory for name resolution in subsequent User Tracking discoveries. User Tracking performs DNS Lookup for a host only if the IP address of the host is being resolved for the first time. It does not perform DNS Lookup for every Major Acquisition. This helps the application to reduce the number of queries during User Tracking Acquisition. This in turn reduces the time taken for Acquisition process.

Property: UT.RunLookupAnalyzer
Value: OFF
Description: To analyze the performance of DNS servers and provide the following information in the NMSROOT\log\ut.log file:
DNS Server Efficiency for each DNS Server
Overall Summary of DNS Servers
Namelookup related settings in ut.properties file
Issues found and recommendations to overcome them
Set the value to ON to turn on the feature. You need not enable debugging for UT to get the LookupAnalyzer data in the ut.log file. For details on running Lookup Analyzer utility from the command prompt and example output of the utility, see Using Lookup Analyzer Utility.
Select Admin > Collection Settings > User Tracking > Acquisition Settings. The User Tracking Acquisition settings window appears. Click Define Rogue MACs. The Rogue MAC Configuration window appears. The lists displayed in the window are:
Rogue MAC/OUI List Acceptable MAC/OUI List
Step 2
Step 3
Click Add MAC/OUI to add new entries to the list. The Add MAC/OUI window appears. The Organizationally Unique Identifier (OUI) is a 24-bit number. It is used as an identifier to uniquely identify the vendor, manufacturer, or a worldwide organization. An OUI reserves a block of each type of derivative identifier, such as MAC addresses, group addresses, and Subnetwork Access Protocol identifiers. It is used to identify a network interface controller (NIC), network protocol, or MAC addresses for Ethernet. In case of MAC addresses, OUI is combined with a 24-bit number to form the address. The first three octets of the address are the OUI.
Description: Provides the following options to add MAC addresses to MAC/OUI List:
Manual: Enables you to add MAC/OUI to either the Acceptable MAC/OUI List or to the Rogue MAC/OUI list. The Manual Add option is selected by default.
Import from file: Enables you to import MAC Addresses from a file to the Acceptable MAC/OUI List.
Import from UT: Enables you to import MAC Addresses directly from UT to Acceptable MAC/OUI List.
Add MAC/OUI
Enter the MAC Address or OUI in the text box provided. The values should be separated by spaces, tabs, or commas. You can also enter values on separate lines. The address can have only hexadecimal numbers separated by hyphens. Example: 00-c0-1d-99-06-b6
OUI List
Displays predefined values in LMS. You can select values from the list, to add to the Rogue OUI or Acceptable OUI list. To add more values to the list, add them to the Property file: NMSROOT/campus/etc/cwsi/OUI.properties where NMSROOT is the directory where you installed Cisco Prime. To get the latest OUIs listed by IEEE, see http://standards.ieee.org/regauth/oui/index.shtml
Step 4
Manual Add
Select the required OUIs from the list displayed in OUI List.
Click either the Add to Rogue MAC List or the Add to Acceptable MAC List, based on your requirement. The MAC or OUIs that you enter in the ADD MAC or in the OUI textbox will be added to the list that you selected.
Import From File
Click Browse and browse to the folder location and choose the file to be imported.
Click the Import to Acceptable OUI list. The MACs are converted to OUIs before you add them to the Acceptable MAC/OUI list.
Import From UT
Click the Import to Acceptable OUI list. The MACs are converted to OUIs prior to adding them to the Acceptable MAC/OUI List.
It is mandatory that the file that is imported to Acceptable MAC/OUI list must include the header MAC Address followed by MAC Address entries. In the following example, the file to be imported includes a MAC Address column with MAC Address entries:
MAC Address
MAC 1
MAC 2
MAC 3
The newly added values are reflected in the Rogue MAC Configuration screen.
Step 5
Check Consider unqualified MAC as Rogue. When you check this, LMS treats any new MAC address coming into the network as a Rogue MAC if it is not defined in the Acceptable MAC list.
Step 6
Save Saves the settings to the server. They come into effect in the next UT Major Acquisition cycle.
If Dynamic User Tracking is running, notification for new or Rogue MACs detected in the
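The list handling described in this procedure can be reproduced offline to review what a given configuration will flag. The following is an added example, not LMS code: the function names are hypothetical, the rule that a full MAC entry is checked before its OUI (and Rogue before Acceptable) is an assumption the guide does not state, and all sample addresses except the guide's 00-c0-1d-99-06-b6 are constructed. It also shows the effect of the import step, where MACs are converted to OUIs before being added to the Acceptable list.

```python
import re

MAC_RE = re.compile(r"[0-9a-f]{2}(?:-[0-9a-f]{2}){5}")
OUI_RE = re.compile(r"[0-9a-f]{2}(?:-[0-9a-f]{2}){2}")

# Constructed samples: text as typed into Add MAC/OUI, and an import file.
ROGUE_TEXT = "00-c0-1d-99-06-b6,\t00-11-22\n"
IMPORT_FILE = "MAC Address\n00-AA-BB-00-00-01\n00-aa-bb-00-00-02\n"


def normalize(entry):
    """Return a lower-case hyphen-separated MAC or OUI, or raise ValueError."""
    value = entry.strip().lower()
    if MAC_RE.fullmatch(value) or OUI_RE.fullmatch(value):
        return value
    raise ValueError(f"not a hyphen-separated MAC or OUI: {entry!r}")


def parse_entries(text):
    """Entries may be separated by spaces, tabs, commas or new lines."""
    return {normalize(tok) for tok in re.split(r"[\s,]+", text) if tok}


def oui_of(mac):
    """The first three octets of the address are the OUI."""
    return normalize(mac)[:8]


def import_acceptable(file_text):
    """Read an import file: header 'MAC Address', then one MAC per line.

    As in the Import From File step, each MAC is reduced to its OUI.
    """
    lines = [ln.strip() for ln in file_text.splitlines() if ln.strip()]
    if not lines or lines[0] != "MAC Address":
        raise ValueError("import file must start with the header 'MAC Address'")
    return {oui_of(ln) for ln in lines[1:]}


def classify(mac, rogue, acceptable, unqualified_is_rogue):
    """Return 'rogue', 'acceptable' or 'new' for one discovered MAC.

    Assumption: the full MAC is looked up before its OUI, and the Rogue
    list is consulted before the Acceptable list at each step.
    """
    mac = normalize(mac)
    if len(mac) != 17:
        raise ValueError("classify() needs a full six-octet MAC address")
    for key in (mac, mac[:8]):
        if key in rogue:
            return "rogue"
        if key in acceptable:
            return "acceptable"
    # Not on either list: "Consider unqualified MAC as Rogue" decides.
    return "rogue" if unqualified_is_rogue else "new"


if __name__ == "__main__":
    rogue = parse_entries(ROGUE_TEXT)
    acceptable = import_acceptable(IMPORT_FILE)
    for seen in ("00-aa-bb-12-34-56", "00-c0-1d-99-06-b6",
                 "00-11-22-33-44-55", "00-de-ad-00-00-01"):
        print(seen, classify(seen, rogue, acceptable, True))
```

Because the import keeps only the OUI, 00-aa-bb-12-34-56 is accepted although it was never in the imported file; every address in an imported vendor block becomes acceptable.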
Select Admin > Collection Settings > User Tracking > Acquisition Schedule. The Acquisition Schedule dialog box appears. Start the user tracking major acquisition for all or failed devices as specified below:
Step 2
Select either All devices or Failed devices. Click Start to start the user tracking major acquisition immediately for the selected devices. The UT Acquisition Confirmation pop-up appears. Click OK to start user tracking acquisition. A success message appears. Click OK. To cancel the user tracking acquisition process, click Cancel.
Description Specify, in minutes, the periodicity at which a minor acquisition should take place.
Specify the time at which a major acquisition is to None. take place. Specify the days of the week on which a major acquisition is to be scheduled.
Days on which and the time at which a major acquisition is to be carried out. Select the days of the week on which a major acquisition is to be scheduled. Select the schedule and do any of the following:
You can add new schedules and edit or delete existing schedules. This field is available only when you are adding or editing a schedule.
Step 4
Click Edit to edit the schedule. Click Delete to delete the schedule. Click Add to add a new schedule.
Step 5 Step 6
Click OK to save the changes or Cancel to cancel the changes. Click Apply after adding or editing a schedule.
Select Admin > Collection Settings > User Tracking > Ping Sweep. The Ping Sweep dialog box appears. Choose any of the following:
Step 2
Disable Ping Sweep
Perform Ping Sweep on all subnets
Exclude subnets from Ping Sweep
When you choose Exclude subnets from Ping Sweep, select the subnets that you want to exclude from Ping Sweep. You can select subnets from the list of available subnets and add to the list of subnets to be excluded.
Step 3
Specify the Wait Interval, if Ping Sweep is enabled. Wait Interval is the time duration between pinging subnets. The interval ensures that the network is not flooded with ping packets. For example, assume that you have included 4 subnets for pinging, and set the wait interval to 10 seconds. If Subnets 1 and 2 are connected to Device 1, and Subnets 3 and 4 are connected to Device 2, then 10 seconds elapse between pinging Subnets 1 and 2. After pinging both the subnets, acquisition starts on Device 1. The same happens with Device 2.
Step 4
Click Apply. User Tracking does not perform Ping Sweep on large subnets. For more details, see Notes on Ping Sweep Option.
Configure a higher value for the ARP cache time-out on the routers. To configure the value, you must use the arp timeout interface configuration command on devices running Cisco IOS.
Use any external software that will enable you to ping the host IP addresses. This will ensure that when you run User Tracking Acquisition the ARP cache of the router contains the IP addresses.
Select Admin > Collection Settings > User Tracking > Subnet Acquisition Configuration. The Configure Subnet Acquisition dialog box appears. Select either of the following options:
Step 2
Perform acquisition on all subnets All the subnets are included for User Tracking Major Acquisition. If you select this option do not perform steps 4 and 5.
Or
Step 3
Perform major acquisition on selected subnets All subnets added to the Selected Subnets list are included for User Tracking acquisition.
Or
Do not perform major acquisition on selected subnets All subnets added to the Selected Subnets list are excluded for User Tracking acquisition.
Step 4
Select subnets from the list of Available Subnets and add them to the list of Selected Subnets. In the User Tracking Acquisition Action page (Admin > Collection Settings > User Tracking > Acquisition Action), the Acquire Only VLAN Specific to Subnet check box is available.
If you select this check box, only the work stations associated to the VLANs that are mapped to the selected subnets will be acquired. If you do not select this check box, work stations associated to all the available VLANs in the selected subnets will be acquired.
Click Apply.
Select Admin > Network > Purge Settings > User Tracking Purge Policy. The Delete Interval dialog box appears. Specify delete intervals for end host, IP phone and history tables. Either:
Step 2 Step 3
Click Delete now to delete the entries immediately. If you select this step do not perform Step 4.
Or
Select Delete After Every Major Acquisition. If you select this option, LMS will delete records older than the specified interval, after every UT Major Acquisition.
Step 4
Click Apply.
Link ports: Trunk ports connected to Cisco devices (Switch or Router).
Non-link ports: Trunk ports connected to end hosts or IP phones.
In a switched network, many clients from different VLANs might access an enterprise resource, such as a database server. If the server has only a standard Ethernet NIC, it can belong to only one VLAN. Clients that belong to a different VLAN would have to send their traffic to a router. The router forwards the frames to the database server. The problem with this approach is the latency introduced by the router. To overcome this, a trunk-capable NIC that understands multiple VLAN information can be placed in the server. With this arrangement, an end station need not send its frame to the router. Instead it can directly access the file server. This makes the access much faster. To configure trunk ports:
Step 1
Select Admin > Collection Settings > User Tracking > Acquisition Configuration in Trunk. The Configure Trunk for End Hosts Discovery page appears. You can:
Select Enable End Host Discovery on all Trunks to include all non-link trunk ports in UT
Step 2
non-link trunk ports in UT Major Acquisition. After choosing this option, go to Step 3.
Select Disable End Host Discovery on Trunks to disable this feature. For this option, only the
end hosts connected to access ports will be discovered by UT Major Acquisition. After choosing this option, go to Step 8.
Step 3 Step 4
Select the list of switches where end hosts are connected to trunk ports, from the device selector. Click Show Trunks. This displays the list of non-link trunk ports from the selected switches. Non-link trunk ports in down state are also listed here. If you have selected devices that do not have non-link trunk ports, a message is displayed indicating the same. Change your selection to devices that have non-link trunk ports and click Show Trunks, to display the ports. Link ports are not listed here.
Step 5 Step 6
Select the list of trunk ports where end hosts are connected from the Available Trunks list. Click Add. The selected ports are displayed under the Selected Trunks list.
Step 7
Select either
Discover End Hosts on Trunks to include the selected ports in UT Major Acquisition.
Or
Step 8
Do not Discover End Hosts on Trunks to exclude the selected ports from UT Major Acquisition.
Click Apply. This saves the configuration on the server. After saving the configuration, run Data Collection. End hosts connected to trunk ports will be discovered in successive UT Major Acquisitions. For Dynamic User Tracking to track end hosts connected to trunk ports, enable SNMP traps in these ports. For details on Enabling SNMP traps, see Enabling SNMP Traps on Switch Ports.
Step 1 Select Admin > Collection Settings > User Tracking > Table Import. The End Host Table Import dialog box appears.
Step 2 Specify the name of the file from which you are importing the end host table data.
Step 3 Click Apply.
Note
We recommend that you import a .CSV or .txt file. The imported file must have the following mandatory headers: MAC Address, User Name and Notes. For example: MAC1 Peter Finance department
OL-20721-01
Chapter 7
Similarly, if an end host is disconnected from a switch port, an SNMP MAC notification trap is sent from the switch to LMS indicating a DELETE event. Thus LMS provides real-time data about end hosts coming into and moving out of the network. Traps from suspended devices are not processed by LMS.
The difference between a UT Major Acquisition and a Dynamic UT process is that LMS collects data from the network at regular intervals for UT Major Acquisition, whereas in Dynamic UT the devices send traps to LMS as and when changes happen in the network. This implies that you need not wait till the next UT Major Acquisition cycle to see the changes that have happened in your network. This is an improvement over the earlier versions, where updates on end host information happened based on the polling cycle.
As a result of Dynamic updates, the following reports contain up-to-date information:
- End-Host Report: Contains information from UT Major Acquisition and the recently added end-hosts.
- History Report: Contains information from UT Major Acquisition and the recently disconnected end-hosts or end-hosts that have moved between ports or VLANs.
- Switch Port reports: Contains information about the utilization of switch ports.
SNMP Traps are generated when a host is connected to the network, disconnected from the network or when it moves between VLANs or ports in the network. To enable the Dynamic Updates feature:
- Switches must be managed by LMS.
- Configure LMS as a primary or secondary receiver of the MAC notifications. For details, see SNMP MAC Notification Listener.
- Configure all devices to send traps to the Trap Listener port of the LMS server. (This is the port number that you would have configured on the LMS Administration screen.) For more details, see Enabling SNMP Traps on Switch Ports.
- Configure DHCP snooping on the switches. Dynamic Host Configuration Protocol (DHCP) snooping is a security feature that filters untrusted DHCP messages received from outside the network or firewall, and builds and maintains a DHCP snooping binding table. LMS queries the CISCO-DHCP-SNOOPING-MIB to get the IP address of the connected end-host. For details on configuring DHCP, see http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/scg.html
User Tracking collects username and IP address through UTLite for Windows environment. For more details, see Understanding UTLite.
In a Windows environment you can either install UTLite or configure DHCP snooping to get IP address of the end host. They can also co-exist.
If you have neither installed UTLite nor enabled DHCP snooping, the IP address of the end-host connected will be updated only in the next UT Major Acquisition cycle. The ARP cache of the device should be populated with the IP address, for UT Major Acquisition to discover it. The User Tracking Dynamic Updates process includes:
- MAC User-Host Information Collector (MACUHIC) Process
- User Tracking Manager (UTManager) Process
- UTLite
Checks whether the traps are generated from a switch managed by LMS. Checks whether the source is an access port. Updates LMS database. Informs UTManager if the trap is received for an ADD event.
UTLite
UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active Directory, and Novell servers. To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell servers. You can also install UTLite in an Active Directory server. For complete information, see Understanding UTLite. When an end-host is connected to your network, the following happens in the background.
1. The switch to which it is connected sends a MAC notification.
2. The MACUHIC process in LMS receives the MAC notification either directly from the switch or through other applications like LMS Monitor and Troubleshoot module or HPOV.
3. After processing this MAC notification, MACUHIC informs the UTManager.
4. LMS updates the database with the username and IP Address received from the UTLite. Database does not contain the complete information about the end host.
5. UTManager finds the following details:
Subnet, VTP domain, VLAN, Port duplex, and port speed from XML files generated after Data Collection.
LMS updates the database with the complete User Tracking information for the host. The User Tracking end host history reports, end host reports, reports on switch ports, wireless clients, duplicate MAC addresses, and duplicate IP addresses, use this updated information while generating reports.
Step 1 Select Admin > Collection Settings > User Tracking > Dynamic Update Process Status. The Dynamic Updates Process Status window appears. If you have started the process already, the status window shows Dynamic Updates Processes are RUNNING.
Step 2 The Stop button then toggles to Start, and the status window shows Dynamic Updates Processes are When you stop these processes, LMS stops processing traps sent by devices.
Step 3 Click Start to restart the Dynamic Updates processes. The Start button again toggles to Stop.
If you do not have Configuration Management functionality enabled on your LMS Server, you must manually configure the switches to send MAC Notifications to the LMS server.
Note
LMS supports only those switches that contain the Management Information Base (MIB) named MAC Notification, for enabling the SNMP traps.
Through LMS Interface
The switches must be managed by LMS. If the devices are managed in SNMP version 2 (SNMPv2), you need to configure the Read as well as the Write community strings to enable MAC Notification in the switches.
Configure the LMS server secondary credentials in LMS. You can set them up at Admin > Collection Settings > Config > Secondary Credential Settings. For more details, see Secondary Credentials.
Note
LMS configures SNMP MAC Notification version 1 as the default version on switches for Dynamic Updates. To enable MAC notification in switches:
Step 1 Select Admin > Collection Settings > User Tracking > Device Trap Configuration. The Configure Trap on Devices dialog box appears.
Step 2 Select the switches for which you want to enable the traps, from the Device Selector.
Step 3 Click Configure to see the devices that you have selected.
Step 4 Click Configure to configure MAC notification on the ports in the devices. The Configure MAC-Notification Trap on Ports dialog box appears. Table 7-8 describes the entries in the Configure MAC-Notification Trap on Ports dialog box.
Table 7-8 Configure MAC-Notification Trap on Ports Field Description
Description
- Check the check box to configure devices to send SNMP traps to LMS. To configure LMS to listen to traps sent from devices, see Configuring SNMP Trap Listener.
- Set a community string for the SNMP traps sent by devices. This property is enabled only when LMS is the Primary receiver for SNMP traps. This string is added to the list of valid strings in the Dynamic User Tracking Configuration screen.
- Check the check box to make this community string the default for future configurations, if LMS is the Primary Trap receiver.
- Allows you to filter the ports listed, based on port name, device name and the device address (IP address of the device).
- Port number that you entered for receiving traps. The default trap receiver port number of the LMS server is 1431.
Table 7-8 Configure MAC-Notification Trap on Ports (continued)
Description
- Name of the port. Access ports as well as Non-link Trunk ports are listed.
- Name corresponding to IP address of the switch.
- IP address of the switch.
- Select to view 10 to 50 rows on a page.
Step 5 Check the check boxes to select the ports on which you want to enable SNMP traps.
Step 6 Click Configure to enable the SNMP traps. An Information window appears.
Step 7 Click OK.
If you select LMS as the Primary listener, the MAC notifications reach the application directly from the switches. If you select LMS as the Secondary listener, (with HPOV or LMS Monitor and Troubleshoot module as the primary listener), MAC notifications reach LMS through HPOV or LMS Monitor and Troubleshoot module.
Note
Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps. To select the MAC notification listener, see the following sections:
- Configuring SNMP Trap Listener
- HPOV as Primary Listener
- LMS Fault Monitor Module as Primary Listener
Step 1 Select Admin > Collection Settings > User Tracking > Trap Listener Configuration. The Trap Listener Configuration dialog box appears.
Step 2 Check Listen traps from Device to configure the trap reception directly from the devices. This makes LMS the primary listener for receiving SNMP traps from devices.
OR
Check Listen traps from Fault Monitor/HPOV to receive the traps through these applications. In this case, LMS Fault Monitor or HPOV acts as the primary listener for SNMP traps from devices. They forward the traps to LMS, which acts as the secondary listener.
If both options are enabled, LMS can receive traps directly from devices, from HPOV and from LMS Fault Monitor module.
Step 3 Enter the port number of the port through which you want to receive the traps, in the Trap Listener Port field. The default trap listener port number of the LMS server is 1431.
Step 4 Click Apply to save the details.
- Install Cisco Prime Integration Utility
- Install Trap Adapter for HPOV
The supported versions of HPOV are HPOV 7.50, HPOV 7.51 and HPOV 7.53.
Install Cisco Prime Integration Utility
You must have CiscoWorks Integration Utility (Integration Utility) installed on your system. Integration Utility is a utility that integrates Cisco Prime applications with third-party Network Management Systems (NMS). This utility is available as part of the DVD in the LMS 4.1. This integration utility adds Cisco device icons to topology maps, allows Cisco MIB browsing from NMS, and sets up menu items on the NMS to launch remotely installed Cisco Prime applications. See User Guide for CiscoWorks Integration Utility 1.7, for more details on the integration utility.
Note
You must install the Integration Utility on the same machine on which you have installed HPOV.
LMS supports Trap Adapter for OpenView on Windows and Solaris operating systems. To install the adapter on Windows:
Step 1 Locate the TrapListener.conf file in the NMSROOT/campus/hpovadapter/WIN/ directory.
Step 2 Modify the Trap Receiver address and the port number to the LMS values, in the file.
Step 3 Set the LIB environment variable to HP OpenView lib directory.
Step 4 Run the fwdTrap.exe program located in the same directory. The Trap Adapter gets attached to OpenView process and starts sending traps to the LMS server.
Step 1 Locate the TrapListener.conf file in the /opt/CSCOpx/campus/hpovadapter/SOL directory.
Step 2 Modify the Trap Receiver address and the port number to the LMS values, in the file.
Step 3 Set the LD_LIBRARY_PATH environment variable to HP OpenView lib directory.
Step 4 Run the fwdTrap program located in the same directory. The Trap Adapter gets attached to OpenView process and starts sending traps to the LMS server.
The supported platforms for the HP NNM and HPOV adapters are:
Network Management System | Supported Platforms
HP OpenView 9.1 | Solaris 10; Windows 2008 R2 Standard x 64 Edition
HP OpenView 9.01 | Solaris 10; Windows 2008 R2 Standard x 64 Edition
HP OpenView 9.0 | Solaris 10; Windows Server 2008 x64 with Service Pack 2; Windows Server 2008 x64 R2 with Service Pack 2
From LMS
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding. The Notification Services page appears.
Step 2 Enter the Hostname and the port number of the LMS server to which you want to forward the MAC Notifications.
Step 3 Click Apply to configure. The trapd.conf file is modified and the DFMServer process is restarted.
Note
If you configure through CiscoWorks, LMS server receives all Traps including MAC Notification.
From the LMS Fault Monitor Server
Step 1 Access the LMS Fault Monitor server using Telnet.
Step 2 Enter pdterm DfmServer at the command line to stop the LMS Fault Monitor server.
Step 3 Navigate to NMSROOT/object/smarts/conf/trapd directory.
Step 4 Edit the trapd.conf file in the directory to reflect the following changes. Enter:
FORWARD: address OID generic type specific type \
host [:port] | [:port:community] [host [:port] | [:port:community] ...],
where the explanation for each variable is provided in the trapd.conf file.
Step 5 Enter pdexec DfmServer at the command line to restart the LMS Fault Monitor server.
Step 1 Select Admin > Collection Settings > User Tracking > Dynamic User Tracking Configuration. The Dynamic User Tracking Configuration page appears.
Step 2 Select the Validate SNMP Community check box. LMS validates the community string in SNMP traps, with the values you have set. You can add community strings only after checking this check box.
If you configure a device with SNMP v2 or v1 settings in DCR, then the device is initially queried with SNMP v2 by LMS. If the query fails, LMS will query the device with SNMP v1. If you configure a device with SNMPv3 settings in DCR, then the device is queried with SNMP v3. However, if the query fails, the same device will not be queried with SNMP v2 or v1.
Step 3 Enter the community string in the Valid Community List text box and click Add. You can add the community strings one at a time. You can use the Delete button to remove the extra or erroneous strings. The default Trap community string that you might have added in the Device Trap configuration screen is also listed here.
Step 4 Select the Validate Trap Source check box. LMS validates the source IP Address of the trap. You can add the list of IP Addresses only after checking this check box.
Step 5 Enter the IP Address in the text box provided and click Add. You can use the Delete button to delete extra or erroneous entries.
Step 6 Click Apply to save changes to the server. To revert to the default values, click Reset.
You can use any one of the options to filter SNMP traps. For example:
To process traps from all sources that have private or test as the community string, set:
Validate SNMP Community = true (by checking the check box)
Community String = private, test
Validate Trap Source = false
Traps from all sources with community string private or test will then be processed by LMS.
To process traps from the listed IP addresses, with the community string private or test, set:
Validate SNMP Community = true
Community String = private, test
Validate Trap Source = true
Valid IP Addresses = 10.77.210.211, 10.77.210.212
Traps from the listed IP addresses, with the community string private or test, will then be processed by LMS. In this case, LMS first validates the community string, and if it matches, validates the source address.
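The filter order described above, applied to raw trap datagrams, as an added Python example (not LMS code): it reads the SNMP version and community string from the message header, rejects SNMPv3 messages because LMS processes only SNMPv1/SNMPv2 traps, then checks the community list and the source address. The class, function names and sample datagrams are assumptions constructed for illustration; the community strings and IP addresses are the ones used in the text.

```python
import ipaddress
from dataclasses import dataclass, field

# SNMP message version field: 0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}


def read_tlv(buf, pos):
    """Decode one BER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("value runs past end of datagram")
    return tag, buf[pos:pos + length], pos + length


def parse_trap_header(datagram):
    """Return (version_name, community) from the outer SNMP message."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, raw_version, pos = read_tlv(body, 0)
    if tag != 0x02 or not raw_version:
        raise ValueError("version is not an INTEGER")
    version = VERSION_NAMES.get(int.from_bytes(raw_version, "big"))
    if version is None:
        raise ValueError("unknown SNMP version")
    if version == "v3":
        return version, None  # v3 messages carry no community string
    tag, community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    return version, community.decode("latin-1")


@dataclass
class TrapFilter:
    """Hypothetical model of the Dynamic User Tracking Configuration page."""
    validate_community: bool = False
    valid_communities: set = field(default_factory=set)
    validate_source: bool = False
    valid_sources: set = field(default_factory=set)

    def decide(self, source_ip, datagram):
        """Return (accepted, reason) for one received trap datagram."""
        try:
            version, community = parse_trap_header(datagram)
        except ValueError as exc:
            return False, f"malformed trap: {exc}"
        if version == "v3":
            return False, "only SNMPv1/SNMPv2 traps are processed"
        # The community string is validated first, then the source address.
        if self.validate_community and community not in self.valid_communities:
            return False, "community not in Valid Community List"
        if self.validate_source:
            allowed = {ipaddress.ip_address(a) for a in self.valid_sources}
            if ipaddress.ip_address(source_ip) not in allowed:
                return False, "source not in valid IP address list"
        return True, "accepted"


def tlv(tag, value):
    """Encode a short-form BER TLV (sample data only, value under 128 bytes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def sample_trap(version, community):
    """Constructed datagram: message header plus an empty trap PDU."""
    pdu_tag = 0xA4 if version == 0 else 0xA7  # v1 Trap-PDU / SNMPv2-Trap-PDU
    body = (tlv(0x02, bytes([version])) + tlv(0x04, community.encode())
            + tlv(pdu_tag, b""))
    return tlv(0x30, body)


def sample_v3():
    """Constructed SNMPv3-style datagram: version 3, then a header SEQUENCE."""
    return tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, b""))


if __name__ == "__main__":
    # Second scenario from the text: community and source both validated.
    lms = TrapFilter(True, {"private", "test"}, True,
                     {"10.77.210.211", "10.77.210.212"})
    for src, pkt in [("10.77.210.211", sample_trap(1, "private")),
                     ("10.77.210.211", sample_trap(1, "public")),
                     ("10.77.210.213", sample_trap(0, "test")),
                     ("10.77.210.212", sample_v3())]:
        print(src, lms.decide(src, pkt))
```

SNMPv1/v2c sends the community string in cleartext and UDP source addresses are not authenticated, so both checks screen out stray or misdirected traps rather than authenticate the sender.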
- Understanding UTU
- Hardware and Software Requirements for UTU
- Downloading UTU
- Installing UTU
- Accessing UTU
- Configuring UTU
- Searching for Users, Hosts or IP Phones Using UTU
- Uninstalling UTU
- Upgrading to UTU 2.0
- Re-installing UTU 2.0
Understanding UTU
User Tracking Utility (UTU) allows users with Help Desk access to search for users, hosts, or IP Phones discovered by LMS User Tracking application. UTU comprises a server-side component and a client utility. UTU is supported on LMS 3.0 (Campus Manager 5.0.6), LMS 3.1 (Campus Manager 5.1.4), and LMS 3.2 (Campus Manager 5.2.1). To use UTU in LMS 4.1, Network Topology, Layer 2 Services and User Tracking must be enabled and accessible through the network. UTU 2.0 supports silent installation mode for easy deployment. It supports communication with the LMS server in Secure Sockets Layer (SSL) mode. The following features are supported in the Cisco Prime User Tracking Utility 2.0 release:
Windows Vista Support
Earlier, User Tracking Utility did not work on Windows Vista client systems because of library conflicts. UTU 2.0 is built on Microsoft .Net Framework and Windows Presentation Foundation (WPF). With this, UTU 2.0 now works on Windows Vista client systems.
Support for Phone Number Search
In this release, UTU supports searching phone numbers in addition to existing search criteria.
Requirement Type | Minimum Requirements
System hardware | IBM PC-compatible computer with Intel Pentium processor.
System software | Windows 2008
Windows XP with SP2 or SP3
Windows Vista
LMS 3.0 (Campus Manager 5.0.6), or LMS 3.1 (Campus Manager 5.1.4), or LMS 3.2 (Campus Manager 5.2.1), or LMS 4.1 (Network Topology, Layer 2 Services and User Tracking)
Microsoft .Net Runtime 3.5 Service Pack 1. You can download Microsoft .Net Runtime 3.5 Service Pack 1 from http://www.microsoft.com
512 MB
Network Connectivity | LMS 3.0 (Campus Manager 5.0.6) or LMS 3.1 (Campus Manager 5.1.4) or LMS 3.2 (Campus Manager 5.2.1) or LMS 4.1 (Network Topology, Layer 2 Services and User Tracking) must be running, and accessible through the network
Downloading UTU
UTU requires CiscoWorksUserTrackingUtility2.0.exe file to be downloaded and installed. To download UTU 2.0:
Step 1 Click http://www.cisco.com/public/sw-center/index.shtml. You must be a registered Cisco.com user to access this Software Download site. The site prompts you to enter your Cisco.com username and password in the login screen, if you have not logged in already.
Step 2 Select the Software Product Category as Network Management and Automation.
Step 3 Select Routing and Switching Management > Network Management Solutions > CiscoWorks LAN Management Solution Products > CiscoWorks LAN Management Solution 4.0 and later from the product tree.
Step 4 Select LMS 4.1.
Step 5 Select the appropriate product software type.
Step 6 Select a product release version from the Latest Releases folder and locate the software update to download.
Step 7 Locate the file CiscoWorksUserTrackingUtility2.0.zip. This zip file contains CiscoWorksUserTrackingUtility2.0.exe and the setup.iss file (required for silent installation).
Step 8 Click the Download Now button to download and save the device package file to any local directory on LMS Server.
Step 9 Extract the file using any file extractor such as WinZip.
Installing UTU
You can install UTU 2.0 either in normal installation mode or silent installation mode. Before you install UTU 2.0, check whether your system meets the requirements mentioned in Hardware and Software Requirements for UTU. This section explains:
CiscoWorksUserTrackingUtility2.0.exe file
file-location is the directory where you have the setup.iss file.
Do not use space after the -f1 option. Use the complete path for file-location. For example, if the install directory for UTU is c:\utu, enter the following at the command prompt:
c:\utu\CiscoWorksUserTrackingUtility2.0.exe -a -s -f1c:\utu\setup.iss
UTU is installed in the C:\Program Files\CSCOutu2.0 directory, by default. If you want to install UTU in some other directory, you must edit the content of the setup.iss file. Change the value of the szDir attribute in the setup.iss file. For example, if you want to set the installation directory as D:\utu20, change szDir=C:\Program Files\CSCOutu2.0 to szDir=D:\utu20 in the setup.iss file.
Setup.log File
The setup.log file is created during the installation in the same directory where you have extracted the setup.iss file. Check the setup.log file to confirm the installation completion status. The value of the ResultCode attribute in setup.log tells you whether the installation has completed successfully. The value 0 denotes that the UTU installation in silent mode is successful. When the value of the ResultCode attribute is other than 0, you must install UTU again.
Step 1 Log into the system with local system administrator privileges.
Step 2 Navigate to the directory that contains CiscoWorksUserTrackingUtility2.0.exe.
Step 3 Double-click CiscoWorksUserTrackingUtility2.0.exe to begin installation. The User Tracking Utility Welcome screen appears.
Step 4 Click Next. A warning message appears if you have not installed .Net Framework 3.5 SP1. You can install .Net Framework 3.5 SP1 after terminating the current UTU installation or before completing the current UTU installation.
Step 5 Click Next. A confirmation message appears.
Step 6 Click Yes. The Choose Destination Location dialog box appears. By default, UTU is installed in the directory C:\Program Files\CSCOutu2.0.
Note
If you have installed .Net Framework 3.5 SP1 already on the system, the installer directs you to the Choose Destination dialog box, when you click Next in the User Tracking Utility Welcome screen.
If you click No in the confirmation message, the warning message appears again stating that you have not installed .Net Framework 3.5 SP1. You can download and install .Net Framework 3.5 SP1, and then continue with the UTU installation.
Step 7 Click Browse to choose a different directory and click OK. Click Next to continue with the installation.
Click Finish to complete the installation. User Tracking Utility is installed at the destination location you specified in Step 7 above and a shortcut to UTU is created on the desktop. To access the utility, see Accessing UTU.
Accessing UTU
To access UTU, click either:
Start > Programs > Cisco Prime UTU 2.0 > Cisco Prime User Tracking Utility 2.0
Or
The UTU band appears. See Figure 7-1 for UTU 2.0 band. You can also find an icon in the task bar. You can use this icon to restore the UTU band when minimized.
Figure 7-1 User Tracking Utility - Search Band
After a system restart and during the startup, the system launches the UTU automatically.
Configuring UTU
You must configure UTU to set the Campus Manager (for releases earlier than LMS 4.0), or LMS 4.1 server configurations. To configure UTU:
Step 1
Right-click the UTU search band. A popup menu appears. Click Settings.
b.
Enter the name or IP Address of the server on which Campus Manager (for releases earlier than LMS 4.0), or LMS 4.1 is installed. Enter the port number of the LMS Server. The default HTTP port number is 1741. You can modify the port number if required. Click Enable SSL for communicating with an SSL enabled server. The port is changed to 443, which is the default port for SSL. You can modify the port number if required. See Figure 7-2.
Figure 7-2 Enabling SSL
Step 4
Step 5
Enter a valid CiscoWorks Server user name and password. This is used to verify the validity of the user when searching for users, hosts, or IP Phones. Confirm the password by re-entering it.
Step 6
Step 7
Select the Remember me on this computer checkbox if you want the client system to remember your credentials. The credentials are preserved only for the current user of Windows system. The credentials are not available when you log into the Windows system with a different user name.
Step 8
Note
Step 1 Right-click the UTU search band. A popup menu appears with the default search criterion Host name/IP Address selected.
Step 2 Select a search criterion from the popup menu. You can search using:
- User name
- Host name or IP Address
- Device name or IP Address
- MAC Address
- Phone number
The default search criterion is host name or IP Address of the host. The selected criterion is set for future searches until you change the criterion.
Step 3 Enter any value related to user name, host name, device name, IP Address, Phone number or the MAC Address in the UTU search field. For example, you can enter 10.77.208 in the search field.
Step 4 Press Enter. If your server is not SSL enabled, go to Step 7. When you query for data from an SSL enabled server, the Certificate Summary dialog box appears.
Step 5 Click Details to view the certificate details. You can verify the authenticity and correctness of the SSL server here. See Figure 7-3.
Figure 7-3 Certificate Details
You can click Summary to go back to the Certificate Viewer dialog box.
Step 6 Click Yes in the Certificate Viewer dialog box or Certificate Details dialog box to accept and store the certificate. SSL connection is established with the server. If you click No, the certificate is not stored and no connection is established with the server.
Note
The Certificate Viewer dialog box appears only for the first time configuration. If you had clicked Yes the first time, you are not prompted to store the certificate during subsequent sessions.
Step 7 Click the X Record(s) Found button to launch the results window. X denotes the number of matches found. For example, if there are 4 matches found, the UTU Search band displays 4 Record(s) Found. See Figure 7-4.
Figure 7-4
UTU search returns only the top 500 records if the number of matches exceeds 500. You must refine your search if you want better and more accurate results.
Step 8 Select an entry in the Results window. UTU displays the search results, which is a list of user names, host names, IP Addresses, or MAC Addresses, in a Results window. The Results window has the following options:
- Copy to Clipboard, where you can copy the selected search result record.
- Copy All to Clipboard, where you can copy all the search result records.
- Close, which you can use to close the window.
For a selected search result record, the Results window displays the details as described in:
- Table 7-10 for all search criteria except Phone Number
- Table 7-11 for search based on Phone Number
See Figure 7-5 for MAC Address search results window and Figure 7-6 for IP Phone search results window.
Table 7-10 Details for Each Entry in Results Window For a User or Host Search
Entry | Description
User Name | Name of the user logged in to the host.
MAC Address | Media Access Control (MAC) address of network interface card in end-user node.
Host IP Address | IP Address of the host.
Host Name | Name of the host discovered by User Tracking.
Subnet | Subnet to which the host belongs.
Subnet Mask | Subnet mask of the host.
Device name | Name of the switch.
Device IP Address | IP Address of the switch.
VLAN | VLAN to which the port of the switch belongs.
Port | Port number to which the host is connected.
Port Description | Description of the port number to which the host is connected.
Port State | State of the port: Static or Dynamic.
Port Speed | Bandwidth of the port of the switch.
Table 7-10 Details for Each Entry in Results Window For a User or Host Search (continued)
Description
- Port Duplex configuration details on the device.
- Date and time when User Tracking last found an entry for this user or host in a switch. Last Seen is displayed in the format yyyy/mm/dd hh:mm:ss.
Figure 7-5
Table 7-11 Details for Each Entry in Results Window For a Phone Number Search
Entry | Description
Phone Number | IP Phone number.
MAC Address | Media Access Control (MAC) address of network interface card on the phone.
Phone IP Address | IP Address of the phone.
CCM Address | IP Address of the Cisco Call Manager.
Status | Status of the phone, as known to Cisco Call Manager.
Phone Type | Model of the phone. Can be SP30, SP30+, 12S, 12SP, 12SPplus, 30SPplus, 30VIP, SoftPhone, or unknown.
Phone Description | Description of the phone.
Device Name | Name corresponding to IP Address of device.
Device IP Address | IP Address of the device.
Port | Port number to which the phone is connected.
Table 7-11 Details for Each Entry in Results Window For a Phone Number Search (continued)
Description
- Description of the port to which the phone is connected.
- Date and time when User Tracking last found an entry. Last Seen is displayed in the format yyyy/mm/dd hh:mm:ss.
Figure 7-6
Note
The search results for the value you enter in the search field depend on the default search criteria.
Uninstalling UTU
Ensure that UTU is not running while uninstalling. If you try to uninstall UTU when it is running, an error message appears and uninstallation terminates. To uninstall UTU:
Step 1 Select Start > Programs > Cisco Prime UTU 2.0 > Uninstall CiscoWorks User Tracking Utility 2.0 from the Windows task bar. The Uninstallation wizard appears and prompts you to confirm the UTU uninstallation.
Step 2 Click Yes. The Uninstallation continues.
Step 3 Click Finish to exit the uninstallation wizard.
CHAPTER
Using the Inventory Job Browser Inventory Collection Settings Secondary Credentials Changing the Schedule for System Inventory Collection or Polling, and PSIRT/EOX System PSIRT or End-of-Sale or End-of-Life Data Administration Administering VRF Lite Modifying Fault Management SNMP Timeout and Retries Configuring Fault Management Rediscovery Schedules Configuring Event Forensics Fault Monitoring Device Administration Device Management Functions Performance Management SNMP Timeouts and Retry Settings IPSLA Application Settings Setting Up Archive Management Defining the Configuration Collection Settings Configuring Transport Protocols Overview: Common Syslog Collector Viewing Status and Subscribing to a Common Syslog Collector
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform these tasks.
When you install LMS, a default job is defined for Inventory Collection and Inventory Polling. When the default job runs, LMS evaluates the all devices group and executes the job. This way, whenever new devices are added to the system, these devices are also included in the default collection/polling job. For the default system jobs, the device list cannot be edited. You can only change the schedule of those jobs. Therefore, when a periodic system job for inventory collection or polling is scheduled, the scheduled job is not displayed in the Inventory Job Browser.
The default system jobs for Inventory Collection and Inventory Polling are created immediately after installation. However, they may appear in the Inventory Job Browser (Inventory > Job Browsers > Inventory Collection or Admin > Collection Settings > Inventory > Inventory Jobs) and the LMS Job Browser (Admin > Jobs > Browser) only after some time has elapsed. The jobs are displayed in the Job Browser when they are running, or after they are completed, with all the details such as Job ID, Job Type, and Status. User-defined jobs, however, are displayed in the Job Browser once they are scheduled, when they are running, and after they are completed.
You can do the following tasks from the Inventory Job Browser:
- Viewing Job Details
- Creating and Editing an Inventory Collection or Polling Job
- Stopping, Cancelling or Deleting an Inventory Collection or Polling Job
Chapter 8
Select Inventory > Job Browsers > Inventory Collection. Or Select Admin > Collection Settings > Inventory > Inventory Jobs.
The Inventory Job Browser dialog box appears with a detailed list of all scheduled inventory jobs. The columns in the Inventory Job Browser dialog box are:
Column | Description
Job ID | Unique ID assigned to the job by the system, when the job is created. Click on the hyperlink to view the Job details (see Viewing Job Details). Periodic jobs such as 6-hourly, 12-hourly, Daily, Weekly and Monthly, have the job IDs that are in the number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that this is the third instance of the job ID 1001.
Job Type | Type of job: System Inventory Collection, System Inventory Polling, Inventory Collection and Inventory Polling.
Status | Status of the job: Scheduled, Successful, Failed, Cancelled, Stopped, Running, Missed Start. The number, within brackets, next to Failed status indicates the count of the devices that had failed for that job. This count is displayed only if the status is Failed. For example, if the status displays Failed(5), then the count of devices that had failed is 5. This count of failed devices is not displayed for jobs restored from LMS 4.1 or earlier versions.
Description | Description of the job entered by the job creator. This is a mandatory field. Accepts alphanumeric values. The field is restricted to 256 characters.
Owner | Username of the job creator.
Scheduled at | Date and time at which the job was scheduled.
Completed at | Date and time at which the job was completed.
Schedule Type | Type of schedule for the job:
- Immediate: Runs the report immediately.
- 6 - hourly: Runs the report every 6 hours, starting from the specified time.
- 12 - hourly: Runs the report every 12 hours, starting from the specified time.
- Once: Runs the report once at the specified date and time.
- Daily: Runs daily at the specified time.
- Weekly: Runs weekly on the specified day of the week and at the specified time.
- Monthly: Runs monthly on the specified day of the month and at the specified time.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3.

Using the Filter by field in the Inventory Job Browser, you can filter the jobs displayed in the browser.
You can filter the jobs using any of the following criteria and clicking Filter:

All: Select All to display all jobs in the Job Browser.
Job ID: Select Job ID and enter the whole or the first part of the Job ID(s) that you want to display.
Job Type: Select Job Type and then select any one of the following:
  System Inventory Collection
Status: Select Status and then select any one of these:
  Schedule
  Successful
  Failed
  Cancelled
  Stopped
  Running
  Missed Start
  Missed start is the status when the job could not run for some reason at the scheduled time. For example, if the system was down when the job was scheduled to start, when the system comes up again, the job does not run. This is because the scheduled time for the job has elapsed. The status for the specified job will be displayed as Missed Start.
Description: Select Description and enter the first few letters or the complete description.
Owner: Select Owner and enter the user ID or the beginning of the user ID.
Schedule Type: Select the Schedule Type and select any one of these:
  Immediate
  Once
  6-hourly
  12-hourly
  Daily
  Weekly
  Monthly
Refresh (Icon)
To perform the following tasks, use the Inventory Job Browser (Table 8-1).

Table 8-1 Inventory Browser Buttons, the Tasks they Perform and their Description

Create: You can create a new job.

Edit: You can edit only a scheduled job. You can select only one job at a time for editing. If you select more than one job, the Edit button is disabled.

Cancel (Cancel jobs): You can cancel a scheduled job. You can select more than one scheduled job to cancel. You are prompted to confirm the cancellation. If it is a periodic job, you are prompted to confirm whether you want to cancel only the current instance of the job or all future instances.
  1. Select a periodic job and click Cancel. The Cancel Confirmation dialog box appears.
  2. Select one of the following options:
     Cancel only this instance
     Cancel this and all future instances
  3. Click OK.

Stop (Stop jobs): You can stop a running job. However, the job will be stopped only after the devices currently being processed are completed. This is to ensure that no device is left in an inconsistent state.

Delete (Delete jobs): You can delete a job that has been scheduled, successful, failed, stopped or cancelled. However, you cannot delete a running job. You can select more than one job to delete, provided they are scheduled, successful, failed, stopped, or cancelled jobs. For instance, if you select a failed job and a running job, the Delete button is disabled. If you are deleting a scheduled periodic inventory job, the following message is displayed:
  If you delete periodic jobs, or instances of a periodic job, that are yet to be run, the jobs will no longer run, nor will they be scheduled to be run again. You must recreate the deleted jobs.
  You are prompted to confirm the deletion.

Records for Inventory Collection and Polling jobs need to be purged periodically. To schedule a default purge job for this purpose, select Admin > Network > Purge Settings > Config Job Purge Settings.
Job Details: Expand this node to display Job Summary and Job Results for the inventory collection or polling job.

Job Summary: Click on this node to view the following for the inventory collection or polling job:
  Job Summary: Displays information about the job type, the job owner, the status of the job, the start time, the end time, the schedule type, and details of email notification.
  Device Summary: Displays information about the total devices submitted for the job, the number of devices that were scanned, the number of devices that were pending, the devices that were successful with change, successful without change, and the failed devices. Also, the Device Details and Not Attempted information appears. Not Attempted displays the number of devices for which the Inventory collection module did not attempt to collect the data.

Job Results: Displays information about the number of devices scanned, the names of the scanned devices, the duration of scanning, the average scan time per device, and the job results description, for the inventory collection or polling job. To see more details, expand the Job Results node. You will see the following details:
  Failed: If you click on this node, you will see the collective list of failed devices and the reason for their failure in the right pane, for the inventory collection or polling job. If you expand this node, the list of failed devices appears. If you select a device, the right pane displays the device name and the reason for the failure. For example, Device sensed, but collection failed, or Device not reachable.
  Successful: With Changes
    For an Inventory collection job: Expand the Successful: With Changes node to display a list of devices. If you select a device, the right pane displays the device name and a hyperlink: View Changes. If you click on this hyperlink, the Inventory Change Details report appears for the device. The report displays information about the attribute, the type of change, the time of change, the previous value and the current value for the collection job. If you do not expand this node, you will see the collective list of devices with the status Success: With changes with their View Changes hyperlinks, in the right pane, for the collection job. There is a View All Changes hyperlink in the right pane. If you click this hyperlink, all the changes on the devices are displayed.
    For an Inventory polling job: Click on the Successful: With Changes node to display a list of devices that have changes, as a comma-separated list, in your right pane. When there is a change in the config of a device and when the device is polled, information such as Collection initiated will appear in the job results. A separate job will be created for the inventory collection as a result of changes occurring in the inventory.
If you click on this, the right pane displays, as a comma-separated list, the devices that were successful for the inventory collection or polling job.
Note
Step 1  Either:
  Select Inventory > Job Browsers > Inventory Collection.
  Or
  Select Admin > Collection Settings > Inventory > Inventory Jobs.
Step 2  Select either:
  Click Create. The Create Inventory Job dialog box appears.
  Or
  Select a job and click Edit.
Step 3  Select either:
  Device Selector, if you want to schedule report generation for static set of devices
  Or
  Group Selector, if you want to schedule report generation for dynamic group of devices.
Step 4  Enter the information required to create a job:

Select either Inventory Collection or Inventory Polling, as required.

Run Type: Specifies the type of schedule for the job:
  Immediate: Runs the report immediately.
  6-hourly: Runs the report every 6 hours, starting from the specified time.
  12-hourly: Runs the report every 12 hours, starting from the specified time.
  Once: Runs the report once at the specified date and time.
  Daily: Runs daily at the specified time.
  Weekly: Runs weekly on the day of the week and at the specified time.
  Monthly: Runs monthly on the day of the month and at the specified time.
  For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3.
  If you select Immediate, the date field option will be disabled.

Date:
  1. Enter the start date in the dd mmm yyyy format, for example, 02 Jul 2004, or click on the calendar icon and select the date.
  2. Enter the start time by selecting the hours and minutes from the drop-down list.
  The Date field is enabled only if you have selected an option other than Immediate in the Run Type field.

Job Info:
  Enter a description for the report that you are scheduling. This is a mandatory field. Accepts alphanumeric values. This field is restricted to 256 characters.
  Enter e-mail addresses to which the job sends messages when the job has run. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.
Step 5  Click Submit. You get a notification that the job has been successfully created, and it appears in the Inventory Job Browser.

To edit a job, select a scheduled job from the Inventory Job Browser, and click Edit. The Edit Inventory Job dialog box appears. The Job Type options are disabled. You can, however, change the Scheduling and Job Info fields as required, and click Submit. The job is edited.

Stopping a job, see Stop in Table 8-1.
Cancelling a job, see Cancel in Table 8-1.
Deleting a job, see Delete in Table 8-1.
SNMP Retry: Number of times that the system should try to access devices with SNMP options. The default value is 2. The minimum value is zero and the maximum value is 6.

SNMP Timeout: Amount of time that the system should wait for a device to respond before it tries to access it again. It refers to the total transaction time of SNMP Packets. The default value is 2 seconds and the minimum value is zero seconds. There is no maximum value limit. Changing the SNMP timeout value affects inventory collection.

Telnet Timeout: Amount of time that the system should wait for a device to respond before it tries to access it again. It refers to the initial response time required to create a socket. The default value is 36 seconds and the minimum value is zero seconds. There is no maximum value limit. Changing the Telnet timeout value affects inventory collection.

Natted LMS IP Address: The LMS server ID. This is the translated address of LMS server as seen from the network where the device resides. You need to enable support for NAT, in a scenario where LMS tries to contact devices outside the NAT boundary. The default value is Not Available.

TFTP Timeout: Amount of time that the system should wait to get the result status of the copy operation. Changing the TFTP timeout value affects Config collection. The default value is 5 and the minimum value is 0 seconds. There is no maximum value limit.

SSH Timeout: Amount of time in seconds after which SSH session will be terminated when there is no data transfer from client.
Step 1  Select Admin > Collection Settings > Inventory > Inventory, Config Timeout and Retry Settings. The Inventory, Config timeout and retry settings dialog box appears.
Step 2  Enter the default values for:
  SNMP Retry
  SNMP Timeout
  Telnet Timeout
  Natted LMS IP Address
  TFTP Timeout
  SSH Timeout

The value you enter here will be applicable for all LMS devices. You can change the value for individual devices and also enter the device serial number information using the Edit Devices Attributes option on LMS Devices window.
Step 3
Step 4
Click OK.
Secondary Credentials
The LMS server polls and receives two types of credentials from each device and populates the Device Credential Repository (DCR). These credentials are:

LMS uses either the primary or secondary credentials to access the devices using the following protocols:
Telnet
SSH

The LMS server first uses the Primary Credentials to access the device. The Primary Credentials are tried many times and, on failure, the Secondary Credentials are tried. Secondary Credentials are used as a fallback mechanism in LMS for connecting to devices. For instance, if the AAA Server is down, accessing devices using their primary credentials will lead to failure. You can add or edit the Secondary Credentials information through the DCR page (Select Inventory > Device Administration > Add / Import / Manage Devices) if the Secondary Credential information is not available for a device.
Note
The use of Secondary Credentials fallback is applicable for both Login and Enable connectivity.
You can use the LMS Secondary Credential dialog box to enable or disable Secondary Credentials fallback when the Primary Credentials for a device fail. This is a global option which you can use to enable or disable the use of Secondary Credential fallback for all LMS applications.

To enable or disable the Secondary Credentials fallback:

Step 1  Select Admin > Collection Settings > Config > Secondary Credential Settings. The Secondary Credentials dialog box appears.
Step 2  Do either of the following:
  Check the Fallback to Secondary Credentials check box if you want to enable the Secondary Credential fallback.
  Or
  Uncheck the Fallback to Secondary Credentials check box if you want to disable the Secondary Credential fallback.
Step 3  Click either Apply to apply the option or click Cancel to discard the changes.
Changing the Schedule for System Inventory Collection or Polling, and PSIRT/EOX System
At the time of LMS installation, system jobs are created for both Inventory collection and polling, with their own default schedules. A periodic inventory collection job collects inventory data from all managed devices and updates your inventory database. Similarly, the periodic polling polls devices and updates the inventory database. You can change the schedule of these default, periodic system jobs. For inventory collection or polling to work, your devices must have accurate read community strings entered. The changes detected by inventory collection or polling, are reflected in all associated inventory reports. You can also change the job schedule for PSIRT/EOX System. This section contains:
Changing the Schedule for System Inventory Collection or Polling.
Changing the Schedule for PSIRT/EOX System.
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform these tasks.

Step 1  Select Admin > Collection Settings > Inventory > Inventory System Job Schedule. The System Job Schedule dialog box displays the current collection or polling schedule.
Step 2  Set the new Inventory Collection or Inventory Polling schedule in the respective panes, as in Table 8-2.
  Inventory data does not change frequently, so infrequent collection is better. However, if you are installing much new equipment, you may need more frequent collection. Infrequent collection reduces the load on your network and managed devices. Collection is also best done at night or when network activity is low. Also, make sure your collections do not overlap, by checking their duration using the Inventory Job Browser (see Using the Inventory Job Browser), and scheduling accordingly.
Step 3

View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform these tasks.

Step 1  Select Admin > Network > PSIRT, EOS and EOL Settings > PSIRT/EOX system job schedule. The PSIRT and EOX Job Schedule displays the current PSIRT and EOX schedule.
Step 2  Set the new PSIRT and EOX schedule in the respective panes, as in Table 8-2.
Step 3  Click Apply. The new schedule is saved.
Table 8-2 Details of Inventory system schedule and PSIRT and EOX System Job Schedule

Scheduling
  Run Type: Select the run type or frequency for inventory collection or polling: Daily, Weekly, or Monthly. For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3.
  Date: Select the date for the collection or polling to begin, using the date picker.
  at: Enter the time for the collection or polling to begin, in the hh:mm:ss format.

Job Info
  Job Description: Has a default Job Description: If the Job Type is Inventory Collection, the description is, System Inventory Collection Job. If the Job Type is PSIRT and EOX, the description is, System PSIRT and EOX Job.
  Enter e-mail addresses to which the job sends messages when the collection or polling job has run. You can enter multiple e-mail addresses, separated by commas. Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.
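The periodic-job rule stated for the Inventory Job Browser, the Create Inventory Job dialog box and Table 8-2, together with the advice to keep collections from overlapping, can be replayed before a schedule is changed. The following Python sketch is an added example, not part of the Cisco guide or of LMS; the function names, the year 2011 and the run durations are constructed for illustration, and an instance that ends exactly at a slot time is assumed to block that slot.

```python
from datetime import datetime, timedelta


def simulate_periodic_job(first_start, interval, durations, slots):
    """Replay `slots` consecutive schedule slots of one periodic job.

    durations -- run time (timedelta) of each instance that actually starts,
                 in order; the last value is reused if the list runs out.
    Returns (slot_time, end_time) tuples; end_time is None for a slot that
    was skipped because the earlier instance had not completed.
    """
    if not durations:
        raise ValueError("at least one duration is required")
    timeline = []
    busy_until = None   # completion time of the most recent instance
    started = 0         # number of instances started so far
    for n in range(slots):
        slot = first_start + n * interval
        # Assumption: "completed before" is strict, so an instance ending
        # exactly at the slot time still causes the slot to be skipped.
        if busy_until is not None and busy_until >= slot:
            timeline.append((slot, None))
            continue
        run_time = durations[min(started, len(durations) - 1)]
        busy_until = slot + run_time
        started += 1
        timeline.append((slot, busy_until))
    return timeline


def skipped_slots(timeline):
    """Slots at which no instance ran."""
    return [slot for slot, end in timeline if end is None]


def longest_gap(timeline):
    """Longest time between two consecutive instance starts (data staleness)."""
    starts = [slot for slot, end in timeline if end is not None]
    return max((b - a for a, b in zip(starts, starts[1:])), default=timedelta(0))


def overlapping_runs(timeline_a, timeline_b):
    """Pairs of runs from two jobs whose execution windows intersect."""
    runs_a = [(s, e) for s, e in timeline_a if e is not None]
    runs_b = [(s, e) for s, e in timeline_b if e is not None]
    return [(a, b) for a in runs_a for b in runs_b if a[0] < b[1] and b[0] < a[1]]


# Constructed sample: a daily collection job whose first run takes 26 hours,
# and a 6-hourly polling job whose runs take one hour each.
COLLECTION = simulate_periodic_job(
    datetime(2011, 11, 1, 10, 0), timedelta(days=1),
    [timedelta(hours=26), timedelta(hours=3)], slots=4)
POLLING = simulate_periodic_job(
    datetime(2011, 11, 1, 8, 0), timedelta(hours=6),
    [timedelta(hours=1)], slots=4)

if __name__ == "__main__":
    for slot, end in COLLECTION:
        print(slot, "skipped" if end is None else f"ran until {end}")
    print("longest gap between collections:", longest_gap(COLLECTION))
    print("polling runs inside a collection window:",
          len(overlapping_runs(COLLECTION, POLLING)))
```

Feed it the durations shown in the Job Summary of earlier runs to see which slots a long-running instance would cost and how stale the inventory data can become.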
Note
System PSIRT job should be successful at least once before generating PSIRT/EoX reports. Report job will be successful even though there is no data to display for the selected devices. The EoS/EoL reports will be successful but might not contain data in the following scenarios:
1. If the system PSIRT job fails because of wrong Cisco.com credentials, or if you have not configured the Cisco.com credentials.
2. If the system PSIRT job fails due to problems in the downloaded local XML file.
3. If there is no PSIRT/EoX data in the database for the selected devices.
LMS fetches and collects this PSIRT information from Cisco.com whenever the system PSIRT and EOX job runs. LMS uses PSIRT, End-of-Sale and End-of-Life data from Cisco.com to generate various reports. You can change the Data Source for PSIRT or End-of-Sale or End-of-Life reports. For more information, see Changing the Data Source for PSIRT/EOS/EOL Reports.
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location
When you schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the data either from Cisco.com or from a local text file with XML data, depending upon the option you have set.
Step 1  Select Admin > Network > PSIRT, EOS and EOL Settings > PSIRT/EOX Reports option. The PSIRT/EOX Reports dialog box appears.
Step 2  Either:
  Select Cisco.com, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data from Cisco.com.
  Or
  Select Local, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data from local file. The local file location is shown if you have selected Local.
Step 3  Click Apply. The PSIRT or End-of-Sale or End-of-Life report can be generated based on the settings specified by you.
Note
While you schedule a PSIRT Summary report job or End-of-Sale or End-of-Life job using the Cisco.com method, the Cisco.com Username and Cisco.com Password fields are enabled. If you have configured the Proxy Server (Admin > System > Cisco.com Settings > Proxy Server Setup), then the Proxy Username and Proxy Password fields are also enabled.
You can retrieve the PSIRT or End-of-Sale or End-of-Life information from an external server and store it in the local file location on the LMS server. To download the text file with XML data from Cisco.com:

1. Use a server other than LMS server with internet connection as the external server.
2. From this external server, access the following link to download the XML data:

1. Go to http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=4.1.1&mdfid=282635175&sftType=CiscoWorks+Resource+Manager+Essentials+Patches&optPlat=Solaris&nodecount=2&edesignator=null&modelName=CiscoWorks+Resource+Manager+Essentials+4.3&treeMdfId=268439477&treeName=Network+Management&modifmdfid=&imname=&hybrid=Y&imst=N&lr=Y
2. Log in to Cisco.com by entering the Cisco.com user name and password.
3. Download the PSIRT_EOX_OFFLINE.zip file.
4. Extract the text file with XML data to the external server.
5. Copy the text file from the external server into the LMS Server under: /var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml

The text file with XML data gets saved under local_xml folder. Where NMSROOT is the default Cisco Prime installation directory.

For EoS/EoL Software Report:

1. Go to http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=4.1.1&mdfid=282635175&sftType=CiscoWorks+Resource+Manager+Essentials+Patches&optPlat=Solaris&nodecount=2&edesignator=null&modelName=CiscoWorks+Resource+Manager+Essentials+4.3&treeMdfId=268439477&treeName=Network+Management&modifmdfid=&imname=&hybrid=Y&imst=N&lr=Y
2. Log in to Cisco.com by entering the Cisco.com user name and password.
3. Download the EOX_SOFTWARE.zip file to the external server.
4. Copy the EOX_SOFTWARE.zip file from the external server into the LMS Server under: /var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml

Note
You must not extract the EOX_SOFTWARE.zip file in the LMS Server. The EOX_SOFTWARE.zip file gets saved under local_xml folder. Where NMSROOT is the default Cisco Prime installation directory.
When you schedule a PSIRT or End-of-Sale/End-of-Life report, the Report Generator retrieves the data from the XML file. To ensure that the data shown in the PSIRT or End-of-Sale or End-of-Life report is the latest:

1. Retrieve the PSIRT or End-of-Sale or End-of-Life information from Cisco.com using an external server which has internet connection.
2. Store this retrieved XML information in the local file location.
3. Then generate a PSIRT Summary Report or End-of-Sale or End-of-Life report.

For more information, see:
Downloading the text file with XML data from Cisco.com
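Because the system PSIRT job can fail on problems in the downloaded local XML file, the archive can be checked on the external server before anything is copied into local_xml. The following Python sketch is an added example, not part of the Cisco guide or of LMS: it tests the zip CRCs in memory, refuses member paths that would escape the target folder, confirms each member is well-formed XML and records a SHA-256 digest to compare against the copy on the LMS server. The member name, the XML content, the size limit and the refusal of DOCTYPE declarations are assumptions of this example, since the guide does not describe the file layout.

```python
import hashlib
import io
import zipfile
import zlib
from xml.parsers import expat

MAX_MEMBER_BYTES = 200 * 1024 * 1024   # assumed upper bound per extracted file
SAMPLE_MEMBER = "sample_psirt.txt"     # constructed name, not the real member
SAMPLE_XML = b'<?xml version="1.0"?><records><record id="1"/><record id="2"/></records>'


class OfflineDataError(Exception):
    """Raised when the downloaded archive or its XML content is not usable."""


def inspect_archive(zip_bytes):
    """Check an archive in memory; return {member name: uncompressed bytes}."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile as exc:
        raise OfflineDataError(f"not a valid zip archive: {exc}") from exc
    with archive:
        try:
            damaged = archive.testzip()          # reads every member, checks CRC-32
        except (zipfile.BadZipFile, zlib.error) as exc:
            raise OfflineDataError(f"archive is damaged: {exc}") from exc
        if damaged is not None:
            raise OfflineDataError(f"CRC mismatch in member {damaged!r}")
        members = {}
        for info in archive.infolist():
            parts = info.filename.replace("\\", "/").split("/")
            if info.filename.startswith(("/", "\\")) or ".." in parts:
                raise OfflineDataError(f"unsafe member path {info.filename!r}")
            if info.file_size > MAX_MEMBER_BYTES:
                raise OfflineDataError(f"member {info.filename!r} is too large")
            if not info.is_dir():
                members[info.filename] = archive.read(info)
        return members


def check_xml(data):
    """Return (root element name, element count); refuse DTDs and broken XML."""
    state = {"root": None, "elements": 0}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Defensive choice of this example: no DTD, so no entity expansion.
        raise OfflineDataError("DOCTYPE declarations are not accepted")

    def on_start(name, attributes):
        if state["root"] is None:
            state["root"] = name
        state["elements"] += 1

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise OfflineDataError(f"XML is not well formed: {exc}") from exc
    return state["root"], state["elements"]


def verify_offline_download(zip_bytes):
    """Full pre-copy check; returns a per-member report with SHA-256 digests."""
    report = {}
    for name, data in inspect_archive(zip_bytes).items():
        root, elements = check_xml(data)
        report[name] = {"sha256": hashlib.sha256(data).hexdigest(),
                        "root": root, "elements": elements}
    return report


def build_sample_zip(member=SAMPLE_MEMBER, xml=SAMPLE_XML):
    """Constructed stand-in for a downloaded archive, stored uncompressed."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr(member, xml)
    return buffer.getvalue()


if __name__ == "__main__":
    print(verify_offline_download(build_sample_zip()))
```

Recompute the SHA-256 of the file after it has been copied to the LMS server and compare it with the value reported here to confirm the transfer did not alter it.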
Provide VRF Lite Collector Settings. For details, see Using VRF Lite Collector Settings.
Schedule VRF Lite Collection. For details, see Scheduling VRF Lite Collector.
Modify SNMP Timeouts and Retries. For details, see Modifying VRF Lite SNMP Timeouts and Retries.

To specify the debugging options for VRF Lite Server, VRF Lite Collector, and VRF Lite, select Admin > System > Debug Settings. For details, see Setting VRF Lite Debugging Options.

To view the status of VRF Lite jobs, select Admin > Jobs > Browser, and use the filter to view only VRF Lite jobs.

To configure the purging interval for Virtual Network Manager Report Jobs and Archives, select Admin > Network > Purge Settings > VRF Management Purge Settings. For details, see Purging VRF Management Reports Jobs and Archived Reports.

This section contains:
Using VRF Lite Collector Settings
Scheduling VRF Lite Collector
Modifying VRF Lite SNMP Timeouts and Retries

Schedule VRF Lite Collector
You can schedule the VRF Lite Collector process to run after every Data Collection. The VRF Lite Collector process is scheduled to collect VRF Lite-specific details of the VRF Lite Capable and VRF Lite Supported devices. You can add, edit and delete VRF Lite Collector Schedule jobs. To schedule the VRF Lite Collection process, click the Schedule VRF Lite Collector link. For details, see Scheduling VRF Lite Collector.

VRF Lite SNMP Timeouts and Retries Settings
You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular device with SNMP timeout exceptions. To modify the VRF Lite SNMP Timeouts and Retries Settings, click the VRF Lite SNMP Timeouts and Retries Settings link. For details, see Modifying VRF Lite SNMP Timeouts and Retries.
Step 1  Select Admin > Collection Settings > VRF Lite > VRF Lite Collector Schedule. The VRF Lite Collector Schedule dialog box appears.
Step 2  Enter the details as mentioned in Table 8-3.

Field: Schedule
Description: Allows you to enable or disable VRF Lite Collection after every Data Collection. The VRF Lite Collection collects VRF Lite-specific details.
Usage Notes:
  Enable: Check the check box to enable VRF Lite Collection after every Data Collection and click Apply.
  Disable: Uncheck the check box to disable VRF Lite Collection after every Data Collection and click Apply.

Description: Job ID of the VRF Lite Collector Schedule job.
Usage Notes: Display only.

Description: Days on which and the time at which VRF Lite collection is scheduled.
Usage Notes: The optimum VRF Lite collection schedule depends on the size of the network and the frequency of network changes. By default, the VRF Lite collection process is scheduled to run after the Data Collection process has completed.

Description: Select the days of the week on which VRF Lite collection is to be scheduled.
Usage Notes: This field is available only when you are adding or editing a schedule.

Description: Description of the VRF Lite Collector Schedule job.

Step 3  Do one of the following:
  Select a schedule and click Edit to edit the schedule.
  Select a schedule and click Delete to delete the schedule.
  Click Add to add a new schedule.

Click OK to save the details
Or
Click Cancel to exit the VRF Lite Collection Schedule dialog box.

To view the status of the VRF Lite Collector Schedule job, select Admin > Jobs > Browser, and use the filter to view the VRF Lite Collector Schedule job.
Step 1  Select Admin > Collection Settings > VRF Lite > VRF Lite SNMP Timeouts and Retries. The VRF Lite SNMP Timeouts and Retries dialog box appears.
Step 2  Modify the SNMP settings as given in Table 8-4.

Table 8-4 Modify VRF Lite SNMP Timeouts and Retries

IP address of the target device. For example, 10.*.*.*

Timeout: Time period after which the query times out. This also indicates the time interval between the request and the first initial response from the device. The SNMP response may be slow for remote devices. If your network has remote devices connected over a slow link, configure a higher value for time-out. If Time out is increased, Discovery time could also increase. Enter the value in seconds. The allowed range is 0-60. For every retry, the Timeout value is doubled. For example, if the Timeout is 10 seconds and retries 4: LMS waits for 10 seconds for response for the first try, 20 seconds for the second retry, 40 seconds for the third retry and 80 seconds for the fourth retry. 150 seconds (10+20+40+80) is the total time lapse after which Virtual Network Manager stops querying the device.

Retries: Number of attempts made to query the device. The allowed range is 0-8.

Step 3  Click Add to add VRF Lite SNMP settings.
Step 4  Select a row and either:
  Click Edit to edit the VRF Lite SNMP Timeouts and Retries value.
  Or
  Click Delete to delete the VRF Lite SNMP Timeouts and Retries value.

Click Apply.
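The doubling rule in Table 8-4 makes the worst-case wait grow exponentially with the Retries value, which matters when choosing settings for devices behind slow links. The following Python sketch is an added example, not part of the Cisco guide or of LMS; it follows the guide's worked example, in which a Retries value of 4 produces four waits, and the function names and the assumption that unreachable devices are queried one after another are this example's own.

```python
TIMEOUT_MAX = 60   # seconds; allowed range 0-60 per Table 8-4
RETRIES_MAX = 8    # allowed range 0-8 per Table 8-4


def wait_schedule(timeout, retries):
    """Seconds waited on each try; the timeout doubles on every retry."""
    if not 0 <= timeout <= TIMEOUT_MAX:
        raise ValueError(f"timeout must be 0-{TIMEOUT_MAX} seconds")
    if not 0 <= retries <= RETRIES_MAX:
        raise ValueError(f"retries must be 0-{RETRIES_MAX}")
    return [timeout * 2 ** attempt for attempt in range(retries)]


def worst_case_seconds(timeout, retries):
    """Total time spent on one device that never answers."""
    return sum(wait_schedule(timeout, retries))


def settings_within(budget_seconds):
    """For each Retries value, the largest Timeout whose worst case fits.

    Returns {retries: timeout}; a timeout of 0 means no non-zero timeout
    fits the budget for that Retries value.
    """
    table = {}
    for retries in range(1, RETRIES_MAX + 1):
        table[retries] = max(
            t for t in range(TIMEOUT_MAX + 1)
            if worst_case_seconds(t, retries) <= budget_seconds)
    return table


def stalled_seconds(timeout, retries, unreachable_devices):
    """Upper bound on time lost to unreachable devices.

    Assumption of this example: devices are queried one after another.
    """
    return unreachable_devices * worst_case_seconds(timeout, retries)


if __name__ == "__main__":
    print(wait_schedule(10, 4), worst_case_seconds(10, 4))   # the guide's example
    print("largest settings:", worst_case_seconds(TIMEOUT_MAX, RETRIES_MAX), "s")
    print("fits in 150 s per device:", settings_within(150))
```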
Note
Changing the settings on this page will modify the settings on all devices managed by LMS.
Note
Your login determines whether or not you can perform this task. View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

To modify the Fault Management SNMP timeout and retries:

Select Admin > Collection Settings > Fault > Fault Management SNMP Timeouts and Retries. The SNMP Configuration page appears.
Select a new SNMP timeout setting.
Select a new Number of Retries setting.
Click Apply.
In the confirmation box, click Yes.
Your login determines whether or not you can perform this task. View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

LMS rediscovery probes the devices to discover their configuration and verify their manageable elements in inventory. LMS contains a default discovery schedule that starts rediscovery on a weekly basis. Although you cannot modify the default discovery schedule, you can suspend it and add, modify, or delete additional schedules. For more information, see:
Suspending and Resuming a Rediscovery Schedule
Adding and Modifying a Rediscovery Schedule
Step 1  Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule. The Rediscovery Schedule page appears.
Step 2  You can either:
  Select a schedule that does not have a Suspended status, and click Suspend. The status for the schedule changes to Suspended and the schedule does not run until you resume the schedule. The schedule remains listed on the Rediscovery Schedule page until you delete it.
  Or
  Select a schedule with a status of Suspended and click Resume. The status for the schedule changes to Scheduled.
You should plan the rediscovery schedule for maximum efficiency and minimum system impact. When LMS is first installed, for the Fault Management module most tasks listed in Table 8-5 are scheduled by default to ensure that they do not run concurrently. You can configure the schedules for these tasks to meet the requirements of your site. However, you should still avoid running them concurrently.
Table 8-5 Scheduling Considerations
Comments and Notes The amount of time it takes to purge the database depends on the size of the database. For more information on how to configure the Daily Fault History Purging Schedule, see Configuring the Daily Fault History Purging Schedule.
Rediscovery
In addition to configuring schedules, a system administrator can schedule database backups. Be careful while coordinating the database backup schedule to avoid running concurrently with the tasks listed in Table 8-5.

To add or edit a rediscovery schedule:

Step 1  Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule.
Step 2  Select either:
  Click Add.
  Or
  Select a rediscovery schedule with a status of Scheduled and click Edit. You cannot edit Default_Schedule.
Step 3  Enter a name for the schedule.
Step 4  Select how often the schedule should run:
Step 5  Select the date, hour, and minute on which to start the rediscovery schedule and click Next.
Step 6  Review the information on the Schedule Summary page and click Finish. The Rediscovery Schedule page appears, listing the new schedule.
Step 1  Select a rediscovery schedule and click Delete. A confirmation dialog box appears.
Note
Step 2  Click Yes. The job is removed from this page. However, it will continue to be listed in the main Job Browser.
Click Admin > Collection Settings > Fault > Fault Event Forensics Configuration. The Event Forensics Configuration page appears.
Select the Event Forensics Enable check box to enable LMS to collect forensics data.
Click Apply.

LMS polls for Event Forensics data for the following events only:

To view the event forensics results, select Monitor > Monitoring Tools > Fault Monitor. You can see the event forensics results when you move your mouse over the Annotations in the Faults table of Fault Monitor Device Fault Summary view tab.
The left pane displays a device selector, from which you select the device or group that you want to rediscover or delete. The left pane includes a search option. The right pane displays the information for the selected object.
Click the Refresh button to refresh the view. The devices that appear in the device selector are organized in folders by device state. See Understanding Device States in Inventory Management with CiscoWorks LAN Management Solution 4.1 for more information on device states. The folders appear only if there is a device to go in the folder.
Rediscovering Devices
When rediscovery takes place, if there are any changes to a device or group configuration, the new settings will overwrite any previous settings. Rediscovery occurs only for managed devices, and not suspended devices. Rediscovery also occurs when:
Inventory collection occurs. This is controlled by the Rediscovery Schedule (Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule).
A device is added to the DCR, or a change is made to a device in the DCR, and LMS is configured to import that device type (or LMS automatically imports all DCR devices). Such DCR changes include a device being deleted or having its credentials (IP address, SNMP credentials, MDF type) changed in the DCR.
A device is manually added to LMS using the Device Import page.
Note
Do not confuse the LMS discovery process with the DCR synchronization process. LMS Discovery and Rediscovery is a process that affects only the LMS inventory.
To rediscover devices:
Step 1 Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault Monitoring Device Administration page appears.
Step 2 Select the device or group that you want to rediscover. With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To assist you in locating devices, use the search option in the device selector.
Note
If you are connecting to the LMS server for the first time, a Security Alert window is displayed after you select nearly any option. Do not proceed without viewing and installing the security certificate. You should contact a user with System Administrator privileges to create a self-signed security certificate, and then install it. If you do not install the self-signed security certificate, you may not be able to access some LMS application pages.
Step 3
Click Rediscover. Rediscovery starts. To view rediscovery status, select Inventory > Device Administration > Manage Device State.
Inventory, Config and Image Management
Network Topology, Layer 2 Services and User Tracking
Fault Management
IPSLA Performance Management
Device Performance Management
To view the functionality settings: Select Admin > System > Device Management Functions. By default, all the functions will be enabled. If you have a 10K license, only Inventory, Config and Image Management will function. You should disable all functions except Inventory, Config and Image Management from this page.
Note
If you disable a function, the function will stop collecting device information. For IPSLA Management, history data will be deleted.
SNMP timeout is the length of time that LMS waits for the device to respond before it retries the query. SNMP retry is the maximum number of times LMS retries the query.
You can also set the notification interval time in case of poller failures and the e-mail ID to which the notification should be sent. You can also configure Poll Settings to send the polling failure report as an e-mail. To configure Poll Settings:
Step 1
Select Admin > Collection Settings > Performance > Performance Management SNMP timeouts and retry settings. The Poll Settings dialog box appears. Table 8-6 describes the fields in the Poll Settings dialog box.
Table 8-6 Poll Settings Fields
Field | Description
Poll Details
SNMP Timeout | Specify the SNMP timeout interval in seconds. The default SNMP timeout value is 3 seconds. You can change the default SNMP timeout value to a value from 1 to 15 seconds.
SNMP Retries | Specify the SNMP retries count. The default SNMP retry count value is 1. You can set the default SNMP retry count to a value from 0 to 3.
Polling Failure
Notification Interval | Specify the polling failure notification interval. You can select any of these predefined values. The default option is 6 hours. 01 - Hour: Polling failures notified every 1 hour. 06 - Hours: Polling failures notified every 6 hours. 24 - Hours: Polling failures notified every 24 hours. 48 - Hours: Polling failures notified every 48 hours. Weekly: Polling failures notified every week. Polling failure notification report is generated periodically based on notification interval. This report contains information on the SNMP polling failures with device details.
E-mail ID | Enter the e-mail address. The e-mail address must be in the format: user@domain.com. The poll failure report is sent to the e-mail address based on the Notification Interval.
Step 2
See Table 8-6 for the description of fields that appear in the Poll Settings dialog box.
Step 3
Click Apply to update the poll settings or Reset to cancel the poll settings. A message appears confirming that poll settings are updated successfully.
Note
The IP SLA probes are automatically reconfigured when you reboot if you have selected this option and saved the IP SLA probes of the LMS collectors in the startup configuration. To view the configured collectors in the running configuration:
Step 1 Select Admin > Collection Settings > Performance > IPSLA application settings. The IPSLA Application Settings page appears.
Step 2 Select the Copy IPSLA Configuration to Running-config check box.
Step 3 Click Apply. A message appears that the application settings have been modified successfully. Click Default to retain the default settings.
Step 4 Click OK.
Step 1 Select Admin > Collection Settings > Performance > IPSLA application settings. The Application Settings page appears.
Step 2 Select the Use Managed Source Interface Address check box.
Step 3 Click Apply. A message appears that the application settings have been modified successfully. Click Default to retain the default settings.
Step 4 Click OK.
Preparing to Use the Archive Management
Entering Device Credentials
Modifying Device Configurations
Modifying Device Security
Moving the Configuration Archive Directory
Enabling and Disabling the Shadow Directory
Configuring Exclude Commands
Configuring Fetch Settings

Enter Device Credentials (See Entering Device Credentials for details)
Modify Device Configurations (See Modifying Device Configurations for details)
Modify Device Security (See Modifying Device Security for details)

Read and write community strings
Primary Username and Password
Primary Enable Password
If you have enabled the Enable Job Password option in the Config Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job Policies) when you scheduled the Config jobs, you are prompted for the following device credentials:
Routers
Username:, Username:
Password:, Password:
Switches
username: , Username:
password: , Password:
Cisco Interfaces and Modules - Network Analysis Modules
login:
Password: password:
Security and VPN - PIX
username: , Username:
passwd: , password: , Password:
Content Networking - Content Service Switch
Username: , username: , login: ,Username: , username: , login:
Password: , password: , passwd: ,Password: , password: , passwd:
Content Networking - Content Engine
Username: ,login:
Password:
Storage Networking - MDS Devices
Username:, Username:
Password:, Password:
If you enabled TACACS for a device and configured custom TACACS login and password prompts, you may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts recognizable, you must edit the TacacsPrompts.ini file. See Handling Custom Telnet Prompts for more information.
Handling Custom Telnet Prompts
To handle custom Telnet prompts in applications, you must configure the TacacsPrompts.ini file located at:
NMSROOT/objects/cmf/data (on Solaris/Soft Appliance)
NMSROOT\objects\cmf\data (on Windows)
where NMSROOT is the location where you have installed Cisco Prime LMS.
The format of this ini file is:
[TELNET]
USERNAME_PROMPT=
PASSWORD_PROMPT=
For example, if you have configured username and password prompts as MyUsername: and MyPassword: for a few devices and Secret Username: and Secret Password: for a few devices, the ini file must be configured as:
[TELNET]
USERNAME_PROMPT=MyUsername:, Secret Username:
PASSWORD_PROMPT=MyPassword:, Secret Password:
Note
You need not add the default Username prompt and Password prompt in the TacacsPrompts.ini file. Only the custom prompts need to be added.
Enabling rcp
Enabling scp
Enabling https
Configuring Devices to Send Syslogs
Enabling rcp
To enable the configuration archive to gather the configurations using the rcp protocol, modify your device configurations. Make sure the devices are rcp-enabled by entering the following commands in the device configurations:
# ip rcmd rcp-enable
# ip rcmd remote-host local_username {ip-address | host} remote_username [enable]
where ip-address | host is the IP address/hostname of the machine where LMS is installed. Alternatively, you can enter the hostname instead of the IP address. The default remote_username and local_username are cwuser.
Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS server. To do this, use the no ip rcmd domain-lookup command so that rcp can fetch the device configuration.
Enabling scp
To enable the configuration archive to gather the configurations using the scp protocol, modify your device configurations.
To configure local User name:
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local
username admin privilege 15 password 0 system
ip ssh authentication-retries 4
ip scp server enable
The user on the TACACS server should be configured with privilege level 15:
user = admin {
    default service = permit
    login = cleartext "system"
    service = exec {
        priv-lvl = 15
    }
}
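The rcp and scp settings above trade authentication strength for archive access, so it is worth knowing which archived configurations carry them. The following check is an added example, not part of the original guide or of LMS; the rule names, the function names and the sample address 192.0.2.10 are this example's assumptions.

```python
import re
from typing import NamedTuple

# Constructed sample: the device-side lines from the rcp and scp sections,
# with a documentation address (192.0.2.10) standing in for the LMS server.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local
username admin privilege 15 password 0 system
ip ssh authentication-retries 4
ip scp server enable
ip rcmd rcp-enable
ip rcmd remote-host cwuser 192.0.2.10 cwuser enable
no ip rcmd domain-lookup
"""


class Finding(NamedTuple):
    lineno: int
    rule: str   # rule names are this example's own, not LMS identifiers
    line: str   # offending line with any secret redacted
    why: str


RULES = [
    ("cleartext-password",
     re.compile(r"^username\s+\S+\s+.*\bpassword\s+0\s+\S"),
     "type 0 password is stored unencrypted in every archived copy of the config"),
    ("priv15-local-user",
     re.compile(r"^username\s+\S+\s+privilege\s+15\b"),
     "local account with full privilege; its password gives complete device control"),
    ("enable-auth-none",
     re.compile(r"^aaa authentication enable default none\b"),
     "enable mode is granted without any authentication"),
    ("rcp-enabled",
     re.compile(r"^ip rcmd rcp-enable\b"),
     "rcp is unencrypted and trusts the caller's address and claimed user names"),
    ("rcmd-enable-keyword",
     re.compile(r"^ip rcmd remote-host\s+\S+\s+\S+\s+\S+\s+enable\b"),
     "the enable keyword also lets that remote user run privileged commands over rsh"),
    ("rcmd-no-dns-check",
     re.compile(r"^no ip rcmd domain-lookup\b"),
     "the DNS check on the rcp/rsh caller is switched off"),
    ("tacacs-cleartext-login",
     re.compile(r"\blogin\s*=\s*cleartext\b"),
     "TACACS user password is kept in cleartext in the server configuration"),
]

# Secrets that must not be copied into a report.
SECRET = re.compile(r"(\bpassword\s+0\s+|\bcleartext\s+)(\S+)")


def redact(line):
    """Replace a cleartext password value with a placeholder."""
    return SECRET.sub(r"\1<redacted>", line)


def audit(config_text):
    """Return one Finding per rule hit, in file order."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for rule, pattern, why in RULES:
            if pattern.search(line):
                findings.append(Finding(lineno, rule, redact(line), why))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.lineno}: [{f.rule}] {f.line}\n    {f.why}")
```

On IOS, `username ... secret` stores a hashed password in place of the type 0 form, and scp over SSH avoids the rcmd findings entirely.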
Enabling https
To enable the configuration archive to gather the configurations using the https protocol, you must modify your device configurations. To modify the device configuration, follow the procedure described at this URL: http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/mgtproto.html
Router Commands
Switches Commands
Content Networking - Content Service Switch Commands
Content Networking - Content Engine Commands
Cisco Interfaces and Modules - Network Analysis Modules
Security and VPN - PIX Devices
For example, you can use the LMS server to access the devices using Telnet or SSH to archive their configurations. Ensure that the user credentials you provide in DCR have the permissions required to access the devices and to execute the configuration CLI commands mentioned above on the devices to fetch the configurations. The configuration information that the LMS server fetches from the devices is stored in the LMS database.
Router Commands
Command | Description
terminal length 0 | Sets the number of lines on the current terminal screen for the current session
terminal width 0 | Sets the number of character columns on the terminal screen for the current line for a session
Displays your current level of privilege
Gets running configuration.
Gets startup configuration
Gets the running configuration in brief by excluding the encryption keys.
The commands in the above tables also apply to the following device types:
Universal Gateways and Access Servers
Optical Networking
Broadband Cable
Voice and Telephony
Wireless
Storage Networking
Switches Commands
The switches commands are:
Command | Description
set length 0 | Configures the number of lines in the terminal display screen
set logging session disable | Disables the sending of system logging messages to the current login session.
write term | Gets running configuration.
Description Disables support for more functions with the terminal. Gets all components of the running configuration. Gets the CSS startup configuration (startup-config).
Description Sets the number of lines on the current terminal screen for the current session Gets running configuration. Gets startup configuration.
Description Sets the number of lines on the current terminal screen for the current session Displays autostart collections Gets startup configuration.
Description Sets the number of character columns on the terminal screen for the current line for a session Gets startup configuration. Gets running configuration. View the current logged-in user. Removes paging control
On LMS Windows server, NMSROOT\files\rme\dcma Where NMSROOT is the Cisco Prime installed directory. The new archive directory location should have the permission for casuser:casusers in Solaris and casuser should have Full Control in Windows. The new archive directory location should not be the root of any drive (F:\) and must be a subdirectory (F:\LMSarchives).
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. The following is the workflow for moving the configuration archive location:
Step 1
a. Select Admin > System > Server Monitoring > Processes. The Process Management dialog box appears.
b. Select the ConfigMgmtServer process.
c. Click Stop.
Step 2 Select Admin > Collection Settings > Config > Config Archive Settings. The Archive Settings dialog box appears.
Step 3 Enter the new location in the Archive Location field, or click Browse to select a directory on your system.
Step 4 Click Apply. A message appears confirming the changes.
Step 5 Restart the ConfigMgmtServer process. To do this:
a. Select Admin > System > Server Monitoring > Processes. The Process Management dialog box appears.
b. Select the ConfigMgmtServer process.
c. Click Start.
On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow
On Windows, NMSROOT/files/rme/dcma/shadow, where NMSROOT is the directory in which LMS is installed (the default is C:\Program Files\CSCOpx).
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. You can enable or disable the use of Shadow directory by following this workflow:
Step 1
a. Select Admin > System > Server Monitoring > Processes. The Process Management dialog box appears.
b. Select the ConfigMgmtServer process.
c. Click Stop.
Step 2 Select Admin > Collection Settings > Config > Config Archive Settings. The Archive Settings dialog box appears.
Step 3 Select the Enable Shadow Directory check box.
Step 4 Click Apply. A message shows that the changes were made.
Step 5 Restart the ConfigMgmtServer process. To do this:
a. Select Admin > System > Server Monitoring > Processes. The Process Management dialog box appears.
b. Select the ConfigMgmtServer process.
c. Click Start.
Device Category (For example, Routers, Wireless, etc.)
Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.)
Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.)
While comparing configurations, if you have specified exclude commands in the Device Type, Device Family and Device Category, these commands are excluded only at the Device Type level. The commands in the Device Family and Device Category are not excluded.
Example 1:
While comparing configurations, only the Cisco 1003 Router (Device Type) level commands are excluded.
Example 2:
If you have specified these commands only at Device Family and Device Category,
While comparing configurations, only the Cisco 1000 Series Routers (Device Family) level commands are excluded. If the commands are specified only at the Device Category level, these commands are applicable to all devices under that category. To configure Exclude Commands:
Step 1 Select Admin > Collection Settings > Config > Config Compare Exclude Commands Configuration. The Configure Exclude Commands dialog box appears.
Step 2 Select one of these from the Device Type Selector pane:
Device Category (For example, Routers, Wireless, etc.)
Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.)
Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.)
Step 3 Enter the command in the Exclude Commands pane to add new commands. You can enter multiple commands separated by commas. You can also edit or delete the existing commands in the Exclude Commands pane.
Step 4 Click Apply. A message appears, The commands to be excluded are saved successfully.
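The precedence rule described above (the most specific level that has a list wins outright, the lists are not merged) decides which changes a comparison can show at all. The following sketch is an added example, not LMS code; the exclude lists, the Cisco 1005 sibling device, the two configurations and the prefix matching of commands against configuration lines are assumptions made for illustration.

```python
# Most specific level first: the first level with a non-empty list wins outright.
LEVELS = ("type", "family", "category")

# Constructed settings, written as they would be typed into the Exclude
# Commands pane (comma-separated). The commands are illustrative.
EXCLUDES = {
    ("category", "Routers"): "ntp clock-period, snmp-server location",
    ("family", "Cisco 1000 Series Routers"): "ntp clock-period",
    ("type", "Cisco 1003 Router"): "snmp-server location",
}

R1003 = {"type": "Cisco 1003 Router", "family": "Cisco 1000 Series Routers",
         "category": "Routers"}
R1005 = {"type": "Cisco 1005 Router", "family": "Cisco 1000 Series Routers",
         "category": "Routers"}   # constructed sibling with no type-level list
R1401 = {"type": "Cisco 1401 Router", "family": "Cisco 1400 Series Routers",
         "category": "Routers"}

# Constructed configurations: two noisy lines and one line that matters.
OLD = """\
hostname edge
snmp-server location rack 4
ntp clock-period 17179865
enable secret 5 <hash-a>
"""
NEW = """\
hostname edge
snmp-server location rack 9
ntp clock-period 17179912
enable secret 5 <hash-b>
"""


def effective_excludes(device, excludes):
    """Return (level, commands) for the most specific level that has a list."""
    for level in LEVELS:
        raw = excludes.get((level, device[level]), "")
        commands = [c.strip() for c in raw.split(",") if c.strip()]
        if commands:
            return level, commands
    return None, []


def compare(old, new, commands):
    """Return (removed, added) lines, ignoring lines that start with an
    excluded command. Prefix matching is an assumption of this example."""
    def visible(cfg):
        return [l.strip() for l in cfg.splitlines()
                if l.strip() and not l.strip().startswith(tuple(commands))]
    a, b = visible(old), visible(new)
    return [l for l in a if l not in b], [l for l in b if l not in a]


if __name__ == "__main__":
    for dev in (R1003, R1005, R1401):
        level, commands = effective_excludes(dev, EXCLUDES)
        removed, added = compare(OLD, NEW, commands)
        print(dev["type"], "uses", level, "list", commands)
        print("  differences shown:", added)
```

For the Cisco 1003 Router the ntp clock-period drift is reported again, because its type-level list replaces the family and category lists instead of adding to them; any command placed on an effective list is invisible to the comparison.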
Step 1 Select Admin > Collection Settings > Config > Config Job Timeout Settings. The Fetch Settings dialog box appears.
Step 2 Provide the Job Result wait time in seconds in the Maximum time to wait for Job results per device (seconds) field.
Step 3 Click either of these:
Click Apply, if you want to submit the Job Result Wait Time entered.
Click Cancel if you want to cancel the changes made to the Job Result Wait Time.
Schedule Periodic Configuration File Archival
Schedule Periodic Configuration Polling
Manual Updates (Sync Archive function)
Using Version Summary
Timestamps of Configuration Files
How Running Configuration is Archived
Change Audit Logging
Note
The Syslog application triggers a configuration fetch if configuration change messages such as SYS-6-CFG_CHG, CPU_REDUN-6-RUNNING_CONFIG_CHG, etc., are received.
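The trigger described in this note, shown as an added example that is not LMS code: the two message codes come from the note, while the sample lines, host names, line layout and the choice to group triggers per device are constructed assumptions.

```python
import re

# Message codes the guide names as triggers; its "etc." means the real list is longer.
TRIGGERS = {"SYS-6-CFG_CHG", "CPU_REDUN-6-RUNNING_CONFIG_CHG"}

# Constructed sample input (host names and message text are made up).
SAMPLE_LINES = [
    "Nov  1 10:00:03 sw-core-1 %SYS-6-CFG_CHG:Module 1 block changed by Console//",
    "Nov  1 10:00:09 rtr-edge-2 %CPU_REDUN-6-RUNNING_CONFIG_CHG: Running config on this CPU has possibly changed",
    "Nov  1 10:00:11 rtr-edge-2 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "Nov  1 10:00:12 sw-core-1 %SYS-6-CFG_CHG:Global block changed by Console//",
    "Nov  1 10:00:15 rtr-edge-2 garbled text without a message code",
]

# timestamp, host, then %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: text
MSG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+.*?"
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)?)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
    r"\s*(?P<text>.*)$"
)


def parse(line):
    """Split one syslog line into its fields, or return None on bad syntax."""
    m = MSG.match(line.strip())
    if m is None:
        return None
    msg = m.groupdict()
    msg["code"] = "{facility}-{severity}-{mnemonic}".format(**msg)
    return msg


def fetch_requests(lines, triggers=TRIGGERS):
    """Return (pending, stats): devices whose configuration should be fetched,
    each with the codes that caused it, plus counters for what was read."""
    stats = {"read": 0, "triggering": 0, "ignored": 0, "bad_syntax": 0}
    pending = {}  # host -> list of trigger codes, in arrival order
    for line in lines:
        stats["read"] += 1
        msg = parse(line)
        if msg is None:
            stats["bad_syntax"] += 1
        elif msg["code"] in triggers:
            stats["triggering"] += 1
            pending.setdefault(msg["host"], []).append(msg["code"])
        else:
            stats["ignored"] += 1
    return pending, stats


if __name__ == "__main__":
    pending, stats = fetch_requests(SAMPLE_LINES)
    for host, codes in pending.items():
        print(f"fetch {host}: triggered by {', '.join(codes)}")
    print(stats)
```

A device that sends no change message to the collector produces no trigger line, so a change made on it is only picked up by the periodic polling or collection schedules.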
If LMS detects an effective change, the new configuration is queued for archival. The archiver calculates the exact effective changes, assigns a new version number to the newly collected archive, and archives it in the system. At the end, the archiver logs a change audit record stating that the configuration of the device has changed, along with other audit information. If you have enabled the Enable Shadow Directory option in the Archive Settings dialog box (select Admin > Collection Settings > Config > Config Archive Settings), the latest running configuration file is also stored in a raw format, for manual TFTP purposes to restore the configuration on the device, in the directory location:
On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow On Windows, NMSROOT/files/rme/dcma/shadow. Where NMSROOT is the directory in which
Note
Startup configurations are not versioned and only one copy of the startup configuration of devices (which supports startup configuration), is saved in the system. No change audit records are logged for changes in the Startup Configuration files. LMS first compares the collected configuration file, with the latest configuration in the archive, and checks to see if there are effective configurations changes from what was previously archived.
Any configuration change made through the LMS system (for example, using Config Editor or NetConfig) has the user name of the user who scheduled the change job. Any configuration change that was made outside of LMS and detected through the configuration retrieval process has the user name reported by the device through the CONFIG-MAN-MIB variable (ccmHistoryEventTerminalUser). Changes identified through syslog messages contain the user name identified in the Syslog message, if present.
Periodic configuration archival (with and without configuration polling). To do this, select Admin > Network > Collection Settings > Config > Config Collection Settings.
Manual configuration archival. To do this, select Configuration > Configuration Archive > Synchronization.
You can modify how and when the configuration archive retrieves configurations by selecting one or all of the following:
Periodic Polling
The configuration archive performs a SNMP query on the device. If there are no configuration changes detected in the devices, no configuration is fetched.
Periodic Collection
The configuration is fetched without checking for any changes in the configuration. By default, the Periodic Collection and Polling are disabled.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. The following is the workflow for defining the configuration collection setting:
Step 1 Select Admin > Config > Config Collection Settings. The Config Collection Settings dialog box appears.
Step 2 Select one or all of the following options:
Periodic Polling
a. Select Enable for Configuration archive to perform an SNMP query on the device to retrieve configuration.
b. Click Schedule. The Config Collection Schedule dialog box appears.
c.
Field | Description
Scheduling
Run Type | You can specify when you want to run the configuration polling job. To do this, select one of these options from the drop-down menu: Daily: Runs daily at the specified time. Weekly: Runs weekly on the day of the week and at the specified time. Monthly: Runs monthly on the day of the month and at the specified time. The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3.
Date | You can select the date and time (hours and minutes) to schedule.
Job Information
The system default job description, Default config polling job is displayed. You cannot change this description.
Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.
d. Click OK.
Periodic Collection
a. Select Enable for Configuration archive to perform a periodic check on the device to retrieve configuration.
b. Click Schedule. The Config Collection Schedule dialog box appears.
c.
Field | Description
Scheduling
Run Type | You can specify when you want to run the configuration collection job. To do this, select one of these options from the drop-down menu: Daily: Runs daily at the specified time. Weekly: Runs weekly on the day of the week and at the specified time. Monthly: Runs monthly on the day of the month and at the specified time. The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3.
Date | You can select the date and time (hours and minutes) to schedule.
Job Information
The system default job description, Default config collection job is displayed. You cannot change this description.
Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.
d. Click OK.
Step 3 Either click Apply to accept the new values provided, or click Cancel if you want to discard the changes and revert to previously saved values. If you had clicked Apply, a message appears:
New settings saved successfully.
You can check the status of your scheduled job by selecting Admin > Jobs > Browser.
Telnet
TFTP (Trivial File Transfer Protocol)
RCP (remote copy protocol)
SSH (Secure Shell)
SCP (Secure Copy Protocol)
HTTPS (Hyper Text Transfer Protocol Secured)
Requirements to Use the Supported Protocols
Defining the Protocol Order
You must...
Know Telnet passwords for login and Enable modes for device. If device is configured for TACACS authentication, enter Primary Username and Primary Password.
Know read and write community strings for device.
Configure devices to support incoming rcp requests. To make sure the device is rcp-enabled, enter the following commands in the device configuration:
# ip rcmd rcp-enable
# ip rcmd remote-host local_username {ip-address | host} remote_username [enable]
where ip-address | host is the IP address/hostname of the machine where LMS is installed. The default remote_username and local_username are cwuser. For example, you can enter:
# ip rcmd remote-host cwuser 123.45.678.90 cwuser enable
Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS server. To do this, use the no ip rcmd domain-lookup command so that RCP can fetch the device configuration.
You must... Know the username and password for the device. If device is configured for TACACS authentication, enter the Primary Username and Primary Password. Know password for Enable modes. When you select the SSH protocol for the LMS applications (Configuration Archive, NetConfig, ConfigEditor, and NetShow) the underlying transport mechanism checks whether the device is running SSHv2. If so, it tries to connect to the device using SSHv2. If the device does not run SSHv2 and runs only SSHv1 then it connects to the device through SSHv1. If the device runs both SSHv2 and SSHv1, then it connects to the device using SSHv2. If a problem occurs while connecting to the device using SSHv2, then it does not fall back to SSHv1 for the device that is being accessed. Some useful URLs on configuring SSHv2 are:
Configuring Secure Shell on Routers and Switches Running Cisco IOS: http://www.cisco.com/warp/public/707/ssh.shtml
How to Configure SSH on Catalyst Switches Running Catalyst OS: http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a0080094314.shtml
Configuring the Secure Shell Daemon Protocol on CSS: http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/security/guide/sshd.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html
You must...
Know the SSH username and password for the device. To make sure the device is scp-enabled, enter the following commands in the device configuration.
To configure local User name:
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local
username admin privilege 15 password 0 system
ip ssh authentication-retries 4
ip scp server enable
User on the TACACS Server should be configured with privilege level 15:
user = admin {
    default service = permit
    login = cleartext "system"
    service = exec {
        priv-lvl = 15
    }
}
HTTPS
Know the username and password for the device. Enter the Primary Username and Password in the Device and Credential Repository. To enable the configuration archive to gather the configurations using https protocol you must modify your device configurations: http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_installation_and_configuration_guides_list.html This is used for VPN 3000 device. The configuration archive uses Telnet/SSH to gather the module configurations of Catalyst 5000 family devices and vlan.dat file in case of Catalyst IOS switches. Make sure you enter the correct Telnet and Enable passwords.
If you enabled TACACS for a device and configured custom TACACS login and password prompts, you may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts recognizable, you must edit the TacacsPrompts.ini file. See the procedure given in Handling Custom Telnet Prompts. For module configs, the passwords on the module must be the same as the password on the supervisor. This section also explains Supported Protocols for Configuration Management Applications.
The LMS device packages Online help. You can launch the LMS device packages Online help using Help > Device Packages. or
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Step 1 Select Admin > Collection Settings > Config > Config Transport Settings. The Config Transport Settings dialog box appears.
Step 2 Go to the first drop-down list box, select the application for which you want to define the protocol order.
Step 3 Select a protocol from the Available Protocols pane and click Add. If you want to remove a protocol or change the protocol order, you must remove the protocol using the Remove button and add the protocol again. The list of protocols that you have selected appears in the Selected Protocol Order pane. When a configuration fetch or update operation fails, an error message appears. This message displays details about the supported protocol for the particular device and its modules, if there are any. For the list of supported protocols, see Supported Device Table for Configuration Management application on Cisco.com.
Step 4 Click Apply. A message appears, New settings saved successfully.
Step 5 Click OK.
Receives the filters it needs from the LMS server to filter Syslog messages. Sends status to the Syslog Analyzer process about the collected Syslog messages upon request from the Analyzer, including the number of messages read, number of messages filtered, and number of messages with bad syntax. It also forwards unfiltered messages to the Syslog Analyzer process. If the Syslog Analyzer does not send any filters, then the Collector sends all the syslogs to the Analyzer without filtering.
If you restart the LMS server, Syslog Collector will lose communication to the LMS server. Based on the current filters, it continues to filter the syslogs and stores them in a local file: NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\server name_port\DowntimeSyslogs.log The Syslog Analyzer will automatically restore the connection after LMS server restart. For the complete instructions on installing the Common Syslog Collector, see the Installing and Migrating to CiscoWorks LAN Management Solution 4.1.
View the status of your Common Syslog Collector (see Viewing Common Syslog Collector Status)
Subscribe/Unsubscribe a Common Syslog Collector (see Subscribing to a Common Syslog Collector)
Test Syslog Collector Subscription (see Testing Syslog Collector Subscription)
Understanding the Syslog Collector Properties File
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Click Subscribe to subscribe a Syslog collector. Select the Syslog collector and click Unsubscribe to unsubscribe the Syslog collector. If you want to refresh the information in this dialog box, click Update.
Administering Collection Settings Viewing Status and Subscribing to a Common Syslog Collector
If you have restarted the LMS daemon manager, the Syslog Collector Status processes (under Admin > Network > Syslog Collection Settings) may take 6-10 minutes to come up after the Syslog Analyzer processes come up. In this interval you may see the following message:
Collector Status is currently not available. Check if the SyslogAnalyzer process is running normally.
Wait for the Syslog Collector status process to come up and try again. To subscribe to a Common Syslog Collector using the Subscribe button, see Subscribing to a Common Syslog Collector.
1. The Self-signed Certificates are valid. For example, check for the expiry date of the certificates on both the servers.
2. The Self-signed Certificates from this server are copied to the Syslog Collector server and vice-versa. To do this, select Admin > Trust Management > Multi Server > Peer Server Certificate Setup. See Setting up Peer Server Certificate for more information.
3. The SyslogCollector process on Syslog Collector server and SyslogAnalyzer process on this server are restarted after Step 2.
4. Both hosts are reachable by host name.
Select Admin > Collection Settings > Syslog > Syslog Collection Settings. The Collector Status dialog box appears. For the information in the columns in the dialog box, see Viewing Common Syslog Collector Status:
Step 2
Step 3 Step 4
Click OK. Enter the address of the Common Syslog Collector to which you want to subscribe. Click OK. The Syslog Analyzer server is subscribed to the specified Common Syslog Collector.
If you are already subscribed to a Syslog collector, and you want to unsubscribe, select the collector and click the Unsubscribe button. If you want to test the Syslog collector subscription, select the collector and click Test Collector Subscription. For more information see Testing Syslog Collector Subscription.
Select Admin > Collection Settings > Syslog > Syslog Collection Settings. The Collector Status dialog box appears. For the information on the dialog box, see Viewing Common Syslog Collector Status. Either:
Select a Syslog collector and click Test Collector Subscription. The Test Collector Subscription popup window appears with the Syslog collector address.
Or
Click Test Collector Subscription. Enter the Syslog collector in the Test Collector Subscription popup window.
Step 4
Click OK. The Test Collector Subscription Status popup window appears, displaying the following status of the Syslog collector:
SSL certificate status: Status of the SSL Certificates. For example, SSL certificates are valid and are properly imported. For more information see Syslog Collector Subscription Messages.
Collector status: Status of the Syslog collector. For example, Collector is up and reachable. For more information see Syslog Collector Subscription Messages.
The following table provides the Syslog collector subscription status messages shown when you test the subscription of a Syslog Collector:
Subscription Status: SSL Certification
Message: SSL certificate issue occurred, check if:
1. The Self-signed Certificates are valid. For example, check the certificate expiry date on the servers.
2. The Self-signed Certificates of this server are copied to the Syslog Collector server and vice-versa. To do this, go to Admin > System Administration > Multiserver Management > Peer Server Certificate Setup and add the certificate. See the Administration User Guide for LMS for more details.
3. The SyslogCollector process on Syslog Collector server and the SyslogAnalyzer process in the current working server are restarted after Step 2.
4. Both hosts are reachable by hostname.
When the SSL certificates are valid
Subscription Status: Collector
When the hostname is not DNS resolvable
If the SyslogCollector process is down: SyslogCollector process is down. Check if the SyslogCollector process is running on the port <<port number>>.
If the Syslog Collector is down: Cannot check SSL connectivity because the Syslog Collector is down.
The path of the Timezone file. This file contains the offsets for the time zones. After installing the Syslog Collector, ensure that the offset specified in this file is as expected. If it is not present or is incorrect, you can add the Timezone offset as per the convention. The default path is:
On Solaris/Soft Appliance, opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/TimeZone.lst
On Windows, %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\fcss\data\TimeZone.lst
General Properties
SYSLOG_FILES: Filename and location of the file from which syslog messages are read. The default location is:
On Solaris/Soft Appliance: /var/log/syslog_info
On Windows: %NMSROOT%\log\syslog.log
DEBUG_CATEGORY_NAME: Name Syslog Collector uses for printed ERROR or DEBUG messages. The default category name is SyslogCollector. We recommend that you do not change the default value.
DEBUG_FILE: Filename and location of the Syslog Collector log file containing debug information. The default location is:
On Solaris/Soft Appliance, /var/adm/CSCOpx/log/CollectorDebug.log
On Windows, %NMSROOT%\log\CollectorDebug.log
DEBUG_LEVEL: Debug levels in which you run the Syslog Collector. We recommend that you retain the default INFO, which reports informational messages. Setting it to any other value might result in a large number of debug messages being reported. If you change the debug level, you must restart the Syslog Collector. The values for the Debug levels are:
DEBUG_MAX_FILE_SIZE: Maximum size of the log file containing the debug information. The default is set to 5 MB. If the file size exceeds the limit that you have set, Syslog Collector writes to another file, based on the number of backup files that you have specified for the DEBUG_MAX_BACKUPS property. For example, if you have specified the number of backups as 2, besides the current log file, there will be two backup files, each 5 MB in size. When the current file exceeds the 5 MB limit, Syslog Collector overwrites the oldest of the two backup files.
DEBUG_MAX_BACKUPS: The number of backup files that you require. The size of these will be the value that you have specified for the DEBUG_MAX_FILE_SIZE property.
Interval at which the Collector polls the syslog file. The default is set to 1 second.
Size of the internal buffer, for queuing syslog messages. The default is set to 100000.
File that contains the list of parsers used while parsing syslog messages. The default path of the parser file:
On Solaris/Soft Appliance, opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/LMSng/fcss/data/FormatParsers.lst
On Windows, %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\fcss\data\FormatParsers.lst
SUBSCRIPTION_DATA_FILE: Syslog Collector data file that contains the information about the Syslog Analyzers that are subscribed to the Collector. The default path of the data file:
On Solaris/Soft Appliance, opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Subscribers.dat
On Windows, %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Subscribers.dat
FILTER_THREADS: Number of threads that operate at a time for filtering syslog messages. The default is set to 1.
COLLECTOR_PORT: Default port of the Syslog Collector. The default is set to 4444. The port where the collector listens for registration requests from Syslog Analyzers.
CHAPTER 9
Configuring Fault Poller Settings For Topology
Loading MIB Files
Configuring NAM
Configuring RMON
Configuring Topology Settings
Step 1 Select Admin > Network > Monitor / Troubleshoot > Fault Poller settings for topology. The Fault Monitor Poller Settings page appears.
Step 2 Select the Poll Fault Monitor Server for alerts check box. If you try to apply the settings when the Fault Monitor module is not installed on a local or remote server, you will get an error message indicating the same. If the Fault Monitor module is enabled, the list of LMS servers detected is displayed above this check box. If the Fault Monitor module is installed after running Data Collection, either run Data Collection or restart ANI Server before enabling the above setting.
Step 3 Set the time interval at which the polling should occur. Fault Monitor updates the latest event information every 6 minutes, so the time interval can be a value between six minutes and fifty-nine minutes, fifty-nine seconds.
Step 4 Click Apply. The settings are saved to the server and polling starts within six minutes of the configuration.
In addition, you can restrict the type of LMS event displayed on your machine. For example, you can choose to display only critical events in Topology maps. The event information fetched from the Fault Monitor server can be launched from Topology Maps and the N-Hop view portlet by right-clicking the required device.
Select Admin > Network > Monitor / Troubleshoot > Load MIB. The Load MIB dialog box appears. Table 9-1 describes the field in the Load MIB dialog box.
Table 9-1 Load MIB Fields
Description Use the Browse button to load a MIB file from a directory location. For example, RFC1213-MIB.my You are allowed to load a MIB file only from the following directory path:
Step 2 Click Browse to select the MIB file from a directory location. The Server Side File Browser dialog box appears.
Step 3 Double-click the MIB file from the directory location.
Step 4 Click Apply to load the MIB file into LMS or Cancel to cancel the operation.
You can load and compile a new MIB file into LMS only when its dependent MIB files are available in the directory location. For example, to load and compile RFC1213-MIB, the dependent MIB files for RFC1213-MIB (RFC1155-SMI and RFC-1212) must also be available at the same directory location. If the dependent MIB files are not available, an appropriate error message is displayed and RFC1213-MIB does not compile. The names of the dependent MIB files are case sensitive: they should be the same as the MIB file names present in the definition files. Load only version2 MIB.
The following is the list of basic dependent MIBs that will be required for loading other MIBs in LMS:
RMON2-MIB.my
BRIDGE-MIB.my
RFC-1215.my
INET-ADDRESS-MIB.my
P-BRIDGE-MIB.my
Q-BRIDGE-MIB.my
CISCO-NETFLOW-MIB.my
CISCO-STACK-MIB.my
TOKEN-RING-RMON-MIB.my
RFC-1212.my
RMON-MIB.my
RFC1155-SMI.my
RFC1213-MIB.my
SNMP-FRAMEWORK-MIB.my
CISCO-SMI.my
ENTITY-MIB.my
FDDI-SMT73-MIB.my
CISCO-VTP-MIB.my
SNMPv2-TC.my
SNMPv2-SMI.my
SNMPv2-MIB.my
SNMPv2-CONF.my
IF-MIB.my
IANAifType-MIB.my
To view the list of more dependent MIBs go to: http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2 The compiled MIB file appears in the Show MIB drop-down list in Select MIB Variables page.
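The dependency rule described above can be checked before a MIB is loaded. The following is an added example, not part of the Cisco guide: it reads the IMPORTS clause of a MIB, follows the dependencies it finds, and reports modules that are missing or whose file names differ only in case. It assumes each module is stored as <module name>.my in the same directory, as the file names listed above suggest; the sample files are constructed.

```python
import os
import re
import tempfile
from collections import deque

COMMENT = re.compile(r"--.*?(?:--|$)", re.MULTILINE)    # ASN.1 comment
IMPORTS = re.compile(r"\bIMPORTS\b(.*?);", re.DOTALL)    # whole IMPORTS clause
FROM = re.compile(r"\bFROM\s+([A-Za-z][A-Za-z0-9-]*)")   # module named after FROM


def imported_modules(mib_text):
    """Return the module names in the IMPORTS clause, in order, without repeats."""
    text = COMMENT.sub("", mib_text)          # a commented-out FROM must not count
    clause = IMPORTS.search(text)
    if clause is None:
        return []
    return list(dict.fromkeys(FROM.findall(clause.group(1))))


def check_dependencies(mib_path, suffix=".my"):
    """Walk the import graph of mib_path inside its own directory.

    Assumption: a module named X is stored as X + suffix next to the MIB.
    """
    directory = os.path.dirname(os.path.abspath(mib_path))
    present = set(os.listdir(directory))
    by_lower = {name.lower(): name for name in present}
    report = {"ok": [], "case_mismatch": [], "missing": []}
    seen = set()
    queue = deque([mib_path])
    while queue:
        path = queue.popleft()
        with open(path, encoding="ascii", errors="replace") as handle:
            modules = imported_modules(handle.read())
        for module in modules:
            if module in seen:
                continue
            seen.add(module)
            wanted = module + suffix
            if wanted in present:
                report["ok"].append(module)
                queue.append(os.path.join(directory, wanted))  # check its imports too
            elif wanted.lower() in by_lower:
                # File exists, but the name does not match the module name exactly.
                report["case_mismatch"].append((module, by_lower[wanted.lower()]))
            else:
                report["missing"].append(module)
    return report


def demo():
    """Build a constructed MIB directory and check one file in it."""
    files = {
        # Constructed sample contents, not real MIB definitions.
        "SITE-TEST-MIB.my": (
            "SITE-TEST-MIB DEFINITIONS ::= BEGIN\n"
            "IMPORTS\n"
            "    ifIndex FROM RFC1213-MIB   -- was: FROM OLD-MIB\n"
            "    DisplayString FROM SNMPv2-TC;\n"
            "END\n"
        ),
        "RFC1213-MIB.my": (
            "RFC1213-MIB DEFINITIONS ::= BEGIN\n"
            "IMPORTS\n"
            "    mgmt, Counter FROM RFC1155-SMI\n"
            "    OBJECT-TYPE FROM RFC-1212;\n"
            "END\n"
        ),
        "RFC1155-SMI.my": "RFC1155-SMI DEFINITIONS ::= BEGIN\nEXPORTS mgmt;\nEND\n",
        "rfc-1212.my": "RFC-1212 DEFINITIONS ::= BEGIN\nEND\n",  # wrong case on disk
    }
    with tempfile.TemporaryDirectory() as directory:
        for name, body in files.items():
            with open(os.path.join(directory, name), "w", encoding="ascii") as handle:
                handle.write(body)
        return check_dependencies(os.path.join(directory, "SITE-TEST-MIB.my"))


if __name__ == "__main__":
    for status, modules in demo().items():
        print(status, modules)
```
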
Configuring NAM
NAM refers to Cisco Network Analysis Module Traffic Analyzer. The NAM offers flow-based traffic analysis of applications, hosts, and conversations; performance-based measurements on application, server, and network latency; and quality of experience metrics for network-based services such as voice over IP (VoIP) and video. Only NAM 4.1 is supported in LMS 4.1. To add, edit, or delete the NAM configuration details:
Step 1 Step 2
Select Admin > Network > Monitor / Troubleshoot > NAM Configuration. The NAM Configuration page appears. You can do the following:
Add
Click Add. The Add NAM Configuration page appears. Enter the IP Address in the NAM IP field. Enter the user name and password in the corresponding fields. Enter the SNMP read community. Select either HTTP or HTTPS as the protocol. Enter the port number. Click Add to add the new NAM configuration details or Cancel to return to the NAM Configuration page.
Edit
Select a configuration detail that has to be edited. Click Edit. The Edit NAM Configuration page appears. Enter the IP Address in the NAM IP field. Enter the user name and password in the corresponding fields. Enter the SNMP read community. Select either HTTP or HTTPS as the protocol. Enter the port number. Click Edit to save the changes or Cancel to return to the NAM Configuration page.
Delete
Select a configuration detail that has to be deleted. Click Delete. A confirmation dialog box appears. Click OK to confirm or Cancel to return to the NAM Configuration page.
Configuring RMON
You can enable RMON to measure Bandwidth Utilization for Topology. Bandwidth Utilization is the measure of traffic flowing across a link. LMS highlights bandwidth utilization across links, in the Topology maps. It computes the bandwidth utilization by taking the best estimate of the mean physical layer network utilization on the links, during the sampling time interval. In Topology Map, LMS can differentiate the links using colors, based on the bandwidth utilized by them. You can customize the filters to display bandwidth utilization. For more details, see Customizing Bandwidth Utilization Filters in Monitoring and Troubleshooting Online Help. This section contains:
Modifying the Parameters
Enabling RMON on All Ports in Selected Devices
Enabling RMON on Selected Ports in Selected Devices
Disabling RMON
Note
LMS computes bandwidth utilization only on ethernet links, and not on any other type of link. To compute bandwidth utilization in LMS, you must enable Remote Monitoring (RMON). Enabling RMON depends on two parameters.
Parameters to Compute Bandwidth Utilization
Bucket Size: Number of samples (incoming and outgoing packets) that will be examined for a given point of time.
Interval: Duration for which samples are to be collected.
The default values for Bucket Size and Interval are 10 and 300 respectively. Though you cannot edit the values through the user interface of LMS, you can reconfigure these values through command line interface. For more details see Modifying the Parameters. LMS computes bandwidth utilization only for those devices that have the same parametric values as configured and displayed in the RMON Settings page. This application allows you to configure only the same parametric values on all link ports. This is to avoid conflicts in computation.
Enabling RMON on Ports
All Ports in selected devices. For details, see Enabling RMON on All Ports in Selected Devices.
Selected Ports in selected devices. For details, see Enabling RMON on Selected Ports in Selected Devices.
LMS highlights links in the Topology Map even if the devices are managed by other applications such as HPOV, or CiscoView.
Note
You must configure the same value for Interval across the devices. To reconfigure the values:
Step 1 Enter pdterm ANIServer at the command line to stop the ANI server.
Step 2 Go to NMSROOT/campus/etc/cwsi/ANIServer.properties.
Step 3 Modify the values of the properties RMON.interval for Interval and RMON.bucketSize for the Bucket Size. The maximum value that you can enter for RMON.interval is 3600 seconds (one hour).
Step 4 Enter pdexec ANIServer at the command line to start the ANI server.
After modifying the bucket size and interval, enable RMON in devices as explained in Enabling RMON on All Ports in Selected Devices or Enabling RMON on Selected Ports in Selected Devices. You can use RMON.percentageTolerance property in the ANIServer.properties file to provide a value for the Interval in a range. This is a hidden property that creates a range for the Interval value. The property adds a value to the current interval that forms the upper limit and subtracts a value from the current interval that forms the lower limit of the range. The default hidden value is 10 percent of the interval. For example, if the value provided in the ANIServer.properties file is 300, the range will be 270-330. Thus, the samples are collected for the range of 270 to 330 seconds. If you want to change this default value, you must:
Step 1 Stop the ANI server.
Step 2 Enter pdterm ANIServer at the command line to stop the ANI server.
Step 3 Go to NMSROOT/campus/etc/cwsi/ANIServer.properties.
Step 4 Enter RMON.percentageTolerance=value.
Step 5 Start the ANI server.
Step 6 Enter pdexec ANIServer at the command line to start the ANI server.
Step 1 Select Admin > Network > Monitor / Troubleshoot > RMON Configuration. The Enable RMON dialog box appears. The Device Selector pane displays a list of all devices.
Step 2 Select the check box corresponding to the devices for which you want to enable RMON. The RMON Settings area displays the default Bucket Size required as 10, and the Interval in seconds as 300. For a Bucket Size of 10 and an interval of 300 seconds, LMS collects 10 samples of bandwidth utilization across links over a period of 50 minutes, with an interval of 5 minutes (300 seconds). To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters, repeat all the steps listed in this section to enable RMON with the new parameters.
Step 3 Check the Configure on all links check box to configure all the ports of the selected devices in the Device Selector.
Step 4 Click Configure to enable RMON on all the ports in the selected devices. The following command is configured on the selected ports:
rmon collection history
Example:
rmon collection history
Step 1 Select Admin > Network > Monitor / Troubleshoot > RMON Configuration. The Enable RMON dialog box appears. The Device Selector pane displays the list of devices.
Step 2 Select the check box corresponding to the devices for which you want to enable RMON. The RMON Settings area displays the default Bucket Size required as 10, and the Interval in seconds as 300. For a Bucket Size of 10 and an interval of 300 seconds, LMS collects 10 samples of bandwidth utilization across links over a period of 50 minutes, with an interval of 300 seconds (5 minutes). To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters, repeat all the steps listed in this section to enable RMON with the new parameters.
Step 3 Uncheck the Configure on all Links check box since it is checked by default.
Step 4 Click Select links to select the ports for which you want to enable RMON. It displays the list of ports in the selected devices. For details on the list displayed, see Table 9-2. The Select Links check box is enabled only when you uncheck the Configure on all links check box.
Table 9-2
Description Name of the port. Name of the device where the port is connected. The IP address of the device.
True
Select check boxes corresponding to the ports for which you want to enable RMON. Click Configure to enable RMON on the selected ports. The following command is configured on the selected ports:
rmon collection history
Example:
rmon collection history
Disabling RMON
After you have enabled RMON on a device through LMS, you can disable it using Command Line Interface (CLI) only.
Commands to Disable RMON
For a device running Cisco IOS, enter the following command at the CLI prompt:
no rmon
For a device running Catalyst operating system, enter the following command at the CLI prompt:
set snmp rmon disable
Restrict Topology Maps to display only authorized devices. For details, see Viewing Restricted Topology. Configure LMS to fetch event information from Fault Monitor, and display it in Topology Maps. For details, see Configuring Fault Poller Settings For Topology.
Step 1 Select Admin > Network > Monitor / Troubleshoot > Restricted Topology View. The configuration screen is displayed.
Step 2 Select Display Only the Authorized devices in Topology Maps.
Step 3 Click Apply. Topology Maps display only the devices you are authorized to view. If Topology Services is already launched, close it and relaunch for the change to take effect.
Important Notes
It becomes an unauthorized device. The device is not shown in Topology maps in the consecutive relaunches. When the changed IP address is given as root in N-hop view portlet, it results in an error.
CHAPTER 10
Understanding Notifications and Subscriptions
Customizing LMS Events
Configuring Event Sets and Notification Groups for Subscriptions
Managing Fault SNMP Trap Notifications
Managing Fault E-Mail Configurations
Managing Fault Syslog Notifications
Configuring Fault SNMP Trap Receiving and Forwarding
Performance SNMP Trap Notification Groups
Performance Syslog Notification Groups
Defining Automated Actions
Defining Syslog Message Filters
Inventory and Config Collection Failure Notification
IPSLA Syslog Configuration
If you work with static groups, no further devices can be added to those groups. If you set up dynamic groups, then any device that fits the criteria for the groups will be added to those groups.
After you have configured your subscription, you can name it according to your needs. Regardless of whether you configure SNMP Trap, E-Mail, or Syslog notifications, you must always create a subscription containing a notification group. The final step in configuring your notification subscription is specifying the notification recipients.
Note
If a subscription is monitoring all events on a device (by not using an event set), and another subscription is monitoring only specific events on a device, you will receive duplicate notifications. Notification Services tracks events on device types, not on device components. For details on Notifications and Subscriptions, see the following topics:
If you want to monitor a specific set of events, create an event set that contains the events you want to monitor. Otherwise, all events will be monitored. Create a notification group that specifies the criteria the Fault Management module should use when generating notifications:
One or more event sets (if no event set is specified, all events are monitored) Devices, event severity and status
You can specify the notification group name, along with entering identifying information (using the Customer ID and Customer Revision fields).
Notification Types
The Fault Management module in LMS 4.1 provides three types of notifications:
SNMP Trap Notification: Fault Management module generates traps with information about the events that caused it. CISCO-EPM-NOTIFICATION-MIB defines the trap message format. For more information, see Notification MIB in Monitoring and Troubleshooting Online Help. LMS can also generate SNMP trap notifications for specified events. Using SNMP trap notification is different from forwarding raw traps to another server before they have been processed by LMS.
E-mail Notification: LMS generates e-mail messages containing information about the events that caused it. CISCO-EPM-NOTIFICATION-MIB defines the message, which is included in the e-mail in text format. You can specify that you want the e-mail to only contain an informational subject line or can customize the e-mail subject. For information on customizing the e-mail subject, see Managing Fault E-Mail Subject Customization.
Syslog Notification: LMS generates Syslog messages that can be forwarded to Syslog daemons on remote systems.
All notifications have a default maximum message size of 250 characters. You can reset this variable to any value between 250 and 1024 characters by editing the notification properties file. To do this:
Procedure
Step 1 Open the configuration file NMSROOT/objects/nos/config/nos.properties.
Step 2 Locate the following lines and change the value to any value up to 1024 characters:
MAX_TRAP_DES=250
MAX_EMAIL_DES=250
MAX_SYSLOG_DES=250
Step 3
Stop and restart the Cisco Prime daemon manager on the LMS server.
a.
On Solaris/Soft Appliance:
/etc/init.d/dmgtd stop
b.
On Solaris/Soft Appliance:
/etc/init.d/dmgtd stop
Notification Replay
You can configure LMS to replay notifications in the event that LMS has to be restarted. To enable this feature, edit the file /opt/CSCOpx/objects/nos/config/nos.properties and set the value SEND_NOTIF_ON_START=1. When the value is set to the default value (0), the notifications will not be replayed.
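A check for the two nos.properties edits described above (the message size limits and notification replay), as an added example that is not part of the Cisco guide. It assumes the file uses plain key=value lines in which the last definition of a key takes effect; the sample content is constructed.

```python
import re

# Keys and limits as stated on this page for nos.properties.
SIZE_KEYS = ("MAX_TRAP_DES", "MAX_EMAIL_DES", "MAX_SYSLOG_DES")
SIZE_MIN, SIZE_MAX = 250, 1024
REPLAY_KEY = "SEND_NOTIF_ON_START"

# key, optional "=" or ":" separator, then the value with outer whitespace trimmed
LINE = re.compile(r"^\s*([^\s=:]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Return (effective values, every value seen per key in file order)."""
    effective, history = {}, {}
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "#!":   # blank line or comment
            continue
        match = LINE.match(raw)
        if match is None:
            continue
        key, value = match.group(1), match.group(2)
        history.setdefault(key, []).append(value)
        effective[key] = value  # assumption: the last definition wins
    return effective, history


def audit(text):
    """Return (effective values, list of (key, problem) findings)."""
    effective, history = parse_properties(text)
    findings = []
    watched = SIZE_KEYS + (REPLAY_KEY,)
    # An edited line can be silently overridden by a later duplicate.
    for key, values in history.items():
        if key in watched and len(values) > 1:
            findings.append(
                (key, "defined %d times; effective value is %r" % (len(values), values[-1]))
            )
    for key in SIZE_KEYS:
        raw = effective.get(key)
        if raw is None:
            findings.append((key, "not set in this file"))
        elif not (raw.isascii() and raw.isdigit()):
            findings.append((key, "not a number: %r" % raw))
        elif not SIZE_MIN <= int(raw) <= SIZE_MAX:
            findings.append((key, "%s is outside %d-%d" % (raw, SIZE_MIN, SIZE_MAX)))
    replay = effective.get(REPLAY_KEY, "0")       # the page gives 0 as the default
    if replay not in ("0", "1"):
        findings.append((REPLAY_KEY, "expected 0 or 1, found %r" % replay))
    return effective, findings


# Constructed sample for this example, not taken from an LMS server.
SAMPLE = """\
# notification size limits
MAX_TRAP_DES=250
MAX_EMAIL_DES = 2048
MAX_SYSLOG_DES=512
MAX_SYSLOG_DES=100
SEND_NOTIF_ON_START=yes
"""

if __name__ == "__main__":
    values, problems = audit(SAMPLE)
    for key, problem in problems:
        print("%s: %s" % (key, problem))
```
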
Subscriptions
LMS sends notifications based on user-defined subscriptions. You can create up to 32 notification subscriptions. A subscription for SNMP trap notification or e-mail notification includes the following common elements, as determined by the CISCO-EPM-NOTIFICATION-MIB:
Devices: The devices or device groups of importance to the recipients.
Event severity and status: One or more event severity levels and status. You can also customize the names of the events used by Notification Services, and Fault History. See Customizing LMS Events.
Recipients: One or more hosts to receive SNMP traps or users to receive e-mail. For Syslog notifications, the recipient would be the remote host containing a Syslog daemon configured to listen for Syslog messages.
Name: A user-defined name to identify the subscription.
Subscriptions are based on user-configured event sets and notification groups. See Configuring Event Sets and Notification Groups for Subscriptions for more information.
Events
LMS sends notifications whenever an event occurs that matches a subscription. For each event, LMS compares the device, severity, and state against subscriptions and sends a notification when there is a match. Matches can be determined by user-configured event sets and notification groups. The procedure for configuring notification groups is described in Configuring Event Sets and Notification Groups for Subscriptions.
LMS assigns one severity to each event and changes the state of an event over time, responding to user input and changes on the device. Table 10-1 lists values for severity and explains how the state of an event changes over time.
Note
You can change event names to names that are more meaningful to you. See Customizing LMS Events.
Table 10-1 Event Severity and Status
Severity: Critical, Informational
Status:
Active: The event is live.
ACK: A user has manually acknowledged the event. A user can acknowledge only active events.
Cleared: The event is no longer active. Events that have been cleared either expire or, if associated with a suspended device, remain in LMS until a user resumes or deletes the device.
Customizing Names: When you customize an event name, that name is reflected in all notifications, and in Fault History. The new event name is used for all instances of an event, regardless of the component on which the event occurs. You can easily revert to the default event names as needed. The Notification Customization page also lists the new name and default name, so you can easily check which names have been changed. Customizing Event Severity: The event severity can be customized using the New Event Severity feature. You can select Critical or Warning or Informational from the drop-down list.
Select Admin > Network > Notification and Action Settings > Fault Notification Customization. The Notification Customization page appears. Select the event names you want to customize by clicking the check box beside each event name. Enter your new names in the New Event Description fields. Select the event severity from the New Event Severity drop-down list. You can select Critical or Informational. Enter any notes for information in the Troubleshooting Information field. Click Save to save your changes locally. Click Apply for the saved settings to take effect. The confirmation window appears.
Step 8
Click Yes. The changes are applied to LMS. To revert to default event names:
a. From the Notification Customization page, select the events you want to restore to their default names, and click Restore factory settings.
b. Apply your changes by clicking Yes when the confirmation window appears.
Event sets list the events you want monitored for notifications Notification groups contain the criteria that LMS should use when generating a notification:
One or more event sets, or all events Devices Event status and severity Fields for user-specified additional information you want to include with the subscription
Creating event sets and notification groups is described in the following topics:
Note
If a subscription is monitoring all events on a device (by not using an event set), and another subscription is monitoring only specific events on a device, you will receive duplicate notifications.
Notification and Action Settings Configuring Event Sets and Notification Groups for Subscriptions
Select Admin > Network > Notification and Action Settings > Event Sets. The Event Sets page appears. The page contains the following information:
Field: Description
Event Code: Notification Services code for the event. This number cannot be changed and is used to map default names to customized names.
Description: Event description (user-defined or default).
Severity: Event severity.
A-I: Event set label. If an X appears in this column, the corresponding event belongs to that event set.
Select/Unselect All for Event Set: Select an Event Set from the drop-down list.
Step 2
For each event set you want to configure, select events by doing either of the following:
Select specific events by clicking the editable field under the label, and selecting X. Select or deselect all events for an event set using the Select or the Deselect button.
Step 3
Click Apply. If you want to create a notification subscription, first create a notification group that uses your event set. See Configuring Fault Notification Groups.
One or more event sets, if desired (otherwise, the notification group will contain all events) Devices Event status and severity Fields for user-specified additional information you want to include with the subscription Whether the group is static or dynamic
You can configure a maximum of 64 notification groups. Notification Services will not refilter the devices if there is a change in the device list you may access. This section contains: Setting Up a Fault Notification Group as Static or Dynamic
Note
You cannot delete a notification group that is being used by a running subscription.
Select Admin > Network > Notification and Action Settings > Fault Notification Group. Click Add to create a notification group. The Notification Group Save: Add page appears. (If you want to edit or delete a notification group, click the appropriate button and follow the instructions.)
Step 3
Specify the devices, event sets (if desired), and event severity and status. Click Next. If a subscription is monitoring all events on a device (by not using an event set), and another subscription is monitoring only specific events on a device, you will receive duplicate notifications. With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To assist you in locating devices, use the search option in the mega menu.
Step 4
Specify the notification group name, and enter any desired identifying information in the Customer ID and Customer Revision fields.
For e-mail and Syslog notifications, if you leave these fields blank, they are left blank in the notification. For SNMP trap notifications, if you leave these fields blank, they are displayed as follows in any notifications:
Customer ID: Customer Revision: *
Click Next. Create the notification group by clicking Finish. To create a notification subscription, follow the instructions in one of these topics:
Adding an SNMP Trap Notification Subscription Adding and Editing an E-Mail Notification Subscription Adding a Syslog Notification Subscription
Note
Notification groups can be static or dynamic; you cannot have a mix of group types.
To set up LMS to include dynamic groups, edit the file /opt/CSCOpx/objects/nos/config/nos.properties and set the following value: DYNAMIC_NOTIF_GROUPS=1 For additional information, see the following topics:
Subscription: The name of the user-defined request for notification.
Status: The subscription status; can be either of the following:
Running: LMS is using the subscription while monitoring events to determine when to send a notification.
Suspended: LMS will not use the subscription unless you resume it.
You are completely in control of subscriptions. LMS does not delete subscriptions under any circumstances. From the SNMP Trap Notifications page, you can perform the tasks listed in Table 10-2.
Table 10-2 SNMP Trap Notification Subscriptions
Task | Sample Usage | Reference
Add | Add a subscription that will send SNMP trap notification for one device with an event of any severity (critical or informational) and any status (active, acknowledged, or cleared). | Adding an SNMP Trap Notification Subscription
Edit | View the notification group and hosts that comprise the subscription. Change the trap recipients/notification groups that comprise the subscription. | Editing an SNMP Trap Notification Subscription
Suspend | Temporarily stop sending SNMP trap notifications to a host. Temporarily stop sending SNMP trap notifications about a device group. | Suspending an SNMP Trap Notification Subscription
Resume | Start sending SNMP trap notifications to a host again. Start sending SNMP trap notifications about a device group using a previously suspended subscription. | Resuming an SNMP Trap Notification Subscription
Delete | Remove SNMP trap notification subscriptions that are no longer useful. Remove redundant SNMP trap notification subscriptions. | Deleting an SNMP Trap Notification Subscription
Note
Adding a subscription is a multi-step process. Your changes are not saved until you click the Finish button on the final page.
Before You Begin
You must create a notification group before you can create an SNMP trap notification subscription. Refer to Configuring Fault Notification Groups. To add an SNMP trap notification subscription:
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification. The SNMP Trap Notification Subscriptions page appears.
Step 2 Click Add.
Step 3 Complete the Trap Subscription Save: Add window:
a. Enter a subscription name.
b. Select a notification group. If you are upgrading LMS and want to use the trap recipients from an earlier configuration, activate the Recipients from Upgrade check box. (This choice is only available for systems that have been upgraded from earlier versions of LMS.)
Step 4
An IP address or DNS name for the hostname. Restart the NOSServer to pick up the change in the host name when host name is used for the trap server and there is a change in that host name.
A port number on which the host can receive traps. If the port number is unspecified (empty), the port defaults to 162. (You can verify this in Step 5.)
A comment. (This is optional).
Click Next.
Step 5 Review the information that you entered and click Finish. The SNMP Trap Notifications page is displayed, showing the new subscription.
Note
Note
Editing a subscription is a multi-step process. Your changes are not saved until you click the Finish button on the final page.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification. The SNMP Trap Notification Subscriptions page appears.
Step 2 Select the subscription you want to edit by clicking the radio button beside it.
Step 3 Click Edit. No information is saved until you complete Step 5.
Step 4 Edit the Trap Subscription Save: Edit window:
a. Change the subscription name.
b. Select another notification group. If you are upgrading LMS and want to use the trap recipients from an earlier configuration, activate the Recipients from Upgrade check box. (This choice is only available for systems that have been upgraded from earlier versions of LMS.)
c. Click Next.
Step 5 Add or delete a recipient host or change the port number for a host:
a. To add one or more recipients, for each host, enter:
An IP address or DNS name for the hostname.
A port number on which the host can receive traps. If the port number is unspecified (empty), the port defaults to 162. (You can verify this in Step 6.)
A comment. This is optional.
b. To delete a recipient, delete the hostname, port number, and comment, if any.
c. Click Next.
Step 6 Review the information that you entered and click Finish. The SNMP Trap Notifications page is displayed.
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification. The SNMP Trap Notification Subscriptions page appears. Select the subscription you want to suspend by clicking the radio button beside it. Click Suspend. Click OK in the confirmation dialog box. The SNMP Trap Notification Subscriptions page is displayed. The subscription status is Suspended.
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification. The SNMP Trap Notification Subscriptions page appears. Select the subscription you want to resume by clicking the radio button beside it. Click Resume. Click OK in the confirmation dialog box. The SNMP Trap Notification Subscriptions page is displayed. The subscription status is Running.
Note
You can also suspend a subscription. Suspending a subscription causes the subscription to not be used until a user resumes it. To delete an SNMP trap notification subscription:
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification. Select the subscription you want to delete by clicking the radio button beside it. Click Delete. Click OK in the confirmation dialog box. The SNMP Trap Subscriptions page appears. The subscription is no longer displayed.
Managing Fault E-Mail Notification Subscriptions Managing Fault E-Mail Subject Customization
You can use the E-Mail Configuration page to configure E-mail notification subscription and to customize the E-mail subject. The E-Mail Configuration page displays the following information:
E-Mail Notification: Forwards events as e-mail to specified e-mail recipients. Forwarded traps are based on Notification Groups. E-Mail Subject Customization: Customizes the e-mail subject for forwarded events.
Note
You may not be able to use some of these functions if you do not have the required privileges.
Subscription: The name of the user-defined request for notification.
Status: The subscription status; can be either of the following:
Running: LMS is using the subscription while monitoring events to determine when to send a notification.
Suspended: LMS will not use the subscription unless you resume it.
You are completely in control of subscriptions. LMS does not delete subscriptions under any circumstances. From the E-Mail Notifications page, you can perform the tasks listed in Table 10-3.
Table 10-3 E-Mail Notification Subscriptions
Task | Sample Usage
Add | Add a subscription that will send e-mail notification to a user for one device with an event of any severity (critical or informational) and any status (active, acknowledged, or cleared). See Adding and Editing an E-Mail Notification Subscription for more information.
Edit | View the notification group and e-mail recipients that comprise the subscription. Change the e-mail recipients/notification group that comprise the subscription.
Suspend | Temporarily stop sending e-mail notifications to a user. Temporarily stop sending e-mail notifications about a device group.
Resume | Start sending e-mail notifications to a user again. Start sending e-mail notifications about a device group using a previously suspended subscription.
Delete | Remove e-mail notification subscriptions that are no longer useful. Remove redundant e-mail notification subscriptions.
Note
Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button on the final page.
Before You Begin
You must create a notification group before you can create an E-Mail Notification subscription. Refer to Configuring Fault Notification Groups. To add or edit a subscription for e-mail notification:
Step 1
Select Admin > Network > Notification and Action Settings > Fault - Email notification. The E-Mail Notification Subscriptions page appears. You can do one of the following:
Step 2
Click Add. Click Edit. You can edit an e-mail notification subscription regardless of its status (Running or Suspended). After you edit an e-mail notification subscription, if the subscription status is Running, e-mail is forwarded as specified until you change, suspend, or delete the subscription. Editing a suspended subscription automatically resumes it.
Click Delete. Click OK in the confirmation dialog box. The E-Mail Subscriptions page appears. The subscription is no longer displayed. Select the subscription you want to suspend by clicking the radio button beside it and click Suspend. Click OK in the confirmation dialog box. The E-Mail Notification Subscriptions page is displayed. The subscription status is Suspended. After you suspend an e-mail notification subscription, LMS stops using the subscription to send e-mail notification.
Select the subscription you want to resume by clicking the radio button beside it and click Resume. Click OK in the confirmation dialog box. The E-Mail Notification Subscriptions page is displayed. The subscription status is Running. After you resume an e-mail notification subscription, LMS starts using the subscription to determine when e-mail notification should be sent in response to an event.
Step 3
When you add or edit a subscription for e-mail notification, a page appears with the following fields:
Field | Description
Subscription Name | Enter a subscription name.
Notification Group | Select a notification group. If you are upgrading LMS and want to use the e-mail recipients from an earlier configuration, activate the Recipients from Upgrade check box. (This choice is only available for systems that have been upgraded from earlier versions of LMS.)
Step 4 Click Next.
Step 5 Enter the following e-mail information:
Field | Description
SMTP Server | The name of the default Simple Mail Transfer Protocol (SMTP) server may already be displayed. The server is specified using Admin > System > SMTP Default Server. You may also enter a fully qualified DNS name or IP address for an SMTP server. To select from any non-default SMTP servers in use by existing subscriptions, click the SMTP Servers button.
Sender Address | Enter the e-mail address that notifications should be sent from. If the sender's e-mail service is hosted on the SMTP server specified, you need enter only the username. You do not need to enter the domain name.
Description Enter one or more e-mail addresses that notifications should be sent to, separating multiple addresses with either a comma or a semicolon. If a recipient's e-mail service is hosted on the SMTP server specified, you need to enter only the username. You do not need to enter the domain name. By default, e-mail notification supplies a fully detailed e-mail message. To omit the message body and send only a subject line, select the Headers Only check box.
Step 6 Step 7
Click the Next button located at the bottom of the page. Review the information that you entered and click Finish. The E-Mail Notification Subscriptions page is displayed, showing the new subscription.
Note
Available Subjects for E-mail: The additional subjects that are fetched from the LMS database. You can use these subjects along with the default available subjects while sending e-mail notifications. By default, the following e-mail subject attributes are displayed in the Available Subjects for E-Mail box:
ifAlias
sysLocation
sysContact
user_defined_field_0
user_defined_field_1
user_defined_field_2
user_defined_field_3
When you import devices from DCR, the subject information gets updated into LMS database and they are displayed as available subjects for e-mails.
Selected Subjects for E-mail: The selected subjects including the default ones in the selected order displayed by the side of the available subjects.
Select Admin > Network > Notification and Action Settings > Fault - Email subject customization. The available and selected lists of the subject attributes for e-mail are displayed. To customize the e-mail subject, you can add and remove subjects from the current e-mail subjects list. By default, the following e-mail subject attributes are displayed in the Selected Subjects for E-Mail box:
Event ID
Device Name
Time
Severity
Event Name
Status
To add a subject:
a. Select the subject attribute from Available Subjects for E-Mail.
b. Click Add. The selected subject attribute is added to the Selected Subjects for E-Mail list. You can add a subject attribute only from the Available Subjects list to the Selected Subjects list. You cannot add a subject attribute from the Selected subject list to the Available Subject list.
Select the subject attribute from Selected Subjects for E-Mail. Click Remove. The selected subject attribute is removed from the Selected list and added to the Available subjects for E-Mail list. You can remove a subject attribute only from the Selected Subjects list and not from the Available Subjects list.
Step 2 Click Up or Down to rearrange the order of the selected e-mail subject attributes.
Step 3 Click Apply to save the customized e-mail subject attributes.
Subscription: The name of the user-defined request for notification.
Notification Group: The name of notification group that is applied to the subscription.
Status: The subscription status; can be either of the following:
Running: Fault Management module is using the subscription while monitoring events to
You are completely in control of subscriptions. Fault Management module does not change or delete subscriptions under any circumstances. From the Syslog Notifications page, you can perform the tasks listed in Table 10-4.
Table 10-4 Syslog Notification Subscriptions
Task | Sample Usage | Reference
Add | Add a subscription that will send a Syslog notification to a remote machine for one device with an event of any severity (critical or informational) and any status (active, acknowledged, or cleared). | Adding a Syslog Notification Subscription
Edit | View the notification group and Syslog recipient that comprise the subscription. Change the Syslog recipients/notification group that comprise the subscription. | Editing a Syslog Notification Subscription
Suspend | Temporarily stop sending Syslog notifications to a remote host. Temporarily stop sending Syslog notifications about a device group. | Suspending a Syslog Notification Subscription
Resume | Start sending Syslog notifications to a remote host again. Start sending Syslog notifications about a device group using a previously suspended subscription. | Resuming a Syslog Notification Subscription
Delete | Remove Syslog notification subscriptions that are no longer useful. Remove redundant Syslog notification subscriptions. |
Note
Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button on the final page.
You must create a notification group before you can create a Syslog Notification subscription. Refer to Configuring Fault Notification Groups. A remote machine's Syslog daemon must be configured to listen on a specified port, and you must enter this information in Step 3 of the following procedure. LMS uses the default port 514.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - Syslog notification. The Syslog Notification Subscriptions page appears. Click Add.
Step 2
a. Enter a subscription name.
b. Select a notification group.
c. Select a facility from the drop-down list (the default is Local Use 0). The Facility field and the event severity are used for the PRI portion of the Syslog message, as follows: [Facility*8][Severity] Event severity values are as follows:
Critical = 2
Information = 6
You can enter location information (up to 29 characters). This information will be populated in the Syslog message. This is optional.
Step 3
An IP address or DNS name for the hostname.
A port number on which the Syslog daemon is listening. If the port number is unspecified (empty), the port defaults to 514. (You can verify this in Step 5.)
A comment. This is optional.
Click Next.
Step 4 Enter the name of the subscription in the Save As field and click Next.
Step 5 Review the information that you entered and click Finish. The Syslog Notification Subscriptions page is displayed with the new subscription.
Note
Note
Editing a subscription is a multistep process. Your changes are not saved until you click the Finish button on the final page.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - Syslog notification. The Syslog Notification Subscriptions page appears.
Step 2 Select the subscription you want to edit by clicking the radio button beside it.
Step 3 Click Edit.
Step 4 Edit the Syslog Subscription Save: Edit window:
a. Change the subscription name.
b. Select a different notification group.
c. Select a Facility from the drop-down list (the default is Local Use 0). The Facility field and the event severity are used for the PRI portion of the Syslog message, as follows: [Facility*8][Severity] Event severity values are as follows:
Critical = 2
Informational = 6
You can enter location information (up to 29 characters). This information will be populated in the Syslog message. This is optional.
d. Click Next.
Step 5 Add or delete a recipient host or change the port number for a host:
a. To add one or more recipients, for each host, enter:
An IP address or DNS name for the hostname.
A port number on which the Syslog daemon is listening. If the port number is unspecified (empty), the port defaults to 514. (You can verify this in Step 7.)
A comment. This is optional.
b. To delete a recipient, delete the hostname, port number, and comment, if any.
c. Click Next.
Step 6 Click the Next button located at the bottom of the page.
Step 7 Review the information that you entered and click Finish. The Syslog Notification Subscriptions page is displayed.
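The PRI arithmetic from the Facility step of the add and edit procedures above, as an added example (not part of the Cisco guide or of LMS): it uses the standard syslog encoding, PRI = facility × 8 + severity, with Local Use 0 as facility code 16, and shows a receiver-side check that incoming notifications carry the configured facility and one of the two listed severities. The function names and sample lines are constructed for illustration.

```python
import re

# Syslog facility code for "Local Use 0" (RFC 3164 numbers local0..local7 as 16..23).
LOCAL_USE_0 = 16

# Event severity values listed in the procedure above.
LMS_SEVERITIES = {2: "Critical", 6: "Informational"}

# A PRI is 1 to 3 digits in angle brackets at the very start of the message.
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """Return the PRI value for a facility/severity pair: facility * 8 + severity."""
    if not 0 <= facility <= 23:
        raise ValueError("facility must be in 0..23")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be in 0..7")
    return facility * 8 + severity


def decode_pri(message):
    """Return (facility, severity) from a raw syslog line, or None if the PRI is invalid."""
    match = _PRI_RE.match(message)
    if match is None:
        return None
    digits = match.group(1)
    # Reject leading zeros ("<007>") and anything above 23 * 8 + 7 = 191.
    if len(digits) > 1 and digits[0] == "0":
        return None
    pri = int(digits)
    if pri > 191:
        return None
    return divmod(pri, 8)


def classify(message, expected_facility=LOCAL_USE_0):
    """Label a received line by whether its PRI matches what the subscription should send."""
    decoded = decode_pri(message)
    if decoded is None:
        return "malformed"
    facility, severity = decoded
    if facility != expected_facility:
        return "unexpected-facility"
    if severity not in LMS_SEVERITIES:
        return "unexpected-severity"
    return LMS_SEVERITIES[severity]


# Constructed sample lines (not real LMS output); only the PRI prefix matters here.
SAMPLE_LINES = [
    "<130>constructed: critical event, facility Local Use 0",
    "<134>constructed: informational event, facility Local Use 0",
    "<38>constructed: auth facility, not the configured one",
    "<131>constructed: Local Use 0 with a severity the procedure does not list",
    "constructed: no PRI at all",
    "<999>constructed: PRI out of range",
]


def summarize(lines):
    """Classify every line and return the verdicts in order."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LINES, summarize(SAMPLE_LINES)):
        print(f"{verdict:20} {line}")
```

A receiver that expects a different facility from the drop-down passes its code as `expected_facility`.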
Select Admin > Network > Notification and Action Settings > Fault - Syslog notification. The Syslog Notification Subscriptions page appears. Select the subscription you want to suspend by clicking the radio button beside it. Click Suspend. Click OK in the confirmation dialog box. The Syslog Notification Subscriptions page is displayed. The subscription status is Suspended.
Select Admin > Network > Notification and Action Settings > Fault - Syslog notification. The Syslog Notification Subscriptions page appears. Select the subscription you want to resume by clicking the radio button beside it. Click Resume. Click OK in the confirmation dialog box. The Syslog Notification Subscriptions page is displayed. The subscription status is Running.
Note
You can also suspend a subscription. Doing so causes the subscription to not be used until a user resumes it. To delete a syslog notification subscription:
Step 1 Step 2
Select Admin > Network > Notification and Action Settings > Fault - Syslog notification. Select the subscription you want to delete by clicking the radio button beside it.
Step 3 Step 4
Click Delete. Click OK in the confirmation dialog box. The Syslog Subscriptions page appears. The subscription is no longer displayed.
Enabling Devices to Send Traps to LMS Enabling Cisco IOS-Based Devices to Send Traps to LMS Enabling Catalyst Devices to Send SNMP Traps to LMS Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs Updating the SNMP Trap Receiving Port Configuring SNMP Trap Forwarding
LMS will only forward SNMP traps from devices in the LMS inventory. It will not change the trap format; it will forward the raw trap in the format in which the trap was received from the device. However, you must enable SNMP on your devices and you must do one of the following:
Configure SNMP to send traps directly to LMS Integrate SNMP trap receiving with an NMS or a trap daemon
Note
The ports and protocols used by Cisco Prime are listed in Installing and Migrating to CiscoWorks LAN Management Solution 4.1.
If your devices send SNMP traps to a Network Management System (NMS) or a trap daemon, see Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs. Since LMS uses SNMP MIB variables and traps to determine device health, you must configure your devices to provide this information. For any Cisco device that you want LMS to monitor, SNMP must be enabled and the device must be configured to send SNMP traps to the LMS server. Make sure your devices are enabled to send traps to LMS by using the command line or GUI interface appropriate for your device:
Enabling Cisco IOS-Based Devices to Send Traps to LMS Enabling Catalyst Devices to Send SNMP Traps to LMS
Notification and Action Settings Configuring Fault SNMP Trap Receiving and Forwarding
string]
where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the SNMP trap receiving host (the LMS server). For more information, see the appropriate command reference guide. To enable Cisco IOS-Based devices to send traps to LMS:
Step 1 Step 2 Step 3 Step 4
Log into Cisco.com. Select Products & Services > Cisco IOS Software. Select the Cisco IOS software release version used by your IOS-based devices. Select Technical Documentation and select the appropriate command reference guide.
where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the SNMP trap receiving host (the LMS server). For more information, see the appropriate command reference guide.
Step 1 Step 2 Step 3 Step 4
Log into Cisco.com. Select Products & Services > Cisco Switches. Select the appropriate Cisco Catalyst series switch. Select Technical Documentation and select the appropriate command reference guide.
If you are integrating LMS with a remote version of HP OpenView or NetView, you must install the appropriate adapter on the remote HP OpenView or NetView (see Installing and Migrating to CiscoWorks LAN Management Solution 4.1; this guide also provides information on supported versions). You do not need to install any adapters if HP OpenView or NetView is installed locally. Add the host where LMS is running to the list of trap destinations in your network devices. See Enabling Devices to Send Traps to LMS. Specify port 162 as the destination trap port. (If another NMS is already listening for traps on the standard UDP trap port (162), use port 9000, which LMS will use by default.) If your network devices are already sending traps to another management application, configure that application to forward traps to LMS.
Table 10-5 describes scenarios for SNMP trap receiving and lists the advantages of each.
Table 10-5 Configuration Scenarios for Trap Receiving
Scenario Network devices send traps to port 162 of the host where LMS is running. LMS receives the traps and forwards them to the NMS.
Advantages
No reconfiguration of the NMS is required. No reconfiguration of network devices is required. LMS provides a reliable trap reception and forwarding mechanism. NMS continues to receive traps on port 162. Network devices continue to send traps to port 162. No reconfiguration of the NMS is required. No reconfiguration of network devices is required. LMS does not receive traps dropped by the NMS.
NMS receives traps on default port 162 and forwards them to port 162 on the host where LMS is running.
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap receiving settings. Enter the port number in the Receiving Port text box. Click Apply.
For a list of ports that are already in use, see Installing and Migrating to CiscoWorks LAN Management Solution 4.1. If you have two instances of the DfmServer process running, traps will be forwarded from the first instance to the second instance.
Your login determines whether or not you can perform this task. View the Cisco Prime Permission Report (Reports > System > Users > Permission) to determine which tasks are permitted for each user role. LMS will only forward SNMP traps from devices in the LMS inventory. LMS will not change the trap format; it will forward the raw trap in the format in which it was received from the device. All traps are forwarded in V1 (SNMP Version) format.
Step 1 Step 2
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding. For each host, enter:
An IP address or DNS name for the hostname. A port number on which the host can receive traps.
Step 3
Click Apply.
Description Name of the Trap Receiver Group. Click on the Name hyperlink to view the details of the Trap Receiver Group created.
Number of Trap Receivers added to the Trap Receiver Group. Creates a Trap Receiver Group. See Creating a Trap Receiver Group. Modifies an existing Trap Receiver group. See Editing a Trap Receiver Group.
Table 10-6
Description Deletes an existing Trap Receiver Group. See Deleting a Trap Receiver Group. Filters information based on the criteria that you select from the drop-down list. The drop-down list contains the following criteria: All Group Name See Filtering Trap Receiver Groups
You can perform the following tasks from the Trap Receiver Groups dialog box:
Creating a Trap Receiver Group Editing a Trap Receiver Group Deleting a Trap Receiver Group Filtering Trap Receiver Groups
Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap notification. The Trap Receiver Groups page appears.
Step 2
Click Create. The Create Trap Receiver Group page appears, displaying the Trap Group Configuration dialog box. Table 10-7 describes the fields in the Trap Group Configuration dialog box.
Table 10-7 Trap Group Configuration
Description Enter the name of the Trap Receiver Group. For example, Trap Receiver Group 1. The name can contain a mix of alphabets, numerals, and some special characters (such as - _ . # @ $ &).
Receiver Details
Host
Enter the host name or IP address. For example 10.77.201.52 Enter the IP address or hostname of the destination to which the trap message should be delivered.
Port
Enter the Port Number on which Trap Receiver is listening for traps. The default port value is 162. This field is optional.
Description Enter the community string that appears in the trap message. The default community string is public. This field is optional. Creates the Trap Receiver Group. Adds more hosts to the present Group. Cancels the creation of Trap Receiver Group.
Enter a descriptive name for the Trap Group name in the GroupName field. Enter the IP address or hostname of the destination to which the trap should be delivered in the Host field. Enter the Port Number on which Trap Receiver is listening for traps in the Port field. Enter the community string that appears in the trap message in Community field. The community string will be displayed as asterisks.
Note
You can add as many as five hosts or devices to the Trap Group by default.
Click Add More to add another host information to the Trap Group. Go to Step 4 to continue. Click Create to create the Trap Group. Or Click Cancel to cancel the operation. The Trap Receiver Group dialog box appears, displaying the Trap Groups.
Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap notification. The Trap Receiver Groups dialog box appears.
Step 2 Step 3
Select the Trap Receiver Group by checking the corresponding check box against the Trap Receiver Group Name. Click Edit. The Edit Trap Receiver Group dialog box appears, displaying the earlier settings. Table 10-8 describes the fields in the Trap Group Configuration dialog box.
Table 10-8 Trap Group Configuration
Description Name of the Trap Receiver Group. For example, Trap Receiver
Host
Enter the host name or IP address. For example 10.77.201.52 Enter the IP address or hostname of the destination to which the trap message should be delivered.
Enter the Port Number on which Trap Receiver is listening for traps. For example, 162 Enter the community string that appears in the trap message. The default community string is public. Updates the Trap Receiver Group. Adds more hosts to the present Group. Cancels the modification of the Trap Receiver Group.
Click AddMore in the Trap Group Configuration dialog box. Make necessary changes to the Receiver Details. Click Update in the Trap Group Configuration dialog box to complete updating the Trap Receiver Group. Or Click Cancel to cancel the operation. The Trap Receiver Group dialog box appears, displaying the Trap Groups.
Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap notification. The List of Trap Receiver Groups dialog box appears.
Step 2
Select the Trap Group Name by checking the appropriate check box. You can select multiple Trap Receiver Groups by checking their respective check boxes. Click Delete. A message appears, prompting you to confirm the deletion, Click OK to delete the Trap Receiver Groups. Or Click Cancel to cancel the operation. If you choose to click OK, a message appears that the Trap Receiver Group is deleted successfully. The Trap Receiver Groups dialog box appears.
Step 3
Step 4
Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap notification. The List of Trap Receiver Group dialog box appears.
Select a criteria for filtering from the drop-down list. Enter the data to be filtered. Click Show. The List of Trap Receiver Groups dialog box appears, displaying the Trap Receiver Group information based on the filter criteria. Table 10-9 describes the criteria to filter.
Table 10-9 Trap Receiver Groups Field Description
Description Select Group Name and enter the data. You can use either of the following methods to filter by entering:
Complete Group name Any wildcard characters of the Trap Receiver Group name (such as *trap, trap*)
Field | Description
Syslog Group Name | Name of the Syslog Receiver Group. For example, Syslog Group
Number of Receivers | Number of Syslog Receivers added to the Syslog Receiver Group.
Create (button) | Creates a Syslog Receiver Group. See Creating a Syslog Receiver Group.
Edit (button) | Modifies an existing Syslog Receiver group. See Editing a Syslog Receiver Group.
Delete (button) | Deletes an existing Syslog Receiver Group. See Deleting a Syslog Receiver Group.
Filter (button) | Filters information based on the criteria that you select from the drop-down list. The drop-down list contains the following criteria: See Filtering Trap Receiver Groups
Update Facility (button) | Sends the Syslog message to the receiver, based on the facility level selected in the drop-down list. The drop-down list contains the following criteria:
You can perform the following tasks from the Syslog Receiver Groups dialog box:
Creating a Syslog Receiver Group Editing a Syslog Receiver Group Deleting a Syslog Receiver Group Filtering Syslog Receiver Groups
Select Admin > Network > Notification and Action Settings > Performance - Syslog notification. The Syslog Receiver Groups dialog appears. Click Create. The Create Syslog Receiver Group page appears, displaying the Syslog Group Configuration dialog box. Table 10-11 describes the fields in the Syslog Group Configuration dialog box.
Table 10-11 Syslog Groups Configuration
Step 2
Description Enter the name of the Syslog Group name. For example, Syslog Group. The name can contain a mix of alphabets, numerals, and some special characters (such as - _ . # @ $ &).
Receiver Details
Host
Enter the host name or IP address. For example 10.77.201.52 Enter the IP address or hostname of the destination to which the syslog message should be delivered. This IP address should be DNS resolvable.
Port
Enter the Port Number on which Syslog Receiver is listening for syslog messages. The default port value is 514. This field is optional. Creates the Syslog Receiver Group Adds more hosts to the present Group Cancels the creation of Syslog Receiver Group
Enter a descriptive name for the Syslog Group name in the GroupName field. Enter the IP address or hostname of the destination to which the Syslog messages should be delivered in the Host field. Enter the Port Number on which Syslog Receiver is listening for Syslog Messages in the Port field.
Note
You can add as many as five hosts or devices to the Syslog Group by default. To add more than five hosts to the Syslog Group,
Step 1 Step 2
Click AddMore to add another host information to the Syslog Group. Go to Step 4 to continue. Click Create to create the Syslog Group. Or Click Cancel to cancel the operation. The Syslog Receiver Group dialog box appears, displaying the Syslog Groups.
Select Admin > Network > Notification and Action Settings > Performance - Syslog notification. The Syslog Receiver Groups dialog box appears. Select the Syslog Receiver Group by checking the corresponding check box against the Syslog Receiver Group Name. Click Edit. The Edit Syslog Receiver Group dialog box appears, displaying the earlier settings. Table 10-11 describes the fields in the Syslog Group Configuration dialog box.
Table 10-12 Syslog Groups Configuration
Step 2 Step 3
Description Name of the Syslog Group name. For example, Syslog Group.
Host
Enter the IP address or hostname of the destination to which the Syslog message should be delivered. For example, 10.77.201.52.
Port
Enter the Port Number on which Syslog Receiver is listening for Syslog messages. The default port number is 512.
Description Updates the Syslog Receiver Group. Adds more hosts to the present Group. Cancels the modification of the Syslog Receiver Group.
Make the necessary changes to the Receiver Details. To add more receivers to the current configuration:
Click AddMore in the Syslog Group Configuration dialog box. Make the necessary changes to the Receiver Details. Click Update in the Syslog Group Configuration dialog box to complete updating the Syslog Receiver Group. Or Click Cancel to cancel the operation. The Syslog Receiver Group dialog box appears, displaying the Syslog Groups.
Select Admin > Network > Notification and Action Settings > Performance - Syslog notification. The Syslog Receiver Groups dialog box appears. Select the Syslog Group Name by checking the appropriate check box. You can select multiple Syslog Receiver Groups by checking their respective check boxes.
Step 2
Step 3
Click Delete. A message appears, prompting you to confirm the deletion. Click OK to delete the Syslog Receiver Groups. Or Click Cancel to cancel the operation. If you choose to click OK, a message appears that the Syslog Receiver Group is deleted successfully. The Syslog Receiver Groups dialog box appears.
Step 4
Select Admin > Network > Notification and Action Settings > Performance - Syslog notification. The List of Syslog Receiver Group dialog box appears. Select a criteria for filtering from the drop-down list. Enter the data to be filtered. Click Show. The Syslog Receiver Groups dialog box appears, displaying the Syslog Receiver Group information based on the filter criteria. Table 10-13 describes the criteria to filter.
Table 10-13 Syslog Receiver Groups Field Description
Description Select Group Name and enter the data. You can use any of the following methods to filter by entering:
Complete Group name
Any wildcard characters of the Syslog Receiver Group name (such as *Syslog, Syslog*)
Creating an Automated Action
Editing an Automated Action
Guidelines for Writing Automated Script
Enabling or Disabling an Automated Action
Exporting or Importing an Automated Action
Deleting an Automated Action
Automated Action: An Example
When you select Admin > Network > Notification and Action Settings > Syslog Automated Actions, a list of automated actions appears in the dialog box on the Automated Actions page. Of these, there are two system-defined automated actions (the rest are user-defined). The system-defined automated actions are:
Inventory Fetch: To fetch inventory from the device.
Config Fetch: To fetch configuration from the device.
You can edit these system-defined automated actions, but you cannot delete them. These actions are enabled by default. You can choose to disable them by selecting them and clicking Enable/Disable. Config Fetch might loop if a SYS-6-CFG_CHG-*SNMP* message is received from a Catalyst operating system device. You can then edit the Config Fetch automated action and delete the SYS-6-CFG_CHG-*SNMP* message type. In the Automated Actions dialog box, you can choose whether to include interfaces of selected devices or not. The columns in the Automated Actions dialog box are:
Column: Description
Name: Name of the automated action.
Status: Status of the automated action at creation time: Enabled or Disabled.
Type: Type of automated action: E-mail, script or URL.
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Using the automated actions dialog box, you can do the following tasks:
Task: Button
Create an automated action (see Creating an Automated Action): Create
Edit an automated action (see Editing an Automated Action): Edit
Enable or Disable an automated action (see Enabling or Disabling an Automated Action): Enable/Disable
Import or Export an automated action (see Exporting or Importing an Automated Action): Import/Export
Delete an automated action (see Deleting an Automated Action): Delete
If you are creating an automated action, see the example (Automated Action: An Example) of how to set up an automated action that sends an e-mail when a specific Syslog message is received. On Windows, you cannot set up an automated action to execute an .exe file that interacts with the Windows desktop. For example, you cannot make a window pop up on the desktop.
Related Topics
Defining Automated Actions
Creating an Automated Action
Editing an Automated Action
Enabling or Disabling an Automated Action
Exporting or Importing an Automated Action
Deleting an Automated Action
Automated Action: An Example
Guidelines for Writing Automated Script
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions. A dialog box, with a list of automated actions, appears in the Automated Actions page. Here, you can choose whether to include interfaces of selected devices or not. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Click Create. A dialog box appears for device selection. Select All Managed Devices or Choose Devices. If you select the All Managed Devices option:
Step 3
You cannot select the individual devices or device categories from the device selector. All managed devices are considered. The syslog messages from the various device interfaces are considered for creating automated actions.
If you select Choose Devices option, you must select the required devices.
Step 4
Click Next. A dialog box appears in the Define Message Type page. Enter a unique name for the automated action that you are creating. Select either Enabled or Disabled as the status for the action at creation time. Select the Syslog message types for which you want to trigger the automated action from the Define New Message Type section of the dialog box. Click Next. The Automated Action Type dialog box appears. Select a type of action (E-mail, URL, or Script) from the Select a type of action drop-down list box.
Step 9
If you select E-mail, enter the following information in the Automated Action Type dialog box: Description List of comma separated e-mail addresses. Mandatory field. Subject of the e-mail. Content that you want the e-mail to contain.
If you select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action type dialog box. In the URL, you can use the following parameters:
$D (for the device)
$M (for the complete syslog message)
When the URL is invoked, $D is substituted with the device hostname or IP address and $M is substituted with the syslog message, if you have specified them. For example, if the URL is http://hostname/script.pl?device=$D&mesg=$M, then when it is invoked $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog message.
If you select Script, enter the script to be used in the Script to execute field of the Automated Action type dialog box. Either enter or select the script file. You can run only shell scripts (*.sh) on Unix and batch files (*.bat) on Windows. The shell script or batch file should have only write/execute permissions for casuser:casusers in UNIX and casuser/Administrator in Windows. The other users should have only read permission. You must ensure that the scripts contained in the file have permissions to execute from within the casuser account. The script files must be available at this location:
On Windows: NMSROOT/files/scripts/syslog
On UNIX: /var/adm/CSCOpx/files/scripts/syslog
Click Browse. The Server Side File Browser dialog box appears. Select the file (*.sh on Unix and *.bat on Windows).
b. Step 10 Step 11
If the executable program produces any errors or writes to the console, the errors will be logged as Info messages in the SyslogAnalyzer.log. This file is available at: On UNIX, /opt/CSCOpx/log directory On Windows, NMSROOT\log directory (where NMSROOT is the root directory of the LMS Server).
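The permission guidance for script files given above can be checked mechanically on UNIX. The following audit is an added example, not part of the Cisco documentation; the function names, finding labels and exit-status convention are assumptions, while the default owner, group and directory are the ones named in this section.

```shell
#!/bin/sh
# Audit an automated-action script directory against the guidance above:
# scripts owned by the service account and its group, and no write or
# execute permission for other users.
# Assumed names (not from the LMS documentation): audit_action_scripts,
# report_paths, the finding labels, and the exit-status convention.

# report_paths LABEL: prefix every path read from stdin with LABEL and a tab.
report_paths() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

# audit_action_scripts DIR [OWNER] [GROUP]
# Prints one "LABEL<TAB>PATH" line per finding.
# Returns 0 when clean, 1 when findings exist, 2 when DIR is not a directory.
audit_action_scripts() {
    dir=$1
    owner=${2:-casuser}
    group=${3:-casusers}

    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    findings=$(
        # A directory writable by others lets any local user replace a script.
        find "$dir" -prune -perm -002 | report_paths dir-other-writable
        # Scripts that other users can modify or run.
        find "$dir" -type f -name '*.sh' -perm -002 | report_paths other-writable
        find "$dir" -type f -name '*.sh' -perm -001 | report_paths other-executable
        # Scripts not owned by the service account or its group.
        find "$dir" -type f -name '*.sh' ! -user "$owner" | report_paths wrong-owner
        find "$dir" -type f -name '*.sh' ! -group "$group" | report_paths wrong-group
        # Symbolic links can point the action at a file outside the directory.
        find "$dir" -type l -name '*.sh' | report_paths symlink
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh /var/adm/CSCOpx/files/scripts/syslog
if [ "$#" -gt 0 ]; then
    audit_action_scripts "$@"
fi
```

A non-zero exit status makes the check usable from cron or a configuration-management run; the owner and group arguments accept numeric IDs as well as names.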
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions. A dialog box, displaying the list of automated actions, appears in the Automated Actions page. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Select an automated action from the drop-down list and click Edit. The Select Devices dialog box appears. Select the required devices and click Next. A dialog box appears in the Define Message Type page. This dialog box allows you to:
Step 3
Change the Message Filter Type: From Enabled to Disabled, or vice versa.
Add a message type
Edit a message type
Delete a message type
Select a message type from system-defined message types
Step 4
Click Next.
Step 5
The Automated Action Type dialog box appears. This dialog box allows you to change the type of action. For example, you can change from E-mail to URL or Script.
For E-mail, enter or change the following information in the Automated Action type dialog box: Description List of comma separated e-mail addresses. Subject of the e-mail (optional). Content that you want the e-mail to contain. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent with the E-mail ID as the sender's address
For URL, enter or change the URL to be invoked, in the Automated Action type dialog box. If you select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action type dialog box. In the URL, you can use the following parameters:
$D (for the device)
$M (for the complete syslog message)
When the URL is invoked, $D is substituted with the device hostname or IP address and $M is substituted with the syslog message, if you have specified them. For example, if the URL is http://hostname/script.pl?device=$D&mesg=$M, then when it is invoked $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog message.
If you select Script, enter the script to be used in the Script to execute field of the Automated Action type dialog box. Either enter or select the script file. You can run only shell scripts (*.sh) on Unix and batch files (*.bat) on Windows. The shell script or batch file should have only write/execute permissions for casuser:casusers in UNIX and casuser/Administrator in Windows. The other users should have only read permission. You must ensure that the scripts contained in the file have permissions to execute from within the casuser account. The script files must be available at this location:
On Windows: NMSROOT/files/scripts/syslog
On UNIX: /var/adm/CSCOpx/files/scripts/syslog
Click Browse. The External Config Selector dialog box appears. Select the file (*.sh on Unix and *.bat on Windows).
b. Step 6
Click Finish. The edited automated action appears in the dialog box on the Automated Action page.
Copy the sampleEmailScript.pl from RME 3.5 or older to the new LMS 4.1 server and put this file in:
For Solaris/Soft Appliance: /var/adm/CSCOpx/files/scripts/syslog directory
For Windows: NMSROOT/files/scripts/syslog
Write a shell script for Solaris/Soft Appliance or .bat file for Windows in the same directory. Here is an example shell script (called syslog-email.sh) for UNIX:
#!/bin/sh
# $1 is the device and $2 is the syslog message.
/opt/CSCOpx/bin/perl /var/adm/CSCOpx/files/scripts/syslog/sampleEmailScript.pl \
    -text_message "Message: $2 from device: $1" \
    -email_ids nobody@nowhere.com \
    -subject "Syslog Message: $2" \
    -from nobody@nowhere.com \
    -smtp mail-server-name.nowhere.com
Step 2
For Windows, replace $1 and $2 with %1 and %2 and change the directory accordingly.
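The syslog message handed to the script as $2 is text that arrived over the network, so a wrapper such as syslog-email.sh should keep it to a single line and a bounded length before it becomes a mail subject. The variant below is an added example, not Cisco's script; the function names, length caps and environment-variable overrides are assumptions, while the paths and sampleEmailScript.pl options are those shown above.

```shell
#!/bin/sh
# Variant of syslog-email.sh that treats both arguments as untrusted text.
# $1 = device, $2 = syslog message, as in the example script above.
# Assumed names (not from the LMS documentation): clean_field, valid_device,
# run_action, the length caps, and the PERL/MAIL_SCRIPT/MAIL_TO/MAIL_FROM/
# SMTP_HOST overrides.

PERL=${PERL:-/opt/CSCOpx/bin/perl}
MAIL_SCRIPT=${MAIL_SCRIPT:-/var/adm/CSCOpx/files/scripts/syslog/sampleEmailScript.pl}
MAIL_TO=${MAIL_TO:-nobody@nowhere.com}
MAIL_FROM=${MAIL_FROM:-nobody@nowhere.com}
SMTP_HOST=${SMTP_HOST:-mail-server-name.nowhere.com}

# clean_field TEXT [MAXLEN]
# Drops control characters (CR and LF included) so the value stays on one
# line of a mail header or log file, then truncates it to MAXLEN bytes.
clean_field() {
    printf '%s' "$1" | LC_ALL=C tr -d '\001-\037\177' | LC_ALL=C cut -c "1-${2:-200}"
}

# valid_device NAME
# Accepts only characters found in host names and IPv4/IPv6 literals and
# rejects a leading "-" so the value can never be read as an option.
valid_device() {
    case $1 in
        '' | -* | *[!A-Za-z0-9._:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# run_action DEVICE MESSAGE
# Returns 2 without sending anything when DEVICE fails validation.
run_action() {
    valid_device "$1" || { echo "rejected device field" >&2; return 2; }
    subject=$(clean_field "Syslog Message: $2" 120)
    body=$(clean_field "Message: $2 from device: $1" 1000)
    # Every expansion is quoted: the shell passes each value as a single
    # argument and never re-parses its content.
    "$PERL" "$MAIL_SCRIPT" \
        -text_message "$body" \
        -email_ids "$MAIL_TO" \
        -subject "$subject" \
        -from "$MAIL_FROM" \
        -smtp "$SMTP_HOST"
}

# Invoked by the automated action as: script.sh <device> <message>
if [ "$#" -ge 2 ]; then
    run_action "$1" "$2"
fi
```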
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions. A dialog box, displaying the list of automated actions, appears in the Automated Action page. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2 Step 3
Select the required automated action from the list in the dialog box. Click Enable/Disable to toggle its status. The dialog box in the Automated Action page is refreshed and it displays the changed state for the specified automated action.
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions. A dialog box, displaying the list of automated actions, appears in the Automated Action page. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Select an automated action. You can select more than one automated action. If you do not select an automated action before clicking the Export/Import button, then only the Import option will be available. The Export option will be disabled
Step 3
Click Export/Import. The Export/Import Automated Actions dialog box appears with the Export or Import options. Select either Export or Import. Either:
Step 4 Step 5
Enter the location of the file to be exported or imported. Click Browse. The Server Side File Browser appears. You can select a valid file, and click OK.
Or
Click OK.
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions. A dialog box, displaying the list of automated actions, appears in the Automated Action page. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2 Step 3
Select the required automated action from the list in the dialog box. Click Delete. You will be asked to confirm the deletion. If you confirm the deletion, the action will be deleted.
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. Select Admin > Network > Notification and Action Settings > Syslog Automated Actions. A dialog box, with a list of automated actions, appears in the Automated Action page. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 1
Step 2
Click Create. The Devices Selection dialog box appears. Select the required devices and click Next. The Define Message Type dialog box appears. Enter a unique name for the automated action that you are creating. Select either Enabled or Disabled as the status for the action at creation time. Click Select. The Select System Defined Message Types dialog box appears. Select the SYS folder, then select the SYS-*-5-CONFIG_I message from the Select System Defined Message Types list, and click OK. The dialog box on the Define Message Type page appears. Click Next. The Automated Action Type dialog box appears. Select the type of action: E-mail, Script, or URL. If you had selected Email in Step 9: Enter the following information:
Step 3
Step 7
Step 8
Step 9
Description List of comma-separated e-mail addresses. Subject of the e-mail (optional). Content that you want the e-mail to contain. Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). If a syslog is found with the matching type for managed (normal) devices, an e-mail is sent with the E-mail ID as the sender's address. Then go to Step 10. If you had selected Script in Step 9: Choose the appropriate bat file for Windows, or shell script for Solaris, from the File Selector. For details about these files, see the topic Creating an Automated Action. Then go to Step 10.
If you had selected URL in Step 9: Enter the URL to be invoked. If you select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action type dialog box. In the URL, you can use the following parameters:
$D (for the device)
$M (for the complete syslog message)
When the URL is invoked, $D is substituted with the device hostname or IP address and $M is substituted with the syslog message, if you have specified them. For example, if the URL is http://hostname/script.pl?device=$D&mesg=$M, then when it is invoked $D is replaced with 10.68.12.2 (where 10.68.12.2 is the IP address of the device) and $M is replaced with the URL-encoded syslog message.
Step 10
Select a managed router that is already sending Syslog messages to the LMS server and generate a SYS-5-CONFIG_I message by changing the message-of-the-day banner as follows:
a. Connect to the managed router using Telnet and log in.
b. In enable mode enter enable, then enter a password.
c. At the config prompt enter configure terminal.
d. Change the banner by entering:
banner motd z This is a test banner z
end
Make sure that the SYS-5-CONFIG_I message is sent to the LMS Server as follows:
On UNIX systems, open the syslog_info file located in the /var/log directory, or whichever file has been configured to receive Syslog messages.
On Windows systems, open the syslog.log file located in the NMSROOT\log\ directory, where NMSROOT is the LMS installation directory.
Step 3
Verify that there is a message from the managed router whose banner-of-the-day was changed. This message appears at the bottom of the log.
If the message is in the file, an e-mail is mailed to the e-mail ID specified. If the message is not in the file, the router has not been configured properly to send Syslog messages to the LMS Server.
Creating a Filter
Editing a Filter
Enabling or Disabling a Filter
Exporting or Importing a Filter
Deleting a Filter
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. To launch the message filters dialog box:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box appears in the Message Filters page. A list of all message filters is displayed in this dialog box, along with the names and the status of each filter: Enabled or Disabled.
Step 2
Specify whether the filters are for dropping the Syslog messages or for keeping them, by selecting either Drop or Keep.
If you select Drop, the Common Syslog Collector drops the syslogs that match any of the Drop filters from further processing. If you select Keep, Collector allows only the syslogs that match any of the Keep filters, for further processing.
Note Step 3
The Drop or Keep options apply to all message filters. They do not apply to individual filters.
Specify whether interfaces of selected devices should be included. In the dialog box that displays the message filters, you can do the following tasks:
Task
Create a filter (see Creating a Filter).
Edit a filter (see Editing a Filter).
Enable or disable a filter (see Enabling or Disabling a Filter).
Export or import a filter (see Exporting or Importing a Filter).
Delete a filter (see Deleting a Filter).
Creating a Filter
You can create a filter for Syslog messages by:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box with a list of filters appears in the Message Filter page. Specify whether the filter is for dropping the Syslog messages or for keeping them, by selecting either Drop or Keep.
Step 2
If you select Drop, the Common Syslog Collector drops the Syslogs that match any of the Drop filters from further processing. If you select Keep, Collector allows only the Syslogs that match any of the Keep filters, for further processing.
Note Step 3
The Drop or Keep options apply to all message filters. They do not apply to individual filters.
Click Create. The dialog box appears for device selection. Select All Managed Devices or Choose Devices. If you select the All Managed Devices option:
Step 4
You cannot select the individual devices or device categories from the device selector. All managed devices are considered. The syslog messages from the various device interfaces are considered for creating message filters.
If you select the Choose Devices option, you must select the required devices.
Step 5
Click Next. A dialog box appears in the Define Message Type page. Enter a unique name for the filter. Select either the Enabled or the Disabled status for the filter at creation time. Select the Syslog message types for which you want to apply the filter. Click Finish. The list of filters in the message filter dialog box on the Message Filters page is refreshed.
Editing a Filter
To edit a filter:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box, displaying the list of filters, appears in the Message Filter page. Select a filter by clicking on its check box, and click Edit. The Select Devices dialog box appears.
Step 2
Step 3
Select the required devices and click Next. A dialog box appears in the Define Message Type page. This dialog box allows you to:
Change the filter Status: From Enabled to Disabled, or vice versa.
Add a message type
Edit a message type
Delete a message type
Select a message type from system-defined message types
Step 4
Click Finish after you make all your changes. The edited filter appears in the dialog box on the Message Filter page.
Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box, with the list of filters, appears in the Message Filter page. Select the required filter from the list in the dialog box. Click Enable/Disable to toggle its status. The dialog box in the Message Filter page is refreshed and it displays the changed state for the specified filter.
Step 2 Step 3
Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box, with the list of filters, appears in the Message Filter page. Select a filter. You can select more than one filter. Click Export/Import. The Export/Import dialog box appears with the Export or Import options. Select either Export or Import.
Step 2 Step 3
Step 4
Step 5
Either:
Enter the location of the file to be exported or imported. Or Click Browse. The Server Side File Browser appears. Select a valid file location, and click OK. The file location appears in the Export/Import dialog box.
a.
b.
Step 6
Click OK.
Deleting a Filter
To delete a filter:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box, displaying the list of filters, appears in the Message Filter page. Select the required filter from the list in the dialog box. Click Delete. When you confirm the deletion, the filter is deleted.
Step 2 Step 3
Configuring Trap Notification Messages
Examples for Collection Failure Notification
Fields in a Trap Notification Message
You can use the Collection Failure Notification option to configure the destination Server and Port to receive trap notification on Inventory Collection or Config Fetch failure. This failure trap is sent per device from the LMS server whenever the collection does not happen. Other network management stations can use this trap to know about LMS Inventory or Config collection failure status. You can check or uncheck the options available in this page to enable or disable the sending of trap notifications to other servers on Inventory Collection or Config Fetch failure.
Notification and Action Settings Inventory and Config Collection Failure Notification
Table 10-14 lists the various fields and buttons available in the Notification on Failure Window:
Table 10-14 Collection Failure Notification
Field All
Description Check this option, if you require both the Config Fetch Failure and Inventory Collection Failure trap notification to be sent to the listed servers. The listed servers are those servers that you have configured to receive trap notifications. See the description for List of Destination field for more information.
Config Collection
Check this option, if you require the Config Fetch Failure trap notification to be sent to the listed servers. Uncheck this option if you do not want the Config Fetch Failure trap notification to be sent to the listed servers. The listed servers are those servers that you have configured to receive trap notifications. See the description for List of Destination field for more information.
Inventory Collection
Check this option, if you require the Inventory Collection Failure trap notification to be sent to the listed servers. Uncheck this option if you do not want the Inventory Collection Failure trap notification to be sent to the listed servers. The listed servers are those servers that you have configured to receive trap notifications. See the description for List of Destination field for more information.
The name or IP address of the destination server. The port number of the destination server. The names of the destination servers along with their ports which are configured to receive the trap notifications. Use the Add button to add the destination server and port information. On clicking Add, the server and port information get reflected in the List of Destinations list. Use the Delete button to remove server and port information from the List of Destinations. To do so, select one or more server and port entry from the list of Destinations list and click on Delete to remove the entries from the list. Click to accept the changes made.
Add Delete
Apply
Select Admin > Network > Notification and Action Settings > Inventory and Config collection failure notification. The Notification on Failure dialog box appears. Refer to to further complete the selection in this dialog box.
Step 2
You are providing the following information in the Collection Failure Notification screen:
Destination Server: 10.77.153.47
Destination Port: 162
You are also enabling the Send Notification on Config Fetch Failure option. By enabling this option you are allowing trap notifications to be sent to the specified destination server on Config Fetch Failure using the specified port. After that you add a few new devices to LMS and schedule a job to fetch the configurations for all the devices. There is a Config Fetch Failure as the scheduled job is unable to fetch the configurations for the new devices. The server 10.77.153.47 receives trap notifications for each Config Fetch Failure per device.
Example for Inventory Collection Failure
You are providing the following information in the Collection Failure Notification screen:
Destination Server: 10.77.153.47
Destination Port: 162
You are also enabling the Inventory Collection option. By enabling this option you are allowing trap notifications to be sent to the specified destination server on Inventory Collection Failure using the specified port. After that you add a few new devices to LMS and schedule a job to fetch the inventory information for all devices. There is an Inventory Collection Failure as the scheduled job is unable to fetch the inventory details for the new devices. The server 10.77.153.47 receives trap notifications for each Inventory Collection Failure per device.
Description Network device for which the inventory or configuration collection has failed. Time at which the inventory or configuration collection job failed. The message that describes the reason for the collection failure. Some examples of trap error messages:
Inventory Collection Failed due to SNMP TimeOut Exception. Config Collection Failed due to authentication failure.
Application Name LMS application that caused this change or identified the change and generated the notification.
Select Admin > Network > Notification and Action Settings > IPSLA Syslog Configuration. The IPSLA Syslog Configuration page appears. Click Enable. If you click Enable, LMS will run the IPSLA CLI Command on the selected device, through the config job on the LMS server. This enables the generation of the IPSLA-specific traps through the system logging (Syslog) process. An immediate job will be created in LMS and the Job ID link appears. Clicking the link will display the Syslog details. Or, if you click Disable, LMS will run the IPSLA CLI Command on the selected device, through the config job on the LMS server. An immediate job will be created in LMS and the Job ID link appears. Clicking the link will display the Syslog details.
Step 2
Note
In a Multi-server setup among different versions, IPSLA Syslog enables supported version will be greater than LMS 4.1
Chapter 11
Setting Up Preferences
Performing Change Audit Tasks
Performing Maintenance Tasks
Defining Exception Periods
Defining Change Audit Automated Actions
Software Management Administration Tasks
Setting Change Report Filters
Setting Up Preferences
You can use this feature to set up your editing preferences. Config Editor remembers your preferred mode, even across different invocations of the application. You can change the mode using the Device and Version, Pattern Search, Baseline or External Configuration option but the changes do not affect the default settings. To set up preferences:
Step 1
Select Configuration > Tools > Config Editor > Edit Mode Preference. The User Preferences dialog box appears. Set the default edit mode:
Step 2
Select Processed to display the file in the Processed mode. The configuration file appears at the configlet level (a set of related configuration commands). The default is Processed.
Select Raw to display the file in the Raw mode. The entire file appears as shown in the device.
Step 3
Determine changes being made in the network during critical operations time: System administrators can define the start and end times during the day when network changes should not be made. Based on this selection you can quickly see, for a given day, whether changes were made when they should not be. See Defining Exception Periods for defining the exception periods.
Define automated actions on creation of change audit record: An automated action gets triggered on creation of the change audit record. You can define any number of automated actions. The supported automated actions are E-mail, Traps, and Automated scripts. See Defining Change Audit Automated Actions for defining the Change Audit automated actions.
Monitor your software image distribution and download history for software changes made using the Software Management application: Software Management automatically sends network change data to the Change Audit summary and details tables.
Track any configuration file changes: Device Configuration automatically sends data on configuration file changes to the Change Audit log. See Generating 24 Hours and Standard Change Audit Reports for generating the Change Audit reports.
OL-20721-01
Monitor inventory additions, deletions, or changes: Inventory tracks specific messages or monitors any and all changes in your network inventory. To set inventory filters, use the Inventory Change Filter option. See Generating 24 Hours and Standard Change Audit Reports for generating the Change Audit reports.
View all the latest changes that occurred in the network over the last 24 hours: 24-Hour Reports provides a quick way to access the latest changes in the Change Audit log. See Generating 24 Hours and Standard Change Audit Reports for generating the Change Audit reports.
Purging the Change Audit records: Frees disk space and maintains your Change Audit records at a manageable size. You can either schedule for periodic purge or perform a forced purge of Change Audit data. See Performing Maintenance Tasks for scheduling a periodic purge.
Generating change audit data in XML format: cwcli export changeaudit is a command line tool that also provides servlet access to change audit data. This tool uses the existing Change Audit log data and generates the Change Audit log data in XML format.
Set the debug mode for Change Audit application: You can set the debug mode for Change Audit application in the Log Level Settings dialog box (Select Admin > System > Debug Settings > Config and Image Management Debugging settings; select Change Audit from the Application drop-down list).
Select Reports > Audit. Select Change Audit from the first drop-down list box. Select Standard from the second drop-down list box.
Setting the Purge Policy
Performing a Forced Purge
Config Change Filter
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
To set the Change Audit Purge Policy:
Step 1 Select Admin > Network > Purge Settings > ChangeAudit Purge Policy. The Purge Policy dialog box appears in the Periodic Purge Settings pane.
Step 2 Enter the following information:
Field: Description
Purge change audit records older than: Enter the number of days. Only Change Audit records older than the number of days that you specify here will be purged. The default is 180 days.
Purge audit trail records older than: Enter the number of days. Only Audit Trail records older than the number of days that you specify here will be purged. The default is 180 days.
Scheduling
Run Type: You can specify when you want to run the Purge job for Change Audit and Audit Trail records. To do this, select one of the following options from the drop-down menu:
Daily: Runs daily at the specified time.
Weekly: Runs weekly on the day of the week and at the specified time.
Monthly: Runs monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3.
Date: You can select the date and time (hours and minutes) to schedule.
at: Enter the start time, in the hh:mm:ss format (23:00:00).
Job Info
The system default job description, ChangeAudit Records - default purge job, is displayed. You cannot change this description.
Enter e-mail addresses to which the job sends messages at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.
Caution: You might delete data by changing these values. If you change the number of days to values lower than the current values, messages over the new limits will be deleted.
Step 3 Click either Save to save the Purge policy that you have specified, or click Reset to reset the changes made to a Purge policy.
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
To perform a Change Audit Forced Purge:
Step 1 Select Admin > Network > Purge Settings > ChangeAudit Force Purge. The Purge Policy dialog box appears.
Step 2 Enter the information required to perform a Forced Purge:
Field: Description
Purge change audit records older than: Enter the number of days. Only Change Audit records older than the number of days that you specify here will be purged.
Purge audit trail records older than: Enter the number of days. Only Audit Trail records older than the number of days that you specify here will be purged.
Scheduling
Run Type: You can specify when you want to run the Forced Purge job for Change Audit and Audit Trail records. To do this, select one of the following options from the drop-down menu:
Immediate: Runs this task immediately.
Once: Runs this task once at the specified date and time.
Date: Enter the start date in the dd-mmm-yyyy format, for example, 02-Dec-2003, or click on the Calendar icon and select the date. The Date field is enabled only if you have selected Once as the Run Type.
at: Enter the start time, in the hh:mm:ss format (23:00:00). The At field is enabled only if you have selected Once as the Run Type.
Job Info
Enter a description for the job. This is mandatory.
Enter e-mail addresses to which the job sends messages at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.
Step 3
Step 1 Select Admin > Network > Change Audit Settings > Config Change Filter. The Config Change Filter dialog box appears.
Step 2 Check or uncheck the Enable VLAN Change Audit Filter option:
Check Enable VLAN Change Audit Filter if you do not want the change audit record to be created for devices that have a VLAN configuration.
Uncheck Enable VLAN Change Audit Filter if you want the change audit record to be created for devices that have a VLAN configuration. By default, this option is unchecked.
Step 3 Click either Apply to apply the option or click Cancel to discard the changes.
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Step 1 Select Admin > Network > Change Audit Settings > Exception Periods. The Define Exception Period dialog box appears.
Step 2 Select:
Days of the week from the Day drop-down list box.
Start and end times from the Start Time and the End Time drop-down list box.
Step 3 Click Add. The defined exception profile appears in the List of Defined Exception Periods pane.
To enable the exception period, see Enabling and Disabling an Exception Period.
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Step 1 Select Admin > Network > Change Audit Settings > Exception Periods. The Define Exception Period dialog box appears.
Step 2 Select one or more exception profiles in the List of Defined Exception Periods pane.
Step 3 Click Enable/Disable.
If you have selected Enabled, then the exception period report is generated for that specified time frame. If you have selected Disabled, then the exception period report is not generated for that whole day. For example: If you have disabled exception period for Monday from 10:00 am to 12:30 pm, then there will not be any exception period report generated for Monday.
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Step 1 Select Admin > Network > Change Audit Settings > Exception Periods. The Define Exception Period dialog box appears.
Step 2 Select a day from the Day drop-down list box for which you want to change the exception period.
Step 3 Change the start and end times in the Start Time and the End Time drop-down list box. If required you can also enable or disable the status for the exception period.
Step 4 Click Add. The edited exception profile appears in the List of Defined Exception Period dialog box. This will overwrite the existing exception profile for that day.
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Step 1 Select Admin > Network > Change Audit Settings > Exception Periods. The Define Exception Period dialog box appears.
Step 2 Select one or more exception profiles in the List of defined Exception Periods pane.
Step 3 Click Delete.
E-mail
Traps
Automated scripts
Understanding the Automated Action Window
Creating an Automated Action
Editing an Automated Action
Enabling and Disabling an Automated Action
Exporting and Importing an Automated Action
Deleting an Automated Action
You perform the following tasks from this window:
Tasks: Description
Creating an Automated Action: Creating an automated action.
Enabling and Disabling an Automated Action: Enabling and disabling a set of automated actions. This button gets activated only after selecting an automated action.
Editing an Automated Action: Editing an automated action. This button gets activated only after selecting an automated action.
Exporting and Importing an Automated Action: Exporting and importing a set of automated actions.
Deleting an Automated Action: Deleting a set of automated actions. This button gets activated only after selecting an automated action.
Administering Change Audit and Software Management Defining Change Audit Automated Actions
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Step 1 Select Admin > Network > Notification and Action Settings > ChangeAudit Automated Actions. The Automated Action dialog box appears.
Step 2 Click Create. The Define Automated Action dialog box appears.
Step 3 Enter the following:
Field: Description
Name: Name for the automated action.
Status: Select either Enabled or Disabled for the automated action to trigger.
Application: Select the name of the application on which the automated action has to be triggered.
Category: Select the types of the changes, for example, configuration, inventory, or software on which the automated action has to be triggered.
Mode: Select the connection mode or connection modes on which the automated action has to be triggered.
User: Select the user name on which the automated action has to be triggered.
Step 4 Click Next. The Automated Action Type dialog box appears.
Step 5 Select either E-mail or Trap or Script. Based on your selection, enter the following data:
Field: Description
Send To: Enter the E-mail ID for which the trigger has to be notified. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). You will receive the e-mail with the E-mail ID as the sender's address.
Subject: Enter the subject of the e-mail.
Content: Enter the content of the e-mail.
Enables configuration of single or dual destination port numbers and hostnames for the traps generated by Change Audit. Ensure that you have copied these files into the destination system to receive the traps:
CISCO-ENCASE-MIB.my
CISCO-ENCASE-APP-NAME-MIB.my
These files are available in the following directories on the LMS server:
On UNIX: /opt/CSCOpx/objects/share/mibs
On Windows: NMSROOT\objects\share\mibs, where NMSROOT is the root directory of the LMS Server.
a. Enter the Server and Port details in the Define Trap field.
b. Click Add. The server and port information appears in the List of Destinations text box.
If you want to delete the server and port information, select the server and port information from the List of Destinations text box and click Delete.
You can run only shell scripts (*.sh) on UNIX and batch files (*.bat) on Windows. The shell script or batch file should have only write/execute permissions for casuser:casusers in Solaris/Soft Appliance and casuser/Administrator in Windows. The other users should have only read permission. You must ensure that the scripts contained in the file have permissions to execute from within the casuser account.
The following are the parameters for change audit automated action that will appear in the script:
Application Name
Category
User Name
Description
Connection Mode
Host Name
The script files must be available at this location:
On UNIX: /var/adm/CSCOpx/files/scripts/changeaudit
On Windows: NMSROOT/files/scripts/changeaudit
To select the script file:
a. Click Browse. The Server Side File Browser dialog box appears with the predefined location.
b. Select the script file (*.sh on UNIX and *.bat on Windows).
c. Click OK.
Step 6 Click Finish. The Automated Action window appears with the defined automated action.
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Step 1 Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions. The Automated Action dialog box appears.
Select an Automated Action.
Click Edit. (See step 3 to step 5 in Creating an Automated Action.)
Click Finish. The Automated Action window appears with the updated data.
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Step 1 Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions. The Automated Action dialog box appears.
Step 2 Select one or more Automated actions.
Step 3 Click Enable/Disable. The Automated Action window appears with the updated data.
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Step 1 Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions. The Automated Action dialog box appears.
Step 2 If you want to export an Automated action, then select the automated actions; else go to the next step.
Step 3 Click Export/Import. The Export/Import dialog box appears.
Step 4 Select the task to be performed: Export or Import.
Step 5 Either:
Enter the filename along with the absolute path.
Or
a. Click Browse. The Server Side File Browser dialog box appears.
b. Select a folder. Click OK.
c. Enter the filename.
Step 6 Click OK.
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Step 1 Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions. The Automated Action dialog box appears.
Step 2 Select one or a set of Automated actions.
Step 3 Click Delete. The Automated Action window appears with the updated data.
Administering Change Audit and Software Management Software Management Administration Tasks
Viewing/Editing Preferences
Edit Preferences helps you to set or change your Software Management preferences. The options you specify here are applicable to Software Management tasks such as image distribution, image import, etc. This section contains:
Selecting and Ordering Protocol Order
How Recommendation Filters Work for an IOS Image
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
To view and edit the preferences:
Step 1 Select Admin > Network > Software Image Management > View/Edit Preferences. The View/Edit Preferences dialog box appears.
Step 2 Enter the following:
Repository Management
Image Location
Description: New directory to store software images. By default the software images are stored at this location:
On Solaris/Soft Appliance: /var/adm/CSCOpx/files/rme/repository/
On Windows: NMSROOT/files/rme/repository
Where NMSROOT is the Cisco Prime installed directory.
Usage Notes: If you enter a new name, all existing files are moved to this directory. If the directory does not have enough space, the files are not moved and an error message appears. If the specified directory does not exist, Software Management creates a new directory before moving the files to the new directory. The new directory should be empty. The new directory specified by you should have the permission for casuser:casusers in Solaris/Soft Appliance and casuser should have Full Control in Windows.
Distribution
Script Location
Description: You can specify only shell scripts (*.sh) on UNIX and batch files (*.bat) on Windows. The script files must be available at this location:
On UNIX: /var/adm/CSCOpx/files/scripts/swim
On Windows: NMSROOT/files/scripts/swim
To select the script file:
a. Click Browse. The Server Side File Browser dialog box appears with the predefined location.
b. Select the script file (*.sh on UNIX and *.bat on Windows).
c. Click OK.
You can use Clear to clear your selections for Script Location. This clears all previous values.
Usage Notes: On UNIX, the scripts should have read, write, and execute permissions for the owner (casuser) and read and execute permissions for group casusers. That is, the script should have 750 permission. On Windows, the script should have read, write, and execute permissions for casuser/Administrator. The other users should have only read permission. You must ensure that the scripts contained in the file have permissions to execute from within the casuser account. This script is run before and after completing each device software upgrade for all scheduled jobs.
Script Timeout (seconds)
Description: Number of seconds the user's script can run (default = 90).
Usage Notes: Software Management waits for the time specified before concluding that the script has failed.
Protocol Order
Description: Specify an order of preferred protocol for image import/distribution. The supported protocols are:
Usage Notes: This preferred protocol order is followed only for those devices that permit more than one protocol for image transfer. In devices where the multiple protocol option is not available for image transfers, Software Management uses its own knowledge and selects the relevant protocol to upgrade the device. For fetching configuration from the device, the protocol settings of Configuration Management are used. Software Management uses the same protocol for fetch and download of configurations. You can set the Configuration Management protocol order using Admin > Collection Settings > Config > Config Transport Settings.
Use SSH for software image upgrade and software image import through CLI (with fallback to TELNET)
Description: Uses this protocol to connect to the devices. By default, Telnet is used to connect to the devices. If SSH fails, then Telnet is used to connect to the devices.
Usage Notes: The device must support SSH for Software Management to use this protocol. Software Management uses command line interface to upgrade software images and to import software images. When you select the SSH protocol for the Software Management, the underlying transport mechanism checks whether the device is running SSHv2. If so, it tries to connect to the device using SSHv2. If the device does not run SSHv2 and runs only SSHv1 then it connects to the device through SSHv1. If the device runs both SSHv2 and SSHv1, then it connects to the device using SSHv2. If a problem occurs while connecting to the device using SSHv2, then it does not fall back to SSHv1 for the device that is being accessed and Telnet is used to connect to the device.
See the Software Management Functional Supported Device tables on Cisco.com for SSH and CLI device support information. http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html
Recommendation Filters (See How Recommendation Filters Work for an IOS Image.)
Include Cisco.com images for image recommendation
Description: During image distribution, recommend Cisco.com images for Cisco devices.
Include General deployment images
Description: Includes only GD images.
Usage Notes: For Cisco IOS devices only.
Include latest maintenance release (of each major release)
Description: Includes the latest major releases of IOS images. For example, if Release 12.2(5) was latest maintenance version in the 12.2 major release, the recommended image is IOS 12.2(5).
Usage Notes: For Cisco IOS devices only.
Include images higher than running image
Description: Includes the images that are newer than the images running on your device. For example, if the device is running Release 11.2(3), the recommended images are 11.2(4) and later.
Usage Notes: For Cisco IOS devices only.
Description Include only images that have the same feature subset as the current image. For example, if you want IOS images with the ENTERPRISE IPSEC feature, the recommended images contain the latest version. This version contains feature subset that fits the Flash.
Password Policy
Enter a username and password for running a specific Software Management job. If you enter a username and password, Software Management application uses this username and password to connect to the device, instead of taking these credentials from the Device and Credential Repository.
If you have enabled User Configurable option, you can disable this option while scheduling the distribution jobs. If you have disabled User Configurable option, you must enter the username and password while scheduling the distribution jobs.
These passwords are used only to connect to devices for which Software Management uses CLI, Telnet, and SSH for software upgrades. See the Software Management Functional Supported Device tables on Cisco.com for CLI, Telnet and SSH device support information. http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html
Step 3 Either:
Click Apply to save your changes.
Click Defaults to display the default configuration.
Click Cancel to discard the values entered and revert to previously saved values.
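The permission rules this chapter states for the Change Audit script directory and for the Software Management Script Location field can be checked with a short audit, given here as an added example that is not part of the Cisco documentation. It assumes a POSIX shell and find on the LMS server; the function name and finding labels are hypothetical, and the last two checks (directory writable by others, non-regular files) are assumptions that go beyond what the page states.

```shell
#!/bin/sh
# Added example (not Cisco code): audit a script directory used by LMS
# automated actions against the permission rules stated in this chapter.
#
# Usage: audit_script_dir DIR OWNER GROUP
#   DIR    e.g. /var/adm/CSCOpx/files/scripts/changeaudit or .../scripts/swim
#   OWNER  expected owner (casuser on the page)
#   GROUP  expected group (casusers on the page)
# Prints one finding per line as "<CHECK> <path>".
# Returns 0 when the directory is clean, 1 when there is any finding.

audit_script_dir() {
    dir=$1
    owner=$2
    group=$3

    if [ ! -d "$dir" ]; then
        echo "MISSING-DIR $dir"
        return 1
    fi

    # stderr is captured too, so a find error (for example an unknown
    # owner name) counts as a finding instead of passing silently.
    findings=$(
        {
            # Scripts must belong to casuser:casusers.
            find "$dir" -type f ! -user "$owner" | sed 's/^/OWNER /'
            find "$dir" -type f ! -group "$group" | sed 's/^/GROUP /'

            # "The other users should have only read permission":
            # flag write (0002) or execute (0001) granted to others.
            find "$dir" -type f \( -perm -0002 -o -perm -0001 \) |
                sed 's/^/OTHER-WX /'

            # Only shell scripts (*.sh) can be run on UNIX.
            find "$dir" -type f ! -name '*.sh' | sed 's/^/NOT-SH /'

            # Assumed extra checks, not stated on the page: a directory
            # writable by others lets a script be swapped, and a symlink
            # or device node sidesteps the ownership checks above.
            find "$dir" -type d -perm -0002 | sed 's/^/DIR-OTHER-W /'
            find "$dir" ! -type f ! -type d | sed 's/^/NOT-REGULAR /'
        } 2>&1
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit_scripts.sh DIR OWNER GROUP
if [ "$#" -eq 3 ]; then
    audit_script_dir "$1" "$2" "$3"
fi
```

Any output line is a deviation from the stated rules to correct before the script is attached to an automated action or a distribution job; audit_scripts.sh is a hypothetical file name.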
Select a protocol from the Available Protocols pane. Click Add or double click the mouse.
Select a protocol from the Selected Protocol Order pane. Click Remove or double click the mouse.
Select the protocols from the Selected Protocol Order pane. Click Remove. You can either select the protocols individually or use the mouse to select all of them and click Remove. Select a protocol from the Available Protocols pane. Click Add or double click the mouse.
Step 3 Step 4
Option Number 1
Include Latest Maintenance Release (of Each Major Release) Not selected
image version are present, the image with a higher compatible feature than the running image is recommended.
Similar images in Cisco.com and Software Management
The image feature can be the same or a superset of the running image.
If a higher version is not available, then no recommendation is made.
2 Not selected Not selected Not selected Selected The recommended list contains images that have the same feature set as that of the running image. The images with the highest version among the recommended image list are recommended.
3 Not selected Not selected Selected Not selected The recommend list contains all types of releases (deployment status). The images with the highest version among recommended image list are recommended. The feature set of the recommended image may be superior than the running image.
4 Not selected Selected Not selected Not selected The latest maintenance version in each release is available in the recommend image list. The latest image version is recommended.
Table 11-1
Option Number 5
Include Images Higher Than Running Image Not selected Not selected
Recommendation The images with deployment status identified as GD are available in the recommended image list and other recommendation flow remains the same as the option 1.
6 7
Selected Same as option 5. However, the recommended list contains images that have the same feature set as that of running image. Same as option 5. However, the image with the highest version in the recommended image list is recommended. The feature set of the recommended image may be superior than the running image.
Selected Selected Same as option 6. However, the image with the highest version in the recommended image list is recommended. All recommend images will have the same feature subset as the running image.
Not selected
The images with the highest version among recommended image list are recommended. The images of GD types of releases are available in the recommended image list.
10
Selected The images with the same feature as that of running image is available in the recommended list and the latest maintenance version of all release is available in the recommended list. Only an image with higher version than running image is recommended. The recommended images can have only GD status.
11
Same as option 9. In addition to this, an image with the higher version than running image is also recommended.
To view all inventory change reports, select Reports > Inventory. In the Report Generator dialog box, first select the application, Change Audit, and then select the Exception Period Report from the respective drop-down lists. To view inventory changes from the last 24 hours, select Reports > Inventory. In the Report Generator dialog box, first select the application, Inventory, and then select report 24 Hour Inventory Change report from the respective drop-down lists.
Note: View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform this task.
To set Inventory change filters:
Step 1 Select Admin > Network > Change Audit Settings > Inventory Change Filter. The Inventory Change Filter dialog box appears.
Step 2 Select a group from the Select a Group drop-down list. See Table 11-2. The dialog box refreshes to display the filters available for the attribute group that you selected.
Step 3 Select the attributes that you do not want to monitor for changes.
Step 4 Click Save. A confirmation dialog box appears.
Step 5 Click OK to save the details.
You can use Reset All to reset your selections for all groups. This resets all previous values to blanks.
Administering Change Audit and Software Management Setting Change Report Filters
Table 11-2
Custom Report Group/Attribute: Description
Orderable Part Number: Orderable part number of asset.
Tag: Asset tag.
CLE Identifier: Represents CLIE (Common Language Equipment Identifier) code for the physical entity.
Mfg Assembly Revision: Manufacturing assembly revision of asset.
Mfg Assembly Number: Manufacturing assembly number of asset.
Physical Index: Physical index of asset.
Back Plane
Operational Status: Operational status of backplane.
Parent Relative Position: Indicates the relative position of this child component among all its sibling components.
Manufacturer Name: Name of manufacturer.
Physical Entity Name: Name of physical entity.
Slot Configuration: Configuration of backplane slots.
Model Name: Name of model.
Vendor Type: Type of vendor.
Serial Number: Serial number of backplane.
Description: Description of backplane.
Component Type: Type of component.
Index: Index of backplane.
Field Replaceable Unit: FRU of backplane. Field-replaceable unit is a hardware component that can be removed and replaced on site.
Alias Name: Alias name of backplane.
Bridge
Type of bridge. Number of ports in the bridge. Base address of bridge.
Chassis Model Name: Name of the chassis model.
Chassis Serial Number: Serial number of the chassis.
Chassis Vendor Type: Type of vendor.
Chassis Version: Version number of the chassis.
Report Published: Indicates whether Report is published or not. Displays the value as True or False.
Description: Description of chassis.
Field Replaceable Unit: FRU of chassis.
Component Type: Type of component.
Alias Name: Alias name of chassis.
Index: Physical index of chassis.
Parent Relative Position: Indicates the relative position of this child component among all its sibling components.
Physical Entity Name: Name of physical entity.
Free Slots: Free slots in chassis.
Slot Capacity: Slot capacity of chassis.
Power Available (Watts): Power available at chassis level.
Power Consumption (Watts): Power consumption at chassis level.
Power Consumption (%): Percentage of power consumption at chassis level.
Power Remaining (Watts): Power remaining at chassis level.
Operational Status: Operational status of chassis.
Manufacturer Name: Name of manufacturer.
Slot Configuration: Slot configuration of chassis.
Component
Index: Physical index of component.
Field Replaceable Unit: FRU of component.
Alias Name: Alias name of component.
Parent Relative Position: Indicates the relative position of this child component among all its sibling components.
Operational Status: Operational status of component.
Manufacturer Name: Name of manufacturer.
Name: Name of component.
Slots Configured: Slot configuration of component.
Model Name: Name of model.
Vendor Type: Vendor type of component.
Serial Number: Component serial number.
Description: Description of component.
Component Type: Type of component.
Alias Name: Alias name of container.
Operational Status: Operational status of container.
Manufacturer Name: Name of manufacturer of container.
Slot Configuration: Slot configuration of container.
Container Model Name: Model name of container.
Container Vendor Type: Vendor type of container.
Parent Relative Position: Parent Relative Position of container.
Container Serial Number: Serial number of container.
Physical Entity Name: Physical entity name of container.
Description: Description of container.
Component Type: Type of container component.
Index: Index of container.
Field Replaceable Unit: FRU of container.
Fan
Fan Model Name: Name of model of fan.
Fan Vendor Type: Vendor type of fan.
Parent Relative Position: Parent Relative Position of fan.
Fan Serial Number: Serial number of fan.
Description: Description of fan.
Physical Entity Name: Physical entity name of fan.
Component Type: Component type of fan.
Index: Index of fan.
Field Replaceable Unit: FRU of fan.
Alias Name: Alias name of fan.
Operational Status: Operational status of fan.
Manufacturer Name: Name of manufacturer of fan.
Slot Configuration: Slot configuration of fan.
Flash
Module Index: Module index of flash.
Custom Report Group/Attribute: Description
Removable: Indicates whether the flash device is removable.
Jumper: Jumper of the flash device.
Controller: Flash device controller.
Chip Count: Flash device chip count.
Size (MB): Total flash device size in MB.
Partition Count: Partition count of flash device.
Maximum Partitions: Maximum partitions in flash device.
Minimum Partition Size (MB): Minimum partition size of flash device.
Name: Name of the flash device.
Index: Index of flash device.
Description: Description of flash device.
Flash File
Flash file index. Flash file status. Checksum of flash file. Size of flash file. Name of flash file.
Flash Partition
Algorithm: Algorithm of the flash partition.
Filename Length: Flash filename length.
Erase Needed: Whether an erase is needed.
Upgrade Method: Method of upgrade of flash partition.
Status: Status of flash partition.
Free (MB): Free space in MB.
Size (MB): Flash partition size in MB.
Name: Name of flash partition.
Index: Flash partition index.
Custom Report Group/Attribute: Description
IP Address: IP Address of the device.
Index: IP Address index.
Address State: IP Address state.
Address Type: Type of IP Address.
Protocol of Address: Protocol of IP Address.
Max Re-assemble Size: Maximum re-assemble size.
Broadcast Address: Broadcast address.
Network Mask: Network mask of IP Address.
Image
ROM Sys Version: ROM system software version.
ROM Version: Version of ROM.
System Boot Variable: System Boot Variable.
System Image File: System image file.
Minimum Boot Flash (MB): Minimum Boot Flash in MB.
Minimum NVRAM (MB): Minimum NVRAM in MB.
Minimum DRAM (MB): Minimum DRAM in MB.
Media: Media of image.
Feature: Image feature.
Module: Image module.
Image: Software image present on the device.
Build Time: Build time of image.
Family: Image family.
System Description: Image system description.
Version: Version of the software image on the device.
Description: Description of image.
Processor Index: Processor index of image.
Interface
MTU: Maximum transmission unit. Maximum packet size, in bytes, that this interface can handle.
Alias: Interface alias.
Last Changed: Time of last change.
Operational Status: Operational status of interface.
Admin Status: Administrative status of interface.
Speed (Mbps): Speed of interface in Mbps.
Type: Type of interface.
Description: Description of interface.
Name: Name of interface.
Physical Address: Physical address of interface.
Description Index of interface. Identifier of interface. FlexLink status of the interface. Whether the interface is Span enabled Processor index. Total memory in MB. Lowest free block of memory in MB. Largest free block of memory in MB. Free memory in MB Used memory in MB. Validity of memory pool. Alternate memory pool. Name of the memory pool. Memory pool type.
Memory
Processor Index Total Memory (MB) Lowest Free Block (MB) Largest Free Block (MB) Free (MB) Used (MB) Validity Alternate Pool Name Type
Memory Pool
Custom Report Group/Attribute: Description
Parent Relative Position: Parent Relative Position of module.
Field Replaceable Unit: FRU of module.
Alias Name: Alias name of module.
Reset Reason: Module reset reason.
Admin Status: Administrative status of module.
Additional Status: Additional status of module.
Module IP Address: IP Address of module.
Hardware Encryption: Hardware encryption of module.
Slot Number: Slot number of module.
Inline Power Capable: Inline power capability of module.
Parent Type: Module parent type.
Multiservice: Is this a multiservice module.
Parent Index: Parent index of module.
Number of Slots: Number of slots in module.
FW Version: Firmware version of module.
SW Version: Software version of module.
HW Version: Module hardware version.
Operational Status: Operational status of module.
Manufacturer Name: Name of manufacturer of module.
Physical Entity Name: Physical entity name of module.
Slot Configuration: Slot configuration of module.
Model Name: Name of module.
Vendor Type: Vendor type of the module.
Serial Number: Serial number of module.
Description: Description of module.
Component Type: Component type of module.
Index: Index of module.
Custom Report Group/Attribute: Description
Manufacturer Name: Port manufacturer name.
Slot Configuration: Slot configuration of port.
Port Model Name: Model name of port.
Port Vendor Type: Port vendor type.
Port Serial Number: Serial number of port.
Parent Relative Position: Parent Relative Position of port.
Description: Description of port.
Component Type: Port component type.
Physical Entity Name: Physical Entity Name of port.
Port Index: Port index.
Field Replaceable Unit: FRU of port.
Alias Name: Alias name of port.
Status: Status of port.
Operational Status: Operational Status of port.
POE Admin Status: The POE Port Admin Status.
POE Power Allocated: The amount of power allocated from the Power Sourcing Equipment (PSE) for the Powered device. This is a POE device specific attribute.
The maximum amount of power that the PSE makes available to the Powered device connected to the Port interface. This is a POE device specific attribute. Power consumption percentage of the port. Power consumption of the port. Power available for a powered device connected to the port. Power remaining for a powered device connected to the port.
Number: Port interface number.
Custom Report Group/Attribute: Description
Parent Relative Position: Parent Relative Position of power supply.
Physical Entity Name: Physical Entity Name of power supply.
Admin Status: Administrative status of power supply.
Operational Status: Operational status of power supply.
Manufacturer Name: Manufacturer Name of power supply.
Field Replaceable Unit: FRU of power supply.
Slot Configuration: Slot configuration of power supply.
Alias Name: Alias name of power supply.
Power Supply Model Name: Model name of power supply.
Power Supply Vendor Type: Vendor type of power supply.
Power Supply Serial Number: Serial number of power supply.
Description: Description of power supply.
Component Type: Component type of power supply.
Index: Index of power supply.
Custom Report Group/Attribute: Description
Field Replaceable Unit: Processor FRU.
Alias Name: Alias name of processor.
Slot Number: Slot number of processor.
Parent Type: Parent type of processor.
Parent Index: Parent index of processor.
Reboot Config Register Value: Reboot configuration register value.
Config Register Value: Configuration register value.
Physical Entity Name: Name of physical entity.
NVRAM Used (KB): Size of the processor NVRAM that has been utilized, in KB.
NVRAM Size (KB): Size of the processor NVRAM in KB.
RAM Size (MB): Size of processor RAM in MB.
Operational Status: Operational status of processor.
Manufacturer Name: Manufacturer name of processor.
Slot Configuration: Slot configuration of processor.
Model Name: Name of the processor model.
Reset Reason: Processor reset reason.
Vendor Type: Processor vendor type.
Admin Status: Administrative status of processor.
Serial Number: Serial number of processor.
Additional Status: Additional status of processor.
Description: Description of processor.
Module IP Address: Module IP Address of processor.
Component Type: Component type of processor.
Hardware Encryption: Hardware encryption.
Index: Index of processor.
Inline Power Capable: Inline power capability of processor.
Multiservice: Multiservice.
Number of Slots: Number of slots in processor.
FW Version: Firmware version of processor.
SW Version: Software version of processor.
HW Version: Hardware version of processor.
Parent Relative Position: Parent Relative Position of processor.
Custom Report Group/Attribute: Description
Parent Relative Position: Parent Relative Position of sensor.
Physical Entity Name: Name of physical entity of sensor.
Operational Status: Operational status of sensor.
Manufacturer Name: Manufacturer name of sensor.
Field Replaceable Unit: FRU of sensor.
Alias Name: Alias name of sensor.
Slot Configuration: Slot configuration of sensor.
Sensor Model Name: Model name of sensor.
Sensor Vendor Type: Vendor type of sensor.
Sensor Serial Number: Serial number of sensor.
Description: Description of sensor.
Component Type: Component type of sensor.
Index: Index of sensor.
Slot
Serial Number: Serial number of slot.
Description: Description of slot.
Component Type: Component type of slot.
Index: Index of slot.
Parent Relative Position: Parent Relative Position of slot.
Physical Entity Name: Physical Entity Name of slot.
Operational Status: Operational Status of slot.
Manufacturer Name: Name of manufacturer of slot.
Field Replaceable Unit: FRU of slot.
Slot Configuration: Configuration of slot.
Alias Name: Alias name of slot.
Model Name: Model name of slot.
Vendor Type: Vendor type of slot.
Stack
Field Replaceable Unit: FRU of stack.
Operational Status: Operational status of stack.
Alias Name: Alias name of stack.
Manufacturer Name: Manufacturer name of stack.
Slot Configuration: Slot configuration of stack.
Stack Model Name: Model name of stack.
Stack Vendor Type: Vendor type of stack.
Stack Serial Number: Serial number of stack.
Description: Description of stack.
Parent Relative Position: Parent Relative Position of stack.
Description Stack component type. Index of stack. Physical Entity Name of stack.
Sys Application
Index: Index of system application.
Software Serial Number: Software serial number of system application.
Software Version: Software version of system application.
Software Product Name: Name of software product.
Software Manufacturer: Software manufacturer of system application.
System
SysUpTime: System Up Time.
Host Name: Host name of the system.
Management Type: Management type of system.
Modular: Modularity of system.
OSI Layer Services: OSI layer services of system.
System Name: System name.
System Object ID: System Object ID of the device.
Last Updated At: Date and time of last system update.
Location: System location.
Contact: System contact.
Domain Name: Domain name of the system.
Description: Description of the system.
CHAPTER 12
Managing Jobs
In LMS 4.1, there is a Job Browser which enables you to view the status of all the LMS admin-related Jobs. LMS applications, such as NetConfig, Config Editor, Archive Management, and Software Management allow you to schedule jobs to perform their tasks. Job Approval allows you to require that one of a group of users designated as job Approvers approves each job before it can run. This section contains the following:
Using Job Browser
Configuring Default Job Policies
Configuring NetShow Job Policies
Enabling Approval and Approving Jobs Using Job Approval
Job Approval Workflow
Using Device Selector
Column: Description
Job ID: Unique number assigned to this task at creation time. This number is never reused. There are two formats:
  Job ID: Identifies the task. This does not maintain a history. For example: 1001
  JobID.Instance ID: Here, in addition to the task, the instance of the task can also be identified. For example: 1001.1, 1001.2
Type: Type of job. The jobs include User Tracking jobs, LMS reports, Inventory Collection, Identity provisioning, Identity monitoring and so on.
Run Status: Job states include:
  Running
  Waiting for approval
  Scheduled (pending)
  Succeeded
  Succeeded with Info
  Failed
  Crashed
  Cancelled
  Suspended
  Rejected
  Missed Start
  Failed at Start
Select a job state from the Run Status drop-down list box to view the details of all the jobs that match the job state. If there are no jobs with any of these job states, the Run Status drop-down list box will not display the respective job state.
Sched Type: Frequency of the job. This can be:
Table 12-1
Column: Description
Status: Provides the status of the current jobs. The status of the current jobs is displayed as succeeded or failed. It also displays the failure reasons.
Username of the job creator. Date and time at which the job was scheduled. Date and time at which the job was completed.
You can filter the jobs by any specified criteria using the Filter by drop-down list. Select your criteria, enter the corresponding value in the text box next to the drop-down list and click Filter. The jobs pertaining to that category are displayed.
Column: Description
All: Displays all jobs in Job Browser. This is the default filter type.
Job ID: Unique ID of the job. For example, 1007.0. Job IDs have N.x format, where x stands for the number of instances of that job. For example, 1007.4 indicates that the Job ID is 1007 and it is the fifth instance of that job. You should enter a valid Job ID as filter value. You can also:
  Enter multiple Job IDs separated by commas
  Include the wildcard character * (asterisk) in the Job ID value
  Enter a range of Job IDs
  1002 1010.5 1004,1008.8, 1004 1007* 1001-1010 1019.20-1019.100
Type: Type of job. The jobs include User Tracking jobs, LMS reports, Inventory Collection, Identity provisioning, Identity monitoring and so on. Filters and displays all jobs that match a job type value in Job Browser. You must select a job type from the list of available types.
Run Status: Job states include:
  Running
  Waiting for approval
  Scheduled (pending)
  Succeeded
  Succeeded with Info
  Failed
  Crashed
  Cancelled
  Suspended
  Rejected
  Missed Start
  Failed at Start
Select a job state from the Run Status drop-down list box to view the details of all the jobs that match the job state. If there are no jobs with any of these job states, the Run Status drop-down list box will not display the respective job state.
Sched Type: Frequency of the job. This can be:
Description: Description of the job. Filters and displays all jobs with a specified description. You cannot leave the description field blank when you select this filter type.
Owner: Username of the job creator. Filters and displays all jobs that are scheduled by a user. You can select a user from the drop-down list of users as a filter value.
Click the Refresh icon to refresh the job browser. Use the Stop and Delete buttons to stop or delete jobs:
Stop button: Stops or cancels a running job. You will be prompted to confirm the cancellation of the job. However, the job is stopped only after the devices currently being processed are successfully completed. This is to ensure that no device is left in an inconsistent state.
Delete button: Deletes the selected job from the job browser. You can select more than one job to delete. You will be asked to confirm the deletion.
Note
This section also explains Defining the Default Job Policies.
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Step 1 Select Admin > Network > Configuration Job Settings > Config Job Policies. The Config Job Policies dialog box appears.
Step 2 Select one application from the drop-down list. You can select one of the following options:
Step 3 Based on your selection, enter the following information:
Description: Select what the job should do if it fails to run on the device. You can stop or continue the job, and roll back configuration changes to the failed device or to all devices configured by the job. You can select one of the options:
  Stop on failure: Stops the job on failure.
  Ignore failure and continue: Continues the job on failure.
  Rollback device and stop: Rolls back the changes on the failed device and stops the job. This is applicable only to NetConfig application.
  Rollback device and continue: Rolls back the changes on the failed device and continues the job. This is applicable only to NetConfig application.
  Rollback job on failure: Rolls back the changes on all devices and stops the job. This is applicable only to NetConfig application.
  Note: This field appears only if you select either Config Editor or NetConfig application.
Usage Notes: You can create rollback commands for a job in the following ways:
  Using a system-defined template. Rollback commands are created automatically by the template. The Banner system-defined template does not support rollback. You cannot create rollback commands using this template.
  Creating a user template. Allows you to enter rollback commands into the template.
  When you use the Adhoc and Telnet Password templates, you cannot create rollback commands.
Field Name: E-mail Notification
Description: Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.
Usage Notes: Notification is sent when the job is started and completed. Notification E-mails include a URL to enter to display job details. If you are not logged in, do so using log in panel.

Field Name: Sync Archive before Job Execution
Description: The job archives the running configuration before making configuration changes.
Note: This field appears if you select either Config Editor or NetConfig application.
Usage Notes: None.

Field Name: Copy Running Config to Startup
Description: The job writes the running configuration to the startup configuration on each device after configuration changes are made successfully.
Note: This appears if you select either Config Editor or NetConfig application.
Usage Notes: Does not apply to Catalyst OS devices.

Description: The Job Password Policy is enabled for all the jobs. The Archive Management, Config Editor, and NetConfig jobs use this username and password to connect to the device, instead of taking these credentials from the Device and Credential Repository. These device credentials are entered while scheduling a job.
Usage Notes: You can use this option even if you have configured only the Telnet password (without configuring username) on your device. You must enter a string in the Login Username field. Do not leave the Login Username field blank. The Login Username string will be ignored while connecting to the device since the device is configured only for the Telnet password. See Usage Scenarios When Job Password is Configured on Devices.

Description: The job is considered a failure when the most recent configuration version in the configuration archive is not identical to the most recent configuration version that was in the configuration archive when you created the job.
Usage Notes: None.

Field Name: Delete Config after download
Description: The configuration file is deleted after the download.
Note: This appears if you select Config Editor.
Usage Notes: None.
Description: Allows you to configure the job to run on multiple devices at the same time (Parallel execution) or in sequence (Sequential Execution).
Usage Notes: If you select sequential execution, you can select Device Order in the Job Schedule and Options dialog box to set the order of the device.
  1. Select a device in the Set Device Order dialog box.
  2. Either:
     Click the Move Up or Move Down arrows to change its place in the order. Click Done to save the current order.
     Or
     Close the dialog box without making any changes.
  You cannot alter the device sequence for Archive Management application jobs such as Sync Archive, Check Compliance and Deploy, etc.
  Sequential Execution is not supported for the following jobs:
     Manual Sync Archive
     Periodic Config Collection and Polling
     cwcli config get

Field Name: User Configurable
Description: Select this check box next to any field to make corresponding policy user configurable.
Usage Notes: You can configure a user-configurable policy while defining job. You cannot modify non-user-configurable policies.

Step 4 Click Apply. A message appears: Policy values changed successfully.
Step 5 Click OK.
The following tables list the usage scenarios and their implications for Configuration application when job password is configured on devices.
Table 12-2: When Device Access is Only Through Job Password and No Access is Available Through Regular Telnet/SSH and SNMP (Read or Write)
Table 12-3: When Devices are Configured for Job Password and Access is Available Through SNMP (Read or Write)
Table 12-4: When Devices are not Configured for Job Password and Access is Available Through Regular Telnet/SSH but no SNMP
Table 12-5: When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled. Access is Available Only Through SNMP (Read or Write)
Table 12-2
When Device Access is Only Through Job Password and No Access is Available Through Regular Telnet/SSH and SNMP (Read or Write)
Config Editor Not applicable Not applicable Not applicable Not applicable
Update archive request Fails through user interface Update archive request Not applicable through command line Config update when Syslog message is received Config update through periodic scheduled process Config update through SNMP poller based scheduled process Config upload/restore through cwcli config NetConfig Job Config Editor job Fails
Fails
Not applicable
Not applicable
Not applicable
Fails
Not applicable
Not applicable
Not applicable
Table 12-3
When Devices are Configured for Job Password and Access is Available Through SNMP (Read or Write)
Archive Mgmt Succeeds for SNMP supported devices Succeeds for SNMP supported devices Succeeds for SNMP supported devices Succeeds for SNMP supported devices Succeeds for SNMP supported devices
Update archive request through user interface Update archive request through command line Config update when Syslog message is received Config update through periodic scheduled process
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Scenario Config update through SNMP poller based scheduled process Config upload/restore through cwcli
config
Not applicable
Not applicable
Table 12-4
When Devices are not Configured for Job Password and Access is Available Through Regular Telnet/SSH but no SNMP
Scenario | Archive Mgmt | cwcli config | NetConfig | Config Editor
Device is added into LMS | Succeeds | Not applicable | Not applicable | Not applicable
Update archive request through user interface | Succeeds | Not applicable | Not applicable | Not applicable
Update archive request through command line | Succeeds | Succeeds | Not applicable | Not applicable
Config update when Syslog message is received | Succeeds | Not applicable | Not applicable | Not applicable
Config update through periodic scheduled process | Succeeds | Not applicable | Not applicable | Not applicable
Config update through SNMP poller based scheduled process | Succeeds | Not applicable | Not applicable | Not applicable
Config upload/restore through cwcli config | Succeeds | Succeeds | Not applicable | Not applicable
NetConfig Job | Not applicable | Not applicable | Succeeds | Not applicable
Config Editor job | Not applicable | Not applicable | Not applicable | Succeeds
Table 12-5
When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled. Access is Available Only Through SNMP (Read or Write)
Archive Mgmt Succeeds for SNMP supported devices Succeeds for SNMP supported devices
Not applicable
Not applicable
Not applicable
Scenario Update archive request through command line Config update when Syslog message is received Config update through periodic scheduled process Config update through SNMP poller based scheduled process Config upload/restore through cwcli
config
Archive Mgmt Succeeds for SNMP supported devices Succeeds for SNMP supported devices Succeeds for SNMP supported devices Succeeds for SNMP supported devices Succeeds for SNMP supported devices Not applicable Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Defining Default Job Policies: The default job policies that NetShow supports are E-Mail Notification, Enable Job Password, and Execution Policy.
Purging Configuration Management Jobs: The Job Purge option provides a centralized location for you to schedule purge operations.
Defining Protocol Order: You can define the protocol order for NetShow through the Protocol Ordering option in the Config Management feature in LMS.
This section also gives details on Masking Credentials.
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
To define these default Job Policies:
Step 1 Select Admin > Network > Configuration Job Settings > Config Job Policies. The Job Policy dialog box appears.
Step 2 Select NetShow from the Application drop-down list.
Step 3 Enter the following information in the Job Policy dialog box:

Field Name: E-mail Notification
Description: Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.
Usage Notes: Notification is sent when job is started and completed. Notification e-mails include a URL to enter to display job details. If you are not logged in, log in using the login panel.

Field Name: Enable Job Password
Description: NetShow jobs use this username and password to connect to the device, instead of taking these credentials from the Device and Credential Repository. These device credentials are entered while scheduling a job. The Job Password Policy is enabled for all the jobs.
Usage Notes: You can use this option even if you have configured only the Telnet password (without configuring username) on your device. You must enter a string in the Login Username field. Do not leave it blank. The Login Username string is ignored while connecting to the device since the device is configured only for the Telnet password.

Field Name: Execution Policy
Description: Allows you to configure the job to run on multiple devices at the same time (Parallel Execution) or in sequence (Sequential Execution).
Usage Notes: None.
Step 4 Click Apply. A message appears: Policy values changed successfully.
Step 5 Click OK.
Daily: Daily at the specified time.
Weekly: Weekly on the day of the week and at the specified time.
Monthly: Monthly on the day of the month and at the specified time. (A month comprises 30 days).
Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears. You can perform the following tasks in the Job Purge window:
Description
Schedule a job purging.
Enable a job for purging after you schedule it.
Disable the purge after enabling a job for purging.
Purge a job immediately.
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
To define the protocol order for NetShow:
Step 1 Select Admin > Collection Settings > Config > Config Transport Settings. The Transport Settings dialog box appears.
Step 2 Select NetShow from the Application drop-down list.
Step 3 Select a protocol from the Available Protocols pane and click Add. NetShow supports only Telnet and SSH. If you want to remove a protocol or change the protocol order, you can remove the protocol using the Remove button and then add it again. The protocols that you have selected appear in the Selected Protocol Order pane.
Step 4 Click Apply. A message appears: New settings saved successfully.
Step 5 Click OK.
The protocol used for communicating with the device is based on the order in which the protocols are listed here.
Managing Jobs Enabling Approval and Approving Jobs Using Job Approval
Masking Credentials
You can mask the credentials shown in the output of show commands. To mask the credentials in the output of a particular command, you must specify that command in the NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\config\netshow\NSCredCmds.properties file. In this file you can specify all the commands whose output should be processed to mask the credentials. We recommend that you enter the complete command in the file. For example, you must enter show running-config, not show run. This file contains some default commands, such as show running-config.
Note: View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform job approval tasks.
Responsibilities
Creates and maintains the Approver lists.
Approves/rejects a job, or changes the schedule for a job.
To select the log level settings for the Job Approval application, select Admin > System > Debug Settings > Config and Image Management Debugging settings.
Job Approval is also referred to as Maker Checker in a few places within LMS. For example, in Loglevel Settings and Permission Report (Reports > System > Users > Permission) it is mentioned as Maker Checker.
Specifies user/Approver information (see Specifying Approver Details).
Creates one or more job Approver lists (see Creating and Editing Approver Lists).
Assigns Approver lists (see Assigning Approver Lists).
Sets up Job Approval (see Setting Up Job Approval).

The planner analyzes the network and prompts the network engineer to schedule a job to perform a needed network change.
The job creator uses a Cisco Prime application to create a job. The application must have an Approver list assigned to it before Job Approval is enabled. Also, it must be scheduled to run in the future (not immediately). All Approvers on the Approver list receive an automatic e-mail notification.
The job Approvers approve or reject the job (see Approving and Rejecting Jobs) and give their comments. The job creator and all Approvers on the Approver list receive an automatic e-mail notification. A job that is not approved or rejected before its scheduled time is automatically moved to the Rejected state. E-mail notification is sent to all Approvers and the user who scheduled the job.
If the job is approved, it runs as scheduled.
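The approval rules in the workflow above, modelled as a small state machine. This is an added example, not LMS code: the class and function names, the user and list names, and the mapping of an approved job to the Scheduled (pending) state are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class State(Enum):
    # State names are taken from the Run Status list in Job Browser.
    WAITING = "Waiting for approval"
    SCHEDULED = "Scheduled (pending)"   # assumption: where an approved job waits
    REJECTED = "Rejected"


@dataclass
class Job:
    job_id: int
    creator: str
    application: str
    run_at: datetime
    state: State = State.WAITING
    audit: list = field(default_factory=list)  # (time, actor, action, comment)


class ApprovalGate:
    """Hypothetical model of the maker-checker rules in the workflow."""

    def __init__(self, approver_lists, assignments):
        self.approver_lists = approver_lists  # list name -> set of approver usernames
        self.assignments = assignments        # application -> assigned list name

    def approvers_for(self, application):
        return self.approver_lists.get(self.assignments.get(application), set())

    def submit(self, job, now):
        """Accept a job for approval; return the Approvers to notify."""
        approvers = self.approvers_for(job.application)
        if not approvers:
            raise ValueError(f"no Approver list assigned to {job.application}")
        if job.run_at <= now:
            raise ValueError("job must be scheduled to run in the future")
        job.state = State.WAITING
        job.audit.append((now, job.creator, "submitted", ""))
        return sorted(approvers)

    def expire(self, job, now):
        """A job still undecided at its scheduled time moves to Rejected."""
        if job.state is State.WAITING and now >= job.run_at:
            job.state = State.REJECTED
            job.audit.append((now, "system", "rejected",
                              "no decision before scheduled time"))
        return job.state

    def decide(self, job, approver, approve, comment, now):
        """Record one Approver's decision; return everyone to notify."""
        if self.expire(job, now) is not State.WAITING:
            raise ValueError(f"job {job.job_id} is already {job.state.value}")
        if approver not in self.approvers_for(job.application):
            raise PermissionError(f"{approver} is not on the Approver list")
        job.state = State.SCHEDULED if approve else State.REJECTED
        job.audit.append((now, approver,
                          "approved" if approve else "rejected", comment))
        return sorted(self.approvers_for(job.application) | {job.creator})


if __name__ == "__main__":
    # Constructed sample data: user names, list name and times are invented.
    t0 = datetime(2024, 1, 8, 9, 0)
    gate = ApprovalGate({"netops-approvers": {"alice", "bob"}},
                        {"NetConfig": "netops-approvers"})
    job = Job(1001, "carol", "NetConfig", run_at=t0 + timedelta(hours=4))
    print("notify:", gate.submit(job, t0))
    gate.decide(job, "bob", True, "change window confirmed", t0 + timedelta(hours=1))
    print(job.job_id, job.state.value)
    late = Job(1002, "carol", "NetConfig", run_at=t0 + timedelta(hours=1))
    gate.submit(late, t0)
    print(late.job_id, gate.expire(late, t0 + timedelta(hours=2)).value)
```

The audit list gives a reviewer the who, when and comment for every decision, including the automatic rejection of a job nobody acted on.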
Note: View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
To specify Approver details:
Step 1 Select Admin > Network > Configuration Job Settings > Approver Details. The Approver Details dialog box appears.
Step 2 Click Synchronize with Local User Database. All the approvers with valid e-mail IDs appear in the Approvers list. The e-mail IDs of the approvers are the same as those added in LMS. (You can create a valid Cisco Prime user using the Local User Setup option under Admin > System > User Management > Local User Setup). If you want to change the e-mail ID of any of the Approvers, select the Approver from the Approvers list, and specify the new e-mail ID in the E-mail Address field. You can add more than one e-mail ID, separated by commas.
Step 3 Click Save to save your changes.
All approvers have to be manually added to LMS. To do this, enter the name of the Approver that you want to add in the New Approver field, enter a valid e-mail ID for that user in the E-mail Address field, and click Save. The Approver that you added appears in the Approvers box.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
To create and edit Approvers lists:
Step 1
Select Admin > Network > Configuration Job Settings > Create/Edit Approver Lists. The Create/Edit Approver List dialog box appears.
Step 2
Go to the Approver List field and enter a name for an Approver list that you are creating. It can be an alphanumeric name.
Step 3
Click Add. A message appears:
List Listname has no users. To save the list successfully, add users and click Save.
Step 4
Click OK to proceed. The newly-created list appears in the lists box. (If previously-created lists exist, you can highlight a list to see the List Members in the Users group of fields.)
Step 5
Add users to the newly-created list, by highlighting the list. In the Users group of fields, the Available Users box lists users who have Approver permissions. Only these users can be added to Approver lists to approve jobs.
To add a user to the Approver List, select the name from the Available Users list box, and click Add. The name appears in the List Members list box. To remove a user from the Approver list, select the name from the List Members list box, then click Remove. The name is removed from the List Members list box.
Step 6
Click Save. The Approver Lists box displays the name of the new Approver list and the users on this list appear in the box below Approver Lists.
Managing Jobs
Select the list. The approvers of the list appear in the List Members list box. Add new approvers, or remove existing ones, using the Add and Remove buttons in the Users group of fields.
Select the list. Click Delete. A message appears:
Are you sure you wish to delete? Approval will be disabled for applications to which the Listname is assigned!
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
To assign an Approver list:
Step 1
Select Admin > Network > Configuration Job Settings > Assign Approver Lists. The Assign Approver Lists dialog box appears.
Step 2
Select the required Approver list from the drop-down list box for that application. Repeat this for each of the applications listed here:
NetConfig
NetShow
Config Editor
Archive Management. See Using Job Approval for Archive Management for details.
Software Management. See Using Job Approval for Software Management for details.
Step 3
Click Assign. The selected Approver lists are assigned to the applications.
Prerequisite
Make sure the approver list is assigned to the application, before you enable approval for the application.
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform this task.
To set up Job Approval:
Step 1
Select Admin > Network > Configuration Job Settings > Approval Policies. The Approval Policies dialog box appears. You can enable or disable Job Approval for the following applications:
NetConfig
NetShow
Config Editor
Archive Management
Software Management
Step 2
Set up Job Approval for the various applications that support job approval, by doing one of the following:
Select the Enable check box that corresponds to an application, to enable Job Approval. Deselect the Enable check box that corresponds to an application, to disable Job Approval.
Select the All check box to enable Job Approval for all applications to which it is applicable. Deselect the All check box to disable Job Approval for all applications to which it is applicable.
Step 3
Click Apply to apply your changes. After you enable Job Approval, two additional fields appear in the job schedule wizard of the applications. These are:
You can enable Job Approval for Archive Management tasks (Admin > Network > Configuration Job Settings > Approval Policies). This means all jobs require approval before they can run. Only users with Approver permissions can approve Archive Management jobs. Jobs must be approved before they can run if Job Approval is enabled on the system. For more details on enabling job approval, see Setting Up Job Approval.
The following Archive Management tasks require approval if you have enabled Job Approval:
Out-of-Sync (Configuration > Compliance > Out-of-Sync Summary)
Sync Archive jobs do not have Job Approval enabled because this job only archives the configuration from the device and there is no change to the device configuration.
If you have enabled Approval for Archive Management tasks, these options appear in the Job Schedule and Options dialog box:
Approval Comment: Approval comments for the job approver.
Maker E-Mail: E-mail ID of the job creator.
You can enable Job Approval for Software Management tasks (Admin > Network > Configuration Job Settings > Approval Policies), which means all jobs require approval before they can run. Only users with Approver permissions can approve Software Management jobs. Jobs must be approved before they can run if Job Approval is enabled on the system.
The following Software Management tasks require approval if you have enabled Job Approval:
Adding images to Software Repository (Configuration > Tools > Software Image Management > Software Distribution) using:
Cisco.com
Device
URL
Network
Distributing software images (Configuration > Tools > Software Image Management > Software Distribution) using any one of these methods:
Distributing by Devices [Basic]
Distributing by Devices [Advanced]
Distributing by Images
Remote Staging and Distribution
If you have enabled Approval for Software Management tasks, then in the Job Schedule and Options dialog box, you get these two options:
Maker Comments: Approval comments for the job approver.
Maker E-Mail: E-mail ID of the job creator.
The e-mail displays these details:
Details: Description
Job ID: ID of the job that has been put up for approval.
Job Description: Description of the job.
Job Schedule: Date and time for which the job has been scheduled.
Server Name: Name of the server.
Server Time-zone: Time zone of the server.
Maker Comments: Comments for the Approver, entered by the job creator.
URLS: Two URLs to launch dialog boxes for:
View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform this task. You need to be a user with an Approver role.
Note
You will be able to select only those jobs for which you are a part of the Approver List. The other jobs, for which you are not a part of the Approver List, will be disabled.
To approve or reject jobs:
Step 1
Select Admin > Jobs > Approval. The Jobs Pending Approval dialog box appears with the following information about the scheduled jobs on the system:
Column: Description
Job ID: Unique number assigned to the job when it is created. For periodic jobs such as Daily, Weekly, etc., the job IDs are in the number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that this is the third instance of the job ID 1001. Click the Job ID hyperlink to view the details of the job.
Job owner.
Application that registered job.
When job is scheduled to run.
Name of Approver list whose members can approve job.
Job description, entered by job creator.
You can filter the pending jobs by any specified criteria using the Filter By drop-down list. Select your criteria and click Filter.
Step 2
Either:
Select the job and click Approve to approve the job. The job is approved.
Or
Select Next. The Job Details dialog box appears (for example, if the ID of the job awaiting approval is 1025, the title of the dialog box appears as Job Details For Job 1025). You can view or change the job details before approving or rejecting the job. Fields in the Job Details box are:
Field: Description
Job ID: ID of the job (display only). To see the detailed description of the job, click the View Job Details hyperlink.
Schedule Options
Run Type:
Immediate: Runs the report immediately.
6 - hourly: Runs the report every 6 hours, starting from the specified time.
12 - hourly: Runs the report every 12 hours, starting from the specified time.
Once: Runs the report once at the specified date and time.
Daily: Runs daily at the specified time.
Weekly: Runs weekly on the day of the week and at the specified time.
Monthly: Runs monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. To change, select the required run type from the drop-down list.
Field: Description
Current Schedule: Scheduled date and time of the job. Click Change Schedule to change the schedule of the job. You must click the Change Schedule button for the changed schedule to take effect. If you do not click this button, the changed schedule will not be set.
Date
Approver Comments: Enter your comments. This field is mandatory only if you are rejecting a job.
Step 3
Click Approve. The job is approved. If you want to reject the job, enter comments in the Comments text box and then click Reject.
Using Simple Search
Using Advanced Search
Using the All Tab
Using the Search Results Tab
Using the Selection Tab
Note
If you have configured Cisco Prime login mode to work under ACS mode, the devices listed for you while performing the tasks are based on your role and associated privileges that are defined in Cisco Secure ACS.
The Device Selector pane contains the following fields and buttons:
Field/Button: Description
Search Input: Enter the search expression in this field. You can enter single device names or multiple device names. If you are entering multiple device names, separate them with a comma. You can also enter the wildcard characters * and ?. For example: 192.168.10.1*, 192.168.20.*
Search: Use this icon to perform a simple search of devices based on the search criteria you have specified in the Search Input text field. For information on Search, see Using Simple Search.
Advanced Search: Use this icon to perform an advanced search of devices based on the search criteria you have specified in the Search Input text field. For information on Advanced Search, see Using Advanced Search.
All: Lists all User-defined and System-defined groups for all applications that are installed on LMS Server. For more information, see Using the All Tab.
Search Results: Displays all the search results from Search or Advanced Search. For more information, see Using the Search Results Tab.
Selection: Lists all the devices that you have selected in the Search Results or All tab. Using this tab, you can deselect devices from the list. For more information, see Using the Selection Tab.
Figure 12-1 shows the new device selector.
Figure 12-1 Device Selector
Tool-tips are provided for long device names so that you do not have to scroll to see the complete device name.
You can enter multiple device names separated with a comma. You can also enter the wildcard character * or ? to select multiple devices. For example, you can enter device names in any of these ways to select multiple devices:
192.168.80.140, 192.168.135.101, rtr805
192.168.80.*, 192.168.*
192.168.22.?
You cannot enter multiple wildcard characters for selecting the devices. For example, 192.*.80.* is not allowed.
You must enter either the complete device name or the partial device name appended with the wildcard character *. That is, no devices are selected if you enter only 192.168 in the Device Name text box. You have to enter either 192.168* or 192.168.10.10.
The search is not case-sensitive.
The list of selected devices is unique. There are no duplicate entries of devices. For example, if you have these devices in the All Devices and Normal devices nodes: 192.168.10.10, 192.168.10.20, 192.168.10.21, 192.168.10.30, and 192.168.10.31, then:
a. Select the devices 192.168.10.20, 192.168.10.21, and 192.168.10.30 in the Normal devices node.
b. Enter the search criteria 192.168.10.2*
c. The final selected devices that are displayed are 192.168.10.20, 192.168.10.21, and 192.168.10.30 in the Normal devices node and 192.168.10.20 and 192.168.10.21 in the All Devices node. However, the selected devices count that is displayed in the Device Selector is only three and not five.
The All Devices node is expanded without selecting any devices if the search criteria are not satisfied. The objects selected text displays 0 (zero) device selected.
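The simple-search rules above can be written out as a small matcher, which makes it possible to check which devices an expression would put in scope before it is used to pick the targets of a job. This is an added example and not Cisco code: the function names and the inventory list are constructed, and ? is assumed to match exactly one character.

```python
import re


def term_to_regex(term):
    """Compile one search term, or return None if it uses more than one
    wildcard character (the guide gives 192.*.80.* as not allowed)."""
    if term.count("*") + term.count("?") > 1:
        return None
    parts = []
    for ch in term:
        if ch == "*":
            parts.append(".*")      # any run of characters, including none
        elif ch == "?":
            parts.append(".")       # assumption: exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def simple_search(expression, inventory, preselected=()):
    """Return (selected, rejected_terms) for a comma-separated expression.

    selected is the de-duplicated union of the preselected devices and every
    inventory name matched by a valid term. rejected_terms lists the terms
    that were skipped because they contain more than one wildcard.
    """
    selected, seen, rejected = [], set(), []

    def add(name):
        key = name.lower()          # the search is not case-sensitive
        if key not in seen:
            seen.add(key)
            selected.append(name)

    for name in preselected:
        add(name)
    for raw in expression.split(","):
        term = raw.strip()
        if not term:
            continue
        pattern = term_to_regex(term)
        if pattern is None:
            rejected.append(term)
            continue
        for name in inventory:
            # fullmatch: a partial name without a wildcard selects nothing
            if pattern.fullmatch(name):
                add(name)
    return selected, rejected


# Constructed inventory, using addresses from the guide's examples.
INVENTORY = [
    "192.168.10.10", "192.168.10.20", "192.168.10.21",
    "192.168.10.30", "192.168.10.31",
    "192.168.22.5", "192.168.22.15", "RTR805",
]

if __name__ == "__main__":
    for expr in ("192.168.10.2*", "192.168", "192.*.10.*", "192.168.22.?, rtr805"):
        print(expr, "->", simple_search(expr, INVENTORY))
```

The preselected argument reproduces the count example above: three devices already selected plus a search that matches two of them still yields three selected devices.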
This dialog box contains the following fields and buttons (see Table 12-6):
Table 12-6 Advanced Search Dialog Box
Field/Buttons: Description
OR: Include objects that fulfill the requirements of either rule.
AND: Include only objects that fulfill the requirements of both rules.
EXCLUDE: Do not include these objects.
This field appears only after a rule expression is added in the Rule Text box.
Object Type: Type of object (device) that is used to form a group. All rule expressions begin with the same Object Type, RME:INVENTORY:Device.
Variable: Device attributes, based on which you can define the group. See Advanced Search Rule Attribute.
Operator: Operator to be used in the rule. The list of possible operators changes based on the Variable selected.
Value: The value of the rule expression. The possible values depend upon the variable and operator selected. Depending on the operator selected, the value may be free-form text or a list of values. The wildcard characters are not supported.
Add Rule Expression: Used to add the rule expression to the group rules.
Rule Text: Displays the rule.
Check Syntax: Verifies that the rule syntax is correct. Use this button if you have entered the rules manually.
Search: Used to search for devices based on the defined rule.
If you have not selected any device nodes, then advanced search is applied only for the All Devices node.
You can either enter the rules directly in the Rule Text field, or select the components of the rule from the Rule Expression fields, and form a rule. Each rule expression contains the following:
object type.variable operator value
Object Type: The type of object (device) that is used to form a group. All rule expressions begin with the same Object Type, RME:INVENTORY:Device.
Variable: Device attributes, based on which you can define the group. See the Advanced Search Rule Attribute.
Operator: Operator to be used in the rule. The list of possible operators changes based on the Variable selected.
Value: Value of the rule expression. The possible values depend upon the variable and operator selected. Depending on the operator selected, the value may be free-form text or a list of values.
If you are entering the rule expressions manually, the rule expression must follow this syntax:
object type.variable operator value
If you are entering more than one rule expression, you must enter the logical operators OR, AND or EXCLUDE after every rule expression.
You must use the Check Syntax button only when you add a rule manually or when you modify a rule expression in the Rule Text.
The advanced search operation is not case-sensitive.
To delete the rules in the Rule Text box, select the complete rule including the logical operator and press the Delete key on your keyboard.
If you want to perform a new search, click Clear All before selecting any new devices.
Table 12-7 lists the available device advanced search rule attributes that you can use for defining advanced search.
Table 12-7 Advanced Search Rule Attribute
CLE identifier of the asset. Orderable part number of the asset. User-defined identifier of the asset.
Chassis: Name of the model. Number of slots in that chassis. Total port count of the chassis. Serial number of the chassis. Vendor type of the chassis. Version number of the chassis.
Flash: Name of the flash file. Flash file size in MB. Model name of the flash device. Free space in MB. Flash partition name. Flash partition size in MB. Total flash device size in MB.
Image: ROM system software version. Version of ROM. Image system description. Running image version.
IP Address: Device IP address. Version of IP, IPv4 or IPv6. Network Mask address.
Memory: Free memory in MB. Name of the memory. Total RAM size in MB. Memory type. Used memory in MB.
Module: Module hardware version. Name of the model. Total ports on that module. Serial number of the module. Vendor type for the module.
Name of the model. Size of the processor NVRAM in MB. Size of the processor NVRAM that has been utilized, in MB. Total port count of the processor. Size of the processor RAM in MB. Serial number of the processor. Vendor type of the processor.
State: Device state such as Normal, Alias, etc.
System: Device contact person name. Description of the system. Device domain name. Device location information. System Object ID of the device (sysObjectID).
The following example describes the procedure for selecting devices whose IP address starts with 192.168 or Network Mask is 255.255.255.0. Also, these devices are assumed to be in Normal state. The devices in your network are:
192.168.101.200 with network mask 255.255.255.128
192.168.101.201 with network mask 255.255.255.0
192.168.102.251 with network mask 255.255.255.0
192.168.102.202 with network mask 255.255.255.19
192.168.200.210 with network mask 255.255.255.128
Step 1
Click the Advanced Search icon in the Device Selector pane. The Define Advanced Search Rule dialog box appears.
Step 2
Select,
a. b. c.
Step 3
Click Add Rule Expression. The rule is added into the Rule Text.
Step 4
Select,
a. And as Logical Operator
b. IP.Address as Variable
c. Contains as Operator
d. Enter 192.168.101 for Value.
Step 5
Click Add Rule Expression. The rule is added into the Rule Text.
Step 6
Select,
a. OR as Logical Operator
b. IP.Network_Mask as Variable
c. Equals as Operator
d. Enter 255.255.255.0 for Value.
Step 7
Click Add Rule Expression. The rule is added into the Rule Text.
Step 8
Click Search. The Device Selection dialog box appears. The devices that satisfied the search condition are selected. That is, these two devices are selected.
192.168.101.200 with network mask 255.255.255.128
192.168.101.201 with network mask 255.255.255.0
192.168.102.251 with network mask 255.255.255.0
The following is the list of device folders under the All tab:
The All Devices folder lists all devices. That is, this includes devices in Normal, Alias, Pending, and Pre-deployed states. This folder does not include devices in Suspended and Conflicting states.
The Normal Devices folder lists devices that LMS has successfully contacted, or that have contacted LMS, at least once (polling, successful job completion, Syslog receipt, etc.).
The Pre-deployed folder lists devices that have never been reachable by LMS (by a protocol such as SNMP).
The Previous selection folder lists LMS devices that were selected in the previous LMS task in the same session.
The Saved device list folder lists devices that are saved explicitly by you while generating the Inventory Reports, View Credential Verification Report and Error Report.
Only one Saved device list is created within the device selector. If concurrent users have created Saved device list, only the last created Saved device list appears in the Device Selector. The previous Saved device list is overwritten with the latest.
Note
You can use the Previous selection and Saved device groups only when you are working on an application. You cannot use these device groups when you are working on another Cisco Prime application. That is, if you are working on the Campus Manager application, these groups must not be used.
The User Defined Groups folder lists devices that satisfy the group rules. The group rules are defined by you at the time of creating the User-defined groups. See Managing RME Device, Port and Module Groups Using Group Administration for further details on User-defined groups.
Based on the applications that are installed on your LMS Server, you will also view device folders related to other Cisco Prime applications:
CiscoWorks_ApplicationName@CiscoWorks_ServerHostName
For example, for Cisco Prime Common Services, you will see CS@CiscoWorks_ServerHostName. In a stand-alone system, the server name is not appended. For example, for Common Services, you will see CS.
Other application folders are displayed in LMS based on the settings. For more details, see Common Services Online Help. In Device Selector, the other Cisco Prime application device folders will list only devices. For example, if you have devices A, B, C and D in Cisco Prime Common Services and you have devices A, B, and C in LMS, then in the Device Selector under the Common Services device folder, you will view only the device list A, B, and C.
and is available in Device and Credentials). However, that device is not supported by applications. (Inventory, Software Management, and Configuration Management). There are two types of device selectors in LMS:
In the single device selector, you can select a device only at the leaf-level (device-level). The radio buttons at the node-level (folder-level) are grayed out.
In the multiple device selector, you can select devices at both the node-level and leaf-level. The following are the usage notes for the multiple device selector:
If you select devices at the node-level, all devices listed under this node are selected. For example, if you select the All Devices node, all devices under this node are selected. If you expand a device node, you cannot select devices at the node-level. You need to select devices individually at the leaf-level. For example, if you expand the All Devices node, you cannot select devices at the All Devices node-level (the check-box is grayed out). You need to select devices individually under the All Devices node.
If you select devices at a node-level and expand that particular node, you can deselect the devices only at the leaf-level and not at the node-level. For example, if you select the Normal Devices node and expand the same, you can deselect the devices only at the leaf-level. You cannot deselect all the devices at the Normal Devices node-level (the check-box is grayed out), when it is expanded. However, you can use Clear All to deselect all the devices.
You can select multiple device nodes to perform the tasks. For example, you can select the Previous selection and the Saved device list nodes together to perform the tasks.
Selection Using All Tab
Selection Using Search
Selection Combining All and Search
You can select devices using the tree view in the All tab. This tab displays all devices that are available in LMS.
Selection Using Search
You can search devices using Search or Advanced Search. The list of devices matching the search criteria is shown under the Search Results tab. You can select the required devices from the Search Results tab. The Selection tab reflects whatever you selected from Search Results. If you click the All tab now, the devices selected from Search Results will be shown in the All Devices group.
After you select devices using the All tab, you can add a few more devices using Search. You can enter the search criteria and search using Search or Advanced Search and the Search Results tab displays the devices matching the criteria. You can select the required devices from the Search Results tab. The Selection tab displays the accumulated list from both All and Search Results tabs. If you click the All tab, it displays the selected devices from Search Results under the All Devices group also. You can enter another search criteria and select more devices. The selected devices are accumulated in the All tab from the Selection tab, as you select more devices.
Note
The (n) Devices Selected message at the bottom left of the Device Selector screen shows the number of devices you have selected. It launches the Selection tab when you click on it.
Step 1
Select Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings. The Edit Devices dialog box appears.
Step 2
Select the devices for which you want to edit the device attributes. See Using Device Selector for further information.
Step 3
Click Edit Device Attributes. The Device Attributes dialog box appears.
Step 4
Click Inline Edit. The Device Attributes Information dialog box appears.
Step 5
Select a device from the Devices pane.
Step 6
Edit the device attributes in the Device Information pane. You can check the Apply to all Devices checkbox to apply the device attributes of one device to all other devices that are listed in the Devices pane.
Step 7
Click Modify in the Device Attributes Information dialog box.
Step 8
Click Apply in the Device Attributes dialog box.
Step 1
Select Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings. The Devices dialog box appears.
Step 2
Select the devices for which you want to edit the device attributes. See Using Device Selector for further information.
Step 3
Click Edit Device Attributes. The Device Attributes dialog box appears.
Step 4
Click Export. The Export Device Attributes to File dialog box appears.
a.
b. Click OK in the Export Device Attributes to File dialog box. The notification window displays Data exported successfully.
c. Click OK in the notification window.
Step 5
Edit the exported file. You can edit only the device attributes Serial Number, SNMP Retry, SNMP Timeout, Telnet Timeout, and Natted IP Address. You cannot edit the Device Display Name (device_identity) or add new device entries. See Device Attributes Export File Format for more information.
Step 6
Click Import in the Device Attributes dialog box. The Import Device Attributes to File dialog box appears. We recommend that you import the same file that you have exported after editing. If any new device entries are added, these device entries are ignored. Only device entries that match the existing device entries are imported.
a.
b. Click OK in the Import Device Attributes to File dialog box. The notification window displays Data imported successfully.
c. Click OK in the notification window.
The Device Attributes window refreshes to display the updated device attributes.
While importing the edited device attributes file an error message may appear,
Attribute values for some selected devices are invalid. See Attribute Error Report for details.
See Editing Device Attributes section to know the minimum and maximum values for the device attributes. Also see Attribute Error Report for more information.
Step 7
Device Display Name: Display name of the device.
Serial Number: Cisco manufacturing serial number from chassis. You can enter up to 255 alphanumeric characters. The default value is Default Not Defined. This attribute is available when you either export or edit the device attributes from the Devices window.
SNMP Retry: Number of times that the system should try to access devices with SNMP options. The default value is 2. The minimum value is zero.
SNMP Timeout: Duration of time that the system should wait for a device to respond before it tries to access it again. The default value is 2 seconds. The minimum value is zero seconds. There is no maximum value limit. Changing the SNMP timeout value affects inventory collection.
Telnet Timeout: Duration of time that the system should wait for a device to respond before it tries to access it again. The default value is 36 seconds. The minimum value is zero seconds. There is no maximum value limit.
Note
The Telnet timeout and SSH timeout are the same. Modifying the Telnet Timeout also changes the SSH Timeout.
Natted IP Address: The server ID. This is the translated address of the server as seen from the network where the device resides. This is used when LMS tries to contact devices outside the NAT boundary; you need to enable support for NAT. The default value is Default Not Defined.
TFTP Timeout: Duration of time that the system should wait for a device to respond before it tries to access it again. The default value is 5 seconds and the minimum value is 0 seconds. There is no maximum value limit. This attribute is available only when you edit the device attributes from the Device Attributes window.
Do any one of the following to edit the device attributes:
Set the device attributes value for a single device using Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes > Inline Edit. See To edit the device attributes for a single device.
Set the device attributes value for the bulk of devices using Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes > Export. See To edit the device attributes for the bulk of devices.
Note
View Permission Report to check if you have the required privileges to perform this task.
Note
The Attribute Error Report link is available only if importing of device attributes causes error.
;
;Start of section 0 - DM Export
;
;HEADER: device_identity,serial_number,SNMPRetryCount,SNMPTimeout,TelnetTimeout,RMEId
;
192.168.8.4,Default Not Defined,2,2,36,Default Not Defined
Where,
device_identity: Display
serial_number: Cisco manufacturing serial number from chassis. You can enter 0 to 255 alphanumeric characters. The default value is Default Not Defined.
SNMPRetryCount: Number of times the system should try to access devices with SNMP options. The default value is 2. The minimum value is zero.
SNMPTimeout: Duration of time the system should wait for a device to respond before it tries to access it again. The default value is 2 seconds. The minimum value is zero seconds. There is no maximum value limit. Changing the SNMP timeout value affects inventory collection.
TelnetTimeout: Duration of time the system should wait for a device to respond before it tries to access it again. The default value is 36 seconds. The minimum value is zero seconds. There is no maximum value limit.
Natted IP Address: Server ID. This is the translated address of server as seen from the network where the device resides. This is used when LMS tries to contact devices outside the NAT boundary. The default value is Default Not Defined.
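A pre-import review of an edited export file can catch the cases the guide describes: entries the import ignores because their device_identity is not in the original export, and attribute values outside the stated limits. The following is an added example and not part of LMS: the column order is copied from the sample ;HEADER: line above, and the function names, the second device row and the edited file are constructed.

```python
import csv
import re

# Column order copied from the ;HEADER: line of the sample export on this page.
EXPECTED_HEADER = ["device_identity", "serial_number", "SNMPRetryCount",
                   "SNMPTimeout", "TelnetTimeout", "RMEId"]
DEFAULT_TEXT = "Default Not Defined"
WHOLE_NUMBER_COLUMNS = ("SNMPRetryCount", "SNMPTimeout", "TelnetTimeout")
SERIAL_RE = re.compile(r"[A-Za-z0-9]{0,255}")
WHOLE_NUMBER_RE = re.compile(r"[0-9]+")


def parse_export(text):
    """Return {device_identity: row dict}; raise ValueError on a malformed file."""
    header, rows = None, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):                      # comment or header line
            body = line[1:].strip()
            if body.startswith("HEADER:"):
                header = [c.strip() for c in body[len("HEADER:"):].split(",")]
                if header != EXPECTED_HEADER:
                    raise ValueError(f"line {lineno}: unexpected header")
            continue
        if header is None:
            raise ValueError(f"line {lineno}: data row before the ;HEADER: line")
        fields = [f.strip() for f in next(csv.reader([line]))]
        if len(fields) != len(header):
            raise ValueError(f"line {lineno}: expected {len(header)} fields")
        row = dict(zip(header, fields))
        rows[row["device_identity"]] = row
    return rows


def review_edited_export(original_text, edited_text):
    """Compare an edited export with the original one.

    Returns (problems, changes): problems are strings describing entries the
    import would ignore or reject, changes are (device, column, old, new).
    """
    original = parse_export(original_text)
    try:
        edited = parse_export(edited_text)
    except ValueError as exc:
        return [str(exc)], []
    problems, changes = [], []
    for device, row in edited.items():
        if device not in original:
            # Covers both added rows and rows whose device_identity was edited.
            problems.append(f"{device}: not in the original export, import ignores it")
            continue
        serial = row["serial_number"]
        if serial != DEFAULT_TEXT and not SERIAL_RE.fullmatch(serial):
            problems.append(f"{device}: serial_number is not 0 to 255 alphanumeric characters")
        for column in WHOLE_NUMBER_COLUMNS:
            if not WHOLE_NUMBER_RE.fullmatch(row[column]):
                problems.append(f"{device}: {column} must be a whole number, minimum 0")
        for column in EXPECTED_HEADER[1:]:
            if row[column] != original[device][column]:
                changes.append((device, column, original[device][column], row[column]))
    return problems, changes


# First data row is the sample from this page; the second is constructed.
ORIGINAL_EXPORT = """;
;Start of section 0 - DM Export
;
;HEADER: device_identity,serial_number,SNMPRetryCount,SNMPTimeout,TelnetTimeout,RMEId
;
192.168.8.4,Default Not Defined,2,2,36,Default Not Defined
192.168.8.5,Default Not Defined,2,2,36,Default Not Defined
"""

# Constructed edit: one valid change set, one negative timeout, one new device.
EDITED_EXPORT = """;
;Start of section 0 - DM Export
;
;HEADER: device_identity,serial_number,SNMPRetryCount,SNMPTimeout,TelnetTimeout,RMEId
;
192.168.8.4,SN12345ABC,2,5,36,Default Not Defined
192.168.8.5,Default Not Defined,2,-1,36,Default Not Defined
192.168.8.99,Default Not Defined,2,2,36,Default Not Defined
"""

if __name__ == "__main__":
    found_problems, found_changes = review_edited_export(ORIGINAL_EXPORT, EDITED_EXPORT)
    for item in found_problems:
        print("PROBLEM", item)
    for item in found_changes:
        print("CHANGE ", item)
```

The changes list doubles as a record of exactly which timeouts and retry counts were altered, which is useful to attach to the change request before the import is run.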
CHAPTER 13
Performing Software Updates
Performing Device Update
Scheduling Device Package Downloads
Using the Software Center CLI Utility
Bundles Installed dialog box that lists the bundles installed.
Products Installed dialog box that lists the applications installed.
These dialog boxes display the bundle or product name, the version, and the date on which the software was installed. To sort the table by version or date of installation, click on the Version / Installed Date link. You can click the product name links to view the Applications and Packages Installed with the Product page that gives the details of the installed applications, patches, and packages of the product. See You can navigate further down for each product to get a detailed list of all individual OS level packages installed on the system, along with the versions. The Software Updates page provides two options:
Select Software Updates
Download Software Updates
Viewing the List of Installed Applications and Packages
Selecting Software Updates
Downloading Software Updates
Step 1
Select Admin > System > Software Center > Software Update. The Software Updates page appears.
Step 2
Go to the Products Installed dialog box and click the link provided on a product. A new window displays the details of:
Patches Installed: Provides details about the patches installed on the product, the patch version and the date on which the patches were installed.
Application Installed: Provides details of the applications installed, the application version, and the date on which the applications were installed.
Packages Installed: Provides details about the packages installed on the product, the package version with patch level, and the date on which the packages were installed.
Step 1
Select Admin > System > Software Center > Software Update. The Software Updates page appears.
Step 2
Go to the Products Installed dialog box and select the check box corresponding to the product for which you want to select update. You can select multiple products by selecting the corresponding check boxes.
Step 3
Click Select Updates. The Cisco.com and Proxy Server Credentials dialog box appears.
Step 4
Enter your Cisco.com username and password to connect to Cisco.com, for software updates. If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server Setup, you must enter the Proxy server username and password.
Step 5
Click Next. A list of available Software Updates for the selected product appears. Select the Software Update you need to download and click Next. You can filter the required images based on Type, Package Name, Product Name, and Available Version With Patch Level. To filter the images, choose the filter source from the drop-down list and specify the filter pattern in the text box. For example, if you select the Filter Source as Package Name and Pattern as cmfSw001, all packages with name starting as cmfSw001 will be listed. Regular expressions are not supported for the patterns. Patterns are case sensitive. For example, if the list of available packages are CatGL3, Cat4000, Cat3560, Pix, cigesm, and CAT2900XL, then a filter pattern Cat will list the CatGL3, Cat4000 and Cat3560 packages:
Step 6
Select a destination location or browse to the location and click Next. The destination location should not be the location where Cisco Prime is installed or any of the OS directories. Software Center does not support downloading device or software updates in the same directory where you have installed Cisco Prime LMS, or any of its sub-directories. By default, the destination location is:
Step 7
Click Finish to confirm download of the selected packages. If you do not want to add the selected packages, click Back to reselect packages or click Cancel to exit.
Step 1
Select Admin > System > Software Center > Software Update. The Software Updates page appears.
Step 2
Go to the Products Installed table and select the check box corresponding to the product for which you want to download the update. You can select multiple products by selecting the corresponding check boxes.
Step 3
Click Download Updates. The Cisco.com and Proxy Server Credentials dialog box appears.
Step 4
Enter your Cisco.com username and password. Both are mandatory. If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server Setup, you must enter Proxy server username and password.
Step 5
Select a destination location or browse to the location and click Next. The destination location should not be the location where Cisco Prime is installed or any of the OS directories. Software Center does not support downloading device or software updates in the same directory where you have installed Cisco Prime LMS, or any of its sub-directories. By default, the destination location is:
Step 6
Click Finish to confirm the download operation. To return to the Software Update page, click Cancel.
You can also check for the device updates and delete the device packages using the Device Update page. This section contains the following:
Viewing Package Map
Viewing Device Map
Checking for Updates
Deleting Packages
Step 1
Select Admin > System > Software Center > Device Update. The Device Updates page appears.
Step 2
Select the check box corresponding to the product for which you want to check for updates and click Check for Updates. The Source Location page appears. You can check for updates at Cisco.com or a server.
To check for updates at Cisco.com, select the Cisco.com radio button.
To check for updates from a server, select the Enter Server Path radio button and enter the path or browse to the location using the Browse tab.
Step 3
Click Next. The Cisco.com and Proxy Server Credentials dialog box appears, if you have selected to check for updates at Cisco.com.
Step 4
Enter your Cisco.com username and password. If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server Setup, you must enter Proxy server username and password.
Step 5
Click Next. The Available Packages and Installed Packages page appears. It displays:
Package Name: Name of the package.
Type: Type of the update. For example, whether the update is a device package or IDU package.
Product Name: Product for which the update is available.
Installed Version: Current version of that product installed in the server.
Available version: Version of the product that is available (Other than the installed version).
Readme Details: Links to the Readme files associated with the update.
Posted date: Date on which the update was posted on Cisco.com.
Size: Size of the update.
Step 6
Select the check box corresponding to the package that you wish to update and click Next. The Device Update page appears. You can either install the device packages or download them.
To install device packages, select the Install Device Packages radio button.
To download device packages, select the Download Device Packages radio button.
a. Enter the folder in File Selection field or click Browse to select the destination directory. By default, the destination location is:
/opt/psu_download (On Solaris/Soft Appliance)
System Drive:\psu_download (On Windows)
b. Set the frequency of downloads by selecting the run type from the Run Type drop-down list. The options are:
Immediate
Once
If you choose any of the options other than Immediate, set the date and time.
Select the date from the date picker. The date picker displays the date from the client system.
Specify the time from the drop-down lists.
c. Enter a description for the download job in the Job Description field. This is mandatory.
d. Enter an e-mail ID in the E-mail field. You can enter multiple e-mail addresses separated by comma.
e. Click Next. The Summary window displays the details.
f. Click Finish to confirm.
Click Next. The Summary window displays the details. Click Finish to confirm. A message that the daemons are restarted appears.
Step 7
Click OK to continue.
Deleting Packages
You can also delete packages that are outdated or you no longer use. To delete a package:
Step 1
Select Admin > System > Software Center > Device Update. The Device Update page appears.
Step 2
Select the check box corresponding to the product and click Delete Packages. The wizard displays a window that has the Package name, the Product name, and the Installed version details.
Step 3
Select the check box corresponding to the Package you want to delete.
You can filter the available device packages based on Package Name, Product Name, Installed Version. To filter the packages, choose the filter source from the drop-down list and specify the filter pattern in the text box. For example, if you select the Filter Source as Package Name and Pattern as cmfSw001, all packages with name starting as cmfSw001 will be listed. Regular expressions are not supported for the patterns. Patterns are case sensitive. For example, if the list of available packages are CatGL3, Cat4000, Cat3560, Pix, cigesm, and CAT2900XL, then a filter pattern Cat will list the CatGL3, Cat4000 and Cat3560 packages:
Step 4
Click Next. The Summary window appears with the details of the Product and the Packages selected.
Step 5
Click Finish to confirm deletion.
To make changes in the previous windows, click Back.
To cancel the operation, click Cancel.
After you have confirmed the Delete Packages operation, a message that the daemons are restarted appears.
Step 6
Click OK to continue.
Download all latest device packages of products installed in the machine.
Download newer versions of currently installed packages.
Download the specified packages (comma separated).
You have to provide your Cisco.com credentials and the location to which the packages should be downloaded. To schedule device package downloads:
Step 1
Select Admin > System > Software Center > Schedule Device Downloads. The Schedule Device Downloads dialog box appears.
Step 2
Enter your Cisco.com username and password. Enter the Proxy server username and password only if you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server Setup.
Step 3
Enter the destination location, or browse to the location using the Browse tab. By default, the destination location is:
Step 4
Download the latest versions of all packages
Download only the latest versions of currently installed packages
Download specified packages
Note
You must enter the device package name without any extension. The package name is case-sensitive.
Step 5
Select the run type from the Run Type drop-down list, to set the frequency of downloads.
Step 6
Select the date from the drop-down calendar, and specify the time using the drop-down lists. The calendar displays the date from the client system.
Step 7
Enter a description for the download job in the Job Description field. This is mandatory.
Step 8
Enter an e-mail ID in the E-mail field. You can enter multiple e-mail addresses separated by comma.
Step 9
Click Apply to apply the changes, or click Cancel to exit without saving changes.
Note
You can view the scheduled job status and details from the Job Browser window (Admin > Jobs > Browser).
Scheduled Job
The Scheduled Job Details page displays the activities that are performed using Software Center. The Scheduled Job table records and displays the downloads to the server. You can view the log from the server or any client workstation. To view Scheduled Job Details: Select Admin > System > Software Center > Scheduled Job Details. The Scheduled Job Details page appears with the following information:
Job: Job ID of the job that is scheduled by Cisco Prime user.
Date: Time and the date on which the job was run.
Applicable Products: Products to which the download is applicable.
You can delete the information on a job from the list. To delete job information, select a job from the list, and click Delete. The job information is deleted only from this page. However, it remains in the Job Browser page.
Event Log
The Event log page displays the activities that are performed using Software Center. The Event Log table shows the list of immediate downloads, installations and un-installations of device packages carried out. You can view the log from the server or any client workstation. To view the Event Log: Select Admin > System > Software Center > Event Log. The Event Log page appears with the following information:
Product Name: Name of the product.
Description: Summary of the activity.
Date: Date and time when the operations were carried out.
Event Type: Shows one of the following:
Device Package Downloads
Software Download
Install Device Packages / Uninstall Device Packages
Status: Status of the event (Completed Successfully, Failed or Executed). Click on the Status link to get more details on the operation.
You can delete either all the event logs or specific event logs from the list. Select the log entries and click Delete to delete the selected entries.
PSUCli.bat (on Windows)
PSUCli.sh (on Solaris/Soft Appliance)

Download Software Updates.
Download Device Package Updates.
Install Device Packages.
Uninstall Device Packages.
Query Updates on the LMS Server.
List Dependent Device Packages.
List Device Packages Version.
Working With Software Center Using the Software Center CLI Utility
To install new device packages from Cisco.com, you have to first download the packages from Cisco.com, save them to a directory in your computer, and then install them, specifying the directory. To get help on command usage, enter:
This lists the commands, options, and valid product names. This section explains the following:
Querying Updates on the LMS Server
Installing Device Packages
Uninstalling Device Packages
Downloading Software Updates
Downloading Device Updates
Listing Dependent Device Packages
Listing Device Packages Version
-p product: Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with the -h option lists the valid product names.
-query (-q): Lists the packages (default source location is installed repository of the product).
-all: Selects all packages available at the source location.
-src
Note
You must enter the device package name without any extension. The package name is case-sensitive.
Example
NMSROOT\bin\PSUCli.bat -p rme -q -all
This lists all the installed packages for LMS in the installed repository for LMS. To list all packages in the specified directory for LMS, enter:
NMSROOT\bin\PSUCli.bat -p rme -src dir -q
-p product: Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with the -h option lists the valid product names.
packages (from user specified directory).
all packages available at the source location.
Note
You must enter the device package name without any extension. The package name is case-sensitive.
-noprompt: Flag to turn off the prompt that appears to restart the daemon services during device packages installation
Example
NMSROOT\bin\PSUCli.bat -p rme -i -src dir Cat6000 Cat4000
This installs the specified packages (Cat6000, Cat4000) for LMS, from the specified directory.
-p product: Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with -h option lists the valid product names.
Uninstalls packages (from user specified directory).
all packages available at the source location.
Note
You must enter the device package name without any extension. The package name is case-sensitive.
-noprompt: Flag to turn off the prompt that appears to restart the daemon services during device packages installation
Example
NMSROOT\bin\PSUCli.bat -p rme -u -all
This uninstalls all packages of LMS, from the installed repository.
-dst download directory: Specify the directory to which you want to download the Software Update.
Do not specify the same directory where you have installed Cisco Prime LMS, or any of the sub directories in it.
-all: Selects
PackageNames: Names of the software update package available on Cisco.com, for example, cwcs3_0_4_win, cwcs3_0_6_sol_k9.
Note
You must enter the software update package name without any extension. The package name is case-sensitive.
You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy settings, you will be prompted for Proxy Server User credentials. The destination location should not be the location where Cisco Prime is installed or any one of the OS directories. Software Center does not support downloading device or software updates in the same directory where you have installed Cisco Prime LMS, or any of its sub-directories.
-p product: Specify the Product for which you want to download the Device Update. Invoking CLI with -h option lists the valid product names.
download directory: Specify the directory to which you want to download the Device Update.
Do not specify the same directory where you have installed Cisco Prime LMS, or any of the sub directories in it.
-all: Selects
Note
You must enter the device package name without any extension. The package name is case-sensitive.
You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy settings, you will be prompted for Proxy Server User credentials. The destination location should not be the location where Cisco Prime is installed or any of the OS directories. Software Center does not support downloading device or software updates in the same directory where you have installed Cisco Prime LMS, or any of its sub-directories.
-p product: Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with -h option lists the valid product names.
-pkgDependents (-pdep): List the base or dependent packages for the specified packages present
Note
You must enter the device package name without any extension. The package name is case-sensitive.
Example
NMSROOT\bin\PSUCli.bat -p rme -pdep Cat5000
This lists all dependent packages of LMS Cat5000 device package installed.
-p product: Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with -h option lists the valid product names.
the versions of all or specified packages present in the source location.
all packages available at the source location.
Note
You must enter the device package name without any extension. The package name is case-sensitive.
Example
NMSROOT\bin\PSUCli.bat -p rme -pver Cat5000
This lists the version of the LMS Cat5000 device package installed.
CHAPTER 14
Understanding Discrepancies and Best Practices Deviations
Interpreting Discrepancies
Interpreting Best Practices Deviations
Customizing Discrepancies Reporting and Syslog Generation

View Reports on Discrepancies. Select Reports > Fault and Event > Best Practices > Discrepancies.
View Reports on Best Practices Deviations. Select Reports > Fault and Event > Best Practices > Deviation.
Acknowledge Discrepancies.
Acknowledge Best Practices Deviations.
Resolve Discrepancies and Best Practices Deviations.
Customize Discrepancies Reporting. For details, see Customizing Discrepancies Reporting and Syslog Generation.
Link Duplex Mismatch
Link Speed Mismatch
Link Trunk/NonTrunk Mismatch
Port Fast Enabled on Trunk Port
BPDU Filter Disabled on Access Ports
BPDU-Guard Disabled on Access Ports
Loop Guard and Port Fast Enabled on Ports
UDLD Disabled on Link Ports
CDP Enabled on Access Ports
High Availability not Operational
Interpreting Discrepancies
This section contains information on each discrepancy reported in LMS. It describes the discrepancy, the impact it has on the network, and ways to resolve it. The user interface in LMS displays commands you can use to make configuration changes on devices to resolve discrepancies. This section contains:
Trunking Related Discrepancies
VLAN-VTP Related Discrepancies
Link Related Discrepancies
Port Related Discrepancy
Device Related Discrepancy
Spanning Tree Related Discrepancy

Trunk Negotiation Across VTP Boundary
Native VLANs Mismatch
Trunk VLANs Mismatch
Trunk VLAN Protocol Mismatch
Impact
Trunk negotiation across VTP boundary (that is, trunk link connecting two devices that are part of different VTP domains) fails.
Fix
You cannot fix this discrepancy using LMS. To fix the discrepancy on switches using Cisco IOS:
Step 1
Make sure that the Trunk mode is ON, on both sides of the link.
Step 2
Enter the following command:
switchport trunk encapsulation dot1q | isl
switchport mode trunk
end
Step 3
Or
show interface
Make sure that the Trunk mode is ON, on both sides of the link. Enter the following command:
set trunk mod/port
Step 3
Note
This discrepancy is applicable only for trunks that use 802.1q encapsulation.
Impact
The native VLAN must match on both sides of the trunk link, otherwise the traffic flow across the link is affected. The trunk continues to remain operational.
Fix
If you have altered the default native VLAN configuration, ensure that all trunks have the same native VLAN. Use the set vlan command for Cisco Catalyst operating system switches or the switchport trunk native vlan command for Cisco IOS switches to specify the native VLAN. You cannot fix this discrepancy through LMS. For more information on configuring VLANs, see the document Creating and Maintaining VLANs at the following location: http://www.cisco.com/en/US/partner/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007f261.html
The trunk remains operational but the network traffic across the link is affected.
Fix
You can resolve this by modifying the list of allowed VLANs between the two ends of a trunk and ensuring that there is no mismatch. You cannot fix this discrepancy through LMS.
The trunk remains operational when the trunk mode is set to On or No-negotiate with mismatching encapsulation types. However, the network traffic across the link is affected because of the mismatch.
Fix
Configure the same encapsulation type on both ends of the trunk. You cannot fix this discrepancy through LMS.
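The three trunk mismatches described above can be checked offline by comparing the interface stanzas at both ends of a link. The following Python script is an added example, not LMS code: the sample configurations and link list are constructed, the defaults (native VLAN 1, all VLANs allowed) are the Cisco IOS defaults, and treating only explicitly configured encapsulations as comparable is an assumption of this example.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))  # VLAN IDs 1-4094

# Constructed sample stanzas for both ends of two links (not from a real device).
SWITCH_A = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30-32
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation isl
 switchport mode trunk
!
"""
SWITCH_B = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport trunk allowed vlan add 30
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""
LINKS = [("GigabitEthernet1/0/1", "GigabitEthernet0/1"),
         ("GigabitEthernet1/0/2", "GigabitEthernet0/2")]


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20,30-32' into a set of VLAN IDs."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_interfaces(config):
    """Return {interface: trunk settings}, starting from the IOS defaults."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = {"mode": None, "encap": None, "native": 1, "allowed": set(ALL_VLANS)}
            ports[line.split(None, 1)[1]] = cur
        elif not raw.startswith(" "):
            cur = None  # any other top-level line ends the interface stanza
        elif cur is not None:
            if m := re.fullmatch(r"switchport mode (.+)", line):
                cur["mode"] = m.group(1)
            elif m := re.fullmatch(r"switchport trunk encapsulation (\S+)", line):
                cur["encap"] = m.group(1)
            elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
                cur["native"] = int(m.group(1))
            elif m := re.fullmatch(
                    r"switchport trunk allowed vlan (?:(add|remove|except) )?(\S+)", line):
                op, spec = m.groups()
                if op is None:
                    cur["allowed"] = (set(ALL_VLANS) if spec == "all" else
                                      set() if spec == "none" else expand_vlans(spec))
                elif op == "add":
                    cur["allowed"] |= expand_vlans(spec)
                elif op == "remove":
                    cur["allowed"] -= expand_vlans(spec)
                else:  # except
                    cur["allowed"] = set(ALL_VLANS) - expand_vlans(spec)
    return ports


def compare_trunk(a, b):
    """Return [(discrepancy name, detail)] for the two ends of one link."""
    if (a["mode"] == "trunk") != (b["mode"] == "trunk"):
        return [("Link Trunk/NonTrunk Mismatch", f"modes {a['mode']} / {b['mode']}")]
    if a["mode"] != "trunk":
        return []
    found = []
    encaps = {a["encap"], b["encap"]}
    if len(encaps) == 2 and not encaps & {None, "negotiate"}:
        found.append(("Trunk VLAN Protocol Mismatch", f"{a['encap']} / {b['encap']}"))
    # The native VLAN discrepancy applies only to 802.1q trunks.
    if "isl" not in encaps and a["native"] != b["native"]:
        found.append(("Native VLANs Mismatch", f"{a['native']} / {b['native']}"))
    if a["allowed"] != b["allowed"]:
        only_a = sorted(a["allowed"] - b["allowed"])
        only_b = sorted(b["allowed"] - a["allowed"])
        found.append(("Trunk VLANs Mismatch", f"only on A: {only_a}, only on B: {only_b}"))
    return found


def audit_links(config_a, config_b, links):
    """Compare each (interface on A, interface on B) pair in links."""
    ports_a, ports_b = parse_interfaces(config_a), parse_interfaces(config_b)
    return {(ia, ib): compare_trunk(ports_a[ia], ports_b[ib]) for ia, ib in links}


if __name__ == "__main__":
    for link, findings in audit_links(SWITCH_A, SWITCH_B, LINKS).items():
        for name, detail in findings:
            print(f"{link[0]} <-> {link[1]}: {name} ({detail})")
```
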
VTP Disconnected Domain
No VTP Server in Domain with at least One VTP Client
The VLAN information is not dynamically shared across the VTP domain.
Fix
Ensure that you configure VTP Configuration Revision number consistently across devices of the same VTP domain. You cannot fix this discrepancy through LMS.
LMS reports a discrepancy when an existing VTP server or primary server goes down and there is no alternative or backup server. This can occur in a VTPv2 or VTPv3 domain that has only client mode devices. This could happen when the existing primary server or server mode device has gone down temporarily and if the server mode device does not come up. If you do not configure at least one server, the devices become unreachable. LMS discovers only the client-mode devices in the domain and ignores the rest.
Fix
Configure at least one device as server in a VTP domain. If the device you have configured as server is temporarily down, configure another device as server. You cannot fix this discrepancy through LMS. For more information on VTP domain, see the document Configuring VTP at the following location: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/vtp.html
A half-duplex device waits until no other devices are transmitting on the same LAN segment. However, a full-duplex device transmits whenever it has something to send, regardless of other devices. If this transmission occurs while the half-duplex device is transmitting, the half-duplex device will consider this either a collision (during the slot time), or a late collision (after the slot time). Since the full-duplex side does not expect collisions, it does not realize that it must retransmit that dropped packet. A low percentage rate of collisions is normal with half-duplex, but not with full-duplex. If the switch port receives many late collisions, it usually indicates a duplex mismatch problem. See Figure 14-1.
Figure 14-1 Duplex Mismatch
Fix
LMS provides commands to resolve link duplex mismatch. LMS displays commands to set the port speed to Auto. Setting the port speed to Auto causes the link duplex to be negotiated automatically between devices. To fix the discrepancy on switches using Cisco IOS:
Step 1
Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command:
duplex auto
end
Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.
Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command:
set port speed mod/port auto
where:
mod/port refers to the number of the module and the port on the module
auto specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet ports
Step 2
Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.
A manually-set speed or duplex parameter is different from the manually set speed or duplex parameter on the connected port.
A port is in Autonegotiate mode and the connected port is set to full duplex with no autonegotiation.
Impact
LMS displays commands to resolve link speed mismatch. To fix the discrepancy on switches using Cisco IOS:
Step 1
Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command:
speed auto
end
Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.
Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command:
set port speed mod/port auto
where:
mod/port refers to the number of the module and the port on the module
auto specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet ports
Step 2
Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.
This results in the trunk not coming up, and there would be no traffic flow across the link.
Fix
LMS resolves the discrepancy by setting the trunk modes on the switches to Desirable mode. To fix the discrepancy on switches using the Catalyst operating system:
Step 1
Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command:
set trunk mod/port desirable
where:
desirable causes the port to negotiate actively with the neighboring port to become a trunk link
mod/port specifies the number of the module and the port or ports on the module
Step 2
Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.
Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command:
switchport mode dynamic desirable
end
where dynamic desirable specifies an interface that actively attempts to convert the link to a trunk link.
Step 2
Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.
Impact
When a port is error-disabled, it is effectively shut down and no traffic is sent or received on that port. The port LED is set to the color orange and when you enter the show port command, the port status shows errdisable.
Fix
Identify and fix whatever caused the ports to become error-disabled (cable, NICs, EtherChannel, and so on). Re-enable the port.
You cannot fix this discrepancy through LMS. For more information on the errDisable state, see the document Recovering From errDisable Port State on the CatOS Platforms at the following location: http://www.cisco.com/en/US/partner/tech/tk389/tk214/technologies_tech_note09186a0080093dcb.shtml
Assign unique SysName for all devices in the network. You cannot fix this discrepancy through LMS.
If you enable PortFast on ports that connect two switches, spanning tree loops can occur if Bridge Protocol Data Units (BPDUs) are being transmitted and received on those ports.
Fix
LMS provides commands for disabling PortFast on ports. To fix the discrepancy on switches using the Catalyst operating system:
Step 1
Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command:
set spantree portfast mod/port disable
where disable disables the spanning tree PortFast-start feature on the port.
Step 2
Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.
Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command:
no spanning-tree portfast
end
Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.
Channel Ports Related Best Practices Deviations
Spanning Tree Related Best Practices Deviations
Trunk Ports Related Best Practices Deviations
VLAN Related Best Practices Deviations
Link Ports Related Best Practice Deviation
Access Ports Related Best Practice Deviation
Cisco Catalyst 6000 Devices Related Best Practice Deviation
Port Aggregation Protocol (PAgP) packets are exchanged only between ports in Auto and Desirable modes. Ports configured in On or Off mode do not exchange PAgP packets. To form an EtherChannel between switches, it is best to have both switches set to the Desirable mode. This gives the most robust behavior if one side or the other encounters error situations or is reset. The default mode of the channel is Auto. Both Auto and Desirable modes allow ports to negotiate with connected ports to determine whether they can form a channel. The determination is based on criteria such as port speed, trunking state, and native VLAN. Ports can form an EtherChannel when they are in different channel modes if the modes are compatible. Examples of ports that can form an EtherChannel are:
A port in Desirable mode can successfully form an EtherChannel with another port that is in Desirable or Auto mode.
A port in the Auto mode can form an EtherChannel with another port in the Desirable mode.
A port in the Auto mode cannot form an EtherChannel with another port that is also in the Auto mode, since neither port initiates negotiation.
A port in the On mode can form a channel only with a port in the On mode because ports in On mode do not exchange PAgP packets.
A port in Off mode cannot form a channel with any port.
Impact
When a non-channel port is in the Desirable mode, the links will not be efficiently used.
Fix
To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1
Go to the Best Practice Deviation report and click the hyperlink in the Summary field. The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the following command:
set port channel mod/port mode auto
Step 2
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Go to the Best Practice Deviation report and click the hyperlink in the Summary field. The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the following command:
channel-group Channel group number mode auto
Step 2
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Port Aggregation Protocol (PAgP) packets are exchanged only between ports in Auto and Desirable mode. Ports configured in On or Off mode do not exchange PAgP packets. For switches to which you want to form an EtherChannel, it is best to have both switches set to Desirable mode. This gives the most robust behavior if one of the sides encounters error situations or is reset. The default mode of the channel is Auto. Both Auto and Desirable modes allow ports to negotiate with connected ports to determine if they can form a channel. The determination is based on criteria such as port speed, trunking state, and native VLAN. Ports can form an EtherChannel when they are in different channel modes if the modes are compatible. Examples of ports that can form an EtherChannel are:
A port in Desirable mode can successfully form an EtherChannel with another port that is in Desirable or Auto mode. A port in Auto mode can form an EtherChannel with another port in Desirable mode.
A port in Auto mode cannot form an EtherChannel with another port that is also in Auto mode, since neither port initiates negotiation. A port in On mode can form a channel only with another port also in On mode, because ports in this mode do not exchange PAgP packets. A port in Off mode cannot form a channel with any port.
Impact
Channel port set to Auto mode is considered a Best Practice Deviation because it is not the recommended configuration. Cisco recommends that you set the channel port to Desirable mode. There is no serious impact on the network.
Fix
To fix the Best Practice Deviation on switches using the Catalyst operating system:
Step 1
Go to the Best Practice Deviation report and click the hyperlink in the Summary field. The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the following command:
set port channel
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Go to the Best Practice Deviation report and click the hyperlink in the Summary field. The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the following command:
channel-group Channel group number mode desirable
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
BPDU Filter Disabled on Access Ports
BPDU-Guard Disabled on Access Ports
BackboneFast Disabled in Switch
UplinkFast not Enabled
Loop Guard and Port Fast Enabled on Ports
BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states. By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled. BPDUFilter can be enabled for each port or globally. When you enable BPDUFilter globally, it applies to all PortFast-enabled ports on the switch. When you disable PortFast on a port, the BPDU Filter that was globally enabled on the PortFast-enabled port is also disabled.
Fix
LMS provides commands for enabling BPDU Filter on access ports. To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1
Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
set spantree bpdu-filter mod/port enable
where:
mod/port specifies the number of the module and the port on the module
enable
Step 2
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
spanning-tree bpdufilter enable end
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Cisco recommends that you enable BPDUGuard to block incoming BPDUs on edge devices (end-hosts). The Cisco BPDUGuard feature, when enabled, informs the switch to disable PortFast ports if a BPDU is received on those ports. BPDUGuard can be enabled on each port or globally. When you enable BPDUGuard globally, it applies to all PortFast-enabled ports on the switch.
Fix
LMS displays commands for enabling BPDU Guard on access ports. To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1
Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
set spantree bpdu-guard mod/port enable
where:
mod/port specifies the number of the module and the port on the module
enable enables BPDUGuard
Step 2
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
spanning-tree bpduguard enable end
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
If you do not enable BackboneFast on all devices, it might lead to undesirable effects on the spanning tree operation. BackboneFast provides rapid convergence from indirect link failures. By adding functionality to STP, you can reduce convergence times from the default of 50 seconds to 30 seconds. Figure 14-2 shows an example topology with no link failures. Switch A, the root switch, connects directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that connects directly to Switch B is in the blocking state.
Figure 14-2 BackboneFast Example Before Indirect Link Failure (diagram not reproduced; labels: Switch A (Root), Switch B, links L1 and L2)
If link L1 fails, Switch C detects this failure as an indirect failure, because it is not connected directly to link L1. Switch B no longer has a path to the root switch. BackboneFast allows the blocked port on Switch C to move immediately to the listening state without waiting for the maximum aging time for the port to expire. BackboneFast then transitions the port on Switch C to the forwarding state, providing a path from Switch B to Switch A. This switchover takes approximately 30 seconds. Figure 14-3 shows how BackboneFast reconfigures the topology to account for the failure of link L1.
Figure 14-3 (diagram not reproduced; labels: Switch B, Switch C)
Fix
Enable BackboneFast on all switches in a switch cloud. To enable BackboneFast Globally on a Catalyst operating system:
Step 1
Step 2
Step 2
You cannot fix this Best Practice Deviation through LMS. For more information on Spanning Tree related configuration, see the document Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast at the following location: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/stp_enha.html
Figure 14-3 callout: BackboneFast transitions port through listening and learning states to forwarding state
Note
This Best Practice Deviation is not applicable if the device is not an access layer switch. Cisco recommends that you enable UplinkFast for switches with blocked ports, typically at the access layer. Do not use it on switches without the implied topology knowledge of a backup root link, typically distribution and core switches in Cisco's multilayer design. It can be added without disruption to a production network.
Impact
UplinkFast provides fast STP convergence after a direct link failure in the network access layer. It operates without modifying STP, and its purpose is to speed up convergence time in a specific circumstance to less than three seconds, rather than the typical 30-second delay. Figure 14-4 shows an example topology with no link failures. Switch A, the root switch, is connected directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that is connected directly to Switch B is in the blocking state.
Figure 14-4 UplinkFast Example Before Direct Link Failure (diagram not reproduced; labels: Switch A (Root), Switch B, links L1 and L2)
If Switch C detects a link failure on the currently active link L2 (a direct link failure), UplinkFast unblocks the blocked port on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure 14-5. This switchover takes approximately 1 to 5 seconds.
Figure 14-5 (diagram not reproduced; labels: Switch A (Root), Switch B, link L1, link failure on L2)
Fix
Enable UplinkFast on all access layer switches. To enable Uplink Fast on Catalyst operating system:
Step 1
Step 2
Step 2
You cannot fix this Best Practice Deviation through LMS. For more information on Spanning Tree related configuration, see the document Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast at the following location: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/stp_enha.html
Assume that a switch port is receiving BPDUs, and is in the blocking state. The port makes up a redundant path. It is blocking because it is neither a Root Port nor a Designated Port. If the flow of BPDUs stops, the last known BPDU is retained until the Max Age timer expires. When the Max Age timer expires, that BPDU is flushed, and the switch thinks there is no longer a need to block the port. The port moves through the STP states until it begins to forward traffic. The switch then forms a bridging loop. In its final state, the port becomes a Designated Port. To prevent this situation, you can use the loop guard STP feature. When you enable this feature, loop guard keeps track of the BPDU activity on nondesignated ports. While BPDUs are received, the port is allowed to behave normally. When BPDUs are missing, loop guard moves the port into the loop-inconsistent state. The port is effectively blocking at this point to prevent a loop from forming and to keep it in the nondesignated role. After BPDUs are received on the port again, loop guard allows the port to move through the normal STP states and become active. In this way, Loop Guard automatically governs ports without the need for manual intervention.
STP PortFast
STP configures meshed topology into a loop-free, tree-like topology. When the link on a bridge port goes up, STP calculation occurs on that port. The result of the calculation is the transition of the port into forwarding or blocking state. The result depends on the position of the port in the network and the STP parameters. This calculation and transition period usually takes about 30 to 50 seconds. At that time, no user data passes through the port. Owing to this, some user applications can time out during the period. To allow immediate transition of the port into forwarding state, enable the STP PortFast feature. PortFast immediately transitions the port into STP forwarding mode upon linkup. This way the port still participates in STP. So if the port is to be a part of the loop, the port eventually transitions into the STP blocking mode.
Impact
Enabling both of the above features on a port gives unpredictable results. Hence, LMS flags it as a Best Practice Deviation.
Fix
If you fix the above Best Practice Deviation through LMS, it disables the Port Fast feature in the port. To fix the Best Practice Deviation on switches using the Catalyst operating system:
Step 1
Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
set spantree portfast disable
Step 2
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Select Reports > Fault and Event. Select Best Practices Deviation Report from the TOC. Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
spanning-tree portfast disable
Step 4
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Cisco recommends that you set trunk to Off on all non-trunk ports. This helps eliminate wasted negotiation time when bringing host ports up. If a non-trunk port is set to Desirable, it attempts to become a trunk port if the neighboring port is in Desirable or Auto mode, although that is not the intended behavior.
Fix
To fix the Best Practice Deviation, set the trunk mode to Off on all non-trunk ports. To fix it through LMS, on switches using the Catalyst operating system:
Step 1
Select Reports > Fault and Event.
Step 2
Select Best Practices Deviation Report from the TOC.
Step 3
Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
set port host mod/port
Step 4
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Select Reports > Fault and Event. Select Best Practices Deviation Report from the TOC. Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
switchport mode access
Step 4
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Table 14-1 lists all possible combinations of trunk mode configurations and when LMS reports a Best Practice Deviation.
Table 14-1 Trunking Configuration 1
Modes On
On None. (Trunking)
Auto
Auto
Reports Best None. Practice (Not Deviation. Trunking) (Trunking) None. (Trunking) Reports Best Practice Deviation. (Trunking) Reports Best Practice Deviation. (Not Trunking)
Reports Best Practice Deviation. (Not Trunking) Reports Best Practice Deviation. (Not Trunking)
Desirable
Nonegotiate
None. (Trunking)
None. (Trunking)
Off
Cisco recommends an explicit trunk configuration of Desirable at both ends. Auto mode indicates a static property and the port will not initiate the trunking link, if the neighbor does not initiate it. See Table 14-1 for different trunk mode combinations.
Fix
To fix the Best Practice Deviation on switches using the Catalyst operating system:
Step 1
Select Reports > Fault and Event.
Step 2
Select Best Practices Deviation Report from the TOC.
Step 3
Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
set trunk mod/port desirable
Step 4
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Select Reports > Fault and Event. Select Best Practices Deviation Report from the TOC. Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
switchport mode dynamic desirable
Step 4
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
There is no serious impact on the network connectivity. It is considered as a Best Practice Deviation because LMS cannot manage a VTP domain where the same VLAN index has different VLAN names in transparent and server mode devices.
Fix
Assign the same name for a VLAN Index in both the transparent and server modes of the VTP domain. You cannot fix this Best Practice Deviation through LMS.
There is no serious impact on the network connectivity. It is considered as a Best Practice Deviation because LMS cannot manage a VTP domain with devices where a VLAN part of the transparent mode device in the domain has the same name as VLAN part of the server mode device in the domain.
Fix
Resolve the conflict by assigning different names for the VLAN part of the transparent mode and the server mode devices. You cannot fix this Best Practice Deviation through LMS.
If you disable UDLD, it could result in Spanning Tree loops. Unidirectional links are often caused by a failure not detected on a fiber link, or by a problem with a transceiver.
Figure 14-6 Unidirectional Links (diagram not reproduced; label: B Blocking)
In Figure 14-6, suppose the link between A and B is unidirectional and drops traffic from A to B while transmitting traffic from B to A. Suppose that B should be blocking. It has previously been stated that a port can only block if it receives BPDUs from a bridge that has a higher priority. In this case, all these BPDUs coming from A are lost and bridge B eventually forwards traffic, creating a loop. To detect the unidirectional links before the forwarding loop is created, Cisco designed and implemented the UniDirectional Link Detection (UDLD) protocol. This feature is able to detect improper cabling or unidirectional links on Layer 2 and automatically break resulting loops by disabling some ports. For maximum protection against symptoms resulting from uni-directional links, we recommend that you enable aggressive mode UDLD on point-to-point links between Cisco switches, where you have set the message interval to the default 15 seconds.
Fix
LMS provides commands to enable UDLD on link ports. To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1
Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
set udld enable mod/port
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Figure 14-6 callout: B unblocks its port and can forward traffic this way.
Select Reports > Fault and Event. Select Best Practices Deviation Report from the TOC. Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix displays the following command:
udld port end
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
In parts of the network where a high level of security is required (such as Internet-facing de-militarized zones), you should turn off CDP.
Fix
LMS provides commands to disable CDP on switches. To fix the Best Practice Deviation on switches running Catalyst operating system:
Step 1
Select Reports > Fault and Event.
Step 2
Select Best Practices Deviation Report from the TOC.
Step 3
Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
set cdp disable mod/port
Step 4
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Select Reports > Fault and Event. Select Best Practices Deviation Report from the TOC. Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
no cdp enable
Step 4
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
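The per-port deviations described in the sections above can also be checked offline against a saved configuration. The following is an added example, not code from LMS or from this guide: it parses an IOS-style configuration and reports each deviation with the Cisco IOS command that the Recommended Fix fields above display. The sample configuration is constructed, and these points are assumptions: switchport mode access marks an access port, spanning-tree portfast and spanning-tree guard loop are the enabling commands for PortFast and loop guard, trunk-negotiating ports count as link ports for UDLD, and the high_security set names the ports where CDP must be off.

```python
import re

# Constructed sample configuration (not from the guide or from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description user access port
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard loop
!
interface GigabitEthernet1/0/23
 switchport mode dynamic auto
 channel-group 1 mode auto
!
interface GigabitEthernet1/0/24
 description DMZ uplink
 switchport mode dynamic desirable
 channel-group 2 mode desirable
 udld port
 no cdp enable
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped stanza lines]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        match = re.match(r"^interface\s+(\S+)", raw)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:  # "!" or a global command ends the interface stanza
            current = None
    return interfaces


def audit_interface(name, lines, high_security=()):
    """Return (interface, deviation, recommended fix) tuples for one port.

    Only per-interface commands are evaluated; switch-wide defaults are not.
    """
    has = lines.__contains__
    access = has("switchport mode access")          # assumption: marks an access port
    portfast = has("spanning-tree portfast")
    link_port = has("switchport mode trunk") or any(
        line.startswith("switchport mode dynamic") for line in lines)
    findings = []

    def flag(deviation, fix):
        findings.append((name, deviation, fix))

    if access and not has("spanning-tree bpdufilter enable"):
        flag("BPDU Filter disabled on access port", "spanning-tree bpdufilter enable")
    if access and not has("spanning-tree bpduguard enable"):
        flag("BPDU Guard disabled on access port", "spanning-tree bpduguard enable")
    if portfast and has("spanning-tree guard loop"):
        flag("Loop Guard and PortFast enabled on same port", "spanning-tree portfast disable")
    if has("switchport mode dynamic auto"):
        flag("Trunk mode set to Auto", "switchport mode dynamic desirable")
    for line in lines:
        match = re.fullmatch(r"channel-group (\d+) mode auto", line)
        if match:
            flag("Channel port set to Auto mode",
                 f"channel-group {match.group(1)} mode desirable")
    if link_port and not has("udld port"):
        flag("UDLD disabled on link port", "udld port")
    if name in high_security and not has("no cdp enable"):
        flag("CDP enabled in high-security segment", "no cdp enable")
    return findings


def audit(config, high_security=()):
    """Audit every interface stanza in the configuration text."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        findings.extend(audit_interface(name, lines, high_security))
    return findings


if __name__ == "__main__":
    for name, deviation, fix in audit(SAMPLE_CONFIG, {"GigabitEthernet1/0/24"}):
        print(f"{name}: {deviation} -> {fix}")
```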
High Availability:
Is a critical requirement for most networks. Switch downtime must be minimal to ensure maximum productivity in a network.
Allows you to minimize the switch-over time from active supervisor engine to the standby supervisor engine, if the active supervisor engine fails.
Allows the active supervisor engine to communicate with the standby supervisor engine, keeping feature protocol states synchronized.
Provides a versioning option that allows you to run different software images on the active and standby supervisor engines.
You can enable High Availability using Command Line Interface (CLI).
Fix
As a general practice with redundant supervisors, we recommend that you enable High Availability feature for normal operation. LMS provides commands for enabling High Availability. To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1
Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
set system highavailability enable
Step 2
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
For more information on Supervisor engines and High Availability, see the document Configuring Redundancy at the following location: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/6.x/configuration/guide/redund.html
Select Admin > Network > Best Practices Deviation Settings. The discrepancies page appears. You can view the list of Network discrepancies, and Discrepancies configured to send Syslog messages by clicking the corresponding View Details link.
Step 2
To include a Discrepancy or Best Practice Deviation in the Reports, check the check box next to it. Checking all the check boxes results in a report displaying all discrepancies and Best Practice Deviations in the network.
To exclude a Discrepancy or Best Practice Deviation from the Reports, uncheck the corresponding check box.
Discrepancies and Best Practices Deviations Customizing Discrepancies Reporting and Syslog Generation
Step 3
Generate Syslog messages for the selected Discrepancies and Best Practice Deviations. To do this, check Configure Syslog and click Next. A list of the selected Discrepancies and Best Practice Deviations appears. Check Send Syslogs and enter the name of the server in the Syslog Server field. Select the Discrepancies and Best Practice Deviations for which you want to generate Syslog messages and click Next. A summary of the selected Discrepancies and Best Practice Deviations appears. Click Finish.
Step 4 Step 5
Step 6
You can use the filters to display discrepancy reports for specific devices, link or network types. This makes it easy to find a particular discrepancy for a particular type. You can use more than one filter at the same time, but results will vary.
If you select more than one filter in the same top-level category, Boolean OR is used. For example, if you select Duplex, Speed under Link, any link or port that fulfils at least one filter criteria will be displayed in the report.
If you select more than one filter from different top-level categories, Boolean AND is used. For example, if you select both a Link type and a Port type filter from the discrepancy filter, any link that fulfils both filter criteria will appear in the report.
CHAPTER 15
Report Setting
Describes how to configure some settings for generating reports and set a report publish location. This section contains the following sections:
Specifying User Tracking Report Purge Policy
Specifying Domain Name Display
Set Report Publish Location
Select Admin > Network > Purge Settings > User Tracking Report Purge Policy. The Report Settings dialog box appears. Check the relevant check box:
Step 2
You must specify in days, or weeks, or months the period for which you want to retain the report archives or jobs.
Step 3
Click Save.
Select Admin > Network > Display Settings > Domain Name Display. The Domain Name Display window appears. Select the format for displaying the domain names in User Tracking Reports. You can:
Step 2
Show full domain name suffix
Hide full domain name suffix
Hide specified domain name suffix
If you want to hide the specified domain name suffix, enter the domain name suffix in the field.
Step 3
Click Save.
Note
Ensure that the casuser is assigned the required write permission to publish the PDF format of the report to the directory path. To set a report publish location:
Step 1 Step 2
Select Reports > Report Settings > Report Publish Path. Select Report Location. The Default Report Publish Location page appears, displaying Default Location Settings dialog box. Table 15-1 describes the field in the Default Location Settings dialog box.
Table 15-1 Default Location Settings Fields
Description Directory path where the PDF format of the reports are published. Use the Browse button to select a directory path. The Server Side File Browser dialog box is launched. You can select the directory path in this dialog box.
Step 3
Click Browse. The Server Side File Browser dialog box appears.
Step 4 Step 5
Select the directory path from the Server Side File Browser dialog box. Click OK. The directory path is displayed in the Report Location field. Click Apply to save the default directory path settings or Cancel to reset the directory path.
Step 6
CHAPTER 16
Purge Settings
Describes how to configure the purge settings of all modules in LMS. This section contains the following sections:
Purging Reports Jobs and Archived Reports
Purging VRF Management Reports Jobs and Archived Reports
Purging Configurations from the Configuration Archive
Syslog Administrative Tasks
Setting the Syslog Purge Policy
Purging Configuration Management Jobs
Performance Purge Jobs
Performance Purge Data
View Performance Purge Details
IPSLA Data Purging Settings
Configuring the Daily Fault History Purging Schedule
Select Admin > Network > Purge Settings > Layer2 Services Purge Settings. The Network Reports Purge Settings dialog box appears. Under Report Settings, you can specify the Purge Policy for archives or jobs here.
Step 2
Check the Purge Archives Older Than check box to specify the periodicity at which to purge archives. For instance, if you select 44 days, LMS purges archives that are older than 44 days. Check the Purge Jobs Older Than check box to specify the periodicity at which to purge jobs. For instance, if you select 2 weeks, LMS purges jobs that are older than 2 weeks. Click Save.
Step 3
Step 4
Select Admin > Network > Purge Settings > VRF Management Purge Settings. The Purge Settings dialog box appears. Specify the Purge Policy for archives or jobs. Check the Purge Archives Older Than to specify the periodicity at which to purge archives. For instance, if you select 44 days, VRF Management purges archives that are older than 44 days. Check the Purge Jobs Older Than to specify the periodicity at which to purge jobs. For instance, if you select 2 weeks, VRF Management purges jobs that are older than two weeks. Click Save.
Step 2 Step 3
Step 4
Step 5
Number of versions to retain. Maximum number of versions of each configuration to be retained. The oldest configuration is purged when the maximum number is reached. For example, if you set the maximum versions to retain to 10, when the eleventh version of a configuration is archived, the earliest (first version) is purged to retain total number of latest archived versions at 10.
Age. Configurations older than the number of days that you specify are purged. The Labeled configuration files are not purged even if they satisfy either of the purge conditions (Maximum versions to retain and Purge versions older than options in the Archive Purge Settings window) unless you enable the Purge labeled files option in the Archive Purge Settings window. The labeled files are purged only if they satisfy the conditions given in the Maximum versions to retain and Purge versions older than options.
Archive Management will not purge the configuration files, if there are only two versions of these files in the archive. Archived configurations that match the purge criteria that you set are purged from the system. This purge policy applies to Running configuration only.
Caution
Ensure that the configuration change detection schedule does not conflict with purging, since both processes are database-intensive. Also back up your system frequently to prevent losing versions.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. The workflow to define the Configuration Archive purge policy is:
Step 1
Select Admin > Network > Purge Settings > Config Archive Purge Settings. The Archive Purge Setup dialog box appears. Select Enable. Click Change to schedule a Purge job. The Config Purge Job Schedule dialog box appears. Enter the following information: Description You can specify when you want to purge the configuration archive files. To do this, select one of these options from the drop-down menu:
Step 2 Step 3
Step 4
Field
Scheduling
Run Type
Daily: Runs daily at the specified time.
Weekly: Runs weekly on the specified day of the week and at the specified time.
Monthly: Runs monthly on the specified day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10:00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3.
Date
Job Information
You can select the date and time (hours and minutes) to schedule the job. The system default job description, Default archive purge job is displayed. You cannot change this description. Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent from the E-mail ID.
Step 5
Specify when to purge configuration files from the archive by selecting one or all of the following purge policies:
Click Maximum versions to retain and enter the number of configurations to be retained.
Click Purge versions older than and enter the number of days, weeks, or months.
Click Purge labeled files to delete the labeled configuration files.
The Purge labeled files option must be used either with the Maximum versions to retain or Purge versions older than options. You cannot use this option without enabling either Maximum versions to retain or Purge versions older than options. The labeled files are purged only if they satisfy the conditions given in the Maximum versions to retain and Purge versions older than options. The Labeled configuration files are not deleted even if they satisfy either of the purge conditions (Maximum versions to retain and Purge versions older than) unless you enable the Purge labeled files option. These purge policies are applied sequentially. That is, if you have enabled all the three purge policies, LMS applies the Purge policies in this sequence:
a. Maximum versions to retain
b. Purge versions older than
c. Purge labeled files
Archive Management does not purge the configuration files, if there are only two versions of these files in the archive.
Step 6
Click Apply. A message appears, New settings saved successfully.
Step 7
Click OK. You can check the status of your scheduled job by selecting Admin > Jobs > Browser.
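To see in advance which archived versions a given policy would remove, the rules above can be modelled offline. The following is an added example, not LMS code: it applies the three policies in the stated sequence (Maximum versions to retain, Purge versions older than, Purge labeled files) and keeps the two-version floor. The Version record, the function names and the sample archive are constructed, and two readings are assumptions: labeled versions count toward the maximum, and with Purge labeled files enabled a labeled version is purged when it meets either condition.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_VERSIONS = 2  # the guide: files are not purged when only two versions remain


@dataclass(frozen=True)
class Version:
    number: int
    archived_at: datetime
    labeled: bool = False


def sample_versions(now):
    """Constructed archive: 12 versions, 10 days apart; versions 1 and 3 are labeled."""
    return [Version(n, now - timedelta(days=(13 - n) * 10), labeled=n in (1, 3))
            for n in range(1, 13)]


def apply_purge_policy(versions, now, max_versions=None, older_than=None,
                       purge_labeled=False):
    """Return (kept version numbers, [(purged number, reason), ...])."""
    if purge_labeled and max_versions is None and older_than is None:
        raise ValueError("Purge labeled files needs one of the other two policies")
    kept = sorted(versions, key=lambda v: v.archived_at)  # oldest first
    purged = []

    def by_count(labeled):
        if max_versions is None:
            return
        limit = max(max_versions, MIN_VERSIONS)
        for v in [v for v in kept if v.labeled == labeled]:
            if len(kept) <= limit:
                break
            kept.remove(v)
            purged.append((v.number, "max-versions"))

    def by_age(labeled):
        if older_than is None:
            return
        cutoff = now - older_than
        for v in [v for v in kept if v.labeled == labeled and v.archived_at < cutoff]:
            if len(kept) <= MIN_VERSIONS:
                break
            kept.remove(v)
            purged.append((v.number, "older-than"))

    by_count(False)      # a. Maximum versions to retain (unlabeled versions)
    by_age(False)        # b. Purge versions older than (unlabeled versions)
    if purge_labeled:    # c. Purge labeled files: same conditions, labeled versions
        by_count(True)
        by_age(True)
    return [v.number for v in kept], purged


if __name__ == "__main__":
    now = datetime(2024, 3, 1)
    kept, purged = apply_purge_policy(sample_versions(now), now,
                                      max_versions=10, older_than=timedelta(days=90))
    print("kept:", kept)
    print("purged:", purged)
```

With Purge labeled files left off, the two labeled versions in the sample survive even though both are older than the 90-day limit, which is the behaviour to confirm before relying on labels to preserve a baseline.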
Back up Syslog messages (see Setting the Syslog Backup Policy). Purge Syslog messages (see Setting the Syslog Purge Policy). Perform a Forced Purge (see Performing a Syslog Forced Purge).
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform these tasks.
In Solaris/Soft Appliance, the backup file is created with -rw-r----- casuser casusers irrespective of the permissions given to the directory for backup on purge. In Windows, the backup file inherits the permission and ownership of the directory it is created in, which is the directory selected as the backup location (on purge).
View the Permission Report (Reports > System > Users > Permission) to check if you have the privileges required to perform this task. To set up the backup policy:
Step 1 Select Admin > Network > Purge Settings > Syslog Backup Settings. The Backup Policy dialog box appears. By default, the backup policy is set to disabled.
Step 2 Select Enable to enable the backup process for Syslog messages, after configuring backup.
Step 3 Click Browse to select the backup file location. The Server Side File Browser dialog box appears. In the Server Side File Browser dialog box:
a. Specify the external directory. The external directory must be under the syslog directory, or a sub-directory within the syslog directory. For example, $NMSROOT/files/rme/syslog/sysbackup. The external directory cannot be outside the syslog directory. If you attempt to navigate outside the syslog directory, an error message appears.
Step 4 Enter the maximum size that you want to set for the backup file. By default this is set to 100 MB.
Step 5 Enter the e-mail ID of the user who should receive a notification, if the backup fails. You can enter multiple e-mail addresses separated with commas. This is a mandatory field. Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent from the E-mail ID. If you also want a notification to be sent when the backup is a success, select Also Notify on Success.
Step 6 Either click Save to save the backup configuration details that you have specified or click Reset to clear the values that you specified and reset to the previously saved values in the dialog box. If you have clicked Save, the backup will continue to save the data even after the data has exceeded the specified size of the backup file. However, the system will send an e-mail asking you to clean up the backup file.
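The two properties stated above (the backup directory must stay under the syslog directory, and on Solaris/Soft Appliance the backup file is created as -rw-r----- casuser casusers) can be checked from the shell. The following is an added example, not part of the Cisco guide; the function names and finding labels are assumptions.

```sh
#!/bin/sh
# Added example (not from the LMS guide): audit a syslog backup location.
# Function names and finding labels are assumptions made for this sketch.

# resolve_dir DIR: print DIR's physical path with symbolic links resolved.
resolve_dir() {
    ( cd -P -- "$1" 2>/dev/null && pwd -P )
}

# is_under PARENT CHILD: succeed only when CHILD is PARENT itself or a
# directory beneath it, judged on resolved paths so that a symbolic link
# inside the syslog directory cannot redirect the backup elsewhere.
is_under() {
    parent=$(resolve_dir "$1") || return 2
    child=$(resolve_dir "$2") || return 2
    case "$child/" in
        "$parent"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_backup_dir SYSLOG_DIR BACKUP_DIR [OWNER GROUP]
# Prints one finding per line and returns 1 if there is any finding:
#   OUTSIDE  backup directory is not contained in the syslog directory
#   MODE     file is group-writable or has any permission bit for "other"
#   OWNER    file owner/group differs from OWNER/GROUP (only when given)
audit_backup_dir() {
    syslog_dir=$1
    backup_dir=$2
    want_owner=${3:-}
    want_group=${4:-}
    status=0

    if ! is_under "$syslog_dir" "$backup_dir"; then
        printf 'OUTSIDE %s\n' "$backup_dir"
        status=1
    fi

    for f in "$backup_dir"/*; do
        [ -f "$f" ] || continue
        # ls -ld fields: 1 = mode string, 3 = owner, 4 = group.
        meta=$(ls -ld "$f" | awk '{ print substr($1, 1, 10), $3, $4 }')
        mode=${meta%% *}
        rest=${meta#* }
        owner=${rest%% *}
        group=${rest#* }

        # The guide's mode is rw-r-----: flag group write or any "other" bit.
        case $mode in
            -????-?---) ;;
            *) printf 'MODE %s %s\n' "$f" "$mode"; status=1 ;;
        esac

        if [ -n "$want_owner" ] && \
           { [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; }; then
            printf 'OWNER %s %s:%s\n' "$f" "$owner" "$group"
            status=1
        fi
    done
    return "$status"
}
```

On a Solaris/Soft Appliance server the call would be `audit_backup_dir "$NMSROOT/files/rme/syslog" "$NMSROOT/files/rme/syslog/sysbackup" casuser casusers`; on Windows the backup file inherits the directory's permissions, so the directory ACL is what needs reviewing there.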
Purge Settings
Step 1 Select Admin > Network > Purge Settings > Syslog Purge Settings. The Purge Policy dialog box appears.
Step 2 Specify the number of days in the Purge records older than field. Only the records older than the number of days that you specify here will be purged. The default value is 7 days. This is a mandatory field.
Caution
You might delete data by changing these values. If you change the number of days to values lower than the current values, messages over the new limits will be deleted. If the data of a particular day is being accessed either through Immediate reports, Report jobs, or by any other means, it will not be purged. However, during the successive purge operations this data will be purged.
Specify the periodicity of the purge in the Run Type field. This can be monthly, daily, or weekly. Select the start date using the calendar icon, to populate the date field in the dd-mmm-yyyy format (for example, 02-Dec-2004). This is a mandatory field. Enter the start time in the At field, in the hh:mm:ss format (23:00:00). This is a mandatory field. The Job Description field has a default description: Syslog Records - default purge job. Enter the e-mail ID of the user who should be notified when the scheduled purge is complete. You can enter more than one e-mail ID separated by commas. This is a mandatory field. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent from the E-mail ID.
Step 6 Either click Save to save the purge policy that you have specified or click Reset to clear the values that you specified and reset the defaults in the dialog box.
You can view the scheduled purge job in the Job Browser (Admin > Jobs > Browser).
Step 1 Select Admin > Network > Purge Settings > Syslog Force Purge. The Force Purge dialog box appears.
Step 2 Enter the information required to perform a Forced Purge:

Field: Description
Enter the number of days. Only the records older than the number of days that you specify here will be purged. This is a mandatory field. If the data of a particular day is being accessed either through Immediate reports, Report jobs, or by any other means, it will not be purged. However, during the successive purge operations this data will be purged.
Scheduling
Run Type: If you select Immediate, all the other options will be disabled for you. If you select Once, you can specify the start date and time and also provide the job description (mandatory) and the e-mail ID for the notification after the scheduled purge is complete. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent from the E-mail ID.
Date: Select the start date using the calendar icon, to populate the Date field in the dd-mmm-yyyy format, for example, 02-Dec-2004. This is a mandatory field. The Date field is enabled only if you have selected Once as the Run Type.
at: Enter the start time, in the hh:mm:ss format (23:00:00). The at field is enabled only if you have selected Once as the Run Type.
Job Info
Job Description: Enter a description for the forced purge job. The Job Description field is enabled only if you have selected Once as the Run Type. This is a mandatory field.
Enter the e-mail ID of the user who should be notified when the Forced Purge is complete. You can enter more than one e-mail ID separated by commas. The e-mail field is enabled only if you have selected Once as the Run Type. Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent from the E-mail ID.
Step 3
Click Submit for the Forced Purge to become effective. To clear the values that you specified and reset the defaults in the dialog box, click Reset.
You can view the scheduled Force Purge job in the Job Browser (Admin > Jobs > Browser).
- Scheduling a Configuration Management Purge Job
- Enabling a Configuration Management Purge Job
- Disabling a Configuration Management Purge Job
- Performing an Immediate Purge for Configuration Management Jobs
The Job Purge option provides a centralized location for you to schedule Purge operations for the following Configuration Management jobs:
- Credential Verification Jobs: Purge all Credential Verification jobs. This also includes credential verification edit jobs.
- Software Management Jobs: Purge all Software Management jobs such as Image Import, Image Distribution, etc.
- Netconfig Jobs: Purge all NetConfig jobs.
- Archive Management Jobs: Purge Archive Management jobs such as Compliance Check, and Deploy Compliance Results.
- Archive Update Jobs: Purge Archive Management collection jobs, Default config collection job.
- Archive Poller Jobs: Purge Archive Management polling jobs, Default config polling job.
- Archive Purge Jobs: Purge Archive Management purge jobs, Default archive purge job.
- Config Editor Jobs: Purge all Config Editor jobs.
- CwConfig Jobs: Purge all cwcli config jobs such as Get Config, Put Config, etc.
- Inventory Collector Jobs: Purge Inventory collection jobs.
- Inventory Poller Jobs: Purge Inventory polling jobs.
- Reports Jobs: Purge all Reports jobs.
- Reports Archive Jobs: All reports that are archived are purged. You can view all reports that are archived in the Archives window (Reports > Report Archives > Inventory and Syslog).
- NetShow Jobs: Purge all NetShow jobs.
You cannot purge the jobs that are in the running state. The Job Purge contains the following information:

Column: Description
Application: Lists the application for which the Purge is applicable.
Status: Whether a Purge job is enabled or disabled.
Policy: This value is in days. Data older than the specified value will be purged. You can change this value as required. This is a mandatory field. The default is 180 days.
Job ID: Unique ID assigned to the job by the system, when the Purge job was created. This job ID does not change even when you disable or enable or change the schedule of the Purge job. For Purge Now task, job ID is not assigned. Also, if a Job ID already exists for that application, the job ID is not updated for Purge Now tasks. That is, the scheduled Purge job is not affected by Purge Now task.
Scheduled At: Date and time for which the job is scheduled. For example: Nov 17 2004 13:25:00.
Schedule Type: Specifies the type of schedule for the Purge job:
- Daily: Runs daily at the specified time.
- Weekly: Runs weekly on the specified day of the week and at the specified time.
- Monthly: Runs monthly on the specified day of the month and at the specified time. (A month comprises 30 days).
You can select the applications by checking the check boxes next to the application to perform the following tasks using the Job Purge window:

Button: Description
Schedule: Schedules a Purge job.
Enable: After you schedule a job, you can enable Purge.
Disable: After you schedule a job, if you have enabled the Purge job, you can choose to disable it.
Purge Now: Perform Immediate Purge. You can select more than one application to purge in a single step. After selecting the applications, click on this button to purge jobs.
Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears.
Step 2 To create a Purge job, select Schedule. The Purge Schedule dialog box appears for the selected application.

Field: Description
Scheduling
Run Type:
- Daily: Runs daily at the specified time.
- Weekly: Runs weekly on the specified day of the week and at the specified time.
- Monthly: Runs monthly on the specified day of the month and at the specified time. (A month comprises 30 days).
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10:00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3.
Date:
1. Click on the date picker icon and select the date, month and year. Your selection appears in the Date field in this format: dd Mmm yyyy (example: 14 Nov 2004).
2. Select the time (hh and mm) from the drop-down lists in the at fields.
Job Info
Days: The default setting for purging archived data is 180 days. That is, data older than 180 days will be purged. You can change this value as required. This is a mandatory field. You can enter only whole numbers for days. You cannot enter fractions of days.
Job Description: Based on the option that you selected, you see a default job description. For example, for Software Management Purge jobs the default description is: Purge - Software Management Jobs. For Reports Archive Purge, the default description is: Purge - Reports Archive Purge.
Step 3
Click Done. The Purge job appears in the Job Purge dialog box.
Note
You cannot purge the jobs that are in the running state.
Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears.
Step 2 Click Enable. A confirmation message appears: There is a purge schedule and it is enabled.
Step 3 Click OK. The Status column in the Job Purge window displays Enabled for the selected application Purge job.
Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears.
Step 2 Click Disable. A confirmation message appears: There is a purge schedule and it is disabled.
Step 3 Click OK. The Status column in the Job Purge window displays Enabled for the selected application Purge job.
Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears.
Step 2 Click Purge Now. The Explorer User Prompt dialog box appears.
Step 3 Enter the number of days jobs that have to be purged. The default setting for purging archived data is 180 days. That is, data older than 180 days will be purged. You can change this value as required. You can enter only whole numbers for days. You cannot enter fractions of days.
Step 4 Click OK. The Purge Job Details window appears displaying the purged job details.
Note
You cannot purge the jobs that are in the running state.
- Quick Report Jobs: Purge all Quick Report jobs older than the specified number of days.
- Custom Report Jobs: Purge all Custom Report jobs older than the specified number of days.
- Threshold Report Jobs: Purge all Threshold Report jobs older than the specified number of days.
- Poller Report Jobs: Purge all Poller Report jobs older than the specified number of days.
- Failure Tracker Jobs: Purge all Failure Tracker jobs older than the specified number of days.
- TrendWatch jobs: Purge all TrendWatch jobs older than the specified number of days.
- TrendWatch Summary jobs: Purge all TrendWatch summary jobs older than the specified number of days.
- Summarizer Jobs: Purge all Summarizer jobs older than the specified number of days.
- Data Purge jobs: Purge all Data Purge jobs older than the specified number of days.
- Job Purge jobs: Purge all Job Purge jobs older than the specified number of days.
- Maintenance jobs: Purge all Maintenance jobs older than the specified number of days.
Step 1 Select Admin > Network > Purge Settings > Performance Job Purge Settings.
Step 2 Select Job Purge. The Job Purge Settings page appears, displaying Job Purge Schedule dialog box. Table 16-1 describes the fields in the Job Purge Schedule dialog box.
Table 16-1 Job Purge Schedule Fields
Field/Button: Description
Scheduling
Run Type:
- Daily: Runs daily at the specified time.
- Weekly: Runs weekly on the specified day of the week and at the specified time.
- Monthly: Runs monthly on the specified day of the month and at the specified time. (A month comprises 30 days).
For Daily jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10:00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3.
Date: Specify the date and time for which the purge is scheduled. Select the date by clicking the calendar icon and time from the drop-down list.
Purge Policy
Days: The default setting for purging archived job data is 30 days. That is, job data older than 30 days will be deleted. You can change this value as required. This is a mandatory field. You can enter only whole numbers for days. You cannot enter fractions of days.
Job purge is scheduled at the specified Run Type and Date for the job data older than the days specified in the Days field.
Job purge is done immediately for the job data older than the days specified in the Days field.
Step 3
See Table 16-1 for the description of fields that appear in the Job Purge Schedule dialog box.
Step 4
Click Apply to schedule job purge or Purge Now to immediately perform job purge.
If you click Apply, a message appears confirming that the purge settings are applied successfully. If you click Purge Now, a message appears confirming that purge is done successfully and the Job ID appears.
You can see the job details in the Job Browser at Admin > Jobs > Browser.
Note
We recommend that you wait for any activity currently running in the system to stop before purging jobs. By default, all Job Purge jobs older than seven days are purged by Cisco Prime LMS.
- 30 Minute Summarization records: Purge all 30-minute summarization data records older than the specified number of days.
- 3 Hour Summarization records: Purge all 3-hour summarization data records older than the specified number of days.
- 12 Hour Summarization records: Purge all 12-hour summarization data records older than the specified number of days.
- Poller failure records: Purge all failure data records older than the specified number of days.
- Threshold violation records: Purge all threshold violation data records older than the specified number of days.
- Audit trail records: Purge all audit trail data records older than the specified number of days.
- TrendWatch violation records: Purge all TrendWatch violation data records older than the specified number of days.
- Status change details records: Purge all status change details data records older than the specified number of days.
Note
It is recommended to keep the LMS view in LMS Portal closed, when the data purge job is running. To schedule Data Purge:
Step 1 Select Admin > Network > Purge Settings > Performance data purge settings.
Step 2 Select Data Purge. The Data Purge Settings page appears, displaying the Data Purge Schedule dialog box. Table 16-2 describes the fields in the Data Purge Schedule dialog box.
Table 16-2 Data Purge Schedule Fields
Field/Button: Description
Purge Schedule
Run Type:
- Hourly: Runs hourly.
- Daily: Runs daily at the specified time.
- Weekly: Runs weekly on the specified day of the week and at the specified time.
- Monthly: Runs monthly on the specified day of the month and at the specified time. (A month comprises 30 days).
By default, Daily is set as the default Run Type schedule for Data Purge. For example, if you have scheduled Run Type as Daily for Data Purge job at 10:00 a.m. on November 1, the next instance of this Data Purge job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10:00 a.m. November 1 Data Purge job has not been completed before 10:00 a.m. November 2, then the next Data Purge job will start only at 10:00 a.m. on November 3.
Date: Specify the date and time for which the Data Purge job is scheduled. Select the date by clicking the calendar icon and time from the drop-down list.
Purge Policy
Days: The following are the default settings for purging the following data:
- 5 Minute's Summarization records: 3 days
- 30 Minute's Summarization records: 15 days
- 3 Hour Summarization records: 90 days
- 12 Hour Summarization records: 365 days
- Poller failure records: 1 day
- Threshold violation records: 180 days
- Audit trail records: 90 days
- TrendWatch violation records: 180 days
- Status change details records: 15 days
The default data purge settings provide optimal performance of Cisco Prime LMS. You can also change the default purge settings as required. However, the performance of Cisco Prime LMS may not be as expected. You can enter only whole numbers for days. You cannot enter fractions of days. This is a mandatory field.
Apply (button): Data purge is scheduled at the specified Run Type and Date for the data older than the days specified in the Days field.
Purge Now (button): Data purge is done immediately for the data older than the days specified in the Days field.
Step 3
See Table 16-2 for the description of fields that appear in the Data Purge Schedule dialog box.
Step 4
Click Apply to schedule the data purge or Purge Now to immediately perform the data purge.
If you click Apply, a message appears confirming that data purge settings are applied successfully. If you click Purge Now, a message appears confirming that purge is done successfully and the Job ID appears.
You can see the job details in the Job Browser at Admin > Jobs > Browser.
Note
By default, all Summarization jobs older than seven days are purged by Cisco Prime LMS.
Select Admin > Network > Purge Settings > Performance Data Purge Summary. Select Purge Details. The Purge Details page appears, displaying Show Purge Details dialog box. Table 16-3 describes the fields in the Show Purge Details dialog box.
Table 16-3 Show Purge Details Fields
Field: Description
Details: Displays the purge details of the Data Purge job. The following purge information is displayed:
- Next Data Purge Job scheduled at
- No. of Poll Failure records purged
- No. of Audit Trail records purged
- No. of Threshold Violation records purged
- No. of Polled records purged
- Last Job Purge completed at
- No. of TrendWatch violation records purged
Value
LMS purges IPSLA-related historical data automatically every day, based on the Purge period specified on the Purge Settings page. It purges historical data that is older than the specified Purge period. If the Purge period is not specified, it purges the historical data based on the default values. The minute-based reports are purged daily by default. To purge Historical reports:
Step 1 Select Admin > Network > Purge Settings > IPSLA data Purge Settings. The Purge Settings page appears.
Step 2 Specify the Purge period. For more information, see Table 16-4.
Step 3 Click Apply. A message appears that the Purge settings are updated successfully.
Step 4 Click OK.
Table 16-4 Purging Reports
Granularity: Purge Period
Minute: Specify the number of days for which you want to keep the minute historical data in the database. The default value is 1 day.
Hourly: Specify the number of days for which you want to keep the hourly historical data in the database. The default value is 32 days.
Daily: Specify the number of days for which you want to keep the daily historical data in the database. The default value is 180 days.
Weekly: Specify the number of weeks for which you want to keep the weekly historical data in the database. The default value is 12 weeks.
Monthly: Specify the number of months for which you want to keep the monthly historical data in the database. The default value is 12 months.
Allows you to purge the Audit reports. The audit reports older than the number of days you specify will be purged. The default purge period for Audit reports is 180 days. This frees disk space and maintains your audit reports at a manageable size.
View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform these tasks. Data for Fault History remains in the LMS database for 31 days. Purging occurs every day to maintain only 31 days of data. You can select the time of day that purging begins. By default, purging begins at 00:00.
Before You Begin
- Review the information in Performing Scheduling Tasks to ensure that daily purging does not conflict with the other scheduled jobs listed there.
- Do not use the LMS Job Browser to manage Rediscovery Schedules; use the LMS Daily Purging Schedule interface.
- If you suspend the Fault History:DataPurge job using the Job Manager, the job is deleted from the LMS Daily Purging Schedule interface, which can be confusing to users.
Step 1 Select Admin > Network > Purge Settings > Fault History Purging Schedule.
Step 2 Select the Purge Time:
Click Apply.
You can check the status of the Fault History data purge job from the Job Manager page each day after the job runs. To do so select Admin > Jobs > Browser and find DFM:DataPurge under Job Type. For more information, see Configuring Fault Management Rediscovery Schedules.
CHAPTER 17
Debugging Options
The Debugging Settings menu allows the administrator to set the debugging settings of various modules in LMS. This section contains:
- Configuring Discovery Logging
- Maintaining Log Files
- Performance Debugging Settings
- Config and Image Management Debugging Settings
- Configuring Logging
- Fault Debugging Settings
- Setting Debugging Options for Topology and User Tracking
- Setting VRF Lite Debugging Options
Discovery Framework Data Collector Discovery Util System Module Cluster Module ARP Module AUS Module Credential Module
Neighbor Module Pingsweep Module RouterPeer Module RT Module CSDiscoveryAdaptor Discovery DeviceInfo
The debugging option for all the Device Discovery components is disabled by default. To enable the debugging option for the LMS Device Discovery components:
Step 1 Select Admin > System > Debug Settings > Discovery Logging Configuration. The Discovery Logging Configuration page appears.
Step 2 Select one or more Discovery modules or components from the Disabled Modules list box.
Step 3 Click Add to add the components to the Enabled Modules list box.
Step 4 Click Apply. Debugging is enabled for all the components listed in the Enabled Modules list box. The changes will come into effect after 60 seconds.
To disable the debugging option, move the selected component from the Enabled Modules list box to Disabled Modules list box using the Remove button.
- Deleting the unwanted log files from the Cisco Prime installation directory
- Using the logrot functionality. See Configuring Log Files Rotation for more information.

- On Solaris/Soft Appliance: /var/adm/CSCOpx/log
- On Windows: NMSROOT\log
Caution
As part of the file back-up procedure, Cisco Prime Daemon Manager is shut down and restarted. To prevent loss of data, make sure you are not running any critical tasks. This section explains the following:
- Maintaining Log Files on Solaris/Soft Appliance
- Maintaining Log Files on Windows
- About Cisco Prime Common Services Log Files
- Viewing and Maintaining LMS Log File Details
- Fault Management Log Files
Step 1 Make sure the new location has sufficient disk space.
Step 2 Log in as the superuser, and enter the root password.
Step 3 Stop all processes, and enter /etc/init.d/dmgtd stop.
Step 4 Perform log maintenance by running logrot. See Configuring Logrot Utility and Running Logrot Script for more information.
Step 5 Verify the procedure was successful by examining the contents of the log files in this location:
/var/adm/CSCOpx/log/*.log
Only log files that reach 90% of their size limits are backed up, and the original log file is emptied.
Step 6 Restart the system, and enter /etc/init.d/dmgtd start
Step 7 Select Reports > System > Status > Log File to view your log changes.
Step 1 Make sure the new location has sufficient disk space.
Step 2 Go to the command line and make sure you have the correct permissions.
Step 3 Stop all processes by entering:
net stop crmdmgtd
Step 4 Perform log maintenance by running logrot. See Configuring Logrot Utility and Running Logrot Script for more information.
Step 5 Verify the procedure was successful by examining the contents of the log files in the following location: NMSROOT\log\
Only log files that reach 90% of their size limits are backed up, and the original log file is emptied.
Step 6
Step 7 Select Reports > System > Status > Log File to view your log changes.
File core*
Description Logs for Authentication, Authorization and Accounting process Backup and restore logs
/MDC/Apache/logs/ Normal top-level log directories Normal top-level log directories Normal top-level log directories
Log for General Cisco Prime LMS errors Log for Perl interpreter errors Log for Proxy activity Log for Cisco Prime LMS events Log for all Daemon Manager-controlled processes (On Solaris/Soft Appliance only). Syslogs received from device/machine (On Windows only). CRMLogger debugging information and messages from device/machine (On Windows only). Log for Sybase database operations Log for Database password changes Log to restore the database to factory settings Log for Daemon Manager interactions with Sybase database Database condition log
Normal top-level Windows log directory only Normal top-level Windows log directory only
syslog.log
syslog_debug.log
Database Services
Normal top-level log directories Normal top-level log directories Normal top-level log directories Normal top-level log directories
/objects/db/win32/
dbcond8.log
File dcr.log
Description Logs for Device and Credentials Administration activities Logs to detect and delete Unreachable devices Logs to import and export Device and Credentials Administration
Normal top-level log directories Device and Credentials Administration Import and Export Module Device Center Device Discovery Role Management Disk Space Monitoring Services Event Distribution Services Event Services Grouping Service Normal top-level log directories
DCRDevPoll.log dcrimpexp.log, DCRServer.log (Windows Only), daemons.log (Solaris/Soft Appliance Only) SnmpWalk* SnmpSet* CSDiscovery.log, ngdiscovery.log CSDeviceSelector.log cam.log diskWatcher.log
Normal top-level log directories Normal top-level log directories Normal top-level log directories
Log for SNMP Walk Log for SNMP Set Device discovery logs Device Selector log file Role Management log file Logs storing the disk space information Logs for Event Distribution Services activities Logs for Event Services Log for Grouping Service client Log for Grouping Service server Logs for NameServiceMonitor from JacORB package (On Windows only) Logs for various Jobs
Device Selector Normal top-level log directories /MDC/log/ Normal top-level log directories
EDS-GCF.log, EDS.log
Normal top-level log directories Normal top-level log directories Normal top-level log directories
JacORB
Job Services
Normal top-level Windows log directory only Normal top-level log directories Normal top-level log directories Normal top-level log directories
daemons.log (Solaris/Soft Appliance Only), jrm.log (Windows Only) LicenseServer.log license.log lwms.log psu.log
License Server activity Product license changes Lightweight Messaging Service activity Log for Software Center related activities
File access.log, error.log, mod_jk.log ssl.log jasper-YYYYMMDD.log, servlet-YYYYMMDD.log, stderr.log, stdout.log, changeport.log CSRegistryServer.log TomcatMonitor.log
Description Logs for Apache activity Log for Apache activity Logs for all Tomcat activities
Normal top-level log directories Logs for Common Services backend processes Normal top-level log directories Normal top-level log directories
Port change information Log for CSRegistryServer process Log for TomcatMonitor process
Table 17-1
Log File | Module | Location in Windows | Location in Solaris/Soft Appliance | Purpose
ani.log | | NMSROOT/log/ani.log | /var/adm/CSCOpx/log/ani.log | Debugs Data Collection process.
AniServer.log | ANIServer | NMSROOT/log/ANIServer.log | /var/adm/CSCOpx/log/dmgtd.log | Debugs ANIServer process
Campus.log | | NMSROOT/log/Campus.log | /var/adm/CSCOpx/log/Campus.log | Debugs Topology and Layer 2 Services module of LMS
CampusOGSServer.log | Topology and Layer 2 Services OGSServer | NMSROOT/log/CampusOGSServer.log | /var/adm/CSCOpx/log/CampusOGSServer.log | Debugs Topology and Layer 2 Services OGSServer process
CampusOGSClient.log | OGS client | NMSROOT/log/CampusOGSClient.log | /var/adm/CSCOpx/log/CampusOGSClient.log | Debugs Topology and Layer 2 Services OGSClient
campusportal.log | Portal | NMSROOT/log/campusportla.log | /var/adm/CSCOpx/log/campusportal.log | Debugs the Topology and Layer 2 Services portlets.
Cmapps.log | | NMSROOT/log/Cmapps.log | /var/adm/CSCOpx/log/Cmpapps.log | Debugs all the UI pages for User Tracking
macuhic.log | | NMSROOT/log/macuhic.log | /var/adm/CSCOpx/log/macuhic.log | Debugs MACUHIC process for Dynamic UT
ut.log | | NMSROOT/log/ut.log | /var/adm/CSCOpx/log/ut.log | Debugs the User Tracking module
utlite.log | | NMSROOT/log/utlite.log | /var/adm/CSCOpx/log/utlite.log.log | Debugs UTLite Server.
UTMajorAcquisition.log | | NMSROOT/log/UTMajorAcquisition.log | /var/adm/CSCOpx/log/dmgtd.log | Debugs UTMajorAcquisition process.
Utm.log | | NMSROOT/log/Utm.log | /var/adm/CSCOpx/log/utm.log | Debugs UTManager process of Dynamic UT
Vnmclient.log | VRF Lite UI | | /var/adm/CSCOpx/log/Vnmclient.log | Debugs VRF Lite UI
Vnmcollector.log | VRF Lite Collector | | /var/adm/CSCOpx/log/Vnmcollector.log | Debugs VRF Lite Collector process.
VNMDeviceSelector.log | VRF Lite Device selector | | /var/adm/CSCOpx/log/VNMDeviceSelector.log | Debugs the device selector provided by VRF Lite.
Vnmserver.log | VRF Lite Server | NMSROOT/log/Vnmerver.log | /var/adm/CSCOpx/log/Vnmserver.log | Debugs VRF Lite Server process
Vnmutils.log | VRF Lite UI and Server | NMSROOT/log/Vnmutils.log | /var/adm/CSCOpx/Vnmutils.log | Debugs utility classes used by VRF Lite client and server.
Note
NMSROOT is the folder where LMS is installed on the server. If you selected the default directory during installation, it is C:\Program Files\CSCOpx. On Solaris/Soft Appliance it is /opt/CSCOpx. When a log file reaches its maximum size, the module backs up the file and starts writing to a new log file. The module appends a number to the backup file, until it reaches the maximum allowed backups. In the following example, the oldest file is TISServer.log.2, and TISServer.log is the current log file.
02:42 PM 4,481,607 TISServer.log
10:22 AM 5,120,447 TISServer.log.1
03:17 AM 5,120,105 TISServer.log.2
By default, Fault Management writes error messages only to log files. You can change the logging level and thereby affect the amount of information stored in log files. To do so, see Fault Debugging Settings. If there are two instances of the DfmServer running, each will have a log file, DFM.log and DFM1.log.
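The rotation scheme described above (a current log plus numbered backups, the highest number being the oldest) can be checked mechanically when logs are collected for troubleshooting or an investigation. The following Python code is an added example, not part of the Cisco guide or of LMS; the TISServer sizes are the ones in the listing above, while every other file entry and all limit values are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches a rotated backup such as "TISServer.log.2". "DFM1.log" (the log of a
# second DfmServer instance) does not match and is treated as a current log.
BACKUP = re.compile(r"^(?P<base>.+\.log)\.(?P<index>[1-9]\d*)$")

# (file name, size in bytes). The TISServer sizes come from the listing above;
# every other entry is constructed for this example.
SAMPLE_LISTING = [
    ("TISServer.log.1", 5_120_447),
    ("TISServer.log", 4_481_607),
    ("TISServer.log.2", 5_120_105),
    ("DFM.log", 2_000_000),
    ("DFM1.log", 90_000),
    ("PTMServer.log", 3_500_000),    # far above its limit: rotation stalled
    ("PTMServer.log.1", 1_024_200),
    ("PTMServer.log.3", 1_024_050),  # backup .2 is absent
]

# current log -> (maximum size in KB, maximum number of backups).
# Constructed values; take the real ones from the tables for each module.
SAMPLE_LIMITS = {
    "TISServer.log": (5000, 2),
    "PTMServer.log": (1000, 2),
}


def rotation_chains(listing):
    """Group (name, size) pairs into {current_log: {index: size}}.

    Index 0 is the current log; index N is the backup with suffix ".N".
    """
    chains = defaultdict(dict)
    for name, size in listing:
        match = BACKUP.match(name)
        if match:
            chains[match.group("base")][int(match.group("index"))] = size
        elif name.endswith(".log"):
            chains[name][0] = size
    return dict(chains)


def read_order(base, chain):
    """File names oldest first: highest backup number down to the current log."""
    return [base if i == 0 else f"{base}.{i}" for i in sorted(chain, reverse=True)]


def audit(listing, limits, slack=1.10):
    """Return sorted (log, finding) pairs for chains that break their limits.

    slack is an assumed tolerance: a file is backed up only once it has
    reached the maximum size, so it normally ends slightly above that size.
    """
    findings = []
    for base, chain in rotation_chains(listing).items():
        if base not in limits:
            continue
        max_kb, max_backups = limits[base]
        backups = sorted(i for i in chain if i > 0)
        if 0 not in chain:
            findings.append((base, "current log missing"))
        if backups and backups[-1] > max_backups:
            findings.append((base, f"backup .{backups[-1]} exceeds limit of {max_backups}"))
        if backups:
            missing = sorted(set(range(1, backups[-1] + 1)) - set(backups))
            if missing:
                gap = ", ".join(f".{i}" for i in missing)
                findings.append((base, f"gap in chain: missing {gap}"))
        for index, size in sorted(chain.items()):
            if size > max_kb * 1024 * slack:
                name = base if index == 0 else f"{base}.{index}"
                findings.append((base, f"{name} is {size} bytes, over {max_kb} KB"))
    return sorted(findings)


if __name__ == "__main__":
    for log, chain in sorted(rotation_chains(SAMPLE_LISTING).items()):
        print(log, "->", " , ".join(read_order(log, chain)))
    for log, finding in audit(SAMPLE_LISTING, SAMPLE_LIMITS):
        print("FINDING", log, finding)
```

A gap in a chain or a backup numbered above the configured limit means the files on disk no longer match what the module would have produced by itself, which is worth explaining before the logs are relied on.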
Table 17-2 Fault Management Log Files by Module
Function/Module Alerts and Activities Display Inventory Interactor Inventory Collector Polling and Threshold Adapter Detailed Device View Daily Purging Schedule Event Processing Adapters
Folder in NMSROOT\log\dfmLogs Log Files AAD cfi cfi cfi DDV DPS epa AAD.log Interactor.log/Interactor1.log InventoryCollector.log/InventoryCollector1.log
adapterServer.log/adapterServer1.log 1000 dfmEvents.log/dfmEvents1.log EPM.log FHCollector.log FHUI.log DfmLogService.log MultiProcLogger.log licenseCheck.log nos.log DFMOGSServer.log 15000 1000 500 10000 100 5000 30000
2
Event Promulgation Module Fault History Logging Services Processes with multiple threads License (device limit) Notification Services Fault Management Object Grouping Service Server
5 2 2 5 2 2 152
Function/Module Polling and Threshold Manager Polling and Threshold Manager (database) Polling and Threshold Manager (grouping services)
Folder in NMSROOT\log\dfmLogs Log Files PTM PTM PTM PTMClient.log PTMServer.log PTMDB.log PTMOGS.log PTMPTA.log Rediscovery.log DCRAdapter.log DeviceManagement.log TISServer.log vgm.log
Maximum Size (KB) 1000 1000 1000 1000 100 1000 1000 1000 1000
Polling and Threshold Manager (Polling PTM and Threshold Adapter) Rediscovery Schedule Device and Credentials Repository Adapter Device Management Inventory Service View Group Management Rediscovery TIS TIS TIS VGM
1. The DFMOGSServer.log file is not stored in NMSROOT/log/dfmLogs with the other Fault Management log files. It is stored in NMSROOT/log on Windows, and /var/adm/CSCOpx/log on Solaris/Soft Appliance.
2. On Windows, there is no limit setting for the log size or number of backup log files for DFMOGSServer.log.
Table 17-3
Function/Module Inventory
On Windows: $NMSROOT\log\, where $NMSROOT is the Cisco Prime LMS installation directory. On Solaris/Soft Appliance: /var/adm/CSCOpx/log/
When a log file reaches its maximum file size of 10000 KB, the module backs up the file and starts writing to a new log file. The maximum number of backup log files stored for each application is two.
Step 1
Select Admin > System > Debug Settings > Performance Debugging Settings.
Step 2
Select Log Level Settings. The Set Application Logging Levels dialog box appears.
Step 3
Select the application module from the drop-down list. The sub-modules for the selected application module appear in the Module field.
Step 4
Select an appropriate log level from the Logging Level drop-down list. Changes to Device Performance Management modules are logged with appropriate log level message. The logging levels are:
The logging level is set as Info, by default.
Table 17-4 describes the fields in the Set Application Logging Levels dialog box and also provides information on the files to which these logs are stored.
Table 17-4 Set Application Logging Levels Fields
Sub-module Poller Management Template Management Threshold Setup TrendWatch Setup Report Management Report Job Browser Admin Pages Trap Group Management Syslog Group Management Live Graph LMS Portlets Device Center
Description Set logging level for the entire system Set logging level for Device Performance Management User Interface modules
Sub-module Polling Engine Instance Querying Threshold Monitor Device Access Layer Device Management UPMProcess PollerUPMProcess TemplateUPMProcess ThresholdUPMProcess IfAdmin Status
Description Set logging level for Device Performance Management (UPMProcess) modules
UPMProcess.log upm_process.log
IfAdminStatus.log Set logging level for Device Performance Management For example, HumReportJob_1003_479.log Job modules upm_summarizer.log upm_purge.log HumReportJob_<JobId>_<InstanceId>.log For example, HumReportJob_1003_479.log upm_ctm.log Set logging level for UPMCTMOperations modules HumReportJob_<JobId>_<InstanceId>.log
JOBS
UPMCTMOperations
Step 5
Click Apply to set the logging level or Reset to apply the default logging level. A message appears confirming that the logging levels are successfully updated.
Windows: NMSROOT\log, where NMSROOT is the Cisco Prime installation directory. Solaris/Soft Appliance: /var/adm/CSCOpx/log.
Step 1
Select Admin > System > Debug Settings > IPSLA Debugging Settings. The Log Level Settings page appears.
Step 2
Select either All or Module Level from the Application drop-down list.
Step 3
Select the appropriate log level from the Logging Level drop-down list. For more information, see Table 17-5.
Step 4
Click Apply to set the log levels. A message appears that the log levels have been successfully updated. To clear the settings, click Cancel.
Step 5
Click OK.
Table 17-5 IPSLA Log Level Settings
Module | Set Application Logging Levels: All, Module Level
Logging Level | Select one of the following logging levels from the drop-down list: FATAL, ERROR, WARN, INFO, DEBUG
Table 17-6 lists the IPSLA Performance Management modules and the corresponding log file details.
Table 17-6 Modules and Log File Names
Modules in IPSLA Performance Management | Log File Names
IPMCLI | ipmcli.log
IPMServer | ipmserver.log
IPMClient | ipmclient.log
IPMJob | jobid.log, jobid.subjobid.log
IPM OGS | collectorGroup.log, IPMOGSClient.log, IPMOGSServer.log
IPM CTM Operations | ipm_ctm.log
IPMPortal | ipmportal.log
IPMPoller | ipmpoller.log
IPMBase | ipm_base.log
IPM TS | TS_IPSLA.log
On Windows: NMSROOT/log, where NMSROOT is the Cisco Prime installation directory. On Solaris/Soft Appliance: /var/adm/CSCOpx/log
Step 1
Select Admin > System > Debug Settings > Config and Image Management Debugging settings. The Set Application Logging Levels dialog box appears.
Step 2
Select the Application from the drop-down list.
Step 3
Select the appropriate log level from the Logging Level drop-down list. The fields in the Set Application Logging Levels dialog box are:
Module
Description Changes the logging level for the entire system. Changes the logging level for Archive Management. Changes the logging level for Bug Toolkit. Changes the logging level for Change Audit. Changes the logging level for Change Audit UI. Changes the logging level for CLI Framework. Changes the logging level for Config CLI. Changes the logging level for NetConfig CLI. Changes the logging level for Config Editor. Changes the logging level for Configuration Jobs. Changes the logging level for Configuration Job Browser. This log file is used for config purge jobs
Bug Toolkit
ChangeAudit
Change Audit
ChangeAudit.log
Change Audit User ChangeAuditUI.log Interface cli.log ConfigCLI.log netcfgcli.log CfgEdit.log logs under %NMSROOT%\files\rme\jobs\Net ConfigJob cjp.log
CLIFramework ConfigCLI
CLI Framework
ConfigEditor ConfigJob
ConfigJobManager
Description Changes the logging level for Contract Connections Changes the logging level for CTM JRM Server. Changes the logging level for Common reporting Infrastructure.
DeviceManagement
Device Management User Interface Check Device Attributes User Interface Device Credential Verification Jobs Device Management Operations
Changes the logging level for Device Management. Changes the logging level for Check Device Attributes User Interface Changes the logging level for Device Credential Verification jobs. Changes the logging level for Device Management Operations. Changes the logging level for Device Selector. Changes the logging level for the IC Server. Changes the logging level for Inventory Collection User Interface.
cda.log
DeviceSelector ICServer
Device Selector
Inventory Collection Service Inventory Collection User Interface Inventory Collection Jobs
Changes the logging level for Creates job logs under %NMSROOT%\files\rme\jobs\ICSe Inventory Collection jobs. rver Changes the logging level for the Installation modules.
Install
Restore Config and CCRImport.log Image Management CCR Config and Image Management PSU Adapter Migration
InventoryPoller
Inventory Poller
Creates job logs under Changes the logging level for %NMSROOT%\files\rme\jobs\InvP Inventory Poller. oller invreports.log MakerChecker.log Changes the logging level for Inventory Reports. Changes the logging level for the Job Approval module.
InvReports MakerChecker
Application NetConfig
Log File Names netconfigclient.log rmeextnserver.log Tracks the backend functionalities when VRF Lite or IPSLA Performance Management invokes the extension API.
NetShow Portlets
NetShow Client Config and Image Management Portlets Common Config and Image Management Functions Config and Image Management CSTM Server
NetShowClient.log RMEPortlets.log
Changes the logging level for NetShow client. Changes the logging level for Inventory, Config & Image Management Portlets. Changes the logging level for the common Inventory, Config & Image Management functions such as, Job Management tasks, purge tasks, etc. Changes the logging level for CSTM Server. Changes the logging level for the user interface of Software Management and the Software Management job creation workflows. Changes the logging level for Software Management jobs. Changes the logging level for Syslog Analyzer.
RMECommon
rme.log
RMECSTMServer
rme_ctm.log
SoftwareMgmt
swim_debug.log
SyslogAnalyzer
SyslogAnalyzerUI.log VirtualSwitchClient.log
Changes the logging level for Syslog Analyzer User Interface. Changes the logging level for Virtual Switching System.
VirtualSwitch
Application EnergyWise
Module
Description Changes the logging level for the user interface of EnergyWise Log for provisioning EnergyWise Device and EndPoints. Log for EnergyWise Monitoring jobs. Log for EnergyWise Device Endpoint, and Domain collection. Log for EnergyWise Policy Compliance check. Log for EnergyWise Data Purge Settings Log for applying EnergyWise to Endpoints.
EnergyWise Device EnergyWiseCollection.log Endpoint, and EnergyWiseNative.log Domain collection EnergyWise Policy Compliance EnergyWise Data Purge Settings Applying EnergyWise Policies to Endpoints EnergyWiseComplianceCheck.log EnergyWiseNativeCompliance.log EnergyWise_Purge.log EnergyWiseNativePolicy.log
To track the port and module group backend evaluation exceptions and changes, the following logs are maintained:
PMCOGSServer.log
PMCOGSClient.log
Step 4
Click Reset to apply the default logging levels.
Step 5
Click Apply after you set the log levels. A message appears that the log levels have been successfully updated.
Configuring Logging
You can enable the debugging option for LMS components without restarting the services. When you enable the debugging option for the selected component, the log level in the respective properties file is changed to DEBUG and the debug messages are recorded in the corresponding log files.
You can only enable or disable the debugging option. You cannot set a different log level such as INFO, WARNING, FATAL or ERROR.
To debug Faults, see Fault Debugging Settings.
To enable the debugging option for the Common Services components:
Step 1
Select Admin > System > Debug Settings > Common Services Log Configurations. The CS Log Configurations dialog box displays the following details:
Item | Description
Component | List of components for which you can enable or disable the debug option
Log File(s) Location | Directory of the log files for the selected application
Description | Brief description about the selected application
Debug Mode | Option to enable or disable the debug mode
Step 2
Select the component from the Component drop-down list box. You can select to enable the debugging option for the available Common Services components. The available components include:
CS Device Groups CS Device Selector CS Home CS Portlets This component is listed in the drop-down list box only when you have installed the LMS Portal application in LMS Server.
Core Admin Module DCR Bulk Import and Export Device Center Device and Credentials Repository Home Page Admin Licensing LMS Setup Center Getting Started This component is listed in the drop-down list box only if LMS Setup Center is installed in LMS Server.
Step 3
Select the Enable option to enable debugging for the selected application. By default, the Debug Mode is set to disabled.
Note
You can only choose the enable or disable option. You cannot change the log levels to some other value.
Step 4
Click Apply to save the changes. The changes will come into effect after 60 seconds. You can enable the debugging option for only one component at a time.
To disable the debug mode for all the Common Services components:
Step 1
Select Admin > System > Debug Settings > Common Services Log Configurations. The CS Log Configurations dialog box appears.
Step 2
Click Reset All to disable the debug mode for all the Common Services components. The log levels are restored to what they were before the debugging option was enabled.
Collect more data when needed by increasing the logging level
Return to the default logging level as the norm
This task can be performed by a user logged in to Fault Management in any of the following roles:
System Administrator
Network Administrator
Network Operator
You can also enable debug of the Incharge engine, and execute Incharge Commands. See Enable Incharge Debugging for more information.
To set the Fault Management debug settings:
Step 1
Select Admin > System > Debug Settings > Fault Debugging Settings. The Fault Debugging Settings page is displayed.
Note
You cannot disable logging. Fault Management will always write error and fatal messages to application log files. For each Fault Management functional module, the Error check box is always selected; you cannot deselect it.
Step 2
For each module that you want to change, select one (or deselect all) of the following logging levels:
Warning: Log error messages and warning messages
Informational: Log error, warning, and informational messages
Debug: Log error, warning, informational, and debug messages
Note Step 2
Deselecting all check boxes for a module returns it to Error, the default logging level.
Review your changes. To cancel your changes, click the Cancel button. Otherwise, click the Apply button. When you click Apply it starts to reset the changed logging levels for the Fault Management functional modules.
To do this:
Step 1
Click the Enable Incharge Debugging, and execute Incharge Commands link in the Fault Debugging Settings page. The Incharge Command Execution page appears.
Step 2
Select the Enable Incharge Debugging check box to enable Incharge logs for the Fault Management module in LMS. The logs are available at:
On Windows:
NMSROOT\objects\smarts\local\logs\DFM.log
NMSROOT\objects\smarts\local\logs\DFM1.log
On Solaris/Soft Appliance:
/opt/CSCOpx/objects/smarts/local/logs/DFM.log
/opt/CSCOpx/objects/smarts/local/logs/DFM1.log
Step 3
You can execute any Incharge command in the Command text box, click Run and view the results in the Result column. Some sample commands that you can execute are:
Data Collection (see Setting up Debugging Options for Data Collection)
Configuration and Reports (see Setting up Debugging Options for Network Reports)
Device Groups (see Setting Debugging Options for Device Groups)
Topology (see Setting Debugging Options for Topology)
User Tracking Server (see Debugging Options for User Tracking Server)
Dynamic User Tracking (see Debugging Dynamic Updates)
User Tracking Reports (see Debugging Options for User Tracking Reports)
Dynamic User Tracking Console (see Debugging Options for Dynamic User Tracking Console)
CiscoView (see Debugging Options for CiscoView)
Step 1
Select Admin > System > Debug Settings > Data Collection. The Debugging Options dialog box appears.
Step 2
Modify the debugging options as specified in Table 17-7.
Table 17-7 Data Collection Debugging Options for Data Collection
Description: Select this option to enable logging for Data Collection.
Usage Notes: You can select the modules for debugging only if you select this option.
Description: Specify the modules on which you need to enable debugging.
Usage Notes: Click Select to view the available modules and select the modules in which you want to enable debug. For details on Debug modules, see Selecting Data Collection Debug Modules
Description: Name of the log file in which the trace messages are to be recorded.
Usage Notes: The default log file is NMSROOT\log\ani.log
Description: Maximum size of the log file in lines
Usage Notes: None
Description: IP Addresses (IPv4 or IPv6 Addresses) of devices for which you need to log debugging messages. You can enter multiple IP addresses, separated by commas.
Usage Notes: This field is enabled only when the Device Level Debugging option is enabled.
Step 3
Click Apply.
Module: framework
Description: Constructs and maintains data in the memory. Provides framework for LMS features. Enable debugging for this module only when requested by TAC. This is because enabling debugging for this module creates huge logs.
Module: topo
Description: Provides network topology computation and layouts. Enable debugging for this module if you have problems with Topology computation of devices.
Module: vlad
Description:
Discovers VTP domains, VLANs, port-in-VLAN configurations
Performs VLAN configuration tasks
Determines Spanning Tree state
Enable debugging for this module if you have problems with VTP, VLAN reports, and configuration.
Module: ccm
Description: Discovers Cisco CallManager (CCM). Enable debugging for this module if you encounter issues with data collected for CCM.
Module: vmpsadmin
Description:
Discovers end-user hosts on the network
Records end-user host information in the ANI database
Manages requests for scheduling user and host discoveries, ping sweeps, database queries, and updates to user and notes information
Enable debugging for this module if you have problems with User Tracking.
Module: dcrp
Description: Provides computation of network discrepancies. Enable debugging for this module if you have problems in Discrepancy reports.
Module: status
Description: Enables status polling on previously discovered devices. Enable debugging for this module if you have problems with device and link status polling.
Module: apps
Description: Discovers application hosts such as MCS. Enable debugging for this module if you encounter issues with data collected on application hosts.
Module: stp
Description: Discovers all STP related information from the network. Enable debugging for this module if you have problems with STP reports and configuration.
Table 17-8
Module: stpeng
Description:
Performs STP configuration tasks
Provides basic STP analysis for migration from one STP type to another
Enable debugging for this module if you have problems with STP reports and configuration.
Module: devices
Description: Provides specific information, if any, available for device categories. Enable debugging for this module if you have problems specific to a particular device type.
Click OK to save the selected modules or click Cancel to exit.
Step 1
Select Admin > System > Debug Settings > Layer2 Configuration and Reports. The debugging page appears.
Step 2
Select the level of debugging. It can be any one of the following:
INFO: Only informational messages are recorded in the log file.
DEBUG: All messages related to Configuration and Reports are recorded in the log file.
FATAL: Messages related to fatal errors are recorded in the log file. This is the default option.
The Log File Name field specifies the location and name of the log file. The default log file is NMSROOT\log\Campus.log
Step 3
Click Apply.
Step 1
Select Admin > System Administration > Debug Settings > Device Groups. The debugging page appears.
Step 2
Select the level of debugging. It can be any one of the following:
INFO: Only informational messages are recorded in the log file. This is the default option.
DEBUG: All client side messages are recorded in the log file.
FATAL: Messages related to fatal errors are recorded in the log file.
The Log File Name field specifies the location and name of the log file. The default log file is NMSROOT\log\CampusDeviceSelector.log
Step 3
Click Apply.
Step 1
Select Start > Settings > Control Panel > Java.
Step 2
Select the Advanced tab. The corresponding tree structure is displayed.
Step 3
Go to the tree and select Java Console > Show Console.
Step 4
Click Apply and then OK. The Java console is displayed when you launch Topology Services.
Note
In case you close the Java Console, to reopen it, close the Topology window and relaunch it.
To enable debugging:
Step 1
Select Admin > System > Debug Settings > Topology. The debugging page appears.
Step 2
Select the level of debugging. It can be any one of the following:
TRACE: Only informational messages are displayed in the Java Console.
DEBUG: All Topology Services client side messages are displayed in the Java Console.
ERROR: Messages related to all errors are displayed in the Java Console. This is the default option.
Step 3
Click Apply.
Close the Topology Services window. Change the settings in the LMS Administration page. Re-launch Topology services.
Select Admin > System > Debug Settings > User Tracking Server. The debugging page appears. See Table 17-9 for a description of the fields:
Table 17-9 User Tracking Server Side Debugging Options
Description: Check this option to enable logging for User Tracking Server side activities.
Usage Notes: You can select the modules for debugging only after you select this option.
Modules
Description: Specify the modules on which you need to enable debugging.
Usage Notes: Click Select to view the available modules and select the modules in which debug is to be enabled. Table 17-8 lists the debug modules available for User Tracking Server.
File Name
Description: Name of the log file in which the trace messages are to be recorded.
Usage Notes: The default log file is NMSROOT\log\ut.log
Description: Maximum size of the file in lines
Description: IP addresses of devices for which you need to log debugging messages. You can enter multiple IP addresses, separated by commas.
Usage Notes: This field is enabled only when the Device Level Debugging option is enabled.
Step 2
Click Apply.
Description Provides user tracking functionality. Enable debugging for this if user tracking fails to discover end hosts as expected.
Constructs and maintains data in the memory. Provides framework for LMS features.
Enable debugging for this module only when requested by TAC. This is because enabling debugging for this module creates huge logs.
devices
Provides specific information, if any, available for device categories. Enable debugging for this module if you encounter issues specific to a particular device type.
Click OK to save the selected modules or click Cancel to exit.
Step 1
Select Admin > System > Debug Settings > Dynamic User Tracking. The debugging page appears.
Step 2
Check Enable Debug to set the options.
Step 3
Select the Service Name from the drop down list in the Service Name field. The framework modules appear in the Module Name column. The framework modules depend on the service that you select.
Step 4
Select the debug level for each module. The debug level options are INFO, DEBUG, and TRACE. INFO logs minimum information required for debugging and is the default option. DEBUG is the next level of debugging. TRACE provides complete debugging information and creates huge logs.
Step 5
Enter the filename for the log file in the Log Filename field.
The default log file for UT LITE is NMSROOT\log\utlite.log
The default log file for MACUHIC is NMSROOT\log\macuhic.log
The default log file for UTManager is NMSROOT\log\utm.log
The default value for Log file size is 1,000,000 lines. You can enter values between 1 and 2,147,483,647. Entering zero, negative values, or alphabetic characters results in errors.
Step 6
Dynamic User Tracking modules available for debugging are explained in Table 17-11:
Note
Enabling debugging for these modules creates huge logs, which interferes with the Trap processing capability of LMS. We recommend that you enable debugging for this module only when requested by TAC.
Table 17-11 Dynamic User Tracking Debug Modules
For example: If you changed the log file from X to Y, but logging still happens in X , enable debugging for this module. listener execution framework execution Listens to data sent by the UTLite script installed in the Windows or Novell server. Checks for the integrity of the data received. Handles code level execution of the data received. Enable debugging for this module to debug Java related errors. Processes and validates the data received. UTLite receives MACAddress, IPAddress and User logged in for the end host. This information is updated to the database only if the endhost has been discovered in last UT Major Acquisition cycle or through Dynamic User Tracking.
Listens to SNMP traps sent by devices. Checks for the integrity of the data received. Handles code level execution of data received by MACUHIC. Enable debugging for this module to debug Java related errors. Validates the traps sent by devices by checking whether:
The trap is sent by a device managed by LMS.
The SNMP version is correct
The data received is duplicate data
If the data is sent by a Link port or Access port.
execution
Checks whether:
Dynamic UT does not process traps sent from link ports. Updates the database with information received and forwards it to UTManager for further processing. UTManager control plane Handles configuration events related to:
Listens to data sent by UTLite and MACUHIC. Checks for the integrity of the data received. Handles code level execution of data received by UTManager. Enable debugging for this module to debug Java related errors. Validates the data received from UTLite, MACUHIC, SNMP data from DHCP Snooping MIB and the other data sent by external systems. Processes the data received and updates the database. Handles queries sent to External Systems. Handles SNMP queries sent to External Systems. Performs subnet calculation based on the information sent by External Systems. Handles database operations.
Step 1
Select Admin > System > Debug Settings > User Tracking Reports. The debugging page appears.
Step 2
Select the level of debugging. It can be any one of the following:
INFO: Only informational messages are recorded in the log file. This is the default option.
FATAL: Messages related to fatal errors are recorded in the log file.
DEBUG: All User Tracking client side messages are recorded in the log file.
The Log File Name field specifies the location and name of the log file. The default log file is NMSROOT\log\Cmapps.log
Step 3
Click Apply. Debugging is enabled for UT client side activities and the messages are recorded in the corresponding log file.
Each process monitors different error conditions using circular buffers in the memory. For each error condition, the buffer will have the count of error occurrences and the conditions under which the error occurred. You can write this information from the memory to a file if you need to, and troubleshoot based on that. To enable Dynamic User Tracking Console:
Step 1
Select Admin > System > Debug Settings > Dynamic User Tracking Console. The debugging page appears. Select the Service name from one of the following:
Step 2
The error conditions related to that process are listed under the Error Details section.
Step 3
Select the error condition for which you need details and click Generate. A new file is generated with all the error details and stored in the LMS server. It is also listed under the File list pane.
Step 4
Click View to see the file contents. Click Download to save the file in your local machine. Click Delete to delete the file from the server. You can delete multiple files at the same time.
Step 1
Select Inventory > Tools > CiscoView.
Step 2
Select a device from the device selector, and select Administration > Debug Options And Display Log. The Trace Settings dialog box appears.
Step 3
SNMP Trace: Displays SNMP request and response pairs, MIB instance ID, data value, data type, request method, and time stamp.
Activity Trace: Displays server activity such as which device and dialog boxes are open.
Step 4
VRF Lite Server (see VRF Lite Server Debugging Settings)
VRF Lite Collector (see VRF Lite Collector Debugging Settings)
VRF Lite Client (see VRF Lite Client Debugging Settings)
VRF Lite Utility (see VRF Lite Utility Debugging Settings)
You can click Reset All on the Debugging Settings page to reset the debug levels of functions listed.
Step 1
Select Admin > System > Debug Settings > VRF Lite Server Debugging. The VRF Lite Server Debugging dialog box appears.
The default location of the log file for VRF Lite Server Debugging Settings is NMSROOT\log\Vnmserver.log. The debug levels in the VRF Lite Server Debugging Settings dialog box are described in Table 17-12.
Table 17-12 Settings in VRF Lite Server Debugging
Field
Debug Level
Description Only informational messages are recorded in the log file. All messages related to VRF Lite Server are recorded in the log file. Error is the default logging level. Messages related to fatal errors are recorded in the log file. This is the default option. Click Reset to reset the debug levels applied to VRF Lite Server, to default value.
Step 2
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Server.
Step 1
Select Admin > System > Debug Settings > VRF Lite Collector Debugging. The VRF Lite Collector Debugging Settings dialog box appears.
The default location of the log file for VRF Lite Collector Debugging Settings is NMSROOT\log\Vnmcollector.log. The debug levels in the VRF Lite Collector Debugging Settings dialog box are described in Table 17-13:
Table 17-13 Settings in VRF Lite Collector Debugging
Field
Debug Level
Description Only informational messages are recorded in the log file. All messages related to VRF Lite Collector are recorded in the log file. Error is the default logging level. Messages related to fatal errors are recorded in the log file. Click Reset to reset the debug levels applied to VRF Lite Collector, to default value.
Step 2
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Collector.
Step 1
Select Admin > System > Debug Settings > VRF Lite Client Debugging. The VRF Lite Client Debugging Settings dialog box appears.
The default location of the log file for VRF Lite Client Debugging Settings is NMSROOT\log\Vnmclient.log. The debug levels in the VRF Lite Client Debugging Settings dialog box are described in Table 17-14:
Table 17-14 Settings in VRF Lite Client Debugging
Field
Debug Level
Description Only informational messages are recorded in the log file. All messages related to VRF Lite Client are recorded in the log file. Error is the default logging level. Messages related to fatal errors are recorded in the log file. This is the default option. Click Reset to reset the debug levels applied to VRF Lite Client, to default value.
Step 2
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Client.
Step 1
Select Admin > System > Debug Settings > VRF Lite Utility Debugging. The VRF Lite Utility Debugging Settings dialog box appears.
The default location of the log file for VRF Lite Client Debugging Settings is NMSROOT\log\Vnmutility.log. The debug levels in the VRF Lite Utility Debugging Settings dialog box are described in Table 17-15:
Table 17-15 Settings in VRF Lite Utility Debugging
Field
Debug Level
INFO
Description
All messages related to VRF Lite Utility are recorded in the log file.
Error is the default logging level.
Messages related to fatal errors are recorded in the log file. This is the default option.
Click Reset to reset the debug levels applied to VRF Lite Utility to the default value.
Step 2
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Utility.
CHAPTER 18
Understanding Admin Tasks
Understanding Report Tasks
Understanding Configuration Tasks
Understanding Monitor Tasks
Understanding Inventory Tasks
Understanding Work Center Tasks
Note
You should enable the Browse Jobs task to schedule any job across LMS.
Understanding System Tasks
Understanding Trust Management Tasks
Understanding Network Tasks
Understanding Collection Tasks
Light Weight Messaging System
Jobs
Getting Started
Manage Portal
Log Rotation
Cisco.com Settings
Licensing
Software Center
Debug Settings
System Preferences/Device Management Functions
User Management
Server Monitoring
DBReader Access
Group Management
Authentication Mode Setup
Backup
SMTP Default Server
Log Rotation
You can configure log rotation settings and schedule log rotation jobs.
Cisco.com Settings
Proxy Server Setup
You can update the proxy server configuration.
Apply Proxy Server Settings:
You can remove the proxy server settings that are already set up.
Cisco.com User Account Setup
You can add and modify Cisco.com user login names and password.
Licensing
Software Center
Schedule Device Downloads
You can schedule device package downloads and specify the time, frequency of the downloads, and specify download policies if you have permissions.
Device Update
You can view a list of all Cisco Prime related device packages on your system, and the count of devices supported. The source location could be Cisco.com or the Server Side Directory.
Check For Updates
Layer2 Configuration/Reports and User Tracking Debug Options
You can configure the debug options for Layer2 Configuration and Reports and User Tracking.
Config and Image Management debugging settings
Loglevel Settings - Defaults/Apply
You can set different logging levels such as Fatal, Error, Warn, Info, or Debug for individual Config and Image Management packages.
IPSLA Debugging Settings
You can view, set or reset the log levels for all the modules of IPSLA Performance Management.
VRF Lite Debug Settings
You can set debugging options for:
VRF Lite Server
VRF Lite Collector
VRF Lite Client
VRF Lite Utility
Common Services Log Configurations
You can enable or disable the debugging option for Common Services components without restarting the services.
Fault Debugging Settings
You can change the logging level of all the functional modules of Fault Management.
Performance Debugging Settings
You can configure and manage log level settings of Device Performance Management function of LMS.
You can configure system-wide information on the LMS Server. You can also enable or disable LMS functions like:
Inventory, Config and Image Management
Network Topology, Layer 2 Services and User Tracking
Fault Management
IPSLA Performance Management
Device Performance Management
User Management
You can modify a local user in LMS Server, assign roles, and specify the authorization type.
Delete User
You can delete a local user profile from the LMS Server.
Modify My Profile
You can import local users from the client or from ACS. You can import local users from ACS only through CLI and not from the UI. You can export the local users.
Notify Users
You can broadcast messages to online users.
Local User Policy Setup
You can set up username and password policies for Cisco Prime local users in LMS.
Role Management Setup
The Role Management tasks are listed below:
Delete Role
You can import roles in the XML format from the client. You can export roles in the XML format. The file will be saved in the client.
Copy Role
You can set a role as a default role. When multiple roles are set as default role, the user will be assigned with all the roles selected as default roles.
Server Monitoring
Process
Start Processes
You can get the required information about the server. This includes system information, environment, configuration, logs, web server information, device and credentials administration information, and grouping services information.
Delete Collect Server Information
Selftest
You can view self test reports to test some basic functions of the server.
Create Self test
You can run the DBReader utility from a Cisco Prime client to access the database and troubleshoot database issues.
Group Management
The Groups feature helps you to group devices managed by LMS. It helps to create, manage and share groups of devices. This section explains the following Group Management task groups:
Device Groups
Delete Group
You can delete a group from the Group Selector. When you delete a group, all the child groups under the group are also deleted. You can also delete the stale groups (groups that belong to users removed from Cisco Prime).
Edit Group
You can export a selected group or all user-defined groups from all applications, to an output file.
Group Refresh
You can recompute the membership of a group by re-evaluating the group's rule. The membership of Automatic groups is recomputed dynamically.
Create Group
You can import user-defined device groups from an input XML file.
Group Details
You can use your current authentication database for Cisco Prime authentication and select a login module (Kerberos, TACACS+, RADIUS, and others), and set their options.
Backup
Allows you to backup the database regularly. It also lets you schedule immediate, daily, weekly, or monthly automatic database backups.
Multi Server
Peer Server Certificate Setup
You can add the certificate of another LMS Server into its trusted store. This allows LMS Servers to communicate with one another using SSL.
Delete Peer Certificate
You can add the certificate of a peer LMS Server into its trusted store.
System Identity Setup
You can set up a System Identity user on servers that are part of a multi-server setup. This user enables communication among servers that are part of a domain.
Peer Server Account Setup
You can create users who can log into LMS Servers and perform certain tasks.
Peer Server Accounts Delete
You can add a secret user who can programmatically log in to multiple LMS Servers and perform certain tasks.
Peer Server Accounts Edit
Single Sign-On Setup
You can use your browser session to transparently navigate to multiple LMS Servers without authenticating to each server.
Local Server
Certificate Setup
You can create a self-signed certificate from the user interface.
Browser-Server Security Mode Setup
You can enable browser-server security.
Best Practices Deviation Settings
Monitor/ Troubleshoot
Notification and Action Settings
PSIRT/EOS and EOL Settings
Discovery Settings
Purge Settings
Software Image Management
Configuration Job Settings
Device Credential Settings
Change Audit Settings
Resource Browser
You can customize the Discrepancies Report and Best Practices Deviations Report to display only those discrepancies and Best Practice Deviations about which you want to be notified.
Monitor/ Troubleshoot
NAM Configuration
You can view, add, edit, or delete the NAM configuration details.
Load MIB
You can load a MIB file.
RMON Configuration
You can enable RMON on all ports in selected devices.
Fault Poller settings for topology
You can configure fault poller settings for Topology.
This section explains the following Notification and Action Settings tasks:
Performance - Syslog notification
You can update, create, edit, or delete a syslog receiver group.
IPSLA Syslog Configuration
You can view, enable or disable IPSLA syslog configuration.
Performance - SNMP Trap notification
You can create, edit, or delete a trap receiver group.
Fault Syslog Notification
You can add, edit, suspend, resume, or delete a syslog notification subscription.
Fault - SNMP trap notification
You can add, edit, suspend, resume, or delete an SNMP trap notification subscription.
ChangeAudit Automated Actions
You can define automated actions on creation of change audit record. You can create, edit, delete, enable, disable, export, or import an automated action.
Event Sets
You can configure a set of events that you want to monitor.
Fault - SNMP trap forwarding
You can forward SNMP traps from devices in the LMS inventory.
Fault - SNMP trap receiving settings
You can update SNMP trap receiving port.
Fault - Email notification
You can add, edit, suspend, or resume a subscription for e-mail notification. You can also delete e-mail notification subscriptions that are no longer useful or are redundant.
Syslog Message Filters
You can create, edit, delete, enable, disable, export, or import syslog message filter.
Fault Notification Customization
You can customize names and event severity.
Fault - Email subject customization
You can customize the e-mail subject for forwarded events.
Inventory and Config collection failure notification
You can configure the destination server and port to receive trap notification on inventory collection or config fetch failure.
Syslog Automated Actions
You can create, edit, delete, enable, disable, export, or import a syslog automated action.
Fault Notification Group
You can add, edit, or delete fault notification groups.
This section explains the following PSIRT/EOS and EOL Settings task:
PSIRT/EOX reports option
You can use the PSIRT/EOX Reports option to change the data source for generating a PSIRT or End-of-Sale or End-of-Life report.
Discovery Settings
Purge Settings
Config Job purge settings
You can configure the following config job settings:
Job Purge - Schedule/Enable/Disable/Purge Now
You can schedule, enable, or disable purging of configuration management jobs. You can also immediately purge the jobs.
Job Purge
Syslog Backup Settings
You can set the syslog backup policy.
IPSLA data Purge Settings
You can set the purge period for IPSLA historical data and for audit reports. You can configure the following IPSLA data Purge settings:
Apply IPSLA Purge Settings
Syslog Force Purge
You can perform a forced purge of syslog messages.
Performance Job Purge Settings
You can configure the following performance Job purge settings:
Do Immediate Job Purge
Fault History Purging Schedule
Configure the daily fault history purging schedule.
VRF Lite Purge Settings
You can purge VRF Lite jobs or report archives.
ChangeAudit Force Purge
You can perform a forced purge of change audit.
Config Archive Purge Settings
You can define the configuration archive purge policy.
ChangeAudit Purge Policy
You can set the change audit purge policy.
Performance data purge settings
You can configure the following performance data purge settings:
Do Immediate Data Purge
Syslog Purge Settings
You can specify a default policy for the periodic purging of syslog messages.
Layer2 Services and User Tracking Report Purge
You can purge Layer2 services jobs or report archives.
Assign Approver Lists
You can assign an approver list to the applications.
Create/Edit Approver Lists
You can create, edit, or delete approver lists.
Approver Details
You can specify approver details.
Approval Policies
You can set up job approval for the applications.
Config Job Policies
You can define the default job policies for configuration management applications.
User Defined Fields
You can add, rename, or delete the user-defined fields used to store additional information about a device.
Register/Unregister 3rd Party Application in DCR
You can add a User Defined Field to store the additional information about a device.
Rename User Defined Fields in DCR
Mode Settings
You can change DCR mode settings to master, slave or standalone.
Verification Settings
You can select the credentials that need to be verified while adding devices.
Inventory Change Filter
You can set inventory change filters.
Exception Period
You can specify the time when no network changes should occur.
Resource Browser
Browse Resources
You can view the details of resources and manage resources.
Free Resources
You can free-up locked resources.
Inventory Collection Settings
Config Collection Settings
Data Collection Settings
Syslog Collection Settings
Performance Collection Settings
User Tracking Collection Settings
Fault Collection Settings
VRF Lite Collection Settings
You can set the default values for inventory, config timeout, and retry settings. This section explains the following Inventory Collection Settings tasks:
Inventory Jobs
You can view the Inventory job browser, and view, create, stop, delete, or edit an inventory collection or polling job.
Inventory, Config Timeout and Retry Settings
You can edit the inventory, config timeout, and retry settings.
Config Archive settings
You can configure the Config Archive settings. You can move the configuration archive location, archive the running configuration, or enable or disable the use of shadow directory.
Config Collection Settings
You can define the configuration collection setting. You can modify how and when the configuration archive retrieves configurations.
Secondary Credentials Settings
You can enable or disable the secondary credentials fallback.
Config Transport Settings
You can view or define the protocol order for configuration management applications.
Config Job Timeout Settings
You can configure the Job Result Wait Time per device for the Sync Archive jobs.
Data Collection schedule
You can schedule the day and time of Data Collection.
Start Data Collection
You can start Data Collection.
Layer2 Administration Settings
You can configure Layer2 administration settings.
Subscribe/Unsubscribe Collector
You can subscribe to or unsubscribe from a Common Syslog Collector.
Collector Status/Update
You can view the status of the Common Syslog Collector to which the Syslog Analyzer is subscribed.
IPSLA application settings
You can configure the following IPSLA application settings:
Copy IPSLA Configuration to Running-config
You can view the configured collectors in the running configuration. You can also retain the default settings.
Set a source interface address
You can set a source interface address for the source router. You can also retain the default settings.
Performance Management SNMP timeouts and retry settings
You can configure the Performance Management SNMP timeout and SNMP retries. You can also configure other Poll Settings.
User Tracking device trap configuration
You can configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a host is connected to or disconnected from that port.
User Tracking Acquisition Action
You can trigger the following acquisitions:
Device based Acquisition
Subnet based Acquisition
IP Phone Acquisition
User Tracking trap listener configuration
You can configure the trap listener to direct the traps through HP Open View (HPOV) or LMS Fault Monitor.
User Tracking Acquisition Settings
You can configure User Tracking Acquisition settings to collect usernames during UT Major Acquisition and update the UT table.
User Tracking Acquisition Schedule
You can modify UT acquisition schedule.
User Tracking Administration Settings
You can configure the various User Tracking administration settings.
Fault Management Rediscovery Schedule
You can suspend, or resume the Fault Management rediscovery schedule, and add, modify, or delete additional schedules.
Fault Monitoring Device Administration
You can rediscover specific devices.
Fault Management SNMP timeouts and retries
You can modify the Fault Management SNMP timeout and retries.
Collection Summary Portlet
You can view the report of successful and failed devices for fault discovery in this portlet.
Fault Event Forensics Configuration
You can enable the Event Forensics collection feature on LMS server to start collecting the event forensics data.
VRF Lite SNMP Timeouts and Retries
You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular device with SNMP timeout exceptions.
VRF Lite Collector Schedule
You can schedule the VRF Lite Collector process to run after every Data Collection. You can also add, edit and delete VRF Lite Collector Schedule jobs.
The Light Weight Messaging system allows you to perform the following task:
Event Listener
You can use this tool to send and receive events.
Jobs
Browse Jobs
You can use the job browser and view the details of individual jobs.
Note
You should enable the Browse Jobs task to schedule any job across LMS.
Delete Job
You can use the job browser to delete the jobs.
Stop Job
You can stop the jobs using the job browser.
Getting Started
Understanding Fault and Event Report Tasks
Understanding Report Archives Tasks
Understanding Report Designer Tasks
Understanding Inventory Report Tasks
Understanding Audit Report Tasks
Understanding Technology Report Tasks
Understanding Performance Report Tasks
Understanding System Report Tasks
Understanding Switch Port Report Tasks
Schedule Reports in Layer2 Services and User Tracking
User Tracking Job Archives
Layer2 Services Job Archives
Inventory/Syslogs/Change Audit Generate Reports
Inventory/Syslogs/Change Audit View All Reports
Inventory/Syslogs/Change Audit View Own Reports
Threshold Violation
You can generate this report which displays threshold violations details for each device based on the polled data.
Thresholds
You can create reports based on the threshold configured for the MIB variable. You can create, or view reports for specific threshold MIB variables. These reports are called IPSLA Threshold Violation reports.
TrendWatch Summary
You can create consolidated reports based on the TrendWatches configured for the MIB variable. You can create, view summary reports of TrendWatch MIB variables.
Best Practices
You can generate the following Best Practices and Discrepancy reports:
Acknowledge/Unacknowledge Discrepancy
You can acknowledge a Best Practice Deviation that you no longer want to see in the Best Practices. You can also unacknowledge the acknowledged Best Practice Deviations so that they reappear in the Best Practice Deviations Report.
Discrepancies
You can fix the discrepancies detected in the network.
Fix Best Practice Deviation
You can fix the Best Practice Deviation detected in the network.
Fix Discrepancy
You can fix the discrepancies detected in the network.
Deviation
You can view the best practice deviation report.
Syslogs
You can use Custom Reports along with Syslogs to generate GOLD test reports. You can also use Custom Reports along with Syslogs to generate Embedded Event Manager reports.
History
Event History
You can view the fault history report for a given event ID.
Event Monitor/ Device Fault
You can view information on events in devices for the past 31 days. Event Monitor is a centralized place where you can view the event details of all devices and device groups.
IPSLA
You can manage IPSLA archived reports. You can perform the following tasks:
List Report Archives
You can list the IPSLA report archives.
Delete Report
You can delete the IPSLA report archives.
You can view the list of the completed report jobs that you own or all report jobs.
Layer2 Services and User Tracking
You can view and delete archived Layer2 Services and User Tracking reports.
User Tracking
Custom Layouts
You can view the list of Custom layouts.
Custom Reports
You can customize the layout and columns displayed in the UT reports to suit your needs.
Custom Report Template
You can create new report templates customized according to your requirements. You can also view, add and edit, delete existing custom templates, view your own templates or view all templates.
Device Attributes
End Host History
You can view the login and logout information of the end hosts.
User Tracking System and Custom Reports
You can view User Tracking system and custom reports.
Management Status
You can generate device credentials, device and credentials admin reports, and inventory and config Collection Status report.
Inventory and Config Collection Status
You can generate the Inventory and Config Collection Status Report which helps you to identify possible causes for Inventory and Configuration collection failure and take timely corrective action.
System
Performance
VLAN
You can generate VLAN reports for devices, switch clouds, or VTP domains.
VRF Lite
VRF Lite and VRF Lite Readiness report
You can generate Device Based VRF-Lite reports and VRF Based reports. You can also generate the VRF Lite Readiness report which provides the device details that comply with the basic hardware and software support available, in contrast to the required support on the devices to configure VRF.
Create Performance Report
View Performance Report
Poller
Device
Create IPSLA Report
View IPSLA Job Details
View IPSLA Report
Custom
Interface Report
Displays the Interface availability information of a device during the last 24 hours. It also displays Interface utilization and error rate information for a device interface during the last 24 hours.
IPSLA Detailed Report
You can generate various IPSLA detailed reports.
IPSLA Summary Report
You can generate system reports for all collectors based on the report types and granularity after the consolidation of the statistical data.
EnergyWise Device Power Usage
Displays the power usage data for each device that is polled for the EnergyWise Device Power Usage template.
EnergyWise Port Power Usage
Displays the power usage data for each port that is polled for the EnergyWise Port Power Usage template.
PoE Port Utilization Report
Displays the port level utilization for each device polled for the Power Over Ethernet (PoE) Port Utilization template.
PSE Consumption report
Displays the power utilization and losses for each device polled for the Power Over Ethernet PSE Consumption template.
IPSLA Audit report
Displays all IPSLA related audit changes that occurred in the network during a specified time period.
Interface Report
IPSLA Detailed Report
IPSLA Summary Report
EnergyWise Device Power Usage
EnergyWise Port Power Usage
PoE Port Utilization Report
PSE Consumption report
IPSLA Audit report
Poller
You can:
View Poller Report
You can view Poller Reports based on the template added in a given Poller.
Create Poller Job
You can create Poller Reports based on the template added in a given Poller.
Device
You can create IPSLA Reports and IPSLA Threshold Violation Reports. You can also reset the values you entered.
View IPSLA Job Details
You can view IPSLA Reports, IPSLA Report Archives and IPSLA Threshold Violation Reports. You can list and create IPSLA Audit Report.
Custom
Data Collection Metrics and Device Support Users ANI Server Analysis Status
You can view the duration of each data collection, and the device count. You can also view the icon, name, and object ID of the supported devices.
Users
You can view information about users currently logged into LMS.
Who is Logged on
You can view information on users currently logged into LMS.
Permission Report
You can view information on roles and privileges.
You can view the status of the processes running on the LMS Server.
Log File
You can view information on log file size and file system utilization.
Process
You can view the status of the processes running on the LMS Server.
Connected Ports: The ports that are administratively UP and are connected to a device will be listed here.
Free Ports: The ports that are administratively UP but are not connected to a device will be listed here.
Free Down Ports: The ports that are administratively down will be listed here.
Switch Port Capacity Report
Lists switches that have crossed utilization threshold limits, along with the value of percentage port utilization.
Reclaim Unused Down Ports Report
Displays ports that have been in Unused Down state for a specified interval of time.
Reclaim Unused Up Ports Report
Displays ports that have been in Unused Up state for a specified interval of time.
Switch Port Summary Report
Displays the number of Connected, Free, and Free down ports in each switch.
Ports
Port Attributes
You can view information about the status of ports in the network.
You can schedule reports of the Network, Layer 2, and User Tracking function of LMS.
User Tracking Job Archives
You can generate all Inventory, Syslog, and Change Audit reports.
Inventory/Syslogs/Change Audit View All Reports
You can view all Inventory, Syslog, and Change Audit reports.
Inventory/Syslogs/Change Audit View Own Reports
You can view all Inventory, Syslog, and Change Audit reports which you have generated.
Understanding Configuration Archive Tasks
Understanding Configuration Tools Tasks
Understanding ConfigCLI Tasks
Understanding Configuration Workflows Tasks
Understanding Configuration Job Browsers Tasks
Understanding Compliance Tasks
Label Configs
You can select configuration files from different devices, group and label them. You can manage Label Configs.
Summary
Views
You can search archives using version tree and version summary. The tasks in Views are the following:
Custom Queries
You can create a custom configuration query that searches information about the specified configuration files.
Search Archive
You can search the archive for configuration containing text patterns for selected devices.
Version Summary
You can view all archived configurations for selected devices.
Software Repository
You can view, add, delete, or update the images that are available in the Software Management repository.
Repository Synchronization
You can update the software repository.
Software/Patch Distribution
You can distribute software images in the network. You can also distribute patches simultaneously to applicable devices.
Jobs
You can check the status of a scheduled Software Image Management job. You can view, edit, stop, delete, retry or undo the job.
NetConfig/Template Center
This section explains the following NetConfig and Template Center tasks:
Assign Tasks
You can assign tasks to a valid Cisco Prime user.
User Defined Tasks
You can create and edit user-defined tasks.
Jobs
View
You can deploy and import configuration templates in LMS. You can also create NetConfig jobs.
Config Editor
Private Configs
You can view changes made to a configuration file in the private work area.
Edit Private Configs
You can save an edited configuration file in the private work area on the server and retrieve the saved file when required.
Edit Public Configs
You can save an edited configuration file in the public work area on the server and retrieve the saved file when required.
Delete Private Configs
You can remove a configuration file from the private work area on the server.
Delete Public Configs
You can remove a configuration file from the public work area on the server.
Public Configs
You can view changes made to a configuration file in the public work area.
Edit Mode Preference
You can set up the default editing mode.
Config Editor
You can open, edit, or print configuration files.
Jobs
You can create, edit, delete, copy, or stop Config Editor jobs.
You can delete configurations older than a specified date from the configuration archive.
Compare With Baseline and Deploy
You can create a job that compares the given Baseline template with the latest version of the configuration for a device and download the configuration to the device if there is a non-compliance.
List Version
Lists the different versions of configuration files archived in the archival system.
Create Parameter file
You can create a parameter file if the Baseline template containing the parameters is specified.
Compare With Baseline
You can compare the given Baseline template with the latest version of the configuration for a device.
Deploy Baseline
You can reboot the devices, to load the running configuration with their startup configuration.
Get Configuration
You can retrieve the running configuration from the devices and push it to the configuration archive if the running configuration is different than the latest version in the archive.
Run2Start
You can create a job that overwrites the startup configuration of device with running configuration.
Get Change Audit Data
You can compare the latest running configuration for the device in the configuration archive with the configuration in the file, to generate a new configuration that is downloaded to the device, so that the configuration specified in the file is available on the running configuration of the device.
Export Configuration
You can retrieve the configuration for a device from the archive and write it to a specific file.
Compare
write2Start
You can erase the contents of the device's startup configuration and then write the contents of the given file as the device's new startup configuration.
Export Configuration-xml
You can retrieve the configuration for a device from the archive and write it to an XML file.
Import Configuration
You can retrieve the configuration from a file, and push it to the device, adding to the device's running configuration.
Get Inventory Data
You can merge the running configuration of any devices with their startup configuration to give a new running configuration.
Put Configuration
You can retrieve the configuration from the configuration archive and push it to the device.
VLAN
Configure Port Assignment
You can manage ports on your network VLAN.
Create/Delete Private VLAN
You can create and delete private VLANs.
Configure Promiscuous Ports
You can configure a promiscuous port.
Create/ Modify Trunk
You can create a trunk for a port, or modify trunk attributes.
Configure/ Delete VLAN
You can create and delete VLANs configured on the devices in the network.
VRF Lite
VRF Configuration
You can create, edit, extend, delete and assign Edge VLAN to VRF.
Job Approval
You can approve or reject a job for which you are an Approver. The job will not run until you or another Approver approves it.
NetConfig
Out-of-Sync Summary
Compliance Check
You can run a compliance check.
Direct Deploy
You can deploy a baseline template using a file system or UI.
Templates
You can manage a baseline template.
Understanding Performance Settings Tasks
Understanding Fault Settings Tasks
Understanding Threshold Settings Tasks
Understanding Troubleshooting Tools Tasks
Understanding Monitoring Tools Tasks
IPSLA Setup
IPSLA
You can manage IPSLA devices, collectors, operations and outage settings.
Devices
You can add devices to manage IPSLA functionality. You can:
Enable IPSLA Responder
You can update the IPSLA responder enable or disable status. You can also save the latest information configured in a device to the database.
View Devices
You can edit the device attributes like SNMP Retry and SNMP Timeout.
Delete devices
You can add adhoc target devices to the IPSLA Performance Management function in LMS if you want to manage devices from an external source. The Adhoc devices may be either Cisco devices or devices with a unique IP address.
Collectors
You can create, edit, delete, monitor, start, list, view, or stop collectors. When you have the authorization to create collectors you can import, export and reconfigure collectors.
Operations
You can analyze IP service levels for IP applications and services. You can view operation details, list, create, edit, or delete operations.
Outage Settings
You can view, list, create, edit, or delete planned outages.
Setup
Automonitor
You can change the polling intervals.
Pollers
You can create and manage pollers. You can:
Edit Poller
You can clear all the failures recorded in the database for a Poller.
Clear Missed Cycle
You can clear all the polling interval cycles missed for a Poller.
Activate and Deactivate Poller
You can activate an inactive Poller to poll, or stop a Poller from polling.
View Failures
Templates You can create, copy, edit, list, delete, export, or import templates to monitor performance parameters.
Device Performance Management Summary You can view the Device Performance Management Summary portlet details. To access any custom role, you should select Device Performance Management Summary.
Setup You can set up polling parameters and group priorities, and view device fault details.
Apply Changes
TrendWatch
You can create, activate, list and view, edit, copy, deactivate, or delete trendwatch for a MIB variable.
Performance
You can create, edit, delete, access, list, or view thresholds for a MIB variable.
Fault
You can view the thresholds that are associated with device groups, trunk port groups, access port groups, and interface groups.
VRF Lite
Ping and Traceroute/Show Commands You can troubleshoot VRFs using Ping or Traceroute, or view the result of the VRF-specific show commands.
NetShow
Job Operations You can perform tasks such as viewing job details, creating jobs, editing jobs, copying jobs, retrying failed jobs, stopping jobs, and deleting jobs.
Command Set Operations You can create, edit, or delete user-defined Command Sets. Assigning Command Sets You can assign command sets to network operators. Command Sets You can view the details of an existing Command Set. NetShow Jobs/Show Commands You can run NetShow commands and view NetShow jobs.
Connectivity Tools
Device Center You can launch the troubleshooting page by clicking device IPs. Packet Capture You can capture live data from the Cisco Prime machine to aid in troubleshooting. SNMP Walk You can trace the MIB tree of a device starting from a given OID for troubleshooting, or gathering information about a certain device.
SNMP Set You can set an SNMP object or multiple objects on a device for controlling the device.
Troubleshooting Workflows
You can troubleshoot network problems using the troubleshooting workflows. You can diagnose network connectivity problems, or diagnose devices.
Fault Monitor Configure Inter-VLAN Routing View Link Bandwidth utilization Configure EtherChannel Device Operation Discover Devices View Trunk Attributes Time Domain Reflectometer Report Device Operation Delete Link Spanning Tree Reports Device Operation Delete Devices Topology Services Spanning Tree Configuration Device Operation Change management IP View Data Extraction Engine
Fault Monitor
You can view all the faults in a common place. Fault Monitor collects information about faults in devices in real time and displays the information by a selected group of devices. You can clear or annotate faults. It allows you to own faults or clear them.
Configure Inter-VLAN Routing
You can view bandwidth utilization across links, in the Topology maps.
Configure EtherChannel
You can generate the TDR report that detects faults in a cable. TDR checks and locates open circuits, short circuits, sharp bends, crimps, kinks, impedance mismatches, and other such defects.
You can access the LAN Edge, Layer 2, and Unconnected Devices network views of managed domains discovered in your network, and you can filter, access, or view network information or status.
Spanning Tree Configuration
You can set a preferred management address to be used by LMS for devices which can have multiple IP addresses.
View Data Extraction Engine
Understanding Group Management Tasks Understanding Job Browsers Tasks Understanding Device Administration Tasks Understanding Inventory Tools Tasks
Fault groups You can view, create, edit, delete fault groups, or refresh groups. IPSLA Collector You can view, create, edit, delete or refresh IPSLA collector groups.
Add / Import / Manage Devices Add Managed Devices Manage Device State Device Allocation Policy
View Credentials You can view device information for a single device or for multiple devices. Export Devices You can export a list of devices and their credentials. View Reports You can generate the following reports:
Unreachable Devices
Displays the list of devices that are unreachable. To generate this report, select Reports > Inventory > Management Status > Unreachable Devices.
Excluded Devices
Displays the list of devices that should not be added in DCR. To generate this report, select Reports > Inventory > Management Status > Excluded Devices.
Imported Device Status
Displays the information about the devices that are imported into DCR. To generate this report, select Reports > Inventory > Management Status > Imported Device Status.
Known Device List
Displays the complete list and information of all devices in the repository. To generate this report, select Reports > Inventory > Management Status > Known Device List.
Device Administration
Displays the complete device list in DCR. To generate this report, select Reports > Audit > Device Administration.
Add Devices You can add devices, device properties or attributes, and device credentials to the DCR. View Devices You can view devices in DCR. Delete Devices You can delete devices from DCR. You can also schedule a device polling job and view the Unreachable device report.
Bulk import You can import multiple devices into DCR. You can also view the Imported device report. Edit Devices You can edit device information for a single device or for multiple devices.
You can manually add managed devices without using the Device Allocation Policy.
Manage Device State
You can configure the device management policy for Device Management.
CiscoView Provides real-time views of networked Cisco Systems devices Mini-RMON Provides web-enabled, real-time, remote monitoring (RMON) information to users to facilitate troubleshooting and improve network availability.
Understanding Smart Install Tasks Understanding Auto Smartports Tasks Understanding Identity Tasks Understanding EnergyWise Tasks
Jobs You can view the status, delete, stop or manage Smart Install jobs. Readiness Assessment You can assess the readiness of your network for Smart Install. Getting Started You can provision Smart Install for Day 1 operations. Configure You can configure, and manage the Smart Install director.
Getting Started You can provision Auto Smartports for day 1 operations. Jobs You can view the status, delete, stop or manage Auto Smartport reports. Configure You can configure, and enable Auto Smartports on selected interfaces. Readiness Assessment You can view Auto Smartports based device details after assessing the network.
Configure You can configure Identity on Identity-capable devices. Jobs You can view the status, delete, stop or manage Identity jobs. Reports You can generate Identity reports. Getting Started You can provision Identity for Day 1 operations. Readiness Assessment You can view Identity-based device details after assessing the network.
Readiness Assessment You can view EnergyWise-based device details after assessing the network. Jobs You can view the status, delete, stop or manage EnergyWise jobs. Getting Started You can provision EnergyWise for Day 1 operations. Reports You can generate EnergyWise reports like:
Power Usage
Manage Domains/General Settings You can manage the configured EnergyWise domains. You can configure the time to perform EnergyWise device collection, EnergyWise endpoint collection, and EnergyWise compliance check.
Configure You can configure energy management policies on devices and configure endpoints.
Manage Policies
Settings You can configure EnergyWise collection, cost settings, and data purge settings.
Cost Savings
CHAPTER 19
Solaris Patches
LMS 4.1 is installed in the global zone of the Solaris 10 Operating System by default. Installation of LMS 4.1 in a whole-root non-global zone in Solaris 10 is supported. The Solaris system requires the following patches to be installed on the server:
CHAPTER 20
From the Online help. By accessing an application that uses the Sun Java Runtime Environment (JRE). You must download and install the plug-in when you start such an application for the first time, if the plug-in is not already installed.
The download and installation procedure differs depending upon your client platform and the browser you are using.
Related Topics
About Java Plug-ins Installation of Java Plug-in on Windows Installation of Java Plug-in on Solaris/Soft Appliance
Note
You will be asked to install Java Plug-in 1.6.0_24 when you invoke applications that use the plug-in, for example, Topology Services. The following procedures are for installing and uninstalling the Java Plug-in on Windows XP Service Pack 3, Windows 2003, Windows 2003 R2, Windows 2008, Windows 2008 R2 and Windows 7 when you start Cisco Prime LMS server.
Before You Begin
Make sure you have 20 MB of free disk space for the download and installation.
Installing the Plug-in
Click here to download the executable plug-in file. If you are using the Mozilla browser client, in the Save As window, select a location for the jre-6u24-windows-i586-p_withjacorb.exe file and click Save. If you are using Internet Explorer browser client, you can install the plug-in from the server by choosing the Run this program from its current location, or you can save the jre-6u24-windows-i586-p_withjacorb.exe file on your system and then install it.
After the file is saved, select Start > Run. Enter the pathname of the .exe file and click OK. In the License Agreement window, click Yes. In the Set Up Type window, if you want to change the default location where JPI is installed, choose Custom.
a. Select Typical if you want to install in the default location with default options (this is the recommended option). The Java Plug-in is installed in the default location.
b. Select Custom if you want to customize your options and click Next.
c. In the Choose Destination window, select the location where you want to install the Plug-in.
d. In the Select Browsers window, we recommend that you leave the default options as is and click Next. The Java Plug-in is installed in the specified location.
Step 6
Close the blank browser window, and click the icon in the application window. The application restarts and runs the Java Plug-in. We recommend that you restart the client machine before using the application.
Step 7
Start the application. In the application window, click the icon. In the Plug-in Not Loaded window, click Get the plug-in.
Chapter 20
If you click No, a blank browser window appears. You must restart the application from Cisco Prime if the browser client does not have the plug-in already installed.
Select Start > Settings > Control Panel to display the Add/Remove Programs window. Select the plug-in to be uninstalled (for example, Java 2 Runtime Environment, SE v1.4.2_10) and click Add/Remove. Click OK.
Note
Make sure you have 120 MB of free disk space in /usr for download and installation. Make sure you have the required patches installed on the Solaris/Soft Appliance client machine before proceeding.
Note
You can obtain the patches from your warranty provider, from SunService (if you have a SunSpectrum contract), or from the SunSolve Recommended & Security Patches web site. Some of the J2SE 1.4.2 patches listed may not be on the SunSolve list of recommended product patches. However, you can find the patch download page by using SunSolve site's search facility. Search for the patch ID number, but do not include the two-digit patch version number. Some patches are also part of larger groups of patches available as patch clusters. See the Recommended & Security Patch Clusters SunSolve site. Each cluster has a readme file, accessible from the web site, which lists the patches it contains.
3. If you are using a Japanese Solaris/Soft Appliance client, make sure that the SUNWjxcft package is installed on that machine. Cisco Prime applications running under the Java plug-in will not work if this package is not installed on the machine.
Installing the Plug-in
If you have previously installed Java plug-in software, uninstall it and unset the NPX_PLUGIN_PATH, CLASSPATH, and NPX_JRE_PATH environment variables. Click here to download the tar file. The Save As window appears. Click OK and wait for the download to finish. Uncompress the plugin-16024-sparc.tar.gz file to get the tar file (use gunzip utility or any other equivalent utility). Type the following command to extract the plug-in files: #tar -xf filename
Type su to become superuser and enter your password at the prompt. Change to the directory into which the plug-in files were extracted and install the plug-in. To install the plug-in in the default base directory (/usr/j2se), enter: #./pam.sh Select option 1. During installation, you can configure Java Plug-in 1.6.0_24 to work with Mozilla 1.7. Source the corresponding file (/jpi.cshrc or /jpi.profile) before restarting your browser to have the correct environment. Restart your Netscape or Mozilla browser and reconnect to the LMS Server. When you start the application, it runs under the Java plug-in. Verify that the installation worked by selecting Help > About Plug-ins on the Netscape or Mozilla browser. If the Java Plug-in does not appear with all the mime-types enabled, close and then re-open the browser.
Step 9
Do not uninstall the plug-in if it is required by any of your applications. To uninstall the plug-in:
Step 1 Step 2
Type the following command: # ./pam.sh Select option 2. This will uninstall the Java Plug-in.
Related Topics
APPENDIX
CLI Tools
This section explains all the CLI utilities that are available for the administrator in LMS 4.1. This section contains:
Setting Up Local Users Through CLI Changing Cisco Prime User Password Through CLI Managing Processes Through CLI Working With Third Party Security Certificates Setting up Browser-Server Security Backing up Data Using CLI Using LMS Server Hostname Change Scripts Using DCR Features Through CLI Using Group Administration Features Through CLI Deleting Stale Groups Using CLI User Tracking Command Line Interface Using Lookup Analyzer Utility Understanding UTLite User Tracking Debugger Utility Configuring Switches to Send MAC Notifications to LMS Server Administration Command Line Interface
Note
You can use this CLI command for both system and user-defined roles. Each local user's information should be represented in the following format in the text file:
Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword
where,
Username: Local username. The local username is case-insensitive.
Password: Password for the local user account name. You can leave this field blank in the text file and enter the password in the command line when you run the CLI utility. Note that you should enter the password either in the command line or in the input text file. If you specify the password in both places, the local user is added with the password specified in the command line. When you add the user by giving the password at the command line prompt, the default role is assigned to the user if the role is missing in the input file.
E-mail: E-mail address of the local user. This is mandatory if you assign the approver role to the local user. Otherwise, this is optional.
Roles: Roles to be assigned to the local user. You should assign one or more of the following roles to the user, separated by commas:
Help Desk
Approver
System Administrator
Network Administrator
Network Operator
Super Admin
DeviceUname: Device login username.
DevicePassword: Device login password.
DeviceEnPassword: Device enable password.
The following is an example of local user information to be represented in input text file:
admin123:admin123:admin123@cisco.com:Help Desk,System Administrator:admin:roZes123:roZes
Appendix A
NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -add Filename Password (on Solaris/Soft Appliance)
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -add Filename Password (on Windows)
where,
Filename: Absolute path of the file containing local user information.
Password: Common password for all user accounts specified in the input text file. This command line parameter is optional if you have specified the passwords for local users in the input text file. Note that you should enter the password either in the command line or in the input text file. If you specify this parameter, the local users are added to Cisco Prime only with this password, irrespective of the password entries specified in the input text file.
For example, enter the following command to add local users mentioned in the input file localuser.txt with the password admin:
C:\progra~1\CSCOpx\bin\perl C:\progra~1\CSCOpx\bin\AddUserCli.pl -add C:\files\localuser.txt admin
Even if you have entered password for the local users in the localuser.txt file, the local users are added with the password mentioned in the command line.
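The input-file rules above can be checked before the file is handed to AddUserCli.pl. The following linter is an added example, not Cisco code; the function name lint_user_file, the severity labels, and every sample line except the first (which is the page's own example) are assumptions made for illustration.

```python
"""Lint an AddUserCli.pl input file before import (added example, not Cisco code)."""

# Role names exactly as listed on this page.
ROLES = {"Help Desk", "Approver", "System Administrator",
         "Network Administrator", "Network Operator", "Super Admin"}
FIELDS = ("Username", "Password", "E-mail", "Roles",
          "DeviceUname", "DevicePassword", "DeviceEnPassword")

# First line is the page's own example; the rest are constructed test lines.
SAMPLE = """\
admin123:admin123:admin123@cisco.com:Help Desk,System Administrator:admin:roZes123:roZes
ops1:S3cure!pass::Approver:netops:dev-pw:en-pw
OPS1:other::Network Operator:::
audit:pa:ss:a@example.test:Help Desk:u:p:e
guest::g@example.test:Helpdesk:::
"""


def lint_user_file(text, cli_password_given=False):
    """Return findings as (line_no, severity, message); never echoes passwords."""
    findings, seen = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.strip().split(":")
        if len(parts) != len(FIELDS):
            # Also triggers when a password itself contains ':'.
            findings.append((no, "error",
                             f"expected {len(FIELDS)} colon-separated fields, "
                             f"found {len(parts)}"))
            continue
        rec = dict(zip(FIELDS, (p.strip() for p in parts)))

        key = rec["Username"].lower()  # usernames are case-insensitive
        if not key:
            findings.append((no, "error", "empty username"))
        elif key in seen:
            findings.append((no, "error", f"username duplicates line {seen[key]}"))
        else:
            seen[key] = no

        roles = [r.strip() for r in rec["Roles"].split(",") if r.strip()]
        unknown = [r for r in roles if r not in ROLES]
        if unknown:
            findings.append((no, "error", "unknown role(s): " + ", ".join(unknown)))
        if not roles:
            findings.append((no, "warn", "no role listed"))
        if "Approver" in roles and not rec["E-mail"]:
            findings.append((no, "error", "Approver role requires an e-mail address"))

        password = rec["Password"]
        if cli_password_given:
            if password:
                findings.append((no, "warn",
                                 "password in file is overridden by the "
                                 "command-line password"))
        elif not password:
            findings.append((no, "error",
                             "no password in file and none on the command line"))
        elif password.lower() == key:
            findings.append((no, "warn", "password equals the username"))
    return findings


if __name__ == "__main__":
    for line_no, severity, message in lint_user_file(SAMPLE):
        print(f"line {line_no}: {severity}: {message}")
```

Run on the page's own example line, the linter reports that the password is the same as the username.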
NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -import Protocol Hostname Portnumber Username Password (on Solaris/Soft Appliance)
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import Protocol Hostname Portnumber Username Password (on Windows)
where,
Protocol: Protocol of the remote LMS Server. The supported values are HTTP or HTTPS.
Hostname: Hostname or IP Address of the remote LMS Server.
Portnumber: Port Number of the remote LMS Server.
Username: Remote LMS Server Login Username.
Password: Remote LMS Server Login Password.
For example, enter the following command to import the local users from the remote LMS Server lmsdocpc:
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import HTTP lmsdocpc 1741 admin admin
NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -importFromAcs Filename Password (on Solaris/Soft Appliance)
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -importFromAcs Filename Password (on Windows)
where,
Filename: Output of executing CSUtil.exe.
Password: ACS password, which is the default password assigned to all users.
Step 1 Enter /etc/init.d/dmgtd stop to stop the Daemon Manager.
Step 2 Set the LD_LIBRARY_PATH manually. Set the path as follows:
setenv LD_LIBRARY_PATH /opt/CSCOpx/MDC/lib:/opt/CSCOpx/lib
This environment variable setting applies to the current working shell only. Now, you can change the password using the Cisco Prime user password recovery utility.
Step 3 Enter NMSROOT/bin/resetpasswd username at the command prompt. Here NMSROOT refers to the Cisco Prime Installation directory. A message appears:
Enter new password for username:
Step 4 Enter the new password.
Step 5 Enter /etc/init.d/dmgtd start to start the Daemon Manager.
Step 1 Enter net stop crmdmgtd to stop the Daemon Manager.
Step 2 Enter NMSROOT\bin\resetpasswd username at the command prompt. A message appears:
Enter new password for username:
Step 3 Enter the new password.
Step 4 Enter net start crmdmgtd to start the Daemon Manager.
Viewing Process Details Through CLI Viewing Brief Details of Processes Viewing Processes Statistics Starting a Process Stopping a Process
where ProcessName1 and ProcessName2 are the names of the processes. The command displays the process details of one or more processes. See Viewing Process Details for a description of each of these items.
Process Name Process State Process ID Process Return Code Process Signal Number Process Start Time Process Stop Time
The pdshow command additionally displays the following process details:
Core: Not applicable means the program is running normally. CORE FILE CREATED means the program is not running normally and the operating system has created a file called core*. The core file stores important data about processes. core* refers to the name of the core file. The core file name contains the executable file name of the program and the process ID. For example, the name of the core file created for the Perl module is:
core.perl.51234
Information: Describes what the process is doing and how it is started. Not applicable means the program is not running normally.
During the startup of the Daemon Manager, the pdshow command may sometimes display an information message asking you to wait and enter the command again. This happens particularly when the Daemon Manager is busy running the tasks in the queue one by one. You must enter the command again to view the process details.
where ProcessName1 and ProcessName2 are the names of the processes. The command displays the following details in tabular format:
For example, if you enter /opt/CSCOpx/bin/pdshow -brief Tomcat Apache in the command prompt, the following output is displayed:
Process  State                                   Pid
*******  *****                                   ***
Tomcat   Program Started - No mgt msgs received  13824
Apache   Running normally                        13847
Note
where ProcessName1 and ProcessName2 are the names of the processes. The command displays the following details in tabular format in the command line:
Pid: Process ID
%CPU: CPU usage of a process at a particular time, expressed as a percentage
RSS: Resident set size, in KB
VSZ: Virtual memory size of the process, in KB
%MEM: Ratio of resident set size to physical memory, expressed as a percentage
NLWP: Number of light weight processes of the specified process
Process: Name of the process
Starting a Process
You must enter the following commands to start a process through CLI:
/opt/CSCOpx/bin/pdexec pdexec
The dependent processes are started before the specified process is started. If the process is being restarted after a shutdown, any dependent processes registered with the Daemon Manager are not automatically restarted. Dependent processes are automatically restarted only when the Daemon Manager itself is restarted.
Stopping a Process
You must enter the following commands to stop a process through CLI:
/opt/CSCOpx/bin/pdterm pdterm
The dependent processes are also shut down using this CLI command.
Uploading Third Party Security Certificates to LMS Server Using the SSL Utility Script to Upload Third Party Security Certificates
This utility has the following options:
Option 1, Display LMS Server certificate information: Displays the Certificate details of the LMS Server. For third party issued certificates, this option displays the details of the server certificate, the intermediate certificates, if any, and the Root CA certificate.
Verifies if the certificate is valid. Verifies whether the certificate is in encoded X.509 certificate format. Displays the subject of the certificate and the details of the issuing certificate. Verifies whether the certificate is valid on the server.
Display Root CA certificates trusted by LMS Server: Generates a list of all Root CA Certificates.
Verifies whether the server certificate issued by third party CAs can be uploaded. When you choose this option, the utility:
Verifies if the certificate is in Base64 Encoded X.509 Certificate format.
Verifies if the certificate is valid on the server.
Verifies if the server private key and input server certificate match.
Verifies if the server certificate can be traced to the required Root CA certificate using which it was signed.
Constructs the certificate chain, if the intermediate chains are also given, and verifies if the chain ends with the proper Root CA certificate.
After the verification is successfully completed, you are prompted to upload the certificates to LMS Server. The utility displays an error:
If the input certificates are not in the required format.
If the certificate date is not valid or if the certificate has already expired.
If the server certificate could not be verified or traced to a root CA certificate.
If any of the intermediate Certificates were not given as input.
If the server private key is missing or if the server certificate that is being uploaded could not be verified with the server private key.
You must contact the CA who issued the certificates to correct these problems before you upload the certificates to Cisco Prime.
You must verify the certificates using option 4 before you select this option. Select this option only if there are no intermediate certificates and there is only the server certificate signed by a prominent Root CA certificate. If the Root CA is not one trusted by Cisco Prime, do not select this option. In such cases, you must obtain a Root CA certificate used for signing the certificate from the CA and upload both the certificates using option 6. When you select this option, and provide the location of the certificate, the utility:
Verifies whether the certificate is in Base64 Encoded X.509 certificate format.
Displays the subject of the certificate and the details of the issuing certificate.
Verifies whether the certificate is valid on the server.
Verifies whether the server private key and input server certificate match.
Verifies whether the server certificate can be traced to the required Root CA certificate that was used for signing.
After the verification is successfully completed, the utility uploads the certificate to LMS Server. The utility displays an error:
If the input certificates are not in the required format.
If the certificate date is not valid or if the certificate has already expired.
If the server certificate could not be verified or traced to a root CA certificate.
If the server private key is missing or if the server certificate that is being uploaded could not be verified with the server private key.
You must contact the CA who issued the certificates to correct these problems before you upload the certificates in Cisco Prime again.
You must verify the certificates using option 4 before you select this option. Select this option if you are uploading a certificate chain. If you are also uploading the root CA certificate, you must include it as one of the certificates in the chain. When you select this option and provide the location of the certificates, the utility:
Verifies whether the certificate is in Base64 Encoded X.509 Certificate format.
Displays the subject of the certificate and the details of the issuing certificate.
Verifies whether the certificate is valid on the server.
Verifies whether the server private key and the server certificate match.
Verifies whether the server certificate can be traced to the root CA certificate that was used for signing.
Constructs the certificate chain, if intermediate chains are given, and verifies if the chain ends with the proper root CA certificate.
After the verification is successfully completed, the server certificate is uploaded to LMS Server. All the intermediate certificates and the Root CA certificate are uploaded and copied to the Cisco Prime TrustStore. The utility displays an error:
If the input certificates are not in the required format.
If the certificate date is not valid or if the certificate has already expired.
If the server certificate could not be verified or traced to a root CA certificate.
If any of the intermediate certificates were not given as input.
If the server private key is missing or if the server certificate that is being uploaded could not be verified with the server private key.
You must contact the CA who issued the certificates to correct these problems before you upload the certificates in Cisco Prime again.
Option 7, Modify Certificate: This option allows you to modify the Host Name entry in the LMS Certificate. You can enter an alternate Hostname if you wish to change the existing Host Name entry.
Using the SSL Utility Script to Upload Third Party Security Certificates
To upload the certificates:
Step 1
Stop the Daemon Manager from the Cisco Prime CLI: On Windows:
On Solaris/Soft Appliance:
Step 2
Navigate to the directory where the SSL Utility script is located. On Windows:
a. b.
On Solaris/Soft Appliance:
a. b. Step 3 Step 4
Select option 4, Verify the input Certificate or Certificate Chain. Enter the location of the certificates (server certificate and intermediate certificate). The script verifies if the server certificate is valid. After the verification is complete, the utility displays the options. If the script reports errors during validation and verification, the SSL Utility displays instructions to correct these errors. Follow the instructions to correct those errors and then try to upload the certificates.
Step 5
Select option 5, if you have only one certificate to upload, that is if you have a server certificate signed by a Root CA certificate. Or Select option 6, if you have a certificate chain to upload, that is if you have a server certificate and intermediate certificates. Cisco Prime does not allow you to proceed with the upload if you have not stopped the Cisco Prime Daemon Manager. The utility displays a warning message if there are hostname mismatches detected in the server certificate being uploaded, but you can continue to upload the certificate.
Step 6
SSL Utility uploads the certificates, if all the details are correct and the certificates meet Cisco Prime requirements for security certificates.
Step 7
Restart the Daemon Manager for the new security certificate to take effect. Enable SSL to establish a secured connection between LMS Server and your client browser, if you have not enabled already.
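The checks listed for the verification option (format, validity, key match, chain to the root CA) can also be run ahead of the maintenance window, before the Daemon Manager is stopped. This added example is not Cisco's SSL Utility or its code; it runs the checks with the openssl command-line tool (assumed to be installed). The names precheck and build_constructed_chain and all file names are hypothetical, and the certificate chain is generated locally as constructed test data.

```python
"""Pre-flight certificate checks with the openssl CLI (added example)."""
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args):
    """Run `openssl <args>` and return (exit_code, stdout)."""
    proc = subprocess.run(["openssl", *map(str, args)],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout


def precheck(server_cert, server_key, root_ca, intermediates=None):
    """Return a list of problems; an empty list means every check passed."""
    # 1. Is the input a Base64 (PEM) encoded X.509 certificate?
    rc, _ = _openssl("x509", "-in", server_cert, "-inform", "PEM", "-noout")
    if rc != 0:
        return ["format: not a Base64 (PEM) encoded X.509 certificate"]
    problems = []
    # 2. Has the certificate already expired?
    rc, _ = _openssl("x509", "-in", server_cert, "-noout", "-checkend", "0")
    if rc != 0:
        problems.append("validity: certificate has expired")
    # 3. Does the private key belong to the certificate? Compare public keys.
    rc_c, cert_pub = _openssl("x509", "-in", server_cert, "-noout", "-pubkey")
    rc_k, key_pub = _openssl("pkey", "-in", server_key, "-pubout")
    if rc_c != 0 or rc_k != 0 or cert_pub.strip() != key_pub.strip():
        problems.append("key: private key does not match the certificate")
    # 4. Can the chain be built up to the given root CA?
    #    -no-CApath stops openssl from also searching the system
    #    certificate directory.
    args = ["verify", "-no-CApath", "-CAfile", root_ca]
    if intermediates:
        args += ["-untrusted", intermediates]
    rc, _ = _openssl(*args, server_cert)
    if rc != 0:
        problems.append("chain: cannot be traced to the given root CA")
    return problems


def build_constructed_chain(workdir):
    """Create a throwaway root -> intermediate -> server chain (constructed data)."""
    d = Path(workdir)
    ca_ext = d / "ca.ext"
    ca_ext.write_text("basicConstraints=critical,CA:TRUE\n")
    for name in ("root", "inter", "server"):
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
                 "-keyout", d / f"{name}.key", "-out", d / f"{name}.csr",
                 "-subj", f"/CN=constructed-{name}.example.test")
    # Self-signed root CA.
    _openssl("x509", "-req", "-in", d / "root.csr", "-signkey", d / "root.key",
             "-out", d / "root.pem", "-days", "2", "-extfile", ca_ext)
    # Intermediate CA signed by the root.
    _openssl("x509", "-req", "-in", d / "inter.csr", "-CA", d / "root.pem",
             "-CAkey", d / "root.key", "-CAcreateserial",
             "-out", d / "inter.pem", "-days", "2", "-extfile", ca_ext)
    # Server certificate signed by the intermediate.
    _openssl("x509", "-req", "-in", d / "server.csr", "-CA", d / "inter.pem",
             "-CAkey", d / "inter.key", "-CAcreateserial",
             "-out", d / "server.pem", "-days", "2")
    return d


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        d = build_constructed_chain(tmp)
        print("full chain:", precheck(d / "server.pem", d / "server.key",
                                      d / "root.pem", d / "inter.pem"))
        print("no intermediate:", precheck(d / "server.pem", d / "server.key",
                                           d / "root.pem"))
```

Leaving out the intermediate certificate produces the chain failure, which corresponds to the error condition the page lists for intermediate certificates that were not given as input.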
Enabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms Enabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms Disabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms Disabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms
Enabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms
To enable Browser-Server Security from CLI:
Step 1 Go to the command prompt.
Step 2 Navigate to the directory NMSROOT\MDC\Apache.
Step 3 Enter NMSROOT\bin\perl ConfigSSL.pl -enable
Step 4 Press Enter.
If you have the required security certificates available on the server, Cisco Prime enables SSL. If you do not have the security certificates on the server, Cisco Prime prompts you to create your own self-signed certificate and enter the details required to create a self-signed certificate.
Step 5
Create a self-signed certificate or use certificates you obtained from a Certification Authority (CA). The LMS Server creates the security certificate. You can use this certificate to enable SSL in the LMS Server from your client browser.
Step 6 Log out from your Cisco Prime session, and close all browser sessions.
Step 7 Restart the Daemon Manager from the LMS Server CLI:
a. b.
Step 8
Restart the browser, and the Cisco Prime session. When you restart the Cisco Prime session after enabling SSL, you must enter the URL with the following changes:
The URL should begin with https instead of http to indicate secure connection. Cisco Prime will automatically redirect you to HTTPS mode if SSL is enabled. Change the port number suffix from 1741 to 443.
If you do not make the above changes, LMS Server will automatically redirect you to HTTPS mode with port number 443. The port numbers mentioned above are applicable for LMS Server running on Windows.
Enabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms
To enable Browser-Server Security from CLI:
Step 1 Go to the command prompt.
Step 2 Navigate to the directory NMSROOT\MDC\Apache\bin.
Step 3 Enter ./ConfigSSL.pl -enable
Step 4 Press Enter.
If you have the required security certificates available on the server, Cisco Prime enables SSL. If you do not have the security certificates on the server, Cisco Prime prompts you to create your own self-signed certificate and enter the details required to create a self-signed certificate.
Step 5
Create a self-signed certificate or use certificates you obtained from a Certification Authority (CA). The LMS Server creates the security certificate. You can use this certificate to enable SSL in the LMS Server from your client browser.
Step 6 Step 7
Log out from your Cisco Prime session, and close all browser sessions. Restart the Daemon Manager from the LMS Server CLI:
a. b.
Step 8
Restart the browser, and the Cisco Prime session. When you restart the Cisco Prime session after enabling SSL, you must enter the URL with the following changes:
The URL should begin with https instead of http to indicate secure connection. Cisco Prime will automatically redirect you to HTTPS mode if SSL is enabled. Change the port number suffix from 1741 to 443.
If your LMS Server is integrated with any Network Management Station (NMS) in your network using the integration utility (NMIM), you must perform the integration every time you enable or disable SSL in the LMS Server. This is required to update the application registration in NMS. For more information, see the Integration Utility Online Help.
Disabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms
To disable Browser-Server Security from CLI:
Step 1 Go to the command prompt.
Step 2 Navigate to the directory NMSROOT\MDC\Apache.
Step 3 Enter NMSROOT\bin\perl ConfigSSL.pl -disable
Step 4 Press Enter.
OL-20721-01
Appendix A
Step 5 Log out from your Cisco Prime session, and close all browser sessions.
Step 6 Restart the Daemon Manager from the LMS Server CLI:
a. b.
Step 7 Restart the browser, and the Cisco Prime session.
When you restart the Cisco Prime session after disabling SSL, you must enter the URL with the following changes:
The URL should begin with http instead of https to indicate that connection is not secure.
Change the port number suffix from 443 to 1741.
The port numbers mentioned above are applicable for LMS Server running on Windows.
Disabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms
To disable Browser-Server Security from CLI:
Step 1 Go to the command prompt.
Step 2 Navigate to the directory NMSROOT\MDC\Apache\bin.
Step 3 Enter ./ConfigSSL.pl -disable
Step 4 Press Enter.
Step 5 Log out from your Cisco Prime session, and close all browser sessions.
Step 6 Restart the Daemon Manager from the LMS Server CLI:
a. b.
Step 7 Restart the browser, and the Cisco Prime session.
When you restart the Cisco Prime session after disabling SSL, you must enter the URL with the following changes:
The URL should begin with http instead of https to indicate that connection is not secure.
Change the port number suffix from 443 to 1741.
If your LMS Server is integrated with any Network Management Station (NMS) in your network using the Integration Utility (NMIM), you must perform the integration every time you enable or disable SSL in the LMS Server. This is required to update the application registration in NMS. For more information, see Integration Utility Online Help.
BackupDirectory - Directory that you want to be your backup directory. This is mandatory.
LogFile - Log file name that contains the details of the backup.
Num_Generations - Maximum backup generations to be kept in the backup directory.
To back up only selective data using CLI on Windows and Solaris/Soft Appliance:
On Windows, run:
NMSROOT\bin\perl NMSROOT\bin\backup.pl -dest=BackupDirectory -system [-log=LogFile] [-gen=Num_Generations]
On Solaris/Soft Appliance, run:
/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/backup.pl -dest=BackupDirectory -system [-log=LogFile] [-gen=Num_Generations]
where,
-dest=BackupDirectory - Directory
-system - Command line option that allows you to back up only the selected system configurations from all applications instead of backing up the complete databases. This is mandatory.
-log=LogFile - Log file name that contains the details of the backup.
-gen=Num_Generations - Maximum backup generations to be retained in the backup directory.
Caution
Make sure that you run this command after you have changed your hostname and the appropriate entries specific to the operating system are updated.
Prerequisites
Before running the hostname change script, you should do the following:
Step 1 Update the hostname entries specific to operating system in your machine.
On Solaris:
/etc/hosts - Modify loghost to the new hostname.
/etc/hostname.hme0 or the appropriate interface file - Modify the file to the new hostname.
/etc/nodename or the appropriate interface file - Modify nodename to the new hostname.
For Solaris/Soft Appliance, the sys-unconfig command erases the hostname and IP addresses pertaining to the Solaris/Soft Appliance system (not the LMS or SMS software) and guides you through the server-renaming process. You can also do this when you change the hostname in the hosts, hostname.hme0, and nodename files in the /etc directory.
On Soft Appliance:
Log in to vSphere client.
Select the server where you want to run hostnamechange.pl.
Log in to the selected server as system admin.
Stop the daemons before changing the hostname in CARS CLI, by running the command /etc/init.d/dmgtd stop in shell mode.
Enter config terminal in the console. Config prompt appears.
Enter hostname <new host name>
Exit from the configure prompt.
Enter write memory.
On Windows:
a. Right-click the My Computer icon from the desktop and click System Properties. Or Click Start > Settings > Control Panel > System. The System Properties dialog box opens.
b. Click the Computer Name tab.
c. Click Change... on the Windows 2008 machine to open the Computer Name Changes dialog box.
d. Enter the new hostname in the Computer Name field.
e. Click OK to go back to System Properties dialog box.
f. Click Apply to apply the changes.
Step 2 Restart the machine. You must restart the machine when you:
Update the operating system specific hostname entries.
Step 3
/etc/init.d/dmgtd stop (on Solaris/Soft Appliance)
(on Windows)
Step 4 Run the hostname script without command line options. See Running the Hostname Change Script for more information.
Step 5 Start the Daemon Manager by entering the following commands:
/etc/init.d/dmgtd start
net start crmdmgtd (on Windows)
Run the hostname change script without specifying any command line options
After you have restarted your system, ensure that you stop the Daemon Manager and then enter the following command to run the hostname change CLI utility.
NMSROOT\bin\perl NMSROOT\bin\hostnamechange.pl (on Windows)
NMSROOT/bin/perl NMSROOT/bin/hostnamechange.pl (on Solaris/Soft Appliance)
Or
Run the hostname change script with command line options
Use this option to change the hostname only if the previous attempt of running this script had failed and the hostname changes were unsuccessful. You need not restart your machine to run the hostnamechange.pl CLI utility with command line options.
Enter the following command to run the hostnamechange.pl CLI utility:
NMSROOT\bin\perl NMSROOT\bin\hostnamechange.pl -ohost Old_Hostname -nhost New_Hostname -domain Domain (on Solaris/Soft Appliance)
where,
Old_Hostname - Old Hostname of the LMS Server
New_Hostname - New Hostname of the LMS Server
Domain - Domain name of the LMS Server. Entering domain name is optional.
The hostnamechange.pl script performs the following:
1.
2. Changes ASName to the new hostname of LMS Server in the following files:
/opt/CSCOpx/lib/classpath/sso.properties (on Solaris/Soft Appliance)
NMSROOT\lib\classpath\sso.properties (on Windows)
3. Updates the hostname in the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\Resource Manager\CurrentVersion\Environment
The CLI utility looks for all the instances of hostname under these registry entries, and replaces them with the new hostname.
4. Changes the hostname in regdaemon.xml (NMSROOT/MDC/etc/regdaemon.xml).
5. Changes the hostname in web.xml (NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml).
6. Creates a file NMSROOT/conf/cmic/changehostname.info, with the information on the updated hostname in the format: OldhostName:NewhostName
OldhostName - Previous hostname as registered with CCR (regdaemon.xml)
NewhostName - Current hostname as registered with CCR (regdaemon.xml)
The entries for hostname in regdaemon.xml and changehostname.info should be identical. The changehostname.info file resides in the LMS Server until you restart the Daemon Manager. This file will not be available in LMS Server after the Daemon Manager is restarted.
7. The NS_Ref file is restored in LMS Server after the Daemon Manager is restarted.
8. Starts the LMS 4.1 database and updates the database table entries with the new hostname. After updating the database table entries, it stops the LMS 4.1 database.
9. Detects and displays the details of the certificate in the LMS Server.
If the certificate is a third party certificate, you should regenerate your certificate with the new hostname.
Or
If the certificate is a self-signed certificate, the script allows you to regenerate the certificate. You can enter y to re-generate the certificate with the new hostname or n to re-generate the certificate later. See Creating Self Signed Certificates for details.
After you have completed running the script, ensure that you:
Redo the integration, if you have integrated any third party network management application to Cisco Prime, using Integration Utility.
Re-import the certificates and redo the Multi-Server setup if the machine is part of a Multi-Server setup. For example, if you are changing the hostname of a machine that is configured as a Slave, then it needs to reregister with the Master. If you are changing the hostname of a machine that is configured as a Master, then all its Slaves need to be updated with the new Master hostname.
If the hostname of the machine changes, the stability of the system is not guaranteed and it fails in some cases.
The Display Name of a device is the same as that of any other device
The Host Name/Domain Name combination of a device is the same as that of any other device
Auto Update Device ID is the same as that of any other device (in case of AUS managed device)
Cluster and Member Number together are the same as that of any other device (in case of Cluster managed device)
dcrcli operates in both the Shell and Batch modes. The Shell mode is interactive whereas the Batch mode runs the specified command and exits to the prompt after the command is run. You can set the DCRCLIFILE environment variable to point to the file that contains the LMS password. If you set the DCRCLIFILE variable, dcrcli does not ask for the password when you run it in shell or batch mode. The password file should contain an entry in the format username password. Make sure that there is only one blank space between the username and the password in the password file. For example, if admin is the username and the password for the Cisco Prime user, the password file must contain the following entry:
admin admin
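A check for the password file described above, as an added example that is not part of the Cisco guide: it verifies the username password format with exactly one blank space. The function name is hypothetical, and the rule that only the file's owner may access it on Solaris/Soft Appliance (POSIX) hosts is an assumption the guide does not state.

```python
import os
import re
import stat

# One username, exactly one blank space, one password, nothing else.
# Assumption: neither field contains whitespace.
ENTRY = re.compile(r"^\S+ \S+$")


def check_dcrcli_password_file(path):
    """Return a list of problems found in a DCRCLIFILE password file.

    The password itself is never included in the returned messages.
    """
    problems = []

    # Hardening assumption (not from the guide): the file stores the LMS
    # password in clear text, so only its owner should be able to access it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        problems.append("mode %03o lets group/other access the file" % mode)

    with open(path, encoding="utf-8") as handle:
        entries = [line.rstrip("\r\n") for line in handle if line.strip()]

    if not entries:
        problems.append("no 'username password' entry found")
    for number, entry in enumerate(entries, start=1):
        if "\t" in entry:
            problems.append("entry %d uses a tab instead of one blank space" % number)
        elif entry != entry.strip():
            problems.append("entry %d has leading or trailing blanks" % number)
        elif not ENTRY.match(entry):
            problems.append(
                "entry %d is not 'username password' with one blank space" % number
            )
    return problems


if __name__ == "__main__":
    # DCRCLIFILE is the environment variable named in the guide.
    target = os.environ.get("DCRCLIFILE")
    if target:
        for problem in check_dcrcli_password_file(target):
            print(problem)
```
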
Viewing the Current DCR Mode Using CLI
Viewing Device Details
Changing DCR Mode Using CLI
Enter NMSROOT/bin/dcrcli -u username.
Enter the password corresponding to the username.
Enter lsmode
It lists the DCR ID, the DCR Group ID, the current DCR mode, and the associated Master and Slaves.
Enter NMSROOT/bin/dcrcli -u username.
Enter the password corresponding to the username.
Enter details id=DeviceID
This lists all the details about the device with the ID you have specified. For example,
detail id=54341

Enter NMSROOT/bin/dcrcli -u username.
Enter the password corresponding to the username.
Enter setmaster
The DCR mode gets changed to Master.

Enter NMSROOT/bin/dcrcli -u username.
Enter the password corresponding to the username.
Enter setstand
The DCR mode gets changed to Standalone.
Enter NMSROOT/bin/dcrcli -u username.
Enter the password corresponding to the username.
Enter setslave master=value
You have to specify the Master for this slave. The DCR mode gets changed to Slave. For example,
setslave master=1.2.1.3 port=443

Export Groups to an output XML file
Import Groups to Grouping Server from an input XML file
You should have Network Administrator, System Administrator, or Super Admin privileges to use OGSCli command line utility. OGSCli runs in only Batch mode. It runs the specified command and exits to the prompt after the command is run. This section explains:
Or
where, NMSROOT is the directory where you have installed CiscoWorks. CiscoWorks_Username is the login username of a CiscoWorks user. For example, you can enter /opt/CSCOpx/bin/OGSCli.sh -u admin on Solaris/Soft Appliance systems. The system prompts you to enter your Cisco Prime password.
Step 3 Enter your Cisco Prime password. The system prompts you to enter a task name, import or export. The default task is export.
Step 4 Enter export. The system prompts you to enter an output file name.
Step 5 Enter a file name for export output file with its absolute path name. If you do not enter file name with its absolute path name, the export file will be stored on \nmsroot\bin. A warning message appears indicating that the selected file will be overwritten with the new information on exported groups. The system uses the file name that you have entered to generate the output XML file irrespective of whether the file exists on the server. You should have the required directory-level permissions where you want to save the output XML file. You must either enter y to continue or n to exit. The system prompts you to enter an export group hierarchy.
Step 6 Enter All or the export group hierarchy name. Default value is All. For example, you can enter the group hierarchy name as /CS@doc-pc2/User Defined Groups/Group1. The system generates an export format XML file and stores on the specified directory on the server.
Or
where, NMSROOT is the directory where you have installed CiscoWorks. CiscoWorks_Username is the login username of a CiscoWorks user. For example, you can enter /opt/CSCOpx/bin/OGSCli.sh -u admin on Solaris/Soft Appliance systems. The system prompts you to enter your Cisco Prime password.
Step 3 Enter your Cisco Prime password. The system prompts you to enter a task name, import or export. The default task is export.
Step 4 Enter import. The system prompts you to enter the input XML filename.
Step 5 Enter the input XML filename with its absolute path name. The system lists the groups to be imported from the source XML file.
Step 6 Enter your choices using the item numbers displayed for the listed groups. You can enter one or more item numbers separated by comma. The system lists the Grouping Server locations where you can import the groups.
Step 7 Enter your choices using the item numbers displayed for the listed Grouping Servers. You can enter one or more item numbers separated by comma. You must enter 1 to import the selected groups to all listed servers. A message appears indicating whether the import of groups is successful. See Exporting Groups for the possible causes for the import groups job to fail.
Enter NMSROOT\bin
Enter DeleteStaleGroups -user username -pfile passwordfile -staleuser StaleUser
On Solaris/Soft Appliance:
Step 1 Enter NMSROOT/bin
Step 2 Enter DeleteStaleGroups.sh -user username -pfile passwordfile -staleuser StaleUser
-user: Current user who has the necessary privileges to delete groups.
-pfile: Absolute Path of the text file with Cisco Prime login password of the current user, in one line.
-staleuser: The user whose group has to be deleted.
If you run the DeleteStaleGroups utility without specifying any of these optional entries, all the stale groups will be deleted.
Use the -prompt command if you do not want to enter your password from the command line. Using -prompt prevents other users from running ps and seeing your password. The -host option is required when you run the CLI command on a remote LMS Server.
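A defensive check for the exposure described above, as an added example that is not part of the Cisco guide: it scans a process listing for ut -cli invocations that pass a value after -p and reports them with the value redacted. The ps lines, user names, paths and password are constructed, and the function name is hypothetical.

```python
# Constructed `ps -ef`-style lines (not from the guide); the accounts, paths
# and password value are made up. Columns: UID PID PPID CMD.
PS_SAMPLE = """\
UID      PID  PPID CMD
lmsop   4121  4100 /opt/CSCOpx/campus/bin/ut -cli -query all -export /tmp/ut.txt -u admin -p S3cr3t!
lmsop   4207  4100 /opt/CSCOpx/campus/bin/ut -cli -stat -u admin -prompt
opsuser 4300     1 /opt/CSCOpx/bin/DeleteStaleGroups.sh -user admin -pfile /opt/secure/pw.txt -staleuser bob
lmsop   4410  4100 ut -cli -switchPortSummary -devices all -export /tmp/sum -u admin -p
"""


def find_exposed_passwords(ps_text):
    """Return ut -cli processes whose command line carries a -p value.

    Each finding holds the owning account, the PID and the command with the
    password replaced by a marker, so the report does not leak it again.
    """
    findings = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        uid, pid, _ppid, cmd = fields
        argv = cmd.split()
        program = argv[0].replace("\\", "/").rsplit("/", 1)[-1]
        if program != "ut" or "-cli" not in argv:
            continue
        # -prompt and -pfile are different tokens, so only an exact "-p"
        # followed by a non-option token counts as an inline password.
        # Limitation: a password that itself starts with "-" is not detected.
        for index, arg in enumerate(argv[:-1]):
            if arg == "-p" and not argv[index + 1].startswith("-"):
                redacted = argv[: index + 1] + ["<redacted>"] + argv[index + 2:]
                findings.append(
                    {"uid": uid, "pid": int(pid), "command": " ".join(redacted)}
                )
                break
    return findings


if __name__ == "__main__":
    for finding in find_exposed_passwords(PS_SAMPLE):
        print("%(uid)s pid=%(pid)d: %(command)s" % finding)
```
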
Table A-1
| Option | Arguments | Function |
|---|---|---|
| -prompt | | This command is required if you do not enter your password from the command line. If -prompt is specified, User Tracking prompts you to enter your password. |
| -help | | Prints the command line usage. |
| -ping | | Enables the Ping Sweep option so that the ANI Server pings every IP address on known subnets before discovery. The default is the last setting used. User Tracking does not perform Ping Sweep on large subnets, for example, subnets containing Class A and B addresses. Hence, ARP cache might not have some IP addresses and User Tracking may not display the IP addresses. In larger subnets, the ping process leads to numerous ping responses that might increase the traffic on your network and result in extensive use of network resources. To perform Ping Sweep on larger subnets, you can: Configure a higher value for the ARP cache time-out on the routers. To configure the value, you must use the arp time-out interface configuration. Use any external software, which will enable you to ping the host IP addresses. This ensures that when you run User Tracking Acquisition, the ARP cache of the router contains the IP addresses. |
| -performMajorAcquisition | No keywords or arguments. | Acquires data about all users and hosts on the network and updates the LMS database. This option starts an acquisition but does not wait for it to complete. |
Table A-1 (continued)
| Option | Arguments | Function |
|---|---|---|
| -query | This option takes one of the following arguments: | Queries the Topology and Layer 2 services module database and updates the User Tracking table. |
| | all | Gets all User Tracking entries. Similar to All Host Entries or a simple query in the GUI. |
| | name | Runs the named advanced or simple query, created earlier in the GUI. |
| | dupMAC | Finds duplicate MAC addresses. |
| | dupIP | Finds duplicate IP addresses. |
| | hub | Finds ports with multiple MAC addresses (hubs). |
| -queryPhone | all | Gets all IP Phone entries. |
| | name | Runs the named advanced query, created earlier in the GUI. |
| -layout | layout_name | Uses the specified main table layout while performing a query to fetch User Tracking display entries. |
| -layoutPhone | layout_name | Uses the specified IP phone table layout while performing a query to fetch IP phone display entries. |
| -host | ANI Server device name or IP Address | Specifies the host name or IP address of the LMS Server. Use this argument when you need to run the CLI command on a remote LMS Server. |
| -port | | Specifies the web server port number of the ANI Server. The default is 1741. |
| -export | filename | Exports data to a text file. You must first specify the -query option to fetch the data that you want to export. |
| -import | filename | Imports lost or deleted UserName and Notes fields from the last exported file. |
| -importMACToAcceptableOUI | | Imports MACs and converts them to OUI and adds the MACs to the Acceptable OUI List. For example: cd NMSROOT/bin, then ut -cli -importMACToAcceptableOUI filename -u username -p password |
| -stat | | Displays statistical information, such as time of last acquisition, acquisition status, number of records in the User Tracking database, and so on. |
| -debug | | Enables trace and debug messages for the User Tracking client application. |
Table A-1 (continued)
| Option | Arguments | Function |
|---|---|---|
| -wireless | | Displays detailed information on Wireless clients connected to the network. If you enter this option along with the export option, data can be exported to a text file. For example: NMSROOT/campus/bin ut -cli -wireless -export c:/sample -u username -p password |
For complete details on this, see Exporting Switch Port Usage Report.
For details on Lookup Analyzer Script, see Using Lookup Analyzer Utility.
Ports that are administratively up or down and Ports that were previously connected to an endhost or a device but are unconnected at least for a period of one day.
Switch port usage reports can be generated from the command prompt as given in Table A-2:
Table A-2 Switch Port Reports from the Command Prompt
| Purpose | Command |
|---|---|
| Switch Port Capacity Report | |
| To generate reports where the utilization is less than the specified percentage (for all devices managed by LMS) | |
| To generate reports where the utilization is less than the specified percentage (for specific devices) | |
| To generate reports where the utilization is greater than the specified percentage (for all devices managed by LMS) | NMSROOT/campus/bin ut -cli -switchPortCapacity greaterthan -export |
| To generate reports where the utilization is greater than the specified percentage (for specific devices) | NMSROOT/campus/bin ut -cli -switchPortCapacity greaterthan 60 -devices 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u username -p password |
| To generate reports where the utilization falls between the specified range (for all devices managed by LMS) | NMSROOT/campus/bin ut -cli -switchPortCapacity between 10 60 -devices all -export c:/sample -u username -p password |
| To generate reports where the utilization falls between the specified range (for specific devices) | NMSROOT/campus/bin ut -cli -switchPortCapacity between 10 60 -devices 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u username -p password |
Table A-2 (continued)
| Purpose | Command |
|---|---|
| | Generates reports for unused ports that are in up or down state. |
| To generate Reclaim Unused Up Ports report (for all devices managed by LMS) | NMSROOT/campus/bin ut -cli -switchPortReclaimReport type up days 2 -devices all -export c:/sample -u username -p password |
| To generate Reclaim Unused Up Ports report (for specific devices) | NMSROOT/campus/bin ut -cli -switchPortReclaimReport type up days 2 -devices 10.77.1.2,10.77.3.4 -export c:/sample -u username -p password |
| To generate Reclaim Unused Down Ports report (for all devices managed by LMS) | NMSROOT/campus/bin ut -cli -switchPortReclaimReport type down days 2 -devices all -export c:/sample -u username -p password |
| To generate Reclaim Unused Down Ports report (for specific devices) | NMSROOT/campus/bin ut -cli -switchPortReclaimReport type down days 2 -devices 10.77.1.2,10.77.3.4 -export c:/sample -u username -p password |
| Switch Port Summary Report | Generates reports that give the number of Connected, Free, and Free down ports in each switch. |
| To generate Switch Port Summary report for all devices | NMSROOT/campus/bin ut -cli -switchPortSummary -devices all -export c:/sample -u username -p password |
| To generate Switch Port Summary report for select devices | NMSROOT/campus/bin ut -cli -switchPortSummary -devices 10.77.1.2,10.77.3.4 -export c:/sample -u username -p password |
Note
The above commands can be run in a Solaris/Soft Appliance machine. To run the same commands in Windows, replace all forward slash (/) with reverse slash (\). The report generated by the above options is saved as a file in the CSV format, at the specified location. To generate various Switch Port Usage reports, select Reports > Switch Port.
DNS Server Efficiency for each DNS Server
Overall Summary of DNS Servers
Namelookup related settings in ut.properties file
Issues found and recommendations to overcome them
For Solaris/Soft Appliance:
The utility file is NMSROOT/campus/bin/LookupAnalyzer.sh
If dir is the directory where the file is present, run the following command to run the utility:
dir# ./LookupAnalyzer
For Windows:
The utility file is NMSROOT\campus\bin\LookupAnalyzer.bat
If dir is the directory where the file is present, run the following command to run the utility:
dir> LookupAnalyzer
Example output of the Lookup Analyzer script:
Host IP: 172.20.123.74, DNS Server: 64.104.76.247, Time taken: 35, Status: FAILURE
Host IP: 172.20.123.74, DNS Server: WINS, Time taken: 22, Status: FAILURE
Host IP: 10.77.209.254, DNS Server: 64.104.128.248, Time taken: 18, Status: FAILURE
..
..
DNS Server : 64.104.128.248
Success Count: 12
Failure Count: 76
Failure % : 86 %
Total Time : 1 secs 561 ms
Min Time : 0 ms
Max Time : 52 ms
Avg Time : 17 ms
Server Efficiency(successCount/totalTime): 7.0
-------------------------------
DNS Server : 64.104.76.247
Success Count: 0
Failure Count: 76
Failure % : 100 %
Total Time : 2 secs 729 ms
Min Time : 0 ms
Max Time : 61 ms
Avg Time : 35 ms
Server Efficiency(successCount/totalTime): 0.0
-------------------------------
DNS Server : WINS
Success Count: 0
Failure Count: 76
Failure % : 100 %
Total Time : 750 ms
Min Time : 0 ms
Max Time : 23 ms
Avg Time : 9 ms
Server Efficiency(successCount/totalTime): 0.0
-------------------------------
Overall Summary
----------------
Success Count: 12
Failure Count: 76
Failure % : 86 %
----------------
Current Namelookup Related Settings
--------------------------------
UTMajorUseDNSSeperateThread: false
UT.nameResolution: both
UT.nameResolution.threadCount: 1
UT.nameResolution.winsTimeout: 2000
UT.nameResolution.threadThresholdPercentage: 10
UT.nameResolution.dnsTimeout: 2000
UTMajorUseDNSCache: false
nameserver.usednsForUT: true
DB.dsn: ani
--------------------------------
ISSUES/RECOMMENDATIONS
----------------------
Issue #1: Failure Percent is greater than 20%
Recommendation: Check all DNS/WINS entries and ensure proper hostnames are configured
Issue #2: DNS reverse lookup is NOT done as separate process
Recommendation: Enable UTMajorUseDNSSeperateThread=true in ut.properties
Issue #3: Name Resolution DNS server order is not optimal
Recommendation: Change dns server order as 64.104.128.248=7.0, 64.104.76.247=0.0, WINS=0.0,
Other Recommendations:
* If hostnames in your network are less likely to change often, set UTMajorUseDNSCache=true
* If reverse lookup failure % is more, try increasing UT.nameResolution.winsTimeout, UT.nameResolution.dnsTimeout and UT.nameResolution.threadThresholdPercentage
* Optimal timeout values are: UT.nameResolution.winsTimeout=0, UT.nameResolution.dnsTimeout=48
The script can also be run by setting properties in the ut.properties file.
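Parsing the per-server summary of the sample Lookup Analyzer output and re-deriving the figures behind Issue #1 and Issue #3, as an added example that is not Cisco's code. The one-field-per-line layout, the truncating arithmetic (inferred from the sample values) and applying the 20% threshold to each server are assumptions.

```python
import re

# Per-server summary from the sample output above, one field per line.
# The values are the page's; the line layout is an assumption.
SAMPLE = """\
DNS Server : 64.104.128.248
Success Count: 12
Failure Count: 76
Failure % : 86 %
Total Time : 1 secs 561 ms
Min Time : 0 ms
Max Time : 52 ms
Avg Time : 17 ms
Server Efficiency(successCount/totalTime): 7.0
-------------------------------
DNS Server : 64.104.76.247
Success Count: 0
Failure Count: 76
Failure % : 100 %
Total Time : 2 secs 729 ms
Min Time : 0 ms
Max Time : 61 ms
Avg Time : 35 ms
Server Efficiency(successCount/totalTime): 0.0
-------------------------------
DNS Server : WINS
Success Count: 0
Failure Count: 76
Failure % : 100 %
Total Time : 750 ms
Min Time : 0 ms
Max Time : 23 ms
Avg Time : 9 ms
Server Efficiency(successCount/totalTime): 0.0
"""


def parse_time_ms(text):
    """Convert '1 secs 561 ms' or '750 ms' to milliseconds."""
    secs = re.search(r"(\d+)\s*secs", text)
    ms = re.search(r"(\d+)\s*ms", text)
    return (int(secs.group(1)) * 1000 if secs else 0) + (int(ms.group(1)) if ms else 0)


def parse_summary(text):
    """Return one dict per 'DNS Server' block; unknown fields are ignored."""
    servers, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:                      # separator rows carry no field
            continue
        key, value = key.strip(), value.strip()
        if key == "DNS Server":
            current = {"server": value}
            servers.append(current)
        elif current is None:
            continue
        elif key == "Success Count":
            current["success"] = int(value)
        elif key == "Failure Count":
            current["failure"] = int(value)
        elif key == "Failure %":
            current["reported_failure_pct"] = int(value.rstrip(" %"))
        elif key == "Total Time":
            current["total_ms"] = parse_time_ms(value)
        elif key.startswith("Server Efficiency"):
            current["reported_efficiency"] = float(value)
    return servers


def analyse(servers, threshold_pct=20):
    """Recompute failure % and efficiency and compare with the report."""
    report = []
    for s in servers:
        lookups = s["success"] + s["failure"]
        pct = s["failure"] * 100 // lookups if lookups else 0
        # Successes per second of total time, truncated (inferred rounding).
        eff = float(s["success"] * 1000 // s["total_ms"]) if s["total_ms"] else 0.0
        report.append({
            "server": s["server"],
            "failure_pct": pct,
            "efficiency": eff,
            "over_threshold": pct > threshold_pct,
            "matches_report": pct == s.get("reported_failure_pct")
            and eff == s.get("reported_efficiency"),
        })
    return report


def recommended_order(report):
    """Most efficient server first; ties keep their original order."""
    return [r["server"] for r in sorted(report, key=lambda r: -r["efficiency"])]
```
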
Understanding UTLite
UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active Directory, and Novell servers. To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell servers. You can also install UTLite in an Active Directory server. UTLite sends traps to LMS whenever a user logs in or logs out. UTLite traps are processed by LMS at the rate of 150 traps per second, with a default buffer size of 76800. If you need a higher trap processing rate, say 300 traps per second, increase the buffer size to 102400. To increase the buffer size:
Step 1 Enter pdterm UTLITE at the command line to stop the UTLite process.
Step 2 Open utliteuhic.properties located at NMSROOT\campus\lib\classpath\com\cisco\nm\cm\ut\uhic\utlite\properties\
Step 3 Set Socket.portbuffersize=102400
Step 4 Enter pdexec UTLITE at the command line to start the UTLite process.
Caution
Increasing the buffer size beyond 102400 results in performance degradation of UTLite.
Open utliteuhic.properties located at NMSROOT\campus\lib\classpath\com\cisco\nm\cm\ut\uhic\utlite\properties\
Change the property of URTlite state by changing the value from "URTlite.state=disable" to "URTlite.state=enable".
Or
You can change the property of URTlite state by launching LMS.
Select the Acquisition Settings option from Admin > Collection Settings > User Tracking > Acquisition Settings. The Acquisition Settings page appears.
In the Acquisition Settings page, check the Get user names from hosts in NT and NDS domains and click Apply.

Windows NT
Windows 2000
Windows XP
Windows 2003
Windows Vista
Novell Directory Services (NDS)
Solaris
HP-UX
AIX

Installing UTLite Script on Active Directory
Installing UTLite Script on Windows
Installing UTLite Script on NDS
Uninstalling UTLite Scripts From Windows
Uninstalling UTLite Scripts From Active Directory
Uninstalling UTLite Scripts From NDS
a. Log into the Active Directory server as Administrator.
b. Obtain the UTLite files from the Server Configuration:
NMSROOT\campus\bin\UTLite33.exe
NMSROOT\campus\bin\UTLiteNT.bat
where NMSROOT is the directory in which you installed Cisco Prime.
c. Copy the UTLiteNT.bat and UTLite33.exe files into the NETLOGON folder. NETLOGON is located at: %SystemRoot%\sysvol\sysvol\domain DNS name\scripts, where %SystemRoot% is usually c:\winnt and domain DNS name is the DNS name of the domain.
Step 2 Open the UTLiteNT.bat file. Locate the following line and replace domain and ipaddress with the domain name of the Windows domain controller and IP address of the computer running the Campus Manager server:
start
If port 16236 is already in use, enter a different number. This port number must match the number that you entered in the Use Port Number field, in the User Tracking Acquisition Settings page (Select Admin > Collection Settings > User Tracking > Acquisition Settings). For more details, see Modifying UT Acquisition Settings.
Edit the logon script files to run the UTLiteNT.bat file when users log into the network by adding this line:
UTLiteNT.bat
Step 3 Update the domain controller logon script for each Windows domain that you add. The first time users log into the network after you edit this script, UTLite33.exe is copied to the local WINDIR directory on their Windows client system.
a. Log into the Windows primary domain controller as Administrator.
b. Obtain the UTLite files from the Server Configuration:
C:\Program Files\CSCOpx\campus\bin\UTLite33.exe
C:\Program Files\CSCOpx\campus\bin\UTLiteNT.bat
where C:\Program Files\ is the directory in which you installed Cisco Prime.
c. Copy the UTLiteNT.bat and UTLite33.exe files into the NETLOGON folder. NETLOGON is located at %SYSTEMROOT%\system32\Repl\Import\Scripts, where %SYSTEMROOT% is the root directory for the Windows operating system files.
Step 2 Open the UTLiteNT.bat file. Locate the following line and replace domain and ipaddress with the domain name of the Windows domain controller and IP address of the computer running the LMS Server:
start
If port 16236 is already in use, enter a different number. This port number must match the number that you entered in the Use Port Number field, in the User Tracking Acquisition Settings page (Select Admin > Collection Settings > User Tracking > Acquisition Settings). For more details, see Modifying UT Acquisition Settings.
Step 3 Edit the logon scripts. Edit users' logon script files to run the UTLiteNT.bat file when users log into the network by adding this line:
UTLiteNT.bat
Step 4 Update the domain controller logon script for each Windows domain that you add. The first time users log into the network after you edit this script, UTLite33.exe is copied to the local WINDIR directory on their Windows client system.
Copy the required files to the Novell Server.
Log into the Novell Server as Administrator.
Obtain the UTLite files from the LMS Server:
C:\Program Files\CSCOpx\campus\bin\UTLite33.exe
C:\Program Files\CSCOpx\campus\bin\UTLiteNDS.bat
where C:\Program Files\ is the directory in which you installed Cisco Prime.
Create a folder in \\Novell Server Name\SYS\public and copy UTLiteNDS.bat and UTlite33.exe to the folder.
Edit the UTLiteNDS.bat file:
Open the UTLiteNDS.bat file.
Locate the following line and replace domain and ipaddress with the domain name of the Windows domain controller and IP address of the computer running the LMS server:
start
If port 16236 is already in use, enter a different number. This port number must match the number that you entered in the Use Port Number field, in the User Tracking Acquisition Settings page (Select Admin > Collection Settings > User Tracking > Acquisition Settings). For more details, see Modifying UT Acquisition Settings.
Edit the logon scripts.
Step 8 Enter \\Novell_Server_Name\SYS\public\NaL.exe at the command prompt.
Step 9 Click NWAdmin32 to run the Novell Netware Administrator program.
Step 10 Right-click on the users or organizational units whose logon scripts you want to modify and select Details.
Step 11 Click Login Script and enter: @\\%FILE_SERVER%\sys\public\your_folder_name\UTLiteNDS.bat where your_folder_name is the name of the folder you created in Step 1.
Remove UTLiteNT.bat and UTLite33.exe files from each primary domain controller. Remove the call to run UTLiteNT.bat from users' logon scripts. Delete UTLite33.exe from the WINDIR directory of all Windows clients. To quickly locate the WINDIR directory, enter set windir from a command prompt window on each client.
Remove UTLiteNT.bat and UTLite33.exe files from each Active Directory server. Remove the call to run UTLiteNT.bat from users' logon scripts. Delete UTLite33.exe from the WINDIR directory of all Windows clients. To quickly locate the WINDIR directory, enter set windir from a command prompt window on each client.
Remove UTLiteNDS.bat and UTLite33.exe files from the Novell Server. Remove the line added to the login scripts for all users and organizational units. Delete UTLite33.exe from the WINDIR directory of all clients. To quickly locate the WINDIR directory, enter set windir from a command prompt window on each client.
The debugger utility uses the data collected by LMS Server and reports the reasons for the missing ports in User Tracking. This tool also has an embedded SNMP component that runs an SNMP query for the table to verify whether SNMP has failed, for example, because of SNMP bugs in the Catalyst operating system that can cause User Tracking to fail to discover devices. The utility generates an Action Report that you can use to analyze the data. The Debugger Utility:
1. Checks the switch ports in a sequential order.
2. Reports violation of basic rules for each of the missing ports such as link ports and trunk ports.
3. Checks for SNMP retrieval of data, if the ports pass the validity check.
4. Generates an Action Report suggesting possible remedial actions to retrieve the valid missing ports.
where switch is the switch to which the end hosts are connected, and ports are the ports on the switch that have end hosts missing from User Tracking.
-export filename specifies that the debug messages be stored in the specified file. If this option is not used, the messages are displayed on the console.
For example,
utdebug -switch 10.29.6.12 -port 5/12
utdebug -switch 10.29.100.10 -port Fa0/10
utdebug -switch 10.29.6.14 -port Gi6
Replacing Corrupted Database
Re-initializing the Database
Deleting all Active Entries from User Tracking, and Restarting Servers
Deleting all Inactive Entries from User Tracking, and Restarting Servers
Deleting all History Entries from User Tracking, and Restarting Servers
Deleting all User Tracking Entries, and Restarting Servers
Restoring the Original Data in the Server
Restoring Data from Another Server
Performance Tuning Tool
If you have a corrupted database, you can use the database administration tools to restore the database from a previous backup. However, if you do not have a previous backup, you must re-initialize the database. When you run this command, if Data Collection is running, it is automatically stopped and then restarted when the database initialization is complete.
Caution
If you re-initialize the database, information from discovered devices will be lost. However, user and host information is retained. Replace the database only if recommended by a Cisco technical representative.
Note
On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl
On Windows: perl NMSROOT\campus\bin\reinitdb.pl
The following message appears:
This will erase all data from the database. Are you sure [y/n] ?
If you enter y, it erases all data (database tables Wbu*...) from the server.
Deleting all Active Entries from User Tracking, and Restarting Servers
On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -active
On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -active
On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -inactive
On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -inactive
where inactive entries are hosts that are currently not logged in.
Deleting all History Entries from User Tracking, and Restarting Servers
On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -history
On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -history
where history entries are complete entries. That is, hosts that have a login and logout in the past.
Deleting all User Tracking Entries, and Restarting Servers
On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -all
On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -all
Note
Before executing the -restore command, you should stop the daemon manager and start again manually. For details, see Using Daemon Manager.
Restoring Data from Another Server
When you back up the LMS database on one server and restore it on another server, the NMSROOT log file location may not be the same on both servers. In that case, LMS logs messages to the log file stored in the default NMSROOT location on the restored machine, where NMSROOT is the root directory where you installed CiscoWorks.
When you get out of memory errors in LMS, the following command can be used to tune the performance:
NMSROOT/bin/perl NMSROOT/campus/bin/CMPTT.pl ProcessName HeapSize MaxPermSize
Heap size should be multiples of 512 and should not exceed 1536 MB. Ensure you have enough swap space in the server before tuning the heap size. MaxPermSize will set the JVM MaxPermSize option to 64m.
To use various LMS features on devices running SNMPv3, you must make specific configurations on the devices. The commands that need to be configured are:
Configuring MIB Views
Configuring Access Groups
Configuring Device with Context Name
Configuring a New User
Configuring Password for a User
Relating a User to a Group
Configuring Privacy Protocol
oid-tree included
You must set the access rights for a group with a certain security model in different security levels. For Catalyst devices, enter the following command:
set snmp access campusgroup security-model v3 authentication read campusview write campusview nonvolatile
access-list
IOS image versions prior to 12.4 support only exact context names. IOS image versions 12.4 or higher support both exact and prefix context names. You need to configure the device both with and without a context name, because Data Collection manages the device without a context name and User Tracking requires a context name to contact the device.
Configuring a New User
Using a specified security model you can relate a user to a group. For Catalyst devices, enter the following command:
set snmp group campusgroup user campususer security-model v3 nonvolatile
Configuring SNMP view to prevent %SNMP-3-AUTHFAIL Syslog due to polling of shutdown VLANs
Because of a limitation of the stpxPVSTVlanEnable MIB object, Data Collection polls shut-down VLANs to fetch STP-related data, which causes the device to generate %SNMP-3-AUTHFAIL syslog messages. To avoid polling shut-down VLANs, an SNMP-VACM-MIB view has to be created on the device and associated with the SNMP credential, and the property vacmContextNameEnabled has to be set to 1 in LMS. Create the view, including and excluding MIBs as shown in the following configuration:
snmp-server view <view-name> iso included
snmp-server view <view-name> internet included
snmp-server view <view-name> internet.6.3.15 excluded
snmp-server view <view-name> internet.6.3.16 excluded
snmp-server view <view-name> internet.6.3.18 excluded
snmp-server view <view-name> cTapMIB excluded
snmp-server view <view-name> internet.6.3.16.1.1 included
In LMS, the property vacmContextNameEnabled in ANIServer.properties under NMSROOT/campus/etc/cwsi has the value 0 by default. Change this value to 1 and then restart the daemons.
Note
The device side configuration has to be done on all the devices in the network before changing the property in LMS. Otherwise some of the features will not work in Topology and Layer2 Services.
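The ordering in the note above can be checked before the property is changed. The following is an added example, not Cisco's or LMS's own code: it audits saved device configurations for the view statements listed above. The view name lmsview, the device names, the sample configurations and the key=value layout of ANIServer.properties are assumptions, and the check expects the OID trees to appear in the configuration spelled as on this page.

```python
import re

# View statements required by the configuration shown above. For reference:
# internet.6.3.15, .16 and .18 are the SNMP user-based security, view-based
# access control and community MIB subtrees; internet.6.3.16.1.1 is the
# vacmContextTable inside the excluded .16 subtree.
REQUIRED = [
    ("iso", "included"), ("internet", "included"),
    ("internet.6.3.15", "excluded"), ("internet.6.3.16", "excluded"),
    ("internet.6.3.18", "excluded"), ("cTapMIB", "excluded"),
    ("internet.6.3.16.1.1", "included"),
]
VIEW_RE = re.compile(
    r"^\s*snmp-server\s+view\s+(\S+)\s+(\S+)\s+(included|excluded)\s*$")

# Constructed sample input: "lmsview", "sw-a" and "sw-b" are hypothetical.
SAMPLE_CONFIGS = {
    "sw-a": """\
snmp-server view lmsview iso included
snmp-server view lmsview internet included
snmp-server view lmsview internet.6.3.15 excluded
snmp-server view lmsview internet.6.3.16 excluded
snmp-server view lmsview internet.6.3.18 excluded
snmp-server view lmsview cTapMIB excluded
snmp-server view lmsview internet.6.3.16.1.1 included
""",
    "sw-b": """\
snmp-server view lmsview iso included
snmp-server view lmsview internet included
snmp-server view lmsview internet.6.3.15 excluded
snmp-server view lmsview internet.6.3.16 excluded
snmp-server view lmsview cTapMIB included
snmp-server view lmsview internet.6.3.16.1.1 included
""",
}
SAMPLE_PROPERTIES = "# constructed excerpt\nvacmContextNameEnabled=0\n"

def parse_views(config_text):
    """Return {view_name: {oid_tree: action}} from device configuration text."""
    views = {}
    for line in config_text.splitlines():
        m = VIEW_RE.match(line)
        if m:
            name, tree, action = m.groups()
            views.setdefault(name, {})[tree] = action
    return views

def audit_device(config_text, view_name):
    """List deviations from REQUIRED; an empty list means the view matches."""
    entries = parse_views(config_text).get(view_name)
    if entries is None:
        return [f"view {view_name} not configured"]
    problems = []
    for tree, action in REQUIRED:
        got = entries.get(tree)
        if got is None:
            problems.append(f"missing: {tree} {action}")
        elif got != action:
            problems.append(f"wrong action: {tree} is {got}, expected {action}")
    return problems

def read_property(properties_text, key="vacmContextNameEnabled"):
    """Return the value of key from key=value properties text, or None."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            return v.strip()
    return None

def safe_to_enable(device_configs, view_name):
    """Return (ok, {device: problems}); ok only if every device passes."""
    failures = {}
    for device, cfg in device_configs.items():
        problems = audit_device(cfg, view_name)
        if problems:
            failures[device] = problems
    return (not failures, failures)

if __name__ == "__main__":
    ok, failures = safe_to_enable(SAMPLE_CONFIGS, "lmsview")
    for device, problems in failures.items():
        for p in problems:
            print(f"{device}: {p}")
    current = read_property(SAMPLE_PROPERTIES)
    print(f"vacmContextNameEnabled is {current}; safe to set to 1: {ok}")
```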
APPENDIX B
Troubleshooting Guidelines
This section provides guidelines on the following:
Table B-1

Symptom: User Tracking cannot discover any users or hosts or User Tracking cannot display any IP phones.
Probable Cause: There may not be information in the LMS database.
Possible Solution: The device might not be part of DCR and you must run Device Discovery and Data Collection.
Discovering Devices in Inventory Management with Cisco Prime LAN Management Solution 4.1
Administering Data Collection

Symptom: User Tracking cannot discover certain users or hosts.
Probable Cause: The LMS server might not have discovered one or more devices to which users and hosts are connected.
Possible Solution:
1. Check the CiscoWorks topology for the missing devices.
2. Ensure that CDP and SNMP are enabled on the devices, and rediscover these devices.
3. Verify that they appear on the topology view.

Probable Cause: The LMS server might not have discovered the specific Media Convergence Server (MCS) that runs the instance of Cisco CallManager to which the IP phones are registered.
Possible Solution:
1. Check the CiscoWorks topology for the missing MCS that runs the instance of Cisco CallManager to which the phones are registered.
2. Ensure that Cisco CallManager is shown as a service running on the MCS and is discovered by the LMS Server.
3. Rediscover all IP phones.

Symptom: User Tracking table does not contain device name, IP address, and subnet information for some hosts.
Probable Cause: User Tracking cannot find the most recent network information. Network changes are not currently reflected in ARP information (routers) or bridge tables (switches). User Tracking does not perform Ping Sweep on large subnets; for example, subnets containing Class A and B addresses. Hence, the ARP cache might not have some IP addresses and User Tracking may not display those IP addresses. In larger subnets, the ping process leads to numerous ping responses that might increase the traffic on your network and result in extensive use of network resources.
Possible Solution: Enable Ping Sweeps when User Tracking performs Discovery. Ping Sweeps are enabled by default. To perform Ping Sweep on larger subnets, you can either:
Configure a higher value for the ARP cache time-out on the routers. To configure the value, you must use the arp timeout interface configuration command on devices running Cisco IOS.
Or
Use any external software, which will enable you to ping the host IP addresses. This will ensure that when you run User Tracking Acquisition, the ARP cache of the router contains the IP addresses.

Symptom: You have:
Made changes to the network.
Run User Tracking Major Acquisition.
The changes do not appear in the User Tracking display.
Probable Cause: A complete Device Discovery process has not run since you added your changes. User Tracking Major Acquisition is not a full network discovery. The process discovers only the user and host data in your network. Changes that you make to your network might not appear after a User Tracking Major Acquisition.
Possible Solution:
1. Run Device Discovery.
2. Run a complete Data collection.
3. Generate a new report after data collection is complete to see the changes.
Table B-2

Administrative Tasks

Purpose: Runs self-tests and generates a report with the results.
Action: Select Admin > System > Server Monitoring > Selftest.

Purpose: Checks whether back-end processes are in an interim state.
Action: Select Admin > System > Server Monitoring > Processes.

Purpose: Provides system information, environment, configuration, logs, and web server information.
Action: Select Admin > System > Server Monitoring > Collect Server Information
Or
Enter the following command:

Server Status

Purpose:
Log files
Configuration settings
Memory information
Complete system related information
Process status
Host environment information
It also collects any other relevant data, into a deliverable tar (compressed form) file to support the MDCs installed.
The MDC Support utility also queries CCR for any other support utilities registered, and runs them. Other MDCs need to register their own support utilities that will collect their relevant data.
Action: The utility creates a tar file in NMSROOT\MDC\etc directory. If \etc directory is full, or if you want to preserve the data collected previously by not overwriting the tar file, you may create another directory by running the following command:
MDCSupport.exe Directory
For Solaris/Soft Appliance,
1. Set the LD_LIBRARY_PATH environment variable to /opt/CSCOpx/MDC/lib:/opt/CSCOpx/lib:
2. Go to /opt/CSCOpx/MDC/bin and run the command: ./mdcsupport
The utility creates a tar file in CSCOpx/MDC/etc directory. If \etc directory is full, or if you want to preserve the data collected previously by not overwriting the tar file, create another directory by running the following command:
./mdcsupport Directory
Before you close the command window, ensure that the MDC Support utility has completed its action. If you close the window prematurely, the subsequent instances of MDCSupport Utility will not function properly. If you happen to close the window, delete the mdcsupporttemp directory from NMSROOT\MDC\etc directory, for subsequent instances to work properly.
Troubleshooting Suggestions
Use the suggestions in Table B-3 to resolve errors or other problems with the Cisco Prime LMS Server.
Table B-3 Troubleshooting Suggestions
Symptom: Authorization required. Please log in with your username and password.
Probable Cause: Incompatible browser causing cookie failure (unable to retrieve cookie).
Possible Solutions: Verify that you have Accept all cookies enabled. Refer to the installation documentation for supported Internet Explorer and Mozilla Firefox software and setup procedures.

Symptom: Daemon Manager could not start. The port is in use.
Probable Cause: The operating system has not yet reallocated the port.
Possible Solutions: Make sure all Cisco Prime processes are terminated (/usr/ucb/ps -auxww | grep CSCO). Wait five to ten minutes, then try to restart the Daemon Manager.

Probable Cause: LMS cannot recover forgotten passwords.
Possible Solutions: A system administrator-level user must either change the password or delete the user account and add it again.

Symptom: You are logged out of the Cisco Prime Server.
Probable Cause: Changes in the login module configuration file might not be correct. Authentication server might be down and there were no fallback logins set.
Possible Solutions:
1. Log into Cisco Prime LMS Server.
2. Enter the following commands:
NMSROOT\bin\perl NMSROOT\bin\ResetLoginModule.pl
(on Windows)
NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl
Restart Daemon Manager.

Symptom: The Log File Status window displays files that exceed their limit.
Probable Cause: Files need to be backed up so that file size will be reset to zero.
Possible Solutions:
1. Stop all processes.
2. Enter the log file maintenance commands:
NMSROOT\cgi-bin\admin\ (on Windows)
NMSROOT/cgi-bin/admin/ (on Solaris/Soft Appliance)
3.
Probable Cause: Device is not SSH enabled or the server is not authorized to initiate SSH connection.
Possible Solutions:
1. Check whether the device is up or not.
2. Try connecting to the device with a commercial SSH client. If you are able to connect, go to step 3. If you are not able to connect, check whether the device is running SSH enabled (K2 or K9) image.
If it is not the correct image, download the appropriate image to the device.
If you have the correct image, check whether you have created RSA key pairs in the device. Creating RSA keys will enable SSH in the device.
3. Check whether your server or network is authorized to initiate SSH connections to device.

Symptom: While launching the Group Administration page, the following error message is displayed:
Error in communicating with Group Administration Server.
Probable Cause: The Group Administration server is either not running or yet to be up.
Possible Solutions: Start the Group Administration server from the user interface or from the CLI.
To start the server from the user interface:
1. Select Admin > System > Server Monitoring > Processes. The Process Management Dialog Box appears.
2. Check the CMFOGSServer check box in the Process Management dialog box.
3. Click Start.
To start the server from the CLI, enter:
NMSROOT/bin/pdexec CMFOGSServer
where NMSROOT is the Cisco Prime LMS Installation directory.

See Installing and Migrating to Cisco Prime LAN Management Solution 4.1 for troubleshooting tips on Cisco Prime installation.
User Tracking FAQs
VRF Lite FAQs
Cisco Prime LMS Server FAQs
Fault Management FAQs
Device Performance Management FAQs
IPSLA Performance Management FAQs
Q. Why are outdated entries appearing in my User Tracking table?
Q. How does User Tracking acquisition process differ from that of the LMS Server?
Q. How does User Tracking user and host acquisition process work?
Q. Why is User Tracking not performing Ping Sweeps on some subnets?
Q. How long does User Tracking maintain data?
Q. Does User Tracking discover users and hosts connected to non-Cisco Discovery Protocol (CDP) devices?
Q. Where does User Tracking log errors?
Q. Why am I getting a parse error when trying to parse some of the output files?
Q. Why are outdated entries appearing in my User Tracking table?
A. Outdated entries result when:
A user or host is assigned to new VLAN/port/VTP domain.
A power failure occurred.
A workstation has been switched off or removed from the network.
User Tracking does not automatically delete outdated end-user host entries. To delete these entries:
Manually delete selected entries.
Or
Configure a delete interval to purge records older than the given number of days. Select Admin > Network > Purge Settings > User Tracking Purge Policy
Q. How does User Tracking acquisition process differ from that of the LMS Server?
A. User Tracking is an LMS client application. The LMS Server provides several types of global discoveries, including:
Device and physical topology acquisition, resulting in baseline network information such as device identity, module and port information, and physical topology. This type of acquisition is required for logical, user, and path acquisition.
User acquisition, resulting in information about users and hosts on the network.
The LMS Server stores this information in the database. User Tracking discovers the host and user information in the LMS server database, correlates this information, and displays it in the User Tracking Reports. For more information about the various acquisition processes, see Various Acquisitions in User Tracking.
Q. How does User Tracking user and host acquisition process work?
A. Before collecting user and host information, LMS must complete Data Collection. After the completion of Data Collection, User Tracking performs the steps described in Table B-4.

Table B-4 User Tracking User and Host Acquisition Process

Description: Pings all IP addresses on all known subnets, if you have Ping Sweeps enabled (the default). This process updates the switch and router tables before User Tracking reads those tables. This ensures that User Tracking displays the most recent information about users and hosts.
Obtains MAC addresses from switches: Reads the switch's bridge forwarding table. The bridge forwarding table provides the MAC addresses of end stations, and maps these MAC addresses to the switch port on which each workstation resides.
Obtains IP and MAC addresses from routers: Reads the Address Resolution Protocol (ARP) table in routers to obtain the IP and corresponding MAC addresses.
Obtains hostnames: Performs a Domain Name Service (DNS) lookup to obtain the hostname for every IP address.
Obtains usernames: Attempts to locate the users currently logged in to the hosts and tries to obtain their username or login ID.
Records discovered information: Records the discovered information in the LMS database.

Q. Why is User Tracking not performing Ping Sweeps on some subnets?
A. The criterion for whether or not User Tracking performs Ping Sweeps on a subnet is the number of hosts in the subnet:
You must check if you have excluded the subnets from Ping Sweep.
If a subnet has 256 or fewer hosts, User Tracking performs Ping Sweeps on that subnet.
User Tracking does not perform Ping Sweeps on the subnets, which have more than 256 hosts.
If Ping Sweeps are not performed, User Tracking still obtains information from the router and switch mapping tables during a discovery. For more details on Ping Sweep, see Notes on Ping Sweep Option.
Q. How long does User Tracking maintain data?
A. It depends on the delete interval you have set. For more details, see Deleting User Tracking Purge Policy Details.
Q. Does User Tracking discover users and hosts connected to non-Cisco Discovery Protocol (CDP) devices?
A. LMS does not manage non-CDP devices. Hence User Tracking will not discover users and hosts in
Q. Where does User Tracking log errors?
A. User Tracking major acquisition errors are logged in the User Tracking error log. Data Collection errors are logged in the respective log file. The log files are located at:
Solaris/Soft Appliance: /var/adm/CSCOpx/log
Windows: NMSROOT\log
where NMSROOT is the directory where you have installed Cisco Prime.
Q. Why am I getting a parse error when trying to parse some of the output files?
A. A few classes in Optical switches contain special characters with ASCII code higher than 160. Most of the XML parsers do not support these characters and hence fail to parse them. To overcome this, you have to manually search for those elements with special characters and append CDATA as given in the example below:
If there is an element
<checksum> o </checksum>
Change it to:
<checksum> <![CDATA[o ]]> </checksum>
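The manual search and edit described in the answer above can be scripted. The following is an added example, not part of LMS: it locates leaf elements whose text contains characters with a code higher than 160 and wraps that text in CDATA. The function names and the sample document are constructed for illustration, and the input is assumed to be already decoded to text.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import unescape

# A leaf element: <tag ...>text</tag> holding character data only. Child
# elements and existing CDATA sections both start with "<", so they never match.
LEAF_RE = re.compile(r"<([A-Za-z_][\w.\-]*)((?:\s[^<>]*)?)>([^<]*)</\1\s*>")
CHARREF_RE = re.compile(r"&#(x[0-9A-Fa-f]+|[0-9]+);")
THRESHOLD = 160  # the limit given on this page

# Constructed sample document (not real LMS output).
SAMPLE = (
    "<inventory>\n"
    "  <card>\n"
    "    <name>card-1</name>\n"
    "    <checksum>\u00f8\u00a9 &amp; 7]]&gt;</checksum>\n"
    "  </card>\n"
    "  <note><![CDATA[already \u00e9 wrapped]]></note>\n"
    "</inventory>\n"
)

def has_high_chars(text):
    return any(ord(ch) > THRESHOLD for ch in text)

def decode_refs(text):
    """Resolve references, which would otherwise become literal inside CDATA."""
    def one(m):
        ref = m.group(1)
        return chr(int(ref[1:], 16)) if ref[0] == "x" else chr(int(ref))
    text = CHARREF_RE.sub(one, text)
    return unescape(text, {"&quot;": '"', "&apos;": "'"})

def find_high_char_elements(xml_text):
    """Return [(line_number, tag)] for leaf elements that need wrapping."""
    hits = []
    for m in LEAF_RE.finditer(xml_text):
        if has_high_chars(m.group(3)):
            hits.append((xml_text.count("\n", 0, m.start()) + 1, m.group(1)))
    return hits

def wrap_high_chars(xml_text):
    """Wrap the text of affected leaf elements in CDATA; return (text, count)."""
    count = 0
    def repl(m):
        nonlocal count
        tag, attrs, body = m.group(1), m.group(2), m.group(3)
        if not has_high_chars(body):
            return m.group(0)
        count += 1
        # "]]>" would end the section early, so split it across two sections.
        safe = decode_refs(body).replace("]]>", "]]]]><![CDATA[>")
        return f"<{tag}{attrs}><![CDATA[{safe}]]></{tag}>"
    return LEAF_RE.sub(repl, xml_text), count

if __name__ == "__main__":
    print(find_high_char_elements(SAMPLE))
    fixed, changed = wrap_high_chars(SAMPLE)
    print(f"{changed} element(s) wrapped")
    print(ET.fromstring(fixed).find("card/checksum").text)
```

Elements that are already wrapped are skipped, so the function can be run repeatedly over the same file.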
Q. What is VRF Lite?
Q. What is Network Virtualization?
Q. What are the pre-requisites to manage a device using VRF Lite?
Q. The device must be managed by LMS to exercise all the functionality of VRF Lite. The desired device is not listed in the device selector for the VRF Lite configuration workflows. What is the reason for a device not listed in the device selector?
Q. What are the different categories in which the devices are managed by Virtual Network Manager? Or what criteria are used by Virtual Network Manager to categorize the devices in the network?
Q. Sometimes, while performing VRF Lite configuration, I get the following message:
Q. What are the details of the VRF Lite log files? In which location are the VRF Lite log files located?
Q. When is the VRF Lite Collection process triggered?
Q. After the completion of the Data collection process, the VRF Lite Collector failed to run, What is the reason for failure?
Q. How can I configure SNMP timeout and retries details for VRF Lite?
Q. What is the reason for VLANs not getting populated in the VLAN to VRF Lite Mapping page in the Create VRF Lite and Extend VRF Lite workflows?
Q. How do I enable the debug messages for Virtual Network Manager?
Q. Why are some port-channels not discovered in VRF Lite?
Q. What are the processes newly introduced for VRF Lite?
Q. What is tested number of devices support in VRF Lite?
Q. What are the property files associated with VRF Lite?
Q. In the Interface to VRF Lite Mapping page for the Create, Edit and Extend VRF Lite workflow, why are values for the IP Address and SubnetMask fields empty?
Q. What is protocol order for configuration workflows?
Q. What is protocol ordering for troubleshooting?
Q. If you configure commands to be deployed to two different devices, will the commands be deployed parallelly or serially?
Q. Which VRF Lite configuration jobs that are failed can be retried?
Q. Why is the Monitor Real Time button disabled in the Ping or Traceroute VRF Lite page?
Q. Why are the FHRP and DHCP configurations not shown in VRF Lite?
Q. What is VRF Lite?
A. Virtual Routing and Forwarding Lite (VRF Lite) is one of the simplest forms of implementing virtualization technology in an Enterprise network. A Virtual Routing and Forwarding is defined as a VPN routing/forwarding instance. A VRF Lite consists of an IP Routing table, a derived forwarding table, a set of interfaces that use the forwarding table and a set of routing protocols that determine what goes into the forwarding table. VRF Lite is an application that allows you to pre-provision, provision and monitor Virtual Routing and Forwarding-Lite (VRF Lite) technology on an enterprise network.
Q. What is Network Virtualization?
A. Virtualization deals with extending a traditional IP routing to a technology that helps companies utilize network resources more effectively and efficiently. Using virtualization, a single physical network can be logically segmented into many logical networks. The virtualization technology supports multiple virtual routing instances of a routing table to exist within a single routing device and work simultaneously.
Q. What are the pre-requisites to manage a device using VRF Lite?
A. The pre-requisites to manage a device in VRF Lite are:
1. The device must be managed by LMS.
2. The device must either be L2/L3 or L3 device. The devices failing to satisfy pre-requisite #1 or #2 are not displayed in VRF Lite.
3. The device must have the necessary hardware support. For more information on hardware support, see http://www.cisco.com/en/US/partner/products/sw/cscowork/ps563/products_device_support_tables_list.html. If the device hardware is not supported then the device will be classified as Other devices.
4. If a device supports MPLS VPN MIB, it is classified as a capable device.
5. VTP Server must support MPLS VPN MIB. If the VTP Server does not support MPLS VPN MIB, VRF Lite will not manage VTP Clients.
Q. The device must be managed by LMS to exercise all the functionality of VRF Lite. The desired device is not listed in the device selector for the VRF Lite configuration workflows. What is the reason for a device not listed in the device selector?
A. A device is not listed in the device selector due to the following reasons:
All VRF Lite Configuration workflows like Create, Edit, Extend, Delete VRF Lite and Edge VLAN Configuration: A device will not be listed in the Device Selector if it does not satisfy the pre-requisites mentioned in Configuring Virtual Routing and Forwarding (VRF) in Configuration Management with Cisco Prime LAN Management Solution 4.1.
If the VRF Lite Configuration workflow is Edit VRF Lite, Delete VRF Lite or Edge VLAN Configuration, a device will not be listed in the Device Selector if it is not participating in the selected VRF Lite.
A device listed as a supported device in the Readiness Report may not be listed because it is not managed by LMS. You can check if a device is managed by using the Device Management State Summary (Inventory > Device Administration > Manage Device State).
In the Extend VRF Lite workflow, the devices listed in the Device Selector are the devices that are not participating in the selected VRF Lite.
In the Edge VLAN Configuration workflow, the devices listed in the Device Selector are only L2/L3 devices that are not participating in the selected VRF Lite.
Q. What are the different categories in which the devices are managed by Virtual Network Manager? Or what criteria are used by Virtual Network Manager to categorize the devices in the network?
A. Virtual Network Manager identifies the devices based on the minimum hardware and software support required to configure VRF Lite on the devices. Based on the available hardware and software support in the devices, Virtual Network Manager classifies the devices into the following categories:
VRF Lite Supported Devices: Represents the devices with required hardware and software
But the device software must be upgraded to support MPLS VPN MIB. For information on the IOS version that supports MPLS VPN MIB, refer to http://tools.cisco.com/ITDIT/MIBS/MainServlet. VRF Lite classifies all the devices from Cat 3k and Cat 4k family of devices as VRF Lite Capable devices as these devices do not have the required MPLS VPN MIB support.
Other: Represents the devices without required hardware support to configure VRF Lite.
Q. Sometimes, while performing VRF Lite configuration, I get the following message:
The device(s) with display name(s) are already locked as they are used by configuration workflows. You cannot configure these devices. Wait for some time Or Ensure the devices are not used by configuration workflows and free the devices from Admin > Network > Resource Browser.
Or
Selected Device(s) are locked as they are used by configuration workflows. You cannot configure these devices. Wait for some time OR Ensure the devices are not used by configuration workflows and free the devices from Admin > Network > Resource Browser.
Can I get the details of the user who has locked the devices to perform VRF Lite configuration?
A. You cannot get the details of the user who has locked the devices to perform VRF Lite configurations.
Q. What are the details of the VRF Lite log files? In which location are the VRF Lite log files located?
A. The following are the details of the VRF Lite log files:
1. Vnmserver.log: This log file logs the messages pertaining to the VRF Lite Server process.
2. Vnmcollector.log: This log file logs the messages pertaining to the VRF Lite collection.
3. Vnmclient.log: This log file logs the messages related to the User Interface.
4. Vnmutils.log: This log file logs the messages pertaining to the utility classes used by VRF Lite client and server.
The above-mentioned VRF Lite log files are located in the following location:
In Solaris/Soft Appliance: /var/adm/CSCOpx/log/
In Windows: NMSROOT\logs
Q. When is the VRF Lite Collection process triggered?
A. Manually:
You can manually schedule to run the VRF Lite Collection process by providing the setting details using the Admin > Collection Settings > VRF Lite > VRF Lite Collector Schedule option.
Automatically:
If you enable the Run VRF Lite Collector After Every Data Collection option in the VRF Lite Collector Schedule page, the VRF Lite Collection process will be automatically triggered after the completion of Data Collection. You can reach the VRF Lite Collector Schedule page using Admin > Collection Settings > VRF Lite > VRF Lite Collection Settings page.
Q. After the completion of the Data collection process, the VRF Lite Collector failed to run, What is
Lite Collector Schedule page. You can reach the VRF Lite Collector Schedule page from Admin > Network > VRF Lite Collection Settings page.
Q. How can I configure SNMP timeout and retries details for VRF Lite?
A. The SNMP timeout and retries details are configured using Admin > Collection Settings > VRF Lite > VRF Lite SNMP Timeouts and Retries. By default, all the devices have a timeout of six seconds and retry attempt of 1 second.
Q. What is the reason for VLANs not getting populated in the VLAN to VRF Lite Mapping page in the
device. The VLANs are not listed in fields displaying the links in the VLAN to VRF Lite Mapping page because VRF Lite tries to find a free VLAN in the devices connected using a link based on the following procedure:
1. An SVI, VRF Lite searches for free VLANs in the range 1-1005
2. An SI, VRF Lite searches for free VLANs in the range 1006-4005
Q. How do I enable the debug messages for Virtual Network Manager?
A. You can enable the debugging levels for a particular module using:
Admin > System > Debug Settings > VRF Lite Client Debugging Options.
Admin > System > Debug Settings > VRF Lite Collector Debugging
Admin > System > Debug Settings > VRF Lite Server Debugging
Admin > System > Debug Settings > VRF Lite Utility Debugging
You can manually change the name and the size of the log file. The configuration log files are available under NMSROOT/MDC/tomcat/webapps/vnm/WEB-INF/classes. The changes made will be reflected after approximately 60 seconds.
Q. Why are some port-channels not discovered in VRF Lite?
A. VRF Lite does not support port-channel and GRE Tunnel. Also, currently VRF Lite supports only 802.1Q
Q. What are the processes newly introduced for VRF Lite?
A. To run VRF Lite, the VRF Lite Server process is newly introduced in the application. The VRF Lite
configuration supported in 550 devices in your network. However, at a given time, you can select up to 20 devices and configure VRF Lite using the Create, Edit and Extend VRF Lite workflow.
Q. What are the property files associated with VRF Lite?
A. The following property files are associated with VRF Lite:
1. NMSROOT/vnm/conf/VNMClient.properties
This property file is used to provide the settings for Purge and Home page auto Refresh.
2. NMSROOT/vnm/conf/VNMServer.properties
This property file is used to provide the SNMP and VRF Lite Server settings.
3. NMSROOT/vnm/conf/VRFCollectorSnmp.conf
This property file stores the SNMP Timeout and Retries that you have configured.
Q. In the Interface to VRF Lite Mapping page for the Create, Edit and Extend VRF Lite workflow, why
Q. What is protocol order for configuration workflows?
A. Configuration workflow uses a protocol order similar to the ordering used by NetConfig in Resource Manager Essentials. Choose NetConfig as the Application Name on the Admin > Collection Settings > Config > Config Transport Settings page. You can view the protocol ordering in the Transport Settings page.
Q. What is protocol ordering for troubleshooting?
A. The Troubleshooting VRF Lite workflow uses a protocol ordering similar to the ordering used by NetShow in Resource Manager Essentials. Choose NetShow as the Application Name on the Admin > Collection Settings > Config > Config Transport Settings page. You can view the protocol ordering in the Transport Settings page.
Q. If you configure commands to be deployed to two different devices, will the commands be deployed in parallel or serially?
A. The commands will be deployed to multiple devices in parallel, whereas a series of commands
the jobs pertaining to Create, Edit, Extend, Delete VRF Lite and Edge VLAN Configuration workflow.
Q. Why is the Monitor Real Time button disabled in the Ping or Traceroute VRF Lite page?
A. The functionality for the Monitor Real Time button is provided by IPSLA Performance Management. This button is enabled only when IPSLA Performance Management is enabled in the local server.
Q. Why are the FHRP and DHCP configurations not shown in VRF Lite?
A. VRF Lite does not fetch the details for the FHRP or DHCP configuration from the device. Also, VRF Lite won't put the list of VLANs allowed on a trunk. The Protocols and DHCP Server details for existing or newly created SVIs are not fetched from the selected devices.
- General
- Security
- Software Center
- Event Distribution Services and Event System Services
- Backup and Restore
- Database
- Apache and Tomcat
General
This section lists the general FAQs on LMS:
Q. Which version of the Java Plug-in should I use for Cisco Prime to function properly?
Q. Why cannot I start my Cisco Prime application?
Q. Why am I unable to launch Cisco Prime from a Windows 2008 client machine?
Q. I am locked out of the Cisco Prime LMS Server. Why did this happen, and how do I regain access?
Q. Do I need to change the Cisco Prime configuration after changing the IP address?
Q. How do I change the hostname of the Cisco Prime LMS Server after installing it, or after running it for a while?
Q. How do I change the port for osagent in Windows?
Q. How do I change port for osagent in Solaris?
Q. How do I ensure that jrm is running fine?
Q. How do I change the casuser password in Windows?
Q. How do I change the Cisco Prime user password?
Q. How do I enable debugging for Session Management Services?
Q. What does a diskWatcher process do?
Q. Cisco Prime Time is not synchronized with System time. What should I do?
Q. How can I increase the timeout value of Cisco Prime LMS user interface?
Q. How should I change the syslog port of Cisco Prime from 514 to another number?
Q. What should I do when Daemon Manager and multiple processes are not started on a Windows machine?
Q. How do I change the IP address of the Cisco Prime LMS Server after installing it, or after running it for a while?
Q. Why do I get the Java Script Not Enabled error after logging into Cisco Prime?
Q. In IE 7.0 and IE 8.0, an error message appears when I choose the Telnet option in some portlets?
Q. What are the specific ports required for Internet HTTP features?
Q. Why is the display name not available in the home page after importing?
Q. How do you ensure to register using a template and launch the links properly?
Q. I am getting timeout exception in cmdsvc (command service library) during a device connection/socket establishment. How do I change the default timeout and delays in cmdsvc?
Q. How do I change the IP address of the Cisco Prime LMS Server after installing it, or after running it for a while?
A. You can change the IP address on the server, and then access it using the new IP address.
Click Start > Settings > Network and Dial-up Connections > Local Area Connection. The Local Area Connection Status dialog box appears.
Click Properties. The Local Area Connection Properties dialog box appears.
Select Internet Protocol (TCP/IP) and click Properties. The Internet Protocol (TCP/IP) Properties dialog box appears.
Select the radio button Use the following IP address.
Change the IP address as required, in the IP address field.
For the subnet mask and default gateway values, enter the ipconfig command at the command prompt. The subnet mask and default gateway values appear.
Enter these values in the Subnet mask and Default gateway fields.
Click OK to go back to Local Area Connection Status dialog box.
Click OK.
Restart the server.
To change the IP address on Solaris, use the ifconfig command at the command prompt to change the IP address of the required interface. For example, at the command prompt, you can enter:
ifconfig interfacename ipv4address
where the variable interfacename represents the name of the interface and ipv4address represents the new IP address.
Q. Why do I get the Java Script Not Enabled error after logging into Cisco Prime?
A. This could be because Java Script is disabled in Internet Explorer. You should enable it in IE. To do so:
Step 1 Launch Internet Explorer and click Tools > Internet Options.
Step 2 Click the Security tab and select Trusted Sites.
Step 3 Add the Cisco Prime LMS Server to the trusted zone.
Step 4 Clear the selection in Require server verification for all sites in this zone.
Step 5 Click OK to return to the Security tab.
Step 6 Click the Custom level button from the Security level for this zone panel.
Step 7 Select the Enable option for scripting of Java applets.
Step 8 Click OK to return to the Security tab.
Step 9 Click Apply.
Q. In IE 7.0 and IE 8.0, an error message appears when I choose the Telnet option in some portlets?
A. In Microsoft Internet Explorer 7.0 and 8.0 browsers, the Telnet protocol handler is disabled by
Click Start > Run. The Run dialog box opens.
In the Open box, enter: Regedit, then click OK. The Registry Editor opens.
Go to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl.
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl, create a new key named FEATURE_DISABLE_TELNET_PROTOCOL.
Add a DWORD value named iexplore.exe and set the value to 0 (decimal).
Close the Registry Editor.
Restart the browser. The Telnet protocol is enabled.
Q. What are the specific ports required for Internet HTTP features?
A. Only port number 80 is required for all HTTP interactions between Cisco Prime LMS Server and
imported.
Q. How do you ensure to register using a template and launch the links properly?
A. Before you register through a template, you should ensure that:
- The host is reachable.
- Port information specified is correct and reflects the current port of the bundle.
- The application is available and can be launched by entering the application URL in the browser.
Q. Which version of the Java Plug-in should I use for Cisco Prime to function properly?
A. Cisco Prime supports Java Plug-in 1.6.0_19 in all the supported clients and operating systems. We recommend that you do not install any plug-ins other than this one, for Cisco Prime to function properly.
Q. Why cannot I start my Cisco Prime application?
A. If you cannot start your Cisco Prime application and see error messages, it may be because the web server is not running. This may occur although pdshow indicates that those processes are running. You need to check how your machine resolves its server name and IP address. The Cisco Prime CORBA applications require name resolution to work properly. Domain Name Service (DNS) is mandatory for Cisco Prime CORBA applications to work properly. Configure the name resolution mechanism and restart the Cisco Prime LMS Server to access the application correctly.
Q. Why am I unable to launch Cisco Prime from a Windows 2008 client machine?
A. This is caused by the default security settings in the browsers. Sometimes, the META-REFRESH tag is disabled in the browser. To enable the META-REFRESH tag in the browser:
Step 1 Click Tools > Internet Options. The Internet Options dialog box opens.
Step 2 Click the Security tab.
Step 3 Select the Internet zone.
Step 4 Click Custom level... The Security Settings dialog box opens.
Step 5 In the Miscellaneous options, select the Enable option for Allow Meta Refresh field.
Step 6 Click OK, and then Apply to update the settings.
Step 7 Close the IE 7 or IE 8 open windows.
Step 8 Launch a new IE 7 or IE 8 window and log in to LMS.
Q. I am locked out of the Cisco Prime LMS Server. Why did this happen, and how do I regain access?
A. There are several reasons why you are locked out. It is probably caused by the changes made using the Select Login Module option. You must replace the incorrect login module with a default configuration, log into Cisco Prime, and return to the login module to correct one or more of the following:
- Session Time out
- Change from SSL mode to non-SSL mode
- Change from non-SSL mode to SSL mode
- Log out from any other Cisco Prime application
- Visit other sites and then return to Cisco Prime
Do not alter the existing technologies in the default configuration file. If all of the parameters listed are correct, see Troubleshooting Suggestions.
Q. Do I need to change the Cisco Prime configuration after changing the IP address?
A. You need not change the Cisco Prime configuration whenever you change the IP address. Cisco Prime uses hostname for most of the communication. Only devices need to point to the new IP address. However, after changing the IP address, you must reboot the system on a Solaris server and restart the Daemon Manager on a Windows server for the changes to take effect.
Q. How do I change the hostname of the Cisco Prime LMS Server after installing it, or after running it for a while?
A. To change the hostname of the Cisco Prime LMS Server, you need to update several files and Windows registry entries. You can use the hostnamechange.pl CLI utility to update the new host name information in files and Windows registry entries. See Using LMS Server Hostname Change Scripts for more information.
Q. How do I change the port for osagent in Windows?
A. Before you change the port for osagent in Windows:
- Ensure that the daemons are not running.
To change the port for osagent in Windows, run the following script at the command prompt:
NMSROOT\bin\perl NMSROOT\bin\ChangeOSAGENTPort.pl Port_Number
where Port_Number refers to any unused port number from 1026 to 65535.
The script completes the following:
- Updates the value of the following registry entries with the new port numbers.
HKEY_LOCAL_MACHINE > SOFTWARE > Cisco > Resource Manager > Current
- Changes the value of the port number to the new port number in NameServer and NameServiceMonitor processes.
- Changes the value of OSAGENT_PORT and PX_OSA_PORT port numbers in the md.properties file with the new port numbers.
Reboot the server and start the Daemon Manager after you have completed running the script.
Q. How do I change port for osagent in Solaris?
A. Before you change the port for osagent in Solaris:
- Ensure that the daemons are not running.
- Make sure that no CSCO processes are running.
- Back up the NMSROOT/objects/dmgt/dmgtd.conf file.
To change the port for osagent in Solaris, run the following script at the command prompt:
NMSROOT/bin/perl NMSROOT/bin/ChangeOSAGENTPort.pl Port_Number
where Port_Number refers to any unused port number from 1026 to 65535.
- Changes the value of the port number to the new port number in NameServer and NameServiceMonitor processes.
- Changes the value of OSAGENT_PORT and PX_OSA_PORT port numbers in the md.properties file with the new port numbers.
- Updates the new port number in the /etc/services file.
- Updates the entry in the /var/sadm/pkg/CSCOmd/pkginfo file.
Reboot the server and start the Daemon Manager after you have completed running the scripts.
Q. How do I ensure that jrm is running fine?
A. To check whether jrm is working on Windows, at the command prompt enter:
cwjava -cw NMSROOT com.cisco.nm.cmf.jrm.jobcli
NMSROOT com.cisco.nm.cmf.jrm.jobcli
If you get the message Established connection with JRM, then EDS, EDS-GCF and jrm are running.
If you do not get the above message, contact the technical assistance center with the error message.
If your jrm is down or inaccessible, you'll get a message while accessing the UIs.
Q. How do I change the casuser password in Windows?
A. You can change the casuser password using resetCasuser.exe. It can be run only by an administrator
Step 2
Enter 2, and press Enter. It prompts you to enter the password. Confirm the password.
Step 3
Note: You must know the password policy. If the password entered does not match the password policy, it exits.
Q. How do I change the Cisco Prime user password?
A. See Changing Cisco Prime User Password Through CLI for details.
Q. How do I enable debugging for Session Management Services?
A. To enable debugging for Session Management Services:
Step 1
Step 2
Q. What does a diskWatcher process do?
A. The diskWatcher process monitors disk space availability on the Cisco Prime LMS Server. This process calculates the disk space information of a drive (on a Windows machine) or a file system (on a Solaris machine) at regular intervals and stores it in the diskWatcher.log file. See Configuring Disk Space Threshold Limit for more information.
Q. Cisco Prime Time is not synchronized with System time. What should I do?
A. You should complete the following:
a. Edit the TIMEZONE file using the vi /etc/TIMEZONE command on a Solaris machine.
b. Set the TZ=standard_timezone. For example, you can specify TZ=MET.
c. Save the TIMEZONE file.
d. Reboot the machine.
Now the system displays the modified time zone information. If you need to change the time zone to daylight, you change only the time and date but not the TIMEZONE.
Q. How can I increase the timeout value of Cisco Prime LMS user interface?
A. You can configure the timeout value in the following file:
NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml
where NMSROOT is your Cisco Prime Installation directory. Change the value of the XML tag named session-timeout. Specify the value in minutes. The default timeout value is set to 2 hours. You cannot disable this option as this may increase the load in the server.
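A way to review and change the session-timeout value described above, as an added example that is not Cisco's code. The sample web.xml is constructed, and the 120-minute review ceiling is an assumption taken from the stated default of 2 hours.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a servlet deployment descriptor. It is
# not a copy of the web.xml shipped with the product.
SAMPLE_WEB_XML = """<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <display-name>constructed sample</display-name>
  <session-config>
    <session-timeout>120</session-timeout>
  </session-config>
</web-app>
"""

# Assumption: 120 minutes (the default of 2 hours stated above) is the longest
# idle period the reviewer accepts without a finding.
REVIEW_CEILING_MINUTES = 120

_TAG_RE = re.compile(r"(<session-timeout>)\s*(-?\d+)\s*(</session-timeout>)")


def read_session_timeout(xml_text):
    """Return the session-timeout value in minutes, or None if it is absent."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Strip an XML namespace prefix such as {http://java.sun.com/xml/ns/j2ee}.
        if elem.tag.rsplit("}", 1)[-1] == "session-timeout":
            return int((elem.text or "").strip())
    return None


def review_session_timeout(xml_text, ceiling=REVIEW_CEILING_MINUTES):
    """Return (minutes, findings) for the idle timeout configured in web.xml."""
    try:
        minutes = read_session_timeout(xml_text)
    except ValueError:
        return None, ["session-timeout is not an integer number of minutes"]
    findings = []
    if minutes is None:
        findings.append("session-timeout is not set; the container default applies")
    elif minutes <= 0:
        # Servlet containers treat zero or a negative value as "never expire".
        findings.append("sessions never time out")
    elif minutes > ceiling:
        findings.append(f"{minutes} min exceeds the review ceiling of {ceiling} min")
    return minutes, findings


def set_session_timeout(xml_text, minutes):
    """Return web.xml text with a new timeout, leaving all other text untouched."""
    if minutes <= 0:
        raise ValueError("refusing a value that disables the idle timeout")
    new_text, count = _TAG_RE.subn(
        lambda m: f"{m.group(1)}{minutes}{m.group(3)}", xml_text)
    if count != 1:
        raise ValueError("expected exactly one session-timeout element")
    return new_text


if __name__ == "__main__":
    print(review_session_timeout(SAMPLE_WEB_XML))
    print(review_session_timeout(set_session_timeout(SAMPLE_WEB_XML, 480)))
```

Back up web.xml before writing the changed text to it.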
Q. How should I change the syslog port of Cisco Prime from 514 to another number?
A. You can change the syslog port by modifying the value of the CrmLogPort registry key located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmlog\Parameters. After you have changed the syslog port, you need to restart the syslog service.
Q. What should I do when Daemon Manager and multiple processes are not started on a Windows machine?
A. Sometimes, Windows may prevent some processes from running for security reasons.
Right-click the My Computer icon on your desktop and click Properties to open the System Properties dialog box.
Click the Advanced tab.
Click Settings from the Performance panel to open the Performance Options dialog box.
Click the Data Execution Prevention tab.
Check whether java.exe and cwjava.exe are in the list of blocked programs. If so, remove the programs from the blocked list.
Click OK to close the Performance Options dialog box.
Click OK to close the System Properties dialog box.
Reboot the server.
connection/socket establishment. How do I change the default timeout and delays in cmdsvc?
A. You can change the default timeout and delays in cmdsvc using the cmdsvc.properties file available in the following directory: $NMSROOT/objects/cmf/data
To change the default timeout and delay values:
Go to the directory $NMSROOT/objects/cmf/data
Open the cmdsvc.properties file. Various timeout and delay values are listed in the file.
Remove the hash symbol (#) to uncomment a particular timeout or delay value.
Remove the existing timeout or delay value.
Enter the new timeout or delay value.
Save the cmdsvc.properties file.
Security
The following are the FAQs on LMS Security:
Q. When I invoke Cisco Prime in the secure mode (HTTPS), there are too many dialog boxes. This makes the process tedious. Is there a way to reduce the number of dialog boxes and steps?
Q. When I invoke Cisco Prime, I am unable to get to the login page directly. Instead, I am facing a security alert related to the site's security certificate. It asks for my input to proceed further. Why?
Q. My server certificate for Cisco Prime has expired. What should I do?
Q. I have configured the Active Directory Login Module but it does not work. How can I analyze the problem?
Q. What are the minimum and maximum length of user account names? How do I control them?
Q. What are the rules to enter a valid username and password?
Q. Where is the SSL log present?
Q. Why am I getting a 403 forbidden error while trying to access Cisco Prime pages?
Q. When I invoke Cisco Prime in the secure mode (HTTPS), there are too many dialog boxes. This makes the process tedious. Is there a way to reduce the number of dialog boxes and steps?
A. Yes. You have the following options:
- If you are using self-signed certificates in Internet Explorer, install the certificate in the browser's trusted certificate stores, if you are confident about the identity of the server.
- Use a server certificate issued by a prominent third party certificate authority (CA).
- Configure the hostname in your server certificate properly, and use the same hostname to invoke Cisco Prime.
Q. When I invoke Cisco Prime, I am unable to get to the login page directly. Instead, I am facing a security alert related to the site's security certificate. It asks for my input to proceed further. Why?
A. Cisco Prime does not have any control over this behavior. This is expected browser behavior (Microsoft Internet Explorer or Mozilla Firefox), to ensure proper security. The alert appears if any of the following conditions is not satisfied:
- The certificate of the server (Cisco Prime Server in this case) must be issued by a trusted Certificate Authority.
- The date of the certificate must be valid. (Each certificate is assigned a validity period. It can
- The server should be invoked with the same name as the 'Issued to' field of the certificate.
To install the certificate in Internet Explorer:
Step 1 Click View Certificate in the alert box. The Certificate dialog box displays the Certificate information.
Step 2 Click Install Certificate.
Q. My server certificate for Cisco Prime has expired. What should I do?
A. If you are using a self-signed certificate, you can create a new certificate using the Create Self Signed Certificate option. For more information, see Creating Self Signed Certificates. If you are using a third party issued certificate, you must contact the certificate authority (CA) and renew the certificate. You can use a self-signed certificate till you get the certificate renewed by the CA.
Note: Before you perform any certificate management operations (creating or modifying certificates), back up the certificate files, the server private key in particular, and keep them in a safe location.
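The three conditions behind the browser security alert, and the expiry case from the previous answer, can be checked ahead of time. The following is an added example, not Cisco's code: the certificate is a constructed dictionary in the shape returned by Python's ssl.SSLSocket.getpeercert(), trust is simplified to a set of issuer names the client already trusts, and the name check compares only the 'Issued to' common name.

```python
import ssl

# Constructed self-signed certificate fields (hostname and dates are made up).
SELF_SIGNED = {
    "subject": ((("commonName", "lms-server.example.test"),),),
    "issuer": ((("commonName", "lms-server.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def _common_name(rdns):
    """Extract commonName from a getpeercert()-style subject or issuer tuple."""
    for rdn in rdns:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def alert_reasons(cert, invoked_name, now, trusted_issuers):
    """Return which of the three conditions fail for this access attempt.

    now is seconds since the epoch. trusted_issuers stands in for the browser
    trust store: installing a self-signed certificate corresponds to adding
    its own name to this set (a simplification of real chain validation).
    """
    reasons = []
    if _common_name(cert["issuer"]) not in trusted_issuers:
        reasons.append("untrusted_issuer")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        reasons.append("outside_validity_period")
    issued_to = _common_name(cert["subject"]) or ""
    if invoked_name.lower() != issued_to.lower():
        reasons.append("name_mismatch")
    return reasons


def days_until_expiry(cert, now):
    """Whole days left before notAfter; negative once the certificate expired."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
    # Before the certificate is installed in the browser trust store.
    print(alert_reasons(SELF_SIGNED, "lms-server.example.test", now, set()))
    # Installed, but the server is invoked by IP address instead of hostname.
    print(alert_reasons(SELF_SIGNED, "192.0.2.10", now,
                        {"lms-server.example.test"}))
    print(days_until_expiry(SELF_SIGNED, now), "days until expiry")
```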
Q. I have configured the Active Directory Login Module but it does not work. How can I analyze the problem?
A. To analyze the problem, enable the Debug mode for the Active Directory Login module. To do this:
Step 1 Log in as Admin.
Step 2 Select Admin > System > Authentication Mode Setup. The Select Login Module dialog box appears.
Step 3 Select a login module from the Available Login Modules list box and click Edit Options. The Login Module Options dialog box appears.
Step 4 Select the radio button True and click Finish. This enables the Debug option.
Enabling debug mode allows the login module to add detailed progress and failure information to log files. The log files are located at:
NMSROOT/MDC/Tomcat/logs/stdout.log
For all failed login attempts, the log files contain LDAP error messages, which specify the reason for the failure. For example, if the Usersroot configuration is incorrect, then the login module cannot match the complete DN string with any entries in the Active Directory database. It indicates which portion of the DN matched and which portion did not match. You can verify your Active Directory setup and the entries for the Usersroot. In some cases, the log file contains error messages with NameError. This indicates that either you entered a wrong user ID or there is some spelling error in the Usersroot configuration.
Q. What are the minimum and maximum length of user account names? How do I control them?
A. The minimum length of a user account name is 5 characters. The maximum length of a user account name is 255 characters. You can control the length of user account names using the Local User Policy Setup page. See Setting up Local User Policy for more information.
Q. What are the rules to enter a valid username and password?
A. The username can contain alphabetic characters in lower and upper case, numerals, hyphens (-), underscores (_), periods (.), tilde (~), commercial at character (@), number sign (#), apostrophe ('), solidus or leading slash (/), trailing slash (\), and space. The username should start with an alphabetic character, a numeral or an underscore. The password can contain alphabetic characters, numerals, leading and trailing spaces, and any special characters. The length of username and password can span from 5 to 256 characters.
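A pre-check for a list of accounts against the username and password rules in this answer, as an added example that is not Cisco's code. It assumes "alphabetic characters" means ASCII letters and uses the 5 to 256 length range given here; the account rows are constructed.

```python
import string

# Characters this answer allows in a username (ASCII letters are an assumption).
USERNAME_CHARS = set(string.ascii_letters + string.digits + "-_.~@#'/\\ ")
# Characters a username may start with.
USERNAME_START = set(string.ascii_letters + string.digits + "_")


def _length_problem(value, min_len, max_len):
    if not (min_len <= len(value) <= max_len):
        return [f"length {len(value)} is outside {min_len}-{max_len}"]
    return []


def check_username(name, min_len=5, max_len=256):
    """Return the list of rule violations for a username (empty if valid)."""
    problems = _length_problem(name, min_len, max_len)
    if name and name[0] not in USERNAME_START:
        problems.append("must start with a letter, numeral or underscore")
    bad = sorted(set(name) - USERNAME_CHARS)
    if bad:
        problems.append("disallowed characters: " + " ".join(bad))
    return problems


def check_password(password, min_len=5, max_len=256):
    """Only length is restricted; leading and trailing spaces are significant,
    so the value must never be stripped before it is checked or submitted."""
    return _length_problem(password, min_len, max_len)


def review_accounts(rows):
    """Map row index to problems for every (username, password) row that fails."""
    report = {}
    for index, (username, password) in enumerate(rows):
        problems = [f"username: {p}" for p in check_username(username)]
        problems += [f"password: {p}" for p in check_password(password)]
        if problems:
            report[index] = problems
    return report


# Constructed rows for illustration only.
SAMPLE_ROWS = [
    ("netops_admin", "S3cure#Pass"),
    ("o'brien@noc", " padded pass "),   # apostrophe, @ and padded password are valid
    ("-backup", "longenough"),          # starts with a hyphen
    ("ops", "longenough"),              # too short
    ("web$admin", "pw"),                # '$' not allowed, password too short
    ("DOMAIN\\svc lms", "12345"),       # backslash and space are valid
]

if __name__ == "__main__":
    for row, problems in review_accounts(SAMPLE_ROWS).items():
        print(row, SAMPLE_ROWS[row][0], problems)
```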
Q. Where is the SSL log present?
A. The SSL log is present in the NMSROOT directory, where NMSROOT is your Cisco Prime Installation directory.
Q. Why am I getting a 403 forbidden error while trying to access Cisco Prime pages?
A. You should check whether the casuser is assigned with the required local security policies.
Click Start > Settings > Control Panel > Administrative Tools.
Click the Local Security Policy shortcut from the Administrative Tools folder. The Local Security Policy window opens.
Click Local policies > User Rights Assignment in the Local Security Policy window.
Check whether the casuser is assigned with the following privileges:
If the casuser is not assigned with the required privileges, you should run the resetCasuser utility again. Enter the following commands to run the resetCasuser utility:
where NMSROOT refers to the Cisco Prime Installation directory. The other possible solutions are:
- Remove or disable the anti-virus software
- Restart Daemon Manager
- Uninstall or disable IIS
- Log on as a batch job
- Disable Cisco Security Agent
- Stop the Daemon Manager and check if there are any Apache or Tomcat processes running. If so, kill the stray processes from the Task Manager or stop them from the Services panel.
- Ensure that the casuser or administrator has the read permission for the CSCOpx, CSCOpx/MDC/tomcat/webapps/cwhp directories, and their inner directories.
Software Center
The following are the FAQs on Software Center:
Q. How do I find out which devices are supported by a particular application?
Q. What are the prerequisites for downloading Software Updates from Cisco.com?
Q. Does the Software Center list only the software updates that are not installed in this machine?
Q. What should I do if I see errors when using Software Center or having issues with LMS not correctly working with supported devices?
Q. How do I find out which devices are supported by a particular application?
A. Select Admin > System > Software Center > Software Update. Under Applications Installed, click the application name to see a list of the supported devices. See Selecting Software Updates for more information.
Q. What are the prerequisites for downloading Software Updates from Cisco.com?
A. You should check for the following:
- Valid Cisco.com credentials are configured during Server administration.
- Valid proxy details are configured and Cisco Prime supports basic authentication of the proxy server.
packages are installed and which devices are supported, become corrupted. If such files become corrupted, you may notice one or more of the following symptoms:
- An "HTTP 500" error occurs while trying to view package information from Admin > System > Software Center > Device Update. One possible exception is:
java.util.NoSuchElementException
at java.util.StringTokenizer.nextToken(StringTokenizer.java:259)
at com.cisco.nm.xms.psu.ui.gui.model.action.DevUpdate.getPackageMap(Unknown Source)
at com.cisco.nm.xms.psu.ui.gui.model.action.DevUpdate.perform(Unknown Source)
- The following errors will be seen in NMSROOT\log\psu.log:
[ <date time> ] ERROR [CreateMaps : removeDupEntries] :String index out of range: -1
- Devices shown as supported in "Supported Devices Table for CiscoWorks LAN Management Solution", which may have been working previously, show as not supported/unknown and display device icons in Device Selectors with a question mark (?) in one or more areas of LMS.
- Various forms of Inventory/Configuration Collection from devices (Inventory > Dashboards > Device Status > Collection Summary) fail for all devices of a particular model, but succeed for other devices with identical configuration, yet different models.
- Specific models of devices are not available in Device Selectors to have reports, jobs or other functionality run on them, although Inventory Collection and/or Config Archive has succeeded for them. This is frequently seen with Configuration related functionality.
To resolve such issues, you can run the NMSROOT/bin/reCreatePkgMap.pl script and recreate the files that store information on which device support packages are installed and the devices they support. Run the following script:
NMSROOT/bin/perl NMSROOT/bin/reCreatePkgMap.pl (Solaris/Soft Appliance)
or
NMSROOT\bin\perl NMSROOT\bin\reCreatePkgMap.pl (Windows)
where NMSROOT is your Cisco Prime installation directory. If issues persist after running this script, contact the Cisco Technical Assistance Center for further assistance.
Q. How do I change the ESS port?
Q. Why is the EDS process not starting?
Q. How should I configure EDS in a multi-homed machine?
Q. How do I change the ESS port?
A. You can change the ESS port by running the following commands:
NMSROOT/objects/ess/conf/Ports2Alternate.pl
NMSROOT/objects/ess/conf/Ports2Primary.pl
Step 1 Stop the Daemon Manager.
Step 2 Run the ChangeOSAGENTPort.pl script to change the port number. Enter the following command:
NMSROOT/bin/perl NMSROOT/bin/ChangeOSAGENTPort.pl Port_number
where NMSROOT is the Cisco Prime Installation directory and Port_number is the osagent port.
Step 3 Restart the Daemon Manager.
Q. How should I configure EDS in a multi-homed machine?
A. To run Cisco Prime LMS and configure EDS on a multi-homed machine, you must configure all the IP Addresses in DNS.
Q. Sometimes, I am not able to access CORBA services in Cisco Prime LMS Server from other network?
A. This could be because the domain name of the Cisco Prime LMS server is not resolved. To access the CORBA services in a server that is not DNS resolvable, you must:
Step 1 Change the value of the attribute jacorb.dns.enable in the orb.properties file from on to off.
Step 2 Regenerate the self-signed certificate with the IP address instead of the hostname.
Step 3 Restart the Daemon Manager.
Q. What kind of directory structure does Cisco Prime use when backing up data?
Q. What should I do when backup fails and displays a Backup.LOCK file exists error message?
Q. Do I need to stop the Daemon Manager before running backup.pl and restorebackup.pl scripts?
Q. What kind of directory structure does Cisco Prime use when backing up data?
A. Cisco Prime uses a standard database structure for backing up all suites and applications. See Table B-5 for a sample directory structure on Cisco Prime LMS Server.
Table B-5 Sample Backup Directory

| Directory Path | Description | Usage Notes |
| /tmp/1/cmf/filebackup.tar | Cisco Prime LMS Server application tar files | Application data is stored in the datafiles.txt which are compiled into the tar file. |
| /tmp/1/cmf/database | Cisco Prime LMS Server database directory | Includes the following files for each database: xxx_DbVersion.txt, xxx.db (database files), xxx.log (database log files), xxx.txt (database backup manifest file) |
backup again. You can use the CLI program to back up the data. See Backing up Data Using CLI for more information.
Q. Do I need to stop the Daemon Manager before running backup.pl and restorebackup.pl scripts?
A. Daemons should be stopped only before you run restorebackup.pl scripts. You need not stop the Daemon Manager to run the backup.pl scripts. See Backing up Data Using CLI and Restoring Data for more information.
Database
The following are the FAQs on Database:
Q. How can I find the version of a Sybase Database?
Q. What if the database is inaccessible?
Q. How can I find the version of a Sybase Database?
A. Run the following command:
/opt/CSCOpx/objects/db/bin64/dbsrv10 -v
Q. What if the database is inaccessible?
A. If the server is not able to connect to the database, the database might be corrupt or inaccessible. This can occur if processes are not running. Try the following:
Log in to Cisco Prime LMS server as admin.
Select Admin > System > Server Monitoring > Processes. A list of Cisco Prime back-end processes appears. You can check if any failed processes appear in the list.
Select Admin > System > Server Monitoring > Selftest.
Select Admin > System > Server Monitoring > Collect Server Information.
Click Product Database Status to get detailed database status.
Contact the Cisco TAC or your customer support to get the information you need to access the database and find out details about the problem.
After you have the required information, perform the following tasks for detecting and fixing database errors.
Depending upon the degree of corruption, the database engine may or may not start. For certain corruptions, such as bad indexes, the database can function normally until the corrupt index is accessed. Database corruptions, such as index corruptions, can be detected by the dbvalid utility, which requires the database engine to be running. To detect database corruption:
Step 1 Log on as root (on Solaris/Soft Appliance) or with administrator privileges (on Windows).
Step 2 Stop the Daemon Manager if it is already running:
/etc/init.d/dmgtd stop
net stop crmdmgtd (on Windows)
Step 3 Make sure no database processes are running and there is no database log file. For example, if the database file is /opt/CSCOpx/databases/rme/rme.db, the database log file is /opt/CSCOpx/databases/rme/rme.log. This file is not present if the database process shuts down cleanly.
Step 4 Check if the database files and the transaction log file (*.log) are owned by user casuser if you use Solaris machines. If not, change the ownership of these files to user casuser and group casusers.
Step 5 Run the commands on the command prompt:
cd NMSROOT/objects/db/conf
NMSROOT/bin/perl configureDb.pl action=validate dsn=cmf
The dbvalid command displays a list of tables being validated. The Validation utility scans the entire table, and looks up each record in every index and key defined on the table. If there are errors, the utility displays a message such as:
Validating DBA.xxxx
run time SQL error -- Foreign key parent_is has invalid or duplicate index entries
1 error reported
Caution
To do this, you have to run the following command: NMSROOT\bin\perl NMSROOT\bin\dbRestoreOrig.pl dsn=dsn dmprefix=dmprefix
Q. How do I avoid the SSL port conflict between HPOV and LMS servers and run them both on the same system?
Q. Why does the Apache process not come up after installation or why does the process go down suddenly?
Q. How do I change web server port numbers?
Q. How should I enable or disable web server SSL mode from the command line?
Q. How do I increase Tomcat heap size?
Q. How do I validate a Server certificate?
Q. How do I modify a certificate which is not self-signed?
Q. What is the maximum number of connections allowed by Cisco Prime to access the web interface?
Q. What version of Tomcat is installed on my server?
Q. How do I avoid the SSL port conflict between HPOV and LMS servers and run them both on the same system?
A. The new installer detects IIS web server running on the machine and prompts you to enter a different port number for Cisco Prime LMS Server to avoid the conflict.
Q. Why does the Apache process not come up after installation or why does the process go down suddenly?
A. This could be a problem with the Apache configuration syntax or the validity of the server certificate. You should first check the Apache configuration syntax. To do this:
On Windows: Go to NMSROOT\MDC\Apache\bin and run the command Apache.exe -t -d .
Note
Do not omit the period (.).
On Solaris/Soft Appliance: Go to NMSROOT/MDC/Apache/bin and run the command ./web_server -t
If the Apache configuration syntax is correct, a message appears:
Syntax OK
If the Apache configuration syntax is fine, check the validity of the Server Certificate using the SSL Utility Script.
Q. How do I change web server port numbers?
A. To change the web server port numbers, you must run separate commands for Windows and Solaris.
On Solaris: You can change the web server port numbers for the webservers. You can also change both the HTTP and HTTPS port numbers. To change the port numbers you must log in as Cisco Prime LMS Server administrator, and run the following command at the prompt:
NMSROOT/MDC/Apache/bin/changeport
If you run this command without any command line parameter, Cisco Prime displays:
*** CiscoWorks Webserver port change utility ***
Usage: changeport <port number> [-s] [-f]
Note
Do not use this option by default. Use it only when Cisco Prime instructs you to.
Or,
changeport port number -s
Changes the Cisco Prime web server HTTPS port to use the specified port number.
If you change the port after installation, Cisco Prime will not launch from Start menu (Start > Programs > CiscoWorks > CiscoWorks). You have to manually invoke the browser, and specify the URL, with the changed port number. The restrictions that apply to the specified port number are:
Port numbers less than 1026 are not allowed. However, you can use 443 as the HTTPS port number.
The specified port should not be used by any other service or daemon. The utility checks for active listening ports, and ports listed in /etc/services. If there is any conflict, it rejects the specified port.
The port number must be a numeric value in the range 1026 to 65535. Values outside this range, and non-numeric values, are not allowed.
If port 443 is specified for any of the web servers, that web server process is started as root. This is because ports lower than 1026 are allowed to be used only by root in Solaris. However, according to Apache behavior, only the main web server process runs as root, and all the child processes run as casuser:casusers. Only the child processes serve the external requests. The main process that runs as root monitors the child processes. It does not accept any HTTP requests. Owing to this, Apache ensures that a root process is not exposed to the external world, and thus ensures security.
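A pre-check that mirrors the port restrictions listed above, written as an added Python example and not the changeport utility's own logic. The function names, the bind-based listener probe and the sample services entries are assumptions; a probe of this kind only sees services that are running when it is executed.

```python
import errno
import socket

# Constructed sample in /etc/services format (not copied from a real host).
SAMPLE_SERVICES = """\
# service      port/proto   aliases
ssh            22/tcp
http           80/tcp       www
https          443/tcp
snmp           161/udp
example-svc    8443/tcp     # hypothetical registered service
"""


def parse_services(text):
    """Map TCP port -> first service name registered for it."""
    ports = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if proto == "tcp" and port.isdigit():
            ports.setdefault(int(port), fields[0])
    return ports


def port_in_use(port):
    """True if a local TCP bind to the port fails because it is taken."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind(("", port))
        except OSError as exc:
            # EACCES on a privileged port says nothing about listeners.
            return exc.errno == errno.EADDRINUSE
    return False


def check_port(value, https=False, services=None, in_use=port_in_use):
    """Return (accepted, findings) for a candidate changeport argument."""
    text = str(value).strip()
    if not (text.isascii() and text.isdigit()):
        return False, ["rejected: port must be a numeric value"]
    port = int(text)
    findings = []
    https_443 = https and port == 443
    if https_443:
        findings.append("note: with 443 the main web server process starts as root on Solaris")
    elif not 1026 <= port <= 65535:
        return False, [f"rejected: {port} is outside the range 1026-65535"]
    # Assumption: the https entry for 443 is not treated as a conflict,
    # because the manual explicitly allows 443 as the HTTPS port.
    name = (services or {}).get(port)
    if name and not https_443:
        findings.append(f"rejected: {port} is listed in the services file as {name}")
    if in_use(port):
        findings.append(f"rejected: a service is already listening on {port}")
    accepted = not any(f.startswith("rejected") for f in findings)
    return accepted, findings


if __name__ == "__main__":
    registry = parse_services(SAMPLE_SERVICES)
    for candidate, https in [("1744", False), ("443", True), ("443", False),
                             ("8443", True), ("80", False), ("http", False)]:
        print(candidate, "https" if https else "http",
              check_port(candidate, https, registry))
```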
If you do not want Cisco Prime processes to run as root, do not use the port 443. When you run the utility with the appropriate options, it displays messages on the tasks it performs.
This utility lists all the files that are being updated. Before updating, the utility will back up all affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories. It also creates a new file called index.txt. This text file contains information about the changed port, a list of all the files that are backed up, and their actual location in the Cisco Prime directory.
If you do not want Cisco Prime processes to run as root, do not use the ports 80 and 443. When you run the utility with the appropriate options, it displays messages on the tasks it performs. This utility lists out all the files that are being updated. Before updating, the utility will back up all affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories. It also creates a new file index.txt. This text file contains information about the changed port and a list of all files that are backed up and their actual location in the Cisco Prime directory.
Note
All of the above files and the unique directories are stored with read only permission to casuser:casusers. To ensure the security of the backup files, only the Cisco Prime LMS Server administrator has write permissions.
The change port utility displays messages to the console during execution. These messages contain information about the directory where the backup files are being stored. These messages are also logged to a file, changeport.log. This file is saved to the directory:
/var/adm/CSCOpx/log/changeport.log
This file contains the date and time stamps to indicate when the log entries were created.
On Windows: You can change the web server port numbers for the LMS Webserver. You can also change both the HTTP and HTTPS port numbers. To change the port numbers you must have administrative privileges. Run the following command at the prompt:
NMSROOT\MDC\Apache\changeport.exe
If you run this utility without any command line parameter, Cisco Prime displays the following usage text:
*** Common Services Webserver port change utility ***
Usage: changeport <port number> [-s] [-f]
Note
Do not use this option by default. Use it only when Cisco Prime instructs you to.
change the Cisco Prime web server HTTP port to use 1744.
Or,
changeport port number -s
Changes the Cisco Prime web server HTTPS port to use the specified port number.
If you change the port after installation, Cisco Prime will not launch from Start menu (Start > Programs > CiscoWorks > CiscoWorks). You have to manually invoke the browser and specify the URL, with the changed port number. The restrictions that apply to the specified port number are:
Port numbers less than 1026 are not allowed. However, you can use 443 as the HTTPS port number.
The specified port should not be used by any other service or daemon. The utility checks for active listening ports, and if any conflict is found, the utility rejects the specified port. There is no reliable way to determine whether any other service or application is using a specified port. If the service or application is running and actively listening on a port, it can be easily detected. However, if the service is currently stopped, there is no way that the utility can determine what port it uses. This is because on Windows there is no common port registry equivalent to /etc/services as in Solaris.
The port number must be a numeric value in the range 1026 to 65535. Values outside this range, and non-numeric values, are not allowed.
When you run the utility with the appropriate options, it displays messages on the actions it is performing. It lists all the files that are being updated. Before updating, the utility backs up all the affected files in CSCOpx\conf\backup, and creates appropriate unique sub-directories. It also creates a new file called index.txt. This text file contains information about the changed port, a list of all the files that are backed up, and their actual location in the Cisco Prime directory. A sample backup may be similar to:
[drive:]
|
`--\Program Files
   |
   `--\CSCOpx
      |
      `--\conf
         |
         `--\backup
            |
            |--README.txt (Notes the purpose of this dir as it is initially empty)
            |
            `--\skc03._Ciscobak (Autogenerated unique backup directory).
               |
               |--index.txt (The backup file list)
               |--httpd.conf (Webserver config file)
               |--md.properties (CiscoWorks config elements)
               |--mdc_web.xml (Common Services application config file)
               |--regdaemon.key (Common Services config registry key file)
               |--regdaemon.xml (Common Services config registry data file)
               `--ssl.properties (CiscoWorks config elements for SSL mode)
Note
All the above files and the unique directories are stored with read only permissions. Only the administrator and casuser have write permissions, to ensure the security of the backup files.
The change port utility displays messages to the console during execution. These messages contain information about the directory where the backup files are being stored. These messages are also logged to a file, changeport.log. This file is saved to the directory:
NMSROOT\log\changeport.log
This log file contains the date and time stamps to indicate when the log entries were created.
Q. How should I enable or disable web server SSL mode from the command line?
A. To enable or disable the web server SSL mode:
Step 1 Stop the Daemon Manager.
Step 2 Run the ConfigSSL.pl script. Enter the commands:
NMSROOT/bin/perl ConfigSSL.pl -enable (to enable the web server SSL mode from the command line)
NMSROOT/bin/perl ConfigSSL.pl -disable (to disable the web server SSL mode from the command line)
Step 3
Q. How do I increase Tomcat heap size?
A. To increase Tomcat heap size:
Step 1 On Solaris/Soft Appliance: Run /etc/init.d/dmgtd stop
On Windows: Run net stop crmdmgtd
Step 2
Step 3 On Solaris/Soft Appliance: Run /etc/init.d/dmgtd stop
On Windows: Run net start crmdmgtd
If Tomcat is already configured for higher memory than what you specify when you run the command, the following message is displayed:
INFO: Tomcat is already configured with a higher heap value.
Navigate to the directory where the SSL Utility Script is located. On Windows:
a. b.
On Solaris/Soft Appliance:
a. b.
After you have entered this command, the system displays a set of options.
Step 2 Select the fourth option, Verify the input Certificate/Certificate Chain, by entering 4.
Step 3 Enter the location of the server certificate:
NMSROOT/MDC/Apache/conf/ssl/server.crt
The script verifies if the server certificate is valid. If the script reports errors during validation and verification, you have to regenerate the certificate by running SignTool.pl from the above directory.
Step 4
Note
Q. How do I modify a certificate which is not self-signed?
A. LMS does not allow modifying certificates other than the self-signed certificates.
Q. What is the maximum number of connections allowed by Cisco Prime to access the web interface?
A. Tomcat, the servlet engine shipped with Cisco Prime, handles a maximum of 500 connections or HTTP requests.
Q. What version of Tomcat is installed on my server?
A. To find out the version of Tomcat installed on your server, you should:
Step 1 Navigate to the NMSROOT/MDC/tomcat/server/lib directory.
Step 2 Unzip the catalina.jar file available in this directory.
Step 3 Navigate to the location where you have extracted this jar file.
Step 4 Open the Serverinfo.properties file under the org/apache/catalina/util directory. This file displays the version of Tomcat installed on the Cisco Prime LMS Server.
Q. How do I enable Incharge debugging, and execute Incharge commands?
Q. What is the difference between SNMP Raw Trap Forwarding and Processed SNMP Trap alert/event Trap Forwarding? Does LMS support both of these methods?
Q. How can I receive Syslog messages from the LMS server?
Q. How can I create a link to the Java Plug-in in Netscape7.x and Mozilla 1.7.x?
Q. How do I enable Incharge debugging, and execute Incharge commands?
A. Select Admin > System > Debug Settings > Fault Debugging Settings. The Fault Debugging Settings page appears. Click the Enable Incharge Debugging, and execute Incharge Commands link. See Enable Incharge Debugging for more information.
Q. What is the difference between SNMP Raw Trap Forwarding and Processed SNMP Trap alert/event Trap Forwarding? Does LMS support both of these methods?
Raw Trap is forwarded by the Device to Fault Management and Fault Management has to process it. To configure Raw Trap Forwarding, select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding.
When LMS receives certain SNMP traps, it analyzes the data found in fields such as Enterprise/Generic trap identifier, Specific Trap identifier, and variable-bindings of each SNMP trap message. If needed, LMS changes the property value of the object property. These are Processed Traps. To configure Processed event/alert trap forwarding, select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding. This configuration can also send trap notifications if there is a threshold violation in the LMS managed devices.
For more information, refer to the Monitoring and Troubleshooting with Cisco Prime LAN Management Solution 4.1.
Q. How can I receive Syslog messages from the LMS server?
A. To receive Syslog messages from a LMS server:
Step 1 Enable Syslog from Admin > Network > Notification and Action Settings > Fault - Syslog notification.
Step 2 Point it to any Solaris machine and run the following:
/etc/init.d/syslog start
tail -f /var/adm/messages
Q. How can I create a link to the Java Plug-in in Netscape7.x and Mozilla 1.7.x?
A. Create a symbolic link to the Java Plug-in libjavaplugin_oji.so file in the Netscape 6.x/7.x or Mozilla Plugins directory. To create the link, go to the command prompt and enter:
Step 1 Step 2
cd /plugins
ln -s /plugin/sparc/ns610/libjavaplugin_oji.so
Include the period at the end. For Netscape 6.x/7.x or Mozilla browsers, restart your browser. In Netscape, go to Help > About Plug-ins to confirm that the Java Plug-in is loaded.
at these locations:
On Windows: NMSROOT\log\, where NMSROOT is the Cisco Prime DPM installation directory.
On Solaris/Soft Appliance: /var/adm/CSCOpx/log/
Report specific logs are stored under DPMReportJobs under the log directory.
Q. How can I enable debugging in IPSLA Performance Management?
Q. I have problems while migrating the IPSLA Performance Management data. What should I do?
Q. How can I enable debugging in IPSLA Performance Management?
A. Do the following:
Step 1 Select Admin > System > Debug Settings > IPSLA Debugging Settings. The IPSLA Debugging Settings page appears.
Step 2 Select the module and log level from the Module and Logging Level drop-down lists. The various log levels available are FATAL, ERROR, WARN, INFO, and DEBUG.
Step 3 Click Apply.
Q. I have problems while migrating the IPSLA Performance Management data. What should I do?
A. Check the following log files for information:
restorebackup.log
migration.log
ipmclient.log
ipmserver.log
APPENDIX C
Overview of Data Extraction Engine
The cmexport Command
cmexport User Tracking
cmexport Topology Command
cmexport Discrepancy Command
cmexport Manpage
Generating user tracking data in XML format: Allows you to access servlet and command line utilities that can generate user tracking data for devices discovered by LMS Server.
Generating Layer 2 topology data in XML format: Allows you to generate the latest Layer 2 topology data including information on neighbor devices. Elements in XML file are created at the device level.
Generating discrepancy data in XML format: Allows you to use discrepancy APIs to retrieve latest discrepancy data from LMS server.
Archiving XML Data: Data generated through CLI is archived at the following locations:
Table C-1
where PX_DATADIR is either %NMSROOT%/files folder (on Windows) or /var/adm/CSCOpx/files directory (on Solaris/Soft Appliance). NMSROOT is the directory where you installed LMS; timestamp is the time at which the log was written in YearMonthDateHourOfDayMinuteSecond format. You can also specify a directory to store the output. This utility does not delete the files created in the archive. You should delete these files when necessary. While generating data through the servlet, the output appears at the client terminal.
Generating user tracking and configuration data in XML format using the Servlet: Allows you to generate and download the user tracking, topology and discrepancy XML files using the servlet. You must upload a payload XML file, which contains the cmexport and utexport command options and Cisco Prime user credentials. You should write your own script to invoke the servlet with a payload of this XML file. If the credentials are correct and options are valid, the servlet returns the exported file in XML format.
where:
cmexport is the Cisco Prime LMS command line interface for exporting User Tracking, Layer 2 topology, and discrepancy data details into XML format.
command specifies the core operation that is to be performed.
arguments are the additional parameters required for each core command.
options are the optional parameters, which modify the behavior of the specific DEE core command.
The order of the arguments and options is not important. However, you must enter the core command immediately after cmexport.
Commands
Core Command    Description
ut              Generates User Tracking data in XML format.
l2topology      Generates layer 2 topology data in XML format.
discrepancy     Generates discrepancy data in XML format.
You must invoke the cmexport command with one of the core commands specified in the above table. If you do not specify any core commands, cmexport can only execute the -v or -h options:
Option -v displays the version of the cmexport utility.
Option -h (or null option) lists the usage information for this utility.
Mandatory Arguments
Optional Arguments
Function-Specific Options
Displaying Help
Uses of cmexport
Mandatory Arguments
The arguments that must be specified with all functions are:
-u userid: Specifies the Cisco Prime userid.
-p password: Specifies the password for Cisco Prime userid.
If you want to avoid the -p option, which will reveal the password in clear text in CLI, you must store your userid and password in a file and set a variable CMEXPORTFILE which points to this file.
You must maintain this file and control access permissions to prevent unauthorized access. cmexport looks in the current working directory if CMEXPORTFILE is set only to the file name instead of to the full path.
If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
You must enter the password in the file in the following format:
userid password
where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space. You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the password. The password file can contain multiple entries with different user names. If there are duplicate entries, the password that matches the first user name is considered.
Note
If -p password is used, the password is read from the command line instead of CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
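The CMEXPORTFILE format and access-control requirement described above can be checked before a scheduled export runs. The following Python audit is an added example, not Cisco code; the 0600 mode policy, the skipping of empty lines, the function names and the sample entries are assumptions made for the illustration.

```python
import os
import stat
import tempfile


def parse_cmexport_file(text):
    """Return (entries, problems) for lines of the form 'userid password'."""
    entries, problems, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line:
            continue  # assumption: empty lines carry no entry
        # The delimiter is the first single blank space; the rest is the password.
        userid, sep, password = line.partition(" ")
        if not sep:
            problems.append(f"line {lineno}: no blank-space delimiter after userid")
            continue
        if not userid:
            problems.append(f"line {lineno}: line starts with a space, userid is empty")
            continue
        if userid in seen:
            problems.append(f"line {lineno}: duplicate entry for {userid!r} is never used")
        seen.add(userid)
        entries.append((userid, password))
    return entries, problems


def lookup_password(entries, userid):
    """The first entry that matches the userid wins, as the manual states."""
    for name, password in entries:
        if name == userid:
            return password
    return None


def audit_cmexport_file(path):
    """Return a list of findings for the file CMEXPORTFILE points to."""
    findings = []
    if not os.path.isabs(path):
        findings.append("CMEXPORTFILE is not a full path; it resolves against "
                        "the current working directory")
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return findings + ["not a regular file"]
    # Assumed policy: only the owner may read or write the credential file.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants group or "
                        "other access; expected 0600")
    with open(path, encoding="utf-8") as fh:
        findings.extend(parse_cmexport_file(fh.read())[1])
    return findings


# Constructed sample: a blank password (delimiter kept), a shadowed duplicate
# and a line that lacks the delimiter.
SAMPLE = "admin s3cret\noperator \nadmin other\nbroken\n"


def demo():
    """Audit the sample twice: world-readable, then owner-only."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cmexport.cred")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        loose = audit_cmexport_file(path)
        os.chmod(path, 0o600)
        tight = audit_cmexport_file(path)
    return loose, tight


if __name__ == "__main__":
    for label, findings in zip(("mode 0644", "mode 0600"), demo()):
        print(label)
        for finding in findings:
            print("  -", finding)
```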
Optional Arguments
The arguments you can specify with any function are:
-d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of debugging: TRACE and DEBUG. If you do not specify the -d option, logging will not occur.
-l logfile
Logs the results of the cmexport command to the specified log file name. By default the command output is displayed in the standard output.
Function-Specific Options
DEE supports the following function-specific option:
-f filename
If used with:
User Tracking function: Specifies the name of the file to which the user tracking information is to be exported.
Topology function: Specifies the name of the file to which the layer 2 topology information is to be exported.
Discrepancy function: Specifies the name of the file to which the discrepancy information is to be exported.
Displaying Help
To display help for cmexport, enter the following at a CLI prompt:
cmexport -h
This displays a list of options for cmexport. On Solaris, you can also enter the following at a CLI prompt:
man cmexport
Uses of cmexport
If you enter:
cmexport ut
User Tracking XML output for host will be generated and it is stored in the file filename.xml. If you want to export the latest topology details for all Layer 2 devices enter:
cmexport L2Topology {u
Notations
The notations followed in describing the command line arguments are explained below:
{argument}: Argument is a mandatory parameter.
[argument]: Argument is an optional parameter.
argument: Argument is a variable.
argument 1 | argument 2: Either argument 1 or argument 2 may be specified but not both.
Table C-3 lists the notations part of the cmexport syntax.
Table C-3 Notations Descriptions
Command        Description
ut             cmexport ut {-u userid} [ -p password ] -host [ host-options ] | -phone [ phone-options ] [ options ]
l2topology     {-u userid} [-p password] [-f filename]
discrepancy    {-u userid} [-p password] [-f filename]
empty          [-v | -h]
               -v Displays the version of the cmexport utility.
               -h Lists
Name
cmexport ut:
Synopsis
cmexport ut: { -u
Table C-4 Command Descriptions
Argument         Can be one of the Following
host-options     -query queryname
                 -query queryname -view viewname
                 -layout layoutname
                 -layout layoutname -view viewname
                 -query queryname -layout layoutname
                 -query queryname -layout layoutname -view viewname
phone-options    -queryPhone queryname
                 -layoutPhone layoutname
                 -queryPhone
options          -f filename
                 -d debuglevel
                 -l logfile
Description
User Tracking (specified by ut) exports the user tracking data into an XML file based on a predefined schema.
Mandatory Arguments
The options that must be specified with the cmexport ut function are:
-u userid: Specifies the Cisco Prime userid.
-p password: Specifies the password for Cisco Prime userid.
If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store your userid and password in a file and set a variable CMEXPORTFILE which points to this file. You must maintain this file and control access permissions to prevent unauthorized access. cmexport looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the full path. If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option. The password must be provided in the file in the following format: userid password where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space.
You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the password. The password file can contain multiple entries with different user names. The password that matches the first user name is considered in case of duplicate entries.
Note
If -p password is used, the password is read from the command line instead of CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
-host:
-phone:
Options
-d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of debugging: TRACE and DEBUG. If you do not specify the -d option, no logging will occur.
-l logfile
Logs the results of the cmexport command to the specified logfile name. By default the command output will be displayed in the standard output.
-f filename
The file option specifies the filename where the XML output is to be stored. If the filename is not specified with -f option, an XML file of the format timestamput.xml is stored in the following directory:
PX_DATADIR/cmexport/ut
-view Specifies the format in which the user tracking XML data is to be presented. It supports two optional arguments:
a. switch: User Tracking data is displayed based on the type of switch.
b. subnet: User Tracking data is displayed based on the subnet in which they are present.
-query queryname User Tracking host data is exported in XML format for the query provided in queryname. This option must be used with the -host argument. For this option:
Create a Custom report for end hosts from the mega menu:
Reports > Report Designer > User Tracking > Custom Reports.
Use the Custom report name as a value here.
-layout layoutname User Tracking host data is exported in XML format for the layout provided in layoutname. This option must be used with the -host argument. For this option:
Create a Custom layout for end hosts in the following screen:
Reports > Report Designer > User Tracking > Custom Layouts.
Use the Custom layout name as a value here.
-queryPhone queryname User Tracking phone data is exported in XML format for the query given in queryname. This option must be used with the -phone argument. For this option:
Create a Custom report for IP phones in the following screen:
Reports > Report Designer > User Tracking > Custom Reports.
Use the Custom report name as a value here.
-layoutPhone layoutPhone User Tracking phone data is exported in XML format for the layout given in layoutPhone. This option must be used with the -phone argument. For this option:
Create a Custom layout for IP phones in the following screen:
Reports > Report Designer > User Tracking > Custom Layouts.
Use the Custom layout name as a value here.
Accessing Help
cmexport -h: Displays a list of options for cmexport.
cmexport ut -h: Displays a list of options for the cmexport ut command.
Examples
Considering userid: admin, password: admin, queryname: host1Query, layoutname: host1Layout, queryphone: phone1Query, layoutphone: phone1Layout, filename: file1.xml, we can have the following:
cmexport ut -u admin -p admin -host
cmexport ut -u admin -p admin -phone
cmexport ut -u admin -p admin -host -query host1Query -layout all
cmexport ut -u admin -p admin -host -query host1Query -layout layoutname
cmexport ut -u admin -p admin -phone -queryPhone phone1Query -layoutPhone phone1Layout
cmexport ut -u admin -p admin -host -f file1.xml
cmexport ut -u admin -view switch -host
Name
cmexport
Synopsis
cmexport l2topology
Table C-5
Command Description
Argument options
where cmexport l2topology -h lists the options available and function of each option.
Description
Layer 2 Topology (specified by l2topology) exports the Layer 2 topology data into an XML file based on a predefined schema.
Mandatory Arguments
The options that you must specify with the cmexport L2Topology function are:
-u -p
Specifies the password for Cisco Prime user ID. If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store your userid and password in a file and set a variable CMEXPORTFILE which points to this file. You must maintain this file and control access permissions to prevent unauthorized access. cmexport looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the full path. If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option. The password must be provided in the file in the following format: userid password where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space.
You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the password. The password file can contain multiple entries with different user names. The password that matches the first user name is considered in case of duplicate entries.
Note
If -p password is used, the password is read from the command line instead of CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
Options
The options you can specify with the layer 2 topology function are:
-d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of debugging: TRACE and DEBUG. If you do not specify the -d option, no logging will occur.
-l logfile
Logs the results of the cmexport command to the specified logfile name. By default the command output will be displayed in the standard output.
-f filename
The file option specifies the filename where the XML output is to be stored. If the filename is not specified with -f option, an XML file of the format timestampL2Topology.xml is stored in the following directory:
PX_DATADIR/cmexport/L2Topology
Accessing Help
cmexport -h: Displays a list of options for cmexport.
cmexport l2topology -h: Displays a list of options for the cmexport l2topology command.
Examples
Considering userid: admin, password: admin, filename: file1.xml, you can have the following:
cmexport L2Topology -u admin -p admin
cmexport L2Topology -u admin -p admin -f file1.xml
cmexport L2Topology -u admin -l file.log
Name
cmexport Discrepancy:
Synopsis
cmexport discrepancy
where
Table C-6 Command Description
Argument options
Description
Discrepancy (specified by Discrepancy) exports the Discrepancy data into an XML file based on a predefined schema.
Mandatory Arguments
The options that you must specify with the cmexport Discrepancy function are:
-u -p
Specifies the password for Cisco Prime userid. If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store your userid and password in a file and set a variable CMEXPORTFILE which points to this file. You must maintain this file and control access permissions to prevent unauthorized access. cmexport looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the full path. If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
The password must be provided in the file in the following format: userid password where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space. You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the password. The password file can contain multiple entries with different user names. The password that matches the first user name is considered in case of duplicate entries.
Note
If -p password is used, the password is read from the command line instead of CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
Options
The options you can specify with the Discrepancy function are:
-d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of debugging: TRACE and DEBUG. If you do not specify the -d option, no logging will occur.
-l logfile
Logs the results of the cmexport command to the specified log file name. By default the command output will be displayed in the standard output.
-f filename
The file option specifies the filename where the XML output is to be stored. If the filename is not specified with -f option, an XML file of the format timestampDiscrepancy.xml is stored in the following directory:
PX_DATADIR/cmexport/Discrepancy
Accessing Help
Displays a list of options for cmexport. Displays a list of options for the cmexport discrepancy command.
Examples
Considering userid: admin, password:admin, filename: file1.xml, you can have the following:
cmexport Discrepancy -u admin -p admin
cmexport Discrepancy -u admin -p admin -f file1.xml
cmexport Discrepancy -u admin -d 2
cmexport Manpage
This section contains:
where:
cmexport
is the Cisco Prime LMS command line interface for exporting User Tracking, Layer 2 topology, and discrepancy data details into XML format.
command specifies the core operation that is to be performed.
arguments are the additional parameters required for each core command.
options are the optional parameters, which modify the behavior of the specific DEE core command.
The order of the arguments and options is not important. However, you must enter the core command immediately after cmexport.
Commands
Table C-7 lists the command part of the cmexport syntax.
Table C-7 Command Description
Description
Generates User Tracking data in XML format.
Generates Layer 2 topology data in XML format.
Generates discrepancy data in XML format.
You must invoke the cmexport command with one of the core commands specified in the above table. If no core command is specified, cmexport can execute the -v or -h options only:
Option -v displays the version of the cmexport utility. Option -h (or null option) lists the usage information of this utility.
Mandatory Arguments
The options that must be specified with all functions are:
-u
Optional Arguments
The options you can specify with any function are:
-p password
Specifies the password for the Cisco Prime userid. The -p option reveals the password in clear text on the command line. To avoid it, store your userid and password in a file and set the variable CMEXPORTFILE to point to this file. You must maintain this file and control its access permissions to prevent unauthorized access. If CMEXPORTFILE is set to a file name only instead of a full path, cmexport looks for the file in the current working directory. If you use the -p option even after setting the CMEXPORTFILE variable, the password is taken from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
The password must be provided in the file in the following format:
userid password
where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space. You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the password. The password file can contain multiple entries with different user names. The password that matches the first user name is considered in case of duplicate entries.
Note
If -p password is used, the password is read from the command line instead of CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
-d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of debugging: TRACE and DEBUG. If you do not specify the -d option, no logging will occur.
-l logfile
Logs the results of the cmexport command to the specified log file name. By default the command output will be displayed in the standard output.
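The CMEXPORTFILE rules described under -p (owner-only access, "userid password" lines, first entry wins, file name resolved against the working directory) can be checked before the file is used. The following is an added example, not code from this manual or from Cisco; the function names and sample credentials are constructed, and the lookup models the documented rules rather than cmexport's actual implementation.

```python
import os
import stat
import tempfile


def write_credentials_file(path, entries):
    """Create the password file readable and writable by its owner only.

    entries is a list of (userid, password) pairs, written one per line as
    "userid password" with a single blank as the delimiter.
    """
    # O_EXCL refuses to reuse an existing file or follow a planted symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        for userid, password in entries:
            if " " in userid or "\n" in userid + password:
                raise ValueError("value cannot be stored in this format")
            handle.write(f"{userid} {password}\n")


def lookup_password(text, userid):
    """Return the password of the first entry for userid, or None.

    A line without the blank delimiter is skipped, which models the rule
    that the delimiter is required even when the password is blank.
    """
    for line in text.splitlines():
        if " " not in line:
            continue
        user, password = line.split(" ", 1)
        if user == userid:
            return password
    return None


def audit_credentials_file(value, cwd=None):
    """Return a list of findings for the file that CMEXPORTFILE names.

    value is the content of the variable; passwords are never echoed.
    """
    findings = []
    if os.path.isabs(value):
        path = value
    else:
        # A bare file name is looked up in the current working directory,
        # so the file actually read depends on where the command is run.
        path = os.path.join(cwd or os.getcwd(), value)
        findings.append("relative path: resolved against the working directory")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"group or other access allowed (mode {mode:03o})")
    first_seen = {}
    with open(path) as handle:
        for number, line in enumerate(handle, 1):
            line = line.rstrip("\n")
            if not line:
                continue
            if " " not in line:
                findings.append(f"line {number}: no blank delimiter after the userid")
                continue
            user = line.split(" ", 1)[0]
            if user in first_seen:
                findings.append(
                    f"line {number}: duplicate entry for {user!r}, "
                    f"shadowed by line {first_seen[user]}"
                )
            else:
                first_seen[user] = number
    return findings


if __name__ == "__main__":
    # Constructed sample data in a throwaway directory.
    directory = tempfile.mkdtemp()
    sample = os.path.join(directory, "cmexport.cred")
    write_credentials_file(
        sample, [("admin", "Constructed-Pw1"), ("oper", ""), ("admin", "ignored")]
    )
    for finding in audit_credentials_file(sample):
        print(finding)
```
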
Function-Specific Options
The following function-specific option is supported:
-f filename
User Tracking function: Specifies the name of the file to which the user tracking information is to be exported.
Topology function: Specifies the name of the file to which the layer 2 topology information is to be exported.
Discrepancy function: Specifies the name of the file to which the discrepancy information is to be exported.
Accessing Help
Enter the following in the CLI:
cmexport -h:
Displays a list of options for cmexport. Displays a list of options for the cmexport command.
Schema for User Tracking Data User Tracking Schema for Switch Data User Tracking Schema for Phone Data User Tracking Schema for Subnet Data Schema for Topology Data Schema for Discrepancy Data Using Servlet to Export Data from LMS
    <xs:complexType>
      <xs:sequence>
        <xs:element name="SubnetId" type="xs:string"/>
        <xs:element name="UTData" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="UTData">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="UserName" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="MACAddress" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="HostName" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="IPAddress" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="IPv6Address" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="PrefixLength" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="Prefix" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="DeviceName" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="Device" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="Port" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="PortName" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="PortState" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="PortDuplex" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="PortSpeed" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="VTPDomain" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="VLAN" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="VLANId" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="VLANType" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="trBRFVLAN" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="SecondaryVlan" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="Ring" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="Bridge" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="LastSeen" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="Notes" type="xs:string" minOccurs="0" maxOccurs="1"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Device">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="DeviceName" type="xs:string"/>
        <xs:element name="IPAddress" type="xs:string"/>
        <xs:element name="DeviceState">
          <xs:simpleType>
            <xs:restriction base="xs:string">
              <xs:pattern value="Reachable"/>
              <xs:pattern value="UnReachable"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
        <xs:element name="DeviceType" type="xs:string"/>
        <xs:element ref="Neighbors" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Neighbors">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Neighbor" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Neighbor">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="NeighborIPAddress" type="xs:string"/>
        <xs:element name="NeighborDeviceType" type="xs:string"/>
        <xs:element name="Link" type="xs:string"/>
        <xs:element name="LocalPort" type="xs:string"/>
        <xs:element name="RemotePort" type="xs:string"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
        <xs:element ref="Network-Discrepancy" minOccurs="0" maxOccurs="unbounded" />
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Best-Practices-Deviation">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Details" type="xs:string" />
        <xs:element name="Type" type="xs:string" />
        <xs:element name="Severity">
          <xs:simpleType>
            <xs:restriction base="xs:string">
              <xs:pattern value="High" />
              <xs:pattern value="Medium" />
              <xs:pattern value="Low" />
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
        <xs:element name="Description" type="xs:string" />
        <xs:element name="FirstFound" type="xs:string" />
        <xs:element name="Acknowledged" type="xs:string" />
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Network-Discrepancy">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Details" type="xs:string" />
        <xs:element name="Type" type="xs:string" />
        <xs:element name="Severity">
          <xs:simpleType>
            <xs:restriction base="xs:string">
              <xs:pattern value="High" />
              <xs:pattern value="Medium" />
              <xs:pattern value="Low" />
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
        <xs:element name="Description" type="xs:string" />
        <xs:element name="FirstFound" type="xs:string" />
        <xs:element name="Acknowledged" type="xs:string" />
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
To export User Tracking data, use UTExportServlet. To export Discrepancy and Layer 2 Topology data, use CMExportServlet.
To invoke cmexport and utexport commands, the servlet requires a payload file that contains details such as:
User credentials.
The command you want to execute.
Optional details such as log and debug options as inputs in XML format.
The servlet then parses the payload file encoded in XML, performs the operations, and returns the results in XML format. You must create the payload file to include the input details and submit it when you ask for servlet access. Typically, servlet access is used when you need to use the data export feature from a client system. To use DEE export features, you can write a script to upload the payload file and perform the data export functions. See the following sample scripts:
Sample Perl Script (test.pl) to Access the Servlet Sample Java Code to Access the Servlet HTTP Mode HTTPS Mode
For example, if you are using the script test.pl, you can invoke the servlet in either of these modes:
HTTP Mode
HTTPS Mode
use LWP::UserAgent;
use HTTP::Headers;
use HTTP::Request;

#-- Activate a CGI:
# $str is not defined inside this subroutine; the script must set it to the
# payload content before url_call is invoked.
sub url_call {
    my ($url) = @_;
    my $ua = new LWP::UserAgent;
    $ua->timeout(5000);
    my $hdr = new HTTP::Headers 'Content-Type' => 'text/html';
    my $req = new HTTP::Request ('GET', $url, $hdr);
    $req->content($str);
    my $res = $ua->request($req);
    my $result;
    if ($res->is_error) {
        # Transport or HTTP error: report the status code and message.
        print "ERROR : ", $res->code, " : ", $res->message, "\n";
        $result = '';
    } else {
        $result = $res->content;
        if ($result =~ /Authorization error/) {
            print "Authorization error\n";
        } else {
            print $result;
        }
    }
}
import java.io.BufferedOutputStream;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.PrintWriter;
import java.net.HttpURLConnection;
import java.net.URL;

class CMExportServletRun {
    public static void main(String args[]) {
        try {
            URL url = new URL("http://localhost:1741/campus/servlet/CMExportServlet");
            // Payload content; the servlet expects XML that follows the payload schema.
            String payload = "adminadminut_hostdee.log1";
            HttpURLConnection con;
            InputStream is;
            //opens connection to servlet
            con = (HttpURLConnection) url.openConnection();
            con.setRequestMethod("POST");
            con.setRequestProperty("Content-type", "text/xml");
            con.setDoOutput(true);
            con.setUseCaches(false);
            OutputStream bos = new BufferedOutputStream(con.getOutputStream());
            PrintWriter out = new PrintWriter(bos);
            out.println(payload);
            out.flush();
            out.close();
            //prints out response from CMExportServlet
            is = con.getInputStream();
            BufferedReader bfr = new BufferedReader(new InputStreamReader(is));
            String str = null;
            while ((str = bfr.readLine()) != null) {
                System.out.println(str);
            }
        } catch (Exception e) {
            System.out.println(e.toString());
        }
    }
}
Payload File
The payload file is an XML file that contains inputs required for the DEE servlet to process requests for data export. Schema for the payload XML file is given in Schema for Payload File. Table C-8 describes the elements in the schema.
Table C-8 Elements in the Schema
Element: Description
username: Cisco Prime user name.
password: Password for Cisco Prime username.
command: Command inside this tag can be ut_host, ut_phone, l2topology or discrepancy.
view: Use this option when you specify ut_host. This is optional. This specifies the presentation of the User Tracking data in the hierarchical format with either switch or subnet as the root.
queryname: User Tracking host data is exported in XML format for the query provided in queryname. You can use this option when you specify ut_host.
layoutname: User Tracking host data is exported in XML format for the layout provided in layoutname. You can use this option when you specify ut_host.
queryphone: User Tracking phone data is exported in XML format for the query given in queryphone. You can use this option when you specify ut_phone.
layoutphone: User Tracking phone data is exported in XML format for the layout given in layoutPhone. You can use this option when you specify ut_phone.
debug: Optional. Debug messages can be collected only if log file is specified in the log option. The debug level could be 1 or 2. You can set the value to: 1: For basic debug information. 2: For detailed debug information. This is optional.
You can use the following schema for creating the payload file in XML format.
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified">
  <xs:element name="payload">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="username" type="xs:string"/>
        <xs:element name="password" type="xs:string"/>
        <xs:element name="command" type="xs:string"/>
        <xs:element name="view" type="xs:string"/>
        <xs:element name="queryname" type="xs:string"/>
        <xs:element name="layoutname" type="xs:string"/>
        <xs:element name="queryphone" type="xs:string"/>
        <xs:element name="layoutphone" type="xs:string"/>
        <xs:element name="debug" type="xs:string"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
General Security: Partially implemented by the client components of Cisco Prime and by the system administrator.
Server Security: Partially implemented by the server components of Cisco Prime and by the system administrator.
Application Security: Implemented by the client and server components of the Cisco Prime applications.
For more information on security related features, see Setting up Security. The following sections describe the general and server security levels.
General Security
The Cisco Prime LMS Server provides an environment that allows the deployment of web-based network management applications. Web access provides an easy-to-use and easy-to-access computing model that is more difficult to secure than the standard computing model that only requires a system login to execute applications. The Cisco Prime LMS Server also provides security mechanisms (authentication and authorization) used to prevent unauthenticated access to the Cisco Prime LMS Server and unauthorized access to Cisco Prime applications and data. However, Cisco Prime applications can change the behavior and security of your network devices. Therefore, it is critical to limit access to applications and servers as follows:
Limit access to personnel who need access to applications or the data that the applications provide.
Limit Cisco Prime LMS Server logins to just the systems administrator.
Limit connectivity access to the Cisco Prime LMS Server by putting it behind a firewall.
Server Security
The Cisco Prime LMS Server uses the basic security mechanisms of the operating system to protect the code and data files that reside on the server. The following Cisco Prime LMS Server security control elements apply:
Server-Imposed Security
The Cisco Prime LMS Server has many dimensions, such as:
Files, File Ownership, and Permissions
Runtime
Remote Connectivity
Access to Systems Other Than the Cisco Prime LMS Server
Access Control
UNIX Systems: Cisco Prime must be installed by a user with root privilege. It should be installed as the user casuser with a casusers group. If the system administrator needs to work on casuser files, a user with a name chosen by the system administrator must be created and added to the casusers group. All files and directories are owned by casuser with group equal to casusers. Temporary files are created as the user casuser with permissions set to read-write for the user casuser and read for members of group casusers. The only exception to this rule is the log files created by the Cisco Prime web server and diskWatcher. The Cisco Prime web server and diskWatcher must be started as root. Therefore, their log files are owned by the user root with group=casusers.
Windows Systems: Cisco Prime must be installed by the administrator and must be installed as the user casuser.
If it is a new installation, the system displays a message prompting you to either create or to cancel the process. You can enter the password or it can be automatically generated.
If it is not a new installation, the system displays a message prompting you to either continue resetting the password or to retain the old password.
The Cisco Prime LMS Server uses the password but the casuser user is not intended as a general user of the Windows system. No user is required to log on to the Windows system as casuser. All files and directories are owned by the user casuser. Read and write access are restricted to the user casuser and the administrator. Temporary files are created as the user casuser with permissions set to read-write for the user casuser. The Cisco Prime LMS Server relies on the security mechanisms of the NTFS filesystem to provide access control on Windows systems. If Cisco Prime is installed on a FAT filesystem, most security assumptions made about controlled access to files and network management data are not valid.
Runtime
This describes the runtime activities.
UNIX Systems: Typically Cisco Prime back-end processes are run with permissions set to the user ID of the binary file. For example, if user Joe owns an executable file, it will be run by the Cisco Prime daemon manager under the user ID of Joe. The exception is files owned by the root user ID. To prevent a potentially harmful program from being run by the daemon manager with root permissions, the daemon manager will run only a limited set of Cisco Prime programs that need root privilege. This list is not documented to preclude any user from trying to impersonate these programs. All back-end processes are run with a umask value of 027. This means that all files created by these programs are created with permissions equal to rwxr-x---, with an owner and group of the user ID and group of the program that created it. Typically this will be casuser and group=casusers. Cisco Prime foreground processes (typically cgi-bin programs or servlets) are executed under the control of the web server's child processes or the servlet engine, which all run as the user casuser. Cisco Prime uses standard UNIX tftp and rcp services. Cisco Prime also requires that user casuser have access to the directories that these services read and write to. The Cisco Prime LMS Server must allow the user casuser to run cron and at jobs to enable the Resource Manager Essentials Software Management application to run image download jobs.
Windows: Cisco Prime back-end processes are run with permissions set to the user casuser. Some of the special Cisco Prime LMS Server processes are run as a service under the localsystem user ID. These processes include:
Daemon manager
Web server
Servlet engine
Rcp/rsh service
TFTP service
Corba service
Database engine
Cisco Prime foreground processes (typically cgi-bin programs or servlets) are run under the control of the web server and the servlet engine that run as the user localsystem. The local system user has special permissions on the local system but does not have network permissions. Cisco Prime provides several services for RCP, TFTP communication with devices. These services are targeted for use by Cisco Prime applications, but can be used for purposes other than network management. The Cisco Prime Server uses the at command to run software update jobs for the Resource Manager Essentials Software Image Manager application. Jobs run by the at command, run with system level privileges.
Remote Connectivity
The remote connectivity details for Windows and Solaris are:
UNIX Systems: The Cisco Prime daemon manager only responds to requests to start, stop, register, or show status for Cisco Prime back-end processes from the Cisco Prime LMS Server.
Windows Systems: The Cisco Prime daemon manager only responds to requests to start, stop, register, or show status for Cisco Prime back-end processes from the Cisco Prime LMS Server.
UNIX Systems: Systems used by the Cisco Prime LMS Server as remote sources of device information for importing into the LMS Inventory Manager application must allow the user casuser to perform remote shell operations on the user who owns the device information.
Windows Systems: Systems used by the Cisco Prime Server as remote sources of device information for importing into the LMS Inventory Manager application must allow the user casuser to perform remote shell operations on the user who owns the device information.
Access Control
The access control details are:
UNIX Systems: The UNIX user casuser is a user ID that is not typically enabled for login. Using this user ID as the user ID under which to install the Cisco Prime Server software simplifies the installation process and ensures limited access to the Cisco Prime Server. This is because casuser is not a valid login ID as there is no password assigned to it. However, the casuser user on UNIX systems can perform system and possibly network-wide operations that could be harmful to the system or the network.
Windows Systems: The user casuser, created as part of the install process, has no special permissions or considerations on a system so it is a safe user ID under which to run the Cisco Prime Server and application code. The localsystem user can perform harmful system operations. Therefore, consider that by using the localsystem user ID to run some of the backend processes, the localsystem user ID cannot perform network operations.
Note
The system administrator should review and adopt the security recommendations in System Administrator-Imposed Security.
Do not allow users other than the systems administrator to have a login on Cisco Prime LMS Server.
Do not allow the Cisco Prime LMS Server file systems to be mounted remotely with NFS or any other file-sharing protocol.
Limit remote access (for example, FTP, RCP, RSH) to Cisco Prime LMS Server to those users who are permitted to log into Cisco Prime LMS Server.
Place your network management servers behind firewalls to prevent access to the systems from outside of your organization.
Change the database password after installation and periodically based on your company's security policies.
Back up the security certificates in a safe location, if you are using SSL in Cisco Prime LMS Server.
Connection Security
The Cisco Prime LMS Server uses Secure Socket Layer (SSL) encryption to provide secure connection between the client browser and management server, and Secure Shell (SSH) to provide secure access between the management server and devices.
Security Certificates
Security certificates are similar to digital ID cards. They prove the identity of the server to clients. Certificates are issued by Certificate Authorities (CAs) such as VeriSign or Thawte. A certificate vouches for the identity and key ownership of an individual, a computer system (or a specific server running on that system), or an organization. It is a general term for a signed document. Typically, certificates contain the following information:
Subject public key value.
Subject identifier information (such as the name and e-mail address).
Validity period (the length of time that the certificate is considered valid).
Issuer identifier information.
The digital signature of the issuer. This attests to the validity of the binding between the subject public key and the subject identifier information.
A certificate is valid only for the period of time specified within it. Every certificate contains Valid From and Valid To dates, which are the boundaries of the validity period. For example, a user's certificate verifies that the user owns a particular public key. The server certificate for the server named myserver.cisco.com verifies that a specific public key belongs to this server. Certificates can be issued for a variety of functions such as web user authentication, web server authentication, secure e-mail (S/MIME), IP Security, Transport Layer Security (TLS), and code signing.
Cisco Prime LMS Server supports security certificates for authenticating secure access between client browser and management server. Cisco Prime supports self-signed certificates and provides an option to create self-signed certificates. For more information, see Creating Self Signed Certificates.
Secure Socket Layer (SSL)
Public Key, Private Key
Secure Shell (SSH)
PKCS#8
Base64-Encoded X.509 Certificate Format
Certificate Authority
Cisco Prime TrustStore or KeyStore
PKCS#8
Public-Key Cryptography Standards (PKCS) are a set of standards for public-key cryptography, developed by RSA Laboratories in cooperation with an informal consortium, originally including Apple, Microsoft, DEC, Lotus, Sun and MIT. The PKCS have been cited by the OIW (OSI Implementers' Workshop) as a method for implementation of OSI standards. The PKCS are designed for binary and ASCII data; PKCS are also compatible with the ITU-T X.509 standard. The published standards are PKCS #1, #3, #5, #7, #8, #9, #10, #11, #12, and #15; PKCS #13 and #14 are currently being developed. PKCS #8 describes a format for private key information. This information includes a private key for some public-key algorithm, and optionally a set of attributes.
Note
Other certificate formats such as PKCS#7 also have similar formats. Hence it is important that you confirm the format of the certificate with the CA, and specifically request the Base64-Encoded X.509 Certificate format.
Certificate Authority
A certificate authority (CA) is an authority in a network that issues and manages security credentials and public keys for message encryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA then issues a certificate.
Overview of Dynamic Updates Configuring Switches With MAC Notification Commands Device Operating System Version-Specific Commands List of Commands to Enable MAC Notification Traps on Devices
Choose Admin > Trust Management > Multi Server > System Identity Setup.
Re-enter the password for the System Identity user.
Ensure that the System Identity User user name and password are valid, also under Admin > System > User Management > Local User Setup.
See the section Understanding Dynamic Updates in User Tracking and Dynamic Updates for more information.
Global commands
Device Family-specific commands
Device Type-specific commands
Device Operating System version-specific commands
While configuring, Network Topology, Layer 2 Services and User Tracking selects the commands for each device based on the fallback rule in the following order:
1. Device Operating System version-specific commands
2. Device Type-specific commands
3. Device Family-specific commands
4. Global commands
If a device OID matches an OS version, the Device OS version-specific commands should be selected to configure the device. Otherwise, the Device Type-specific commands should be selected. If a device OID could not find a specific match on both Device OS version-specific commands and Device Type-specific commands, the Device-Family specific commands should be selected. The Global commands are selected for configuring the device when there is no match of Device OS version-specific, Device Type-specific, or Device Family-specific commands available for the device. The device is considered as an unknown device type when there is no match of any of the command sets available. In other words, for an unknown device type, command set will not be generated.
[12.2(40),12.2(43)) denotes all OS versions between 12.2(40) and 12.2(43) including 12.2(40) and excluding 12.2(43).
[,12.2(40)] denotes all OS versions prior to 12.2(40) and including version 12.2(40).
[12.1(19)EA1,12.2(46)SE) denotes all OS versions 12.1(19)EA1 and later, and prior to 12.2(46)SE.
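The fallback order and the OS version interval notation described above can be exercised with a small resolver. The following is an added example, not code from this manual or from Cisco: the rule layout, the function names and the version ordering (numeric major, minor and maintenance, then the train suffix compared as text) are assumptions, and the rules are a constructed sample modelled on the Table E-1 rows for SysOID 1.3.6.1.4.1.9.1.516, keeping only the first command of each set.

```python
import re

# Assumed shape of an OS version string: major.minor(maintenance)train
_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(.*)$")


def version_key(version):
    """Turn '12.1(19)EA1' into a sortable tuple (assumed ordering)."""
    match = _VERSION.match("".join(version.split()))
    if not match:
        raise ValueError(f"unrecognised OS version: {version!r}")
    major, minor, maintenance, train = match.groups()
    return (int(major), int(minor), int(maintenance), train)


def matches_os(version, spec):
    """True if version falls inside spec.

    spec is either a single version or an interval such as
    '[12.1(19)EA1,12.2(46)SE)': ']' includes the upper bound, ')' excludes
    it, and an empty lower bound means 'any earlier version'.
    """
    spec = "".join(spec.split())  # tolerate stray blanks from line wraps
    current = version_key(version)
    if not spec.startswith("["):
        return current == version_key(spec)
    if spec[-1] not in ")]" or spec.count(",") != 1:
        raise ValueError(f"malformed interval: {spec!r}")
    low, high = spec[1:-1].split(",")
    if low and current < version_key(low):
        return False
    if high:
        upper = version_key(high)
        if current > upper or (current == upper and spec[-1] == ")"):
            return False
    return True


# Most specific level first, as in the fallback rule.
LEVELS = ("os_version", "device_type", "device_family", "global")


def select_command_set(device, rules):
    """Return (level, commands) for the first matching level, else None.

    None models the unknown device type, for which no command set is
    generated.
    """
    def applies(rule):
        level = rule["level"]
        if level == "os_version":
            return (rule["sysoid"] == device["sysoid"]
                    and matches_os(device["os"], rule["os"]))
        if level == "device_type":
            return rule["sysoid"] == device["sysoid"]
        if level == "device_family":
            return rule["family"] == device["family"]
        return level == "global"

    for level in LEVELS:
        for rule in rules:
            if rule["level"] == level and applies(rule):
                return level, rule["commands"]
    return None


OID_516 = "1.3.6.1.4.1.9.1.516"
SAMPLE_RULES = [  # constructed sample, not the product's rule store
    {"level": "global", "commands": "mac address-table notification"},
    {"level": "device_family", "family": "C3750-STACK",
     "commands": "mac address-table notification change"},
    {"level": "os_version", "sysoid": OID_516, "os": "[,12.1(19)EA1)",
     "commands": "mac-address-table notification"},
    {"level": "os_version", "sysoid": OID_516, "os": "[12.1(19)EA1,12 .2(46)SE)",
     "commands": "mac address-table notification"},
    {"level": "os_version", "sysoid": OID_516, "os": "12.2(52)SE",
     "commands": "mac address-table notification change"},
]

if __name__ == "__main__":
    for os_version in ("12.1(14)EA1", "12.2(44)SE", "12.2(46)SE", "12.2(52)SE"):
        device = {"sysoid": OID_516, "family": "C3750-STACK", "os": os_version}
        print(os_version, select_command_set(device, SAMPLE_RULES))
```
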
Commands to Enable MAC Notification Traps on Devices List of Commands to Enable MAC Notification Traps on Devices
Device Type -
SysOID -
Global Command Set
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version -
Table E-1
Device Family
Device Type
SysOID -
Global Command Set
mac address-table notification change:mac address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
mac address-table notification change:mac address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notificatio
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version -
C3750-STACK -
C3750-STACK 1.3.6.1.4.1.9.1.516
[,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
12.2(52)SE
Device Type
SysOID
Global Command Set
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
NME16ES1GP 1.3.6.1.4.1.9.1.702
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
Device Family
Device Type
SysOID 1.3.6.1.4.1.9.1.664
Global Command Set
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
NMEXD24ES 1SP
1.3.6.1.4.1.9.1.665
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
OL-20721-01
Appendix E
Commands to Enable MAC Notification Traps on Devices List of Commands to Enable MAC Notification Traps on Devices
SysOID 1.3.6.1.4.1.9.1.666
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
C3550-24ME
1.3.6.1.4.1.9.1.574
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
SysOID 1.3.6.1.4.1.9.1.589
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(19)EA1)
C3750-STACK C3550-24ME
[12.1(19)EA1,12.2(46)SE)
C3550-24ME
1.3.6.1.4.1.9.1.590
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
SysOID 1.3.6.1.4.1.9.1.591
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(19)EA1)
C3750-STACK C3550-24ME
[12.1(19)EA1,12.2(46)SE)
C3550-24ME
1.3.6.1.4.1.9.1.592
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
SysOID 1.3.6.1.4.1.9.1.688
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(19)EA1)
C3750-STACK C3550-24ME
[12.1(19)EA1,12.2(46)SE)
C3750-24P
1.3.6.1.4.1.9.1.536
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
SysOID 1.3.6.1.4.1.9.1.530
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(19)EA1)
C3750-STACK C3750
[12.1(19)EA1,12.2(46)SE)
C3750
1.3.6.1.4.1.9.1.511
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
SysOID 1.3.6.1.4.1.9.1.512
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(19)EA1)
C3750-STACK C3750
[12.1(19)EA1,12.2(46)SE)
C3750
1.3.6.1.4.1.9.1.513
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
SysOID 1.3.6.1.4.1.9.1.514
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(19)EA1)
C3750-STACK C3750
[12.1(19)EA1,12.2(46)SE)
C3750
1.3.6.1.4.1.9.1.535
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
SysOID 1.3.6.1.4.1.9.1.602
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(19)EA1)
C3750-STACK C3750
[12.1(19)EA1,12.2(46)SE)
C3750
1.3.6.1.4.1.9.1.603
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
SysOID 1.3.6.1.4.1.9.1.604
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(19)EA1)
C3750-STACK C3750P
[12.1(19)EA1,12.2(46)SE)
C3750
1.3.6.1.4.1.9.1.624
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
[12.1(19)EA1,12.2(46)SE)
SysOID 1.3.6.1.4.1.9.1.656
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(19)EA1)
C3750-STACK C3750
[12.1(19)EA1,12.2(46)SE)
C3550
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
C3550-24
1.3.6.1.4.1.9.1.366
[,12.1(11)EA1)
C3550-48
1.3.6.1.4.1.9.1.367
[,12.1(11)EA1)
SysOID 1.3.6.1.4.1.9.1.368
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(11)EA1)
C3550-12G
1.3.6.1.4.1.9.1.431
[,12.1(11)EA1)
C3550-24FX
1.3.6.1.4.1.9.1.453
[,12.1(11)EA1)
C3550-24DC
1.3.6.1.4.1.9.1.452
[,12.1(11)EA1)
C3550-24PWR 1.3.6.1.4.1.9.1.485
[,12.1(11)EA1)
SysOID 1.3.6.1.4.1.9.1.563
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(11)EA1)
C3560-48PS
1.3.6.1.4.1.9.1.564
[,12.1(11)EA1)
C3560G-24PS
1.3.6.1.4.1.9.1.614
[,12.1(11)EA1)
C3560G-24TS
1.3.6.1.4.1.9.1.615
[,12.1(11)EA1)
C3560G-48PS
1.3.6.1.4.1.9.1.616
[,12.1(11)EA1)
SysOID 1.3.6.1.4.1.9.1.617
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(11)EA1)
C3560E
1.3.6.1.4.1.9.1.930
C3560E
1.3.6.1.4.1.9.1.956
C3560E
1.3.6.1.4.1.9.1.1015 mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
SysOID 1.3.6.1.4.1.9.1.909
Global Command Set mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version -
3000
1.3.6.1.4.1.9.1.910
3000
1.3.6.1.4.1.9.1.911
3000
1.3.6.1.4.1.9.1.912
SysOID 1.3.6.1.4.1.9.1.918
Global Command Set mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version -
3000
1.3.6.1.4.1.9.1.919
3000
1.3.6.1.4.1.9.1.920
3000
1.3.6.1.4.1.9.1.921
SysOID 1.3.6.1.4.1.9.1.922
Global Command Set mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version -
3000
1.3.6.1.4.1.9.1.947
3000
1.3.6.1.4.1.9.1.948
3000
1.3.6.1.4.1.9.1.949
SysOID 1.3.6.1.4.1.9.1.999
Global Command Set mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version -
3000
1.3.6.1.4.1.9.1.1000 mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification 1.3.6.1.4.1.9.1.1001 mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification 1.3.6.1.4.1.9.1.1002 mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
3000
3000
SysOID 1.3.6.1.4.1.9.1.958
Global Command Set mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification -
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version -
C3000IE
1.3.6.1.4.1.9.1.959
C3500XL
C3524PWRXL 1.3.6.1.4.1.9.1.287
Device Type -
SysOID -
Global Command Set mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version -
C2970G-24T
1.3.6.1.4.1.9.1.527
[,12.1(19)EA1)
C2970G-24TS
1.3.6.1.4.1.9.1.561
[,12.1(19)EA1)
371098-001
1.3.6.1.4.1.11.2.3.7.11.33.3.1.1 mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification 1.3.6.1.4.1.9.1.781 mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
ME-3400G-12CS-D
[,12.1(19)EA1)
SysOID 1.3.6.1.4.1.9.1.780
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(19)EA1)
C2960-24TC-S 1.3.6.1.4.1.9.1.928
[,12.1(19)EA1)
[,12.1(19)EA1)
C2960G-48TC-L
1.3.6.1.4.1.9.1.697
12.2(35)SE5
12.2(44)SE6
ME-3400
1.3.6.1.4.1.9.1.873
Device Type ME-3400 ME-3400 ME-3400 C2960 C2960 C2960 C2960 C2960 C2960 C2960 C2975 C2975
SysOID
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version -
1.3.6.1.4.1.9.1.1067 1.3.6.1.4.1.9.1.1068 mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification -
C2900XL
C2908XL C2900XL (continued) C2924XL C2924CXL C2924XLV C2924CXLV C2912XL C2924MXL C2912MFXL
Device Type -
SysOID -
Global Command Set mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version -
C2950-12
1.3.6.1.4.1.9.1.323
[,12.1(11)EA1)
C2950-24
1.3.6.1.4.1.9.1.324
[,12.1(11)EA1)
SysOID 1.3.6.1.4.1.9.1.325
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(11)EA1)
C2950T-24
1.3.6.1.4.1.9.1.359
[,12.1(11)EA1)
C2950G-24
1.3.6.1.4.1.9.1.428
[,12.1(11)EA1)
C2950G-12
1.3.6.1.4.1.9.1.427
[,12.1(11)EA1)
C2950G-48
1.3.6.1.4.1.9.1.429
[,12.1(11)EA1)
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(11)EA1)
C2950G-24DC 1.3.6.1.4.1.9.1.472
C2950-24SX
1.3.6.1.4.1.9.1.480
[,12.1(11)EA1)
C2955C-12
1.3.6.1.4.1.9.1.489
[,12.1(11)EA1)
C2955S-12
1.3.6.1.4.1.9.1.508
[,12.1(11)EA1)
C2955T-12
1.3.6.1.4.1.9.1.488
[,12.1(11)EA1)
SysOID 1.3.6.1.4.1.9.1.483
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(11)EA1)
C2950ST-24LRE
1.3.6.1.4.1.9.1.482
[,12.1(11)EA1)
C2940-8TT
1.3.6.1.4.1.9.1.540
[,12.1(11)EA1)
C2940-8TF
1.3.6.1.4.1.9.1.542
[,12.1(11)EA1)
C2950-48SX
1.3.6.1.4.1.9.1.560
[,12.1(11)EA1)
SysOID 1.3.6.1.4.1.9.1.592
Global Command Set mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification set cam notification enable:set snmp trap enable macnotification:set snmp trap HOST COMMUNITY version TRAPVERSION port PORT mac-address-table notification change:mac-address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version [,12.1(11)EA1)
C6000
set cam notification added enable INTERFACE:set cam notification removed enable INTERFACE snmp trap mac-notification change added:snmp trap mac-notification change removed
Global Command Set set cam notification enable:set snmp trap enable macnotification:set snmp trap HOST COMMUNITY port PORT
Interface Command Set set cam notification added enable INTERFACE:set cam notification removed enable INTERFACE -
OS Version -
catalyst6513IO 1.3.6.1.4.1.9.1.400 S ciscoWSC6503 1.3.6.1.4.1.9.1.449 ciscoWSC6509 1.3.6.1.4.1.9.1.534 neba catalyst6509V E Cisco C6503-IOS C4000 1.3.6.1.4.1.9.1.832 1.3.6.1.4.1.9.1.449 -
Device Type -
SysOID -
Global Command Set mac-address-table notification change:mac-address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification change:mac address-table notification change interval 15:snmp-server enable traps mac-notification:snmp-server host HOST version 1 COMMUNITY udp-port 1431 mac-notification mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification change added:snmp trap mac-notification change removed
OS Version -
12.2(53)SG
cisco4948-10G 1.3.6.1.4.1.9.1.659 E cisco4948-10G 1.3.6.1.4.1.9.1.875 E cisco4948-10G 1.3.6.1.4.1.9.1.877 E cisco4948-10G 1.3.6.1.4.1.9.1.874 E cisco4948-10G 1.3.6.1.4.1.9.1.876 E C4506-IOS 1.3.6.1.4.1.9.1.502
C4900ME -
C4900ME
1.3.6.1.4.1.9.1.788
Device Type -
SysOID -
Global Command Set mac address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification -
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version -
C2400ME C2350
1.3.6.1.4.1.9.1.735
1.3.6.1.4.1.9.1.1104 -
INDEX
A
access connection security, understanding control, security and access ports customizable groups system defined groups Role Management roles on NDG basis, assigning admin application settings purge settings setting log level administering LMS
default credential set policies, creating default credential set policies, deleting
default credential set policies, Display name policy type example default credential set policies, examples
default credential set policies, host name policy type example default credential set policies, IP range policy type example default credential set policies, ordering default credential sets device polling settings mode, changing
Master-Slave configuration, prerequisites unreachable devices deletion user-defined fields, adding user-defined fields, deleting user-defined fields, renaming Display Settings and DCR
database password, changing processes, back-end processes processes, managing processes, starting processes, stopping processes, viewing restoring data DCR default credentials
administering LMS ANI data collection, using best practices in discovery scheduling data collection, scheduling
debugging options
user and host acquisition, using delete interval, modifying purge policy, specifying schedule, modifying Administering VRF Lite Setting VRF Lite Debugging Options
default credentials, using
default credentials, using in multi-server setup default credential set, configuring default credential set, deleting
VRF Lite Client Debugging Settings VRF Lite Server Debugging Settings VRF Lite Utility Debugging Settings Using VRF Lite Administration
VRF Lite Collector Debugging Settings Modifying VRF Lite SNMP Timeouts and Retries Scheduling VRF Collector Administering VRF Using VRF Administration admin setting application log level purge log file
shadow directory, enabling and disabling automated actions, defining in Change Audit creating deleting editing
ANI data collection administration, using best practices in discovery scheduling data collection, scheduling debugging options applications Job Approval licensing licensing information, viewing licensing procedure obtaining a license updating licenses application settings running-config archive purging
exporting, importing
B
backing up data back-up data directory structure of using CLI using CLI
Catalyst commands
C
cautions regarding admin password, guest password
Cisco Prime processes and Fault Monitor collecting information on locked out of MDC support
backups, and the Cisco Prime Daemon Manager changing Change Audit purge settings data restoration from a backup
resetting purge policy in Syslog Analyzer restarting Daemon Manager on Solaris restarting Daemon Manager on Windows certificates terms and definitions in
Cisco Prime LMS Server back-end process Cisco Prime LMS Server Processes
cmexport command (see under Data Extraction Engine) cmf as part of database path, explanation of LMS user log-in information collector group assigning membership defining rules operation based
membership details
enabling, disabling exporting, importing exception periods creating defining deleting editing
Base64-encoded X.509 certificate format CA (certificate authority) PKCS#8 SSH SSL connectivity tasks
database password, changing available formats Solaris Windows DCR administering default credentials
checking process status MDC support copying IP SLA creating user-defined collector groups Server portlets job information status log space usage customizable groups access port device editing interface restrictions trunk port
Master-Slave configuration, prerequisites unreachable devices deletion user-defined fields, adding user-defined fields, deleting
user-defined fields, renaming changes, effect on Fault Monitor Fault Management discovery and log file
DCR (Device and Credential Repository) CLI interface, using DCR mode, changing importing using listing attributes
listing default credential sets viewing current DCR mode viewing device details DDV log file
D
Daemon Manager, using restarting on Solaris restarting on Windows Daily Purging Schedule log file database
Administration of Cisco Prime LAN Management Solution 4.1
managing
Advanced Search
Fault Monitor Object Grouping Services Server, log file discovery DCR synchronization and events that trigger log file
User Tracking phone data schema User Tracking subnet data schema User Tracking switch data schema overview Default deleting device groups
rediscovery
user-defined fields from DCR device groups, managing customizable deleting groups rules
E
editing device group details local user profile e-mail configurations (Notification Services) E-Mail Notification Subscriptions E-Mail Subject Customization notifications (Notification Services) SMTP server
forwarding traps to Fault Monitor importing using CLI log files rediscovering Device Selector Device Selector settings
ESS (Event Service Software) changing the port for in Solaris events changing names log files Event Processing Adapters Event Promulgation Module
Event Sets (see Notification Services) expired server certificate, how to handle exporting automated actions in Syslog Analysis message filters, in Syslog Analyzer
summaries
system defined Fault Monitor user defined editing creating deleting groups
Groups, administering
F
Fault History log file filters Inventory change report filters, setting creating deleting editing
exporting
in Syslog Analyzer
G
group administration groups creating
simple group rule example single server scenario single server setup syntax checking
H
HP OpenView
J
Java Plug-in, version to use Job Approval, using approver lists assigning
I
IBM SecureWay Directory, changing login module to images IOS images, and recommendation filters importing devices and credentials using CLI interfaces customizable groups system defined groups Inventory change report filters, setting inventory effect of DCR changes log files Inventory Collector Inventory Interactor Inventory Service Inventory, using collection or polling schedule, changing Inventory Job Browser job details, viewing inventory collection log file overview IOS images, and recommendation filters
jobs, approving and rejecting task workflow Job Browser, using jrm, checking
K
KerberosLogin, changing login module to
L
licensing Cisco Prime applications license information, viewing licensing procedure obtaining a license updating licenses local user policy setup
locked out of Cisco Prime LMS Server, troubleshooting log files, maintaining on UNIX
on Windows
logrot utility, configuring logrot utility, running login module setting to non-ACS
NetShow Administering NetShow settings defining default job policies defining protocol order purging jobs
Local UNIX system, changing to MS Active Directory, changing to Netscape Directory, changing to Radius, changing to log level setting logrot utility configuring running logs configuring
TACACS+, changing to
Notification Groups (see Notification Services) configuring notifications, overview E-Mail Configurations E-Mail Notifications
Fault Monitor log files incharge log files Lookup Analyzer, using
M
managed source interface managing LMS resources
Masking credentials of show commands message filters, in Syslog Analysis creating deleting editing
O
online users, messaging Solaris Windows
overview authentication using login modules overviews Common Syslog Collector Syslog Analyzer overviews of
N
NetConfig, using job password
P
peer server certificates setting up
physical discrepancy reports ping sweep options, modifying PKCS#8, definition polling log files adapter database manager log files adapter database manager Administration Creating Groups Attributes Examples
device packages, listing dependents device packages, uninstalling device updates, downloading software updates, downloading software updates, querying
grouping services
grouping services
in Syslog Analyzer
R
Radius, changing login module to range operator rediscovery
preferences for system, modifying private key, definition processes Cisco Prime
Remote server and other portlets object finder reports discrepancy reporting understanding user tracking switch port usage reports, exporting resources, managing in LMS restoring data LMS data solaris windows LMS portlets Audit Trail Information Job Approval
S
Secure Shell (SSH), definition security access control, and understanding general server
physical discrepancies
certificates, understanding
security, setting up
Authentication mode, setting up Cisco.com login, setting up login module setting to non-ACS multi-server mode setting up
DEBUG_CATEGORY_NAME
enabling
user management local user profile, modifying peer server, setting up users, adding
QUEUE_CAPACITY
users, setting up through CLI Self Signed certificates server, configuring AAA mode, setting up applications, licensing licensing information, viewing licensing procedure obtaining a license
TIMEZONE_FILE running-config
connection
server-imposed
server information, collecting disk space, threshold configuring log files, maintaining List of log files on UNIX
logging, configuring
LMS device attributes setting up, local user modify profile security levels
user accounts
setting up, local user policy setting up, local users SMTP server, default SNMP MAC notification listener
SNMP trap listener, configuring SNMP traps on ports, enabling SNMP traps
integrating SNMP trap receiving with other NMS SNMP Trap Notifications trap forwarding port trap receiving port Software Center event log
server certificate for Cisco Prime, expiration, how to handle server information, collecting (LMS)
scheduled job
software updates, downloading software updates, performing software updates, selecting Software Center CLI utility Software Management, using administration tasks
preferences, viewing and editing preferences, viewing and editing protocol order, selecting Solaris, changing ports in for ESS
editing
overview
Syslog Notifications
System Admin dashboard portlets critical message window system administration databases, purging logging, configuring SMTP default server
for osagent
SSL, enabling on the server from the CLI SSL, definition changing enabling
starting Cisco Prime applications, troubleshooting subscriptions (see Notification Services) Syslog Analyzer purge policy caution regarding changing values setting
system defined groups Fault Monitor System Preferences Loading MIB Files Poll Settings Purging Data Purging Jobs
Syslog Analyzer and Collector, using automated actions creating deleting editing example
Creating Syslog Receiver Group Deleting Syslog Receiver Group Editing Syslog Receiver Group Filtering Syslog Receiver Group Trap Receiver Group
enabling, disabling
Creating Trap Receiver Group Deleting Trap Receiver Group Editing Trap Receiver Group Filtering Trap Receiver Group Viewing Audit Trail Log Report Viewing Purge Details
database inaccessibility ESS port change Solaris FAQs list Apache and Tomcat
T
TACACS+, changing login module to
terms and definitions in security certificates Base64-encoded X.509 certificate format CA (certificate authority) PKCS#8 SSH SSL thresholds log files adapter database manager topology groups system-defined groups creating, based on subnet transport protocols, configuring order, defining traps forwarding from devices to Fault Monitor SNMP (see SNMP traps) troubleshooting back-up data, directory structure of Cisco Prime applications, starting Cisco Prime LMS Server locked out of, diagnosing server status, verifying
Java Plug-in, which version to use osagent port change Solaris Windows suggestions User Tracking
outdated entries in User Tracking table Troubleshooting and FAQs trunk ports customizable groups system defined groups
grouping services
U
UNIX systems changing login module to local UNIX system log files, maintaining on
subnet discovery, configuring user-defined collector groups user defined groups editing
membership details
User Tracking acquisition schedule, modifying acquisition settings, modifying command-line interface DHCP snooping Dynamic updates FAQs error logging
log file
view groups
W
warnings regarding
configuration change detection schedule, and purging Windows 2003 or Windows NT systems log files, maintaining on Windows systems
properties from the backend, configuring User Tracking Debugger Utility understanding using using
UT data, accessing UT data, importing various acquisitions User Tracking Utility installing
UT in DHCP environment
V
verifying Cisco Prime LMS Server status